I have an R8500 with DD-WRT on it.
Router configuration
I have a local network (br0 / 192.168.1.1) whose only DNS server is 192.168.1.2.
I also have a wireless interface W1.1 with a bridge br1 (192.168.10.1) with Net Isolation enabled, as it is shared with my neighbors and I don't want them to mess with my personal network.
I configured PiHole with Conditional Forwarding.
Goal
My goal is to use Pi-hole for DNS queries, and all devices connected to the network need to use the Pi-hole as their DNS server. I also want to know which device made the query.
I tried...
- Local DNS In Router IP
- Static DNS 1 in DHCP
- dhcp-option=6,192.168.1.2 in Additional DNSMasq Options
- Forced DNS Redirection, which results in no DNS at all for all devices on the entire network.
I'm testing using an Android phone and a laptop connected to the shared network with auto DNS and DHCP on the clients to see if the PiHole will catch the requests. I disconnect and reconnect the devices every time I change a configuration.
You can check my PiHole configuration here: https://tricorder.pi-hole.net/81om9lzgzm
I'm not quite sure how I should achieve this, any suggestion? I've been playing with this for a long time. I'm sorry if something isn't clear or if I forgot something, just let me know!
EDIT
I played a little and found some rules that don't work. I disabled Net Isolation for br1 and tried the following firewall rules:
The middle rules are to try forcing the DNS server on the clients.
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
#keep network on pi-hole
iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 192.168.1.2:53
iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 192.168.1.2:53
iptables -t nat -I PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to 192.168.1.2:53
iptables -t nat -I PREROUTING -i br1 -p udp --dport 53 -j DNAT --to 192.168.1.2:53
#punch DNS hole for pi-hole
iptables -t nat -I PREROUTING -i br0 -p tcp -s 192.168.1.2 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br0 -p udp -s 192.168.1.2 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br1 -p tcp -s 192.168.1.2 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br1 -p udp -s 192.168.1.2 --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
Internet doesn't work on the br1 (w1.1) public interface with those but I'm still playing with them.
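In the rules listed above, the DNAT in PREROUTING rewrites the guest clients' DNS queries to 192.168.1.2, which lives on br0, so those packets then traverse FORWARD as `-i br1 -o br0`. Because every rule is added with `-I`, the later `-i br1 -o br0 ... DROP` sits above the earlier blanket `-i br1 ... ACCEPT` and drops the redirected queries, which leaves the guest bridge without DNS. The script below is an added example, not part of the original post: a DD-WRT custom firewall script that redirects port 53 on both bridges to the Pi-hole and replaces Net Isolation with explicit rules that allow guest clients exactly one thing on br0, DNS to the Pi-hole. Addresses and interface names are the ones from the post; the `PIHOLE`, `LAN_IF` and `GUEST_IF` variables and the function names are this example's own. It uses DNAT rather than MASQUERADE so the Pi-hole still logs each client's real address.

```shell
#!/bin/sh
# Added example (not from the original post): DD-WRT firewall script that
# forces all DNS on br0 and br1 to the Pi-hole and isolates br1 from br0
# except for DNS to the Pi-hole. Values below are the ones the post gives.
PIHOLE="${PIHOLE:-192.168.1.2}"
LAN_IF="${LAN_IF:-br0}"
GUEST_IF="${GUEST_IF:-br1}"
IPT="${IPT:-iptables}"

# Dry run when iptables is not on PATH (e.g. reviewing the script on a PC):
# print each rule instead of applying it.
command -v "$IPT" >/dev/null 2>&1 || IPT="echo"

# DNS redirect for one bridge. DNAT rewrites only the destination, so the
# Pi-hole still sees each client's own source address in its query log. The
# Pi-hole's own upstream queries are excluded so they do not loop back to it.
redirect_dns() {
    br="$1"
    for proto in udp tcp; do
        $IPT -t nat -I PREROUTING -i "$br" -p "$proto" --dport 53 \
            ! -s "$PIHOLE" -j DNAT --to-destination "$PIHOLE:53"
    done
}

# Guest isolation with a single pinhole. Each -I inserts at the top of the
# chain, so the chain ends up in the reverse of the order written here: the
# pinhole ACCEPTs are inserted last and therefore evaluated first, ahead of
# the two DROPs that block everything else between the bridges.
isolate_guest() {
    $IPT -I FORWARD -i "$LAN_IF" -o "$GUEST_IF" -j DROP
    $IPT -I FORWARD -i "$GUEST_IF" -o "$LAN_IF" -j DROP
    # replies from the Pi-hole back to guest clients
    $IPT -I FORWARD -i "$LAN_IF" -o "$GUEST_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # the DNATed queries: guest -> Pi-hole port 53 only, nothing else on br0
    for proto in udp tcp; do
        $IPT -I FORWARD -i "$GUEST_IF" -o "$LAN_IF" -p "$proto" \
            -d "$PIHOLE" --dport 53 -j ACCEPT
    done
}

# Whole policy: DNS redirect on both bridges, then the isolation rules.
# Guest traffic to the WAN is untouched and falls through to DD-WRT's own rules.
apply_policy() {
    redirect_dns "$LAN_IF"
    redirect_dns "$GUEST_IF"
    isolate_guest
}

apply_policy
```

On the router this goes under Administration, Commands, Save Firewall so it is re-applied after each reboot; `iptables -t nat -L PREROUTING -n -v --line-numbers` and `iptables -L FORWARD -n -v --line-numbers` show the resulting order and the packet counters, which should climb on the DNAT and pinhole rules when a guest device resolves a name. The Pi-hole must be able to reach 192.168.10.0/24 for its replies, which it does if the router is its default gateway.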