Sunday, January 7, 2018

Testing out my shiny new DNS iptables rules on LEDE (OpenWrt)

On my router, a TP-Link TL-WDR4300 v1, I run LEDE Reboot 17.01.4 as the firmware. I also run two Ubuntu 16.04.3 LTS servers with Pi-hole, which act as both DNS and DHCP for the network.

While reading the Pi-hole subreddit, this question piqued my interest:
https://www.reddit.com/r/pihole/comments/7o0ev3/how_to_force_dns_as_pihole_ddwrt/

The question, "How to 'force' DNS as Pihole. (dd-wrt)", was something I wanted to do on my own network, and since DD-WRT is similar to LEDE I figured it should work for me too. The idea is to catch every DNS query leaving the LAN, whatever server the client has configured, and redirect it to a Pi-hole.

The easiest way I know to make iptables rules persistent in LEDE is to use the LuCI interface by going to
Network > Firewall > Custom Rules
(the rules entered there are saved in /etc/firewall.user and replayed every time the firewall starts).

I pasted this into LuCI:
#keep network on pi-hole
# redirect every DNS query arriving from the LAN bridge to one of the two Pi-holes;
# with a range, conntrack picks one address for each new flow
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 192.168.200.10-192.168.200.11:53
iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.200.10-192.168.200.11:53
#punch DNS hole for pi-hole
# the Pi-holes' own upstream queries must not be redirected back to them;
# -I inserts at the top, so these end up above the DNAT rules and are checked first
iptables -t nat -I PREROUTING -i br-lan -p tcp -s 192.168.200.10 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br-lan -p udp -s 192.168.200.10 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br-lan -p tcp -s 192.168.200.11 --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i br-lan -p udp -s 192.168.200.11 --dport 53 -j ACCEPT

Then I pressed "Restart Firewall" (the same as running /etc/init.d/firewall restart over SSH). I also rebooted the router, but I don't think that was necessary.

The order matters: because every line uses -I, each new rule goes to the top of PREROUTING, so the ACCEPT rules for the two Pi-holes are evaluated before the DNAT rules. Had the same lines been added with -A, the DNAT would match first, and a Pi-hole forwarding a query upstream would have its own traffic redirected back into the pool.
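The same redirect rebuilt as a dedicated nat chain, so the evaluation order is explicit instead of depending on -I, plus a probe that drops a dead Pi-hole from the DNAT pool. This is an added example, not code from the original post. It assumes the chain name pihole_dns, the LAN bridge br-lan, the two Pi-holes at 192.168.200.10 and .11, busybox nslookup on the router returning non-zero when a server does not answer, and that each Pi-hole resolves the name pi.hole (all of these are my assumptions). Only apply_rules and live_piholes need the router; dns_rules and check_order just print and inspect text, so they can be tried anywhere.

```shell
#!/bin/sh
# Added example, not the post's own rules: DNS redirect as a dedicated nat
# chain, with a probe that rebuilds the pool from the Pi-holes that answer.
# Assumed (mine, not from the post): chain "pihole_dns", LAN bridge "br-lan",
# Pi-holes 192.168.200.10/.11, busybox nslookup, Pi-hole answering "pi.hole".

LAN_IF=${LAN_IF:-br-lan}
CHAIN=${CHAIN:-pihole_dns}
ALL_PIHOLES="192.168.200.10 192.168.200.11"

# dns_rules SERVER [SERVER...]: print the iptables commands, one per line, in
# the order they must be evaluated. Prints only, so it runs off the router.
dns_rules() {
    [ $# -ge 1 ] || { echo "dns_rules: need at least one server" >&2; return 1; }
    first=$1
    for s in "$@"; do last=$s; done
    # One survivor gets a plain DNAT; two or more become a range that conntrack
    # spreads across, one destination per flow, with no health check of its own.
    if [ "$first" = "$last" ]; then dst="$first:53"; else dst="$first-$last:53"; fi

    printf '%s\n' \
        "iptables -t nat -N $CHAIN 2>/dev/null" \
        "iptables -t nat -F $CHAIN"
    # 1. Exempt every Pi-hole's own upstream queries (even one currently down,
    #    so it is still exempt when it returns). RETURN rather than ACCEPT, so
    #    the rest of PREROUTING, e.g. fw3 port forwards, is still evaluated.
    for s in $ALL_PIHOLES; do
        for proto in udp tcp; do
            printf '%s\n' "iptables -t nat -A $CHAIN -s $s -p $proto --dport 53 -j RETURN"
        done
    done
    # 2. Every other LAN query on port 53 is rewritten to the pool.
    for proto in udp tcp; do
        printf '%s\n' "iptables -t nat -A $CHAIN -p $proto --dport 53 -j DNAT --to-destination $dst"
    done
    # 3. Hook the chain at the top of PREROUTING for LAN traffic, only once.
    printf '%s\n' "iptables -t nat -C PREROUTING -i $LAN_IF -j $CHAIN 2>/dev/null || iptables -t nat -I PREROUTING -i $LAN_IF -j $CHAIN"
}

# check_order SERVER...: every RETURN must precede the first DNAT, otherwise a
# Pi-hole would be redirected to itself. Returns 0 when the order is right.
check_order() {
    out=$(dns_rules "$@") || return 1
    first_dnat=$(printf '%s\n' "$out" | grep -n -- '-j DNAT' | head -n 1 | cut -d: -f1)
    last_ret=$(printf '%s\n' "$out" | grep -n -- '-j RETURN' | tail -n 1 | cut -d: -f1)
    [ -n "$first_dnat" ] && [ -n "$last_ret" ] && [ "$last_ret" -lt "$first_dnat" ]
}

# live_piholes: print the Pi-holes that answer a query right now (router only).
# A server that times out is left out of the pool on the next rebuild.
live_piholes() {
    for s in $ALL_PIHOLES; do
        nslookup pi.hole "$s" >/dev/null 2>&1 && printf '%s\n' "$s"
    done
}

# apply_rules: rebuild the chain from whatever is alive. Run it from
# /etc/firewall.user and from cron on the router; refuses a mis-ordered set.
apply_rules() {
    live=$(live_piholes)
    [ -n "$live" ] || { echo "no Pi-hole answering, leaving rules alone" >&2; return 1; }
    check_order $live || { echo "bad rule order, refusing" >&2; return 1; }
    dns_rules $live | sh
}
```

To see the rules in action on the router, iptables -t nat -L pihole_dns -v -n shows per-rule packet counters climbing as clients resolve names. Two caveats a practitioner should keep in mind: the redirect is transparent to the client, so nslookup on a Windows box still reports whatever server it thinks it asked (the reply is un-NATed on the way back) and only the Pi-hole query log proves the interception; and the rules only catch plaintext DNS on port 53 over IPv4 entering br-lan. Clients using DNS over HTTPS (443), DNS over TLS (853) or an IPv6 resolver bypass them, the last of which would need matching ip6tables rules.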



Checking if it works

The easiest way I know of to keep an eye on both Pi-holes at the same time from Windows is DNSQuerySniffer by Nir Sofer (NirSoft); it's free and it works. It needs the WinPcap capture driver to work properly, but if you have Wireshark installed you more than likely have WinPcap already.

Here is a small capture; it looks like it's working.
Note: this capture was taken with the iptables rule below.
[screenshot: DNSQuerySniffer capture]

Here is roughly the same time frame as the DNSQuerySniffer capture, in each Pi-hole's query log:
[screenshot: Pi-hole query log, 192.168.200.10]
[screenshot: Pi-hole query log, 192.168.200.11]
The only problem with these iptables rules is that if the DNS server 192.168.200.10 goes down, the command "nslookup" will not work; it just times out. Other than that it works and I still have connectivity to the internet. The cause is that a DNAT range has no health check: conntrack maps each new flow to one address in the range and keeps sending to it whether or not that host answers, so queries that land on the dead Pi-hole simply time out until something rewrites the rules to leave it out.
