Manual DNS bypasses the Pihole - force redirect to pihole

Kataius · Mon Oct 30, 2023 3:26 pm

Hi, I set up pihole in a container in the mikrotik. Everything works perfectly, except: if some client set the DNS server manually it bypass the pihole. I put the rules in the firewall to force redirect to pihole but it doesn't work. What am I doing wrong?

Pihole IP: 192.168.0.8
LAN filtered: 192.168.0.0/20
100-Casa: vlan100 (LAN Filterd =>192.168.0.0/20)
sfp-sfpplus1: provider-vlan and all-vlan (casa, mamma, guest) (from a manage-switch)
veth1: container PiHole

/interface list member
add interface=provider-pppoe list=WAN
add interface=provider-vlan list=WAN
add interface=BR-Capsman list=LAN
add interface=BR-Pihole list=LAN

/interface bridge port
add bridge=BR-Pihole interface=veth1
add bridge=BR-Capsman interface=sfp-sfpplus1
add bridge=BR-Pihole interface=100-Casa

/ip firewall address-list
add address=192.168.0.0/20 comment="Casa NET" list=net_casa
add address=10.255.255.0/24 comment="Mamma NET" list=net_mamma
add address=172.16.0.0/20 comment="Guest NET" list=net_guest
add address=10.255.255.0/24 comment="Excluded from PiHole" list=excluded
add address=172.16.0.0/20 comment="Excluded from PiHole" list=excluded
add address=192.168.0.8 comment="Excluded from PiHole" list=excluded

/ip firewall filter
add action=accept chain=forward comment=PiHole dst-address=192.168.0.8 \
    src-address=192.168.0.0/20
add action=accept chain=input comment=PiHole dst-port=53 protocol=tcp \
    src-address=192.168.0.0/20
add action=accept chain=input comment=PiHole dst-port=53 protocol=udp \
    src-address=192.168.0.0/20

/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.0.0/20
add action=masquerade chain=srcnat src-address=10.255.255.0/24
add action=masquerade chain=srcnat src-address=172.16.0.0/20
add action=dst-nat chain=dstnat comment=PiHole dst-port=53 in-interface-list=\
    LAN protocol=tcp src-address-list=!excluded to-addresses=192.168.0.8 \
    to-ports=53
add action=dst-nat chain=dstnat comment=PiHole dst-port=53 in-interface-list=\
    LAN protocol=tcp src-address-list=!excluded to-addresses=192.168.0.8 \
    to-ports=53

Thanks

jvanhambelgium · Mon Oct 30, 2023 5:29 pm

Hi, place these before the masq entries, so re-order them.

add action=dst-nat chain=dstnat comment=PiHole dst-port=53 in-interface-list=\
LAN protocol=tcp src-address-list=!excluded to-addresses=192.168.0.8 \
to-ports=53
add action=dst-nat chain=dstnat comment=PiHole dst-port=53 in-interface-list=\
LAN protocol=tcp src-address-list=!excluded to-addresses=192.168.0.8 \
to-ports=53

I use the about the same rules and this simply works, but these are completely at the top.

anav · Mon Oct 30, 2023 5:51 pm

Very hard to read.
so basically you have three subnets 192.168.0/20, mamma subnet 10.255.255.0/24 and guests 172.16.0.0/20
ONLY 192.168.0.0/20 needs to go through pihole.
The pi-hole resides on the the only subnet requiring piHOLE DNS.

The GOOD!
1. forward chain rule allows subnet users to pihole, but in this case its meaningless and firewall rules are L3 and the users access pi-hole on L2, if you had other subnets requiring pi-hole then the rule would make sense. Typically add chain=forward action=accept in-interface-list=LAN dst-address=Pihole0-IP

2. You have an exclusion list for pihole that includes the two other subnets and the piohle itself, 192.168.0.8/32
These are captured properly in the dst nat rules.
EXCEPT change protocol of one of them to UDP!!!

The NOTSURE
add action=accept chain=forward comment=PiHole dst-address=192.168.0.8 \ { as stated not needed but no harm no foul }
src-address=192.168.0.0/20
add action=accept chain=input comment=PiHole dst-port=53 protocol=tcp \
src-address=192.168.0.0/20

My comment here is that the LAN interface should require access to DNS. Especially the pi-hole but also the excluded subnets.
There is no harm in allowing full LAN access to DNS because we are redirecting specific users to pi-hole anyway.
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=udp
add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=tcp

SUGGESTIONS

/ip dhcp-server network
add address=192.168.0.0/20 gateway=192.168.0.1 dns-server=192.168.0.8
add address=10.255.255.0/24 gateway=109.255.255.1 dns-server=10.255.255.1
add address=172.16.0.0/20 gateway=172.16.0.1 dns-server=172.16.0.1

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Now test with any changes made and see what happens.

I dont think you need hairpin nat rule but if still no joy try adding.
add chain=srcnat action=masquerade src-address=192.168.0.0/20 dst-address=192.168.0.0/20

jvanhambelgium · Mon Oct 30, 2023 6:38 pm

Ahhhh..good spotting @anav about the UDP/53 missing in the DNAT-rules. That might explain a lot.

Kataius · Wed Nov 01, 2023 3:20 pm

Hello, thanks.
But problem still remain. If i left automatic dns the device takes 192.168.0.8 (like i have setup in

 /ip dhcp-server network

) but if i set manually dns in a client, it's bypass pihole and use the manual dns that i have set: Any other ideas?

/ip firewall nat
add action=masquerade chain=srcnat comment=PiHole dst-address=192.168.0.0/20 src-address=192.168.0.0/20
add action=accept chain=input comment=PiHole dst-port=53 protocol=tcp src-address=192.168.0.0/20
add action=accept chain=input comment=PiHole dst-port=53 protocol=udp src-address=192.168.0.0/20
add action=accept chain=forward comment=PiHole dst-address=192.168.0.8 in-interface-list=LAN
add action=dst-nat chain=dstnat comment=PiHole dst-port=53 protocol=tcp src-address=192.168.0.0/20 src-address-list=!excluded to-addresses=192.168.0.8 to-ports=53
add action=dst-nat chain=dstnat comment=PiHole dst-port=53 protocol=udp src-address=192.168.0.0/20 src-address-list=!excluded to-addresses=192.168.0.8 to-ports=53
add action=masquerade chain=srcnat src-address=192.168.0.0/20

The rules are working, i see that in packets.

Only rules isn't working is:

add action=accept chain=forward comment=PiHole dst-address=192.168.0.8 in-interface-list=LAN

Thanks again

Amm0 · Wed Nov 01, 2023 3:27 pm

Do you have a fasttrack rule if it's enabled in /ip/firewall/filter? If so you might want the /ip/firewall/filter to just accept DNS traffic before the fasttrack rule.

Kataius · Wed Nov 01, 2023 4:24 pm

Thanks but it not works also with you suggestion:

/ip firewall filter
add action=accept chain=forward comment=PiHole dst-address=192.168.0.8 in-interface-list=LAN
add action=accept chain=input comment=PiHole dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment=PiHole dst-port=53 in-interface-list=LAN protocol=udp
add action=fasttrack-connection chain=forward comment="Fast Track" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Fast-Forward\r\
    \n" connection-state=established,related
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=drop chain=forward comment="DROP traffico da Mamma a Casa" dst-address-list=net_casa src-address-list=net_mamma
add action=drop chain=forward comment="DROP traffico da Guest a Casa" dst-address-list=net_casa src-address-list=net_guest
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the www - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=80 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the www-ssl - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=443 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the telnet - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=23 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the ssh - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=22 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the ftp- except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=21 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the api-ssl - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8729 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the api - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8728 protocol=tcp src-address-list=!net_casa
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Full access to net_casa address list" src-address-list=net_casa
add action=accept chain=input comment="Full access to net_mamma address list" log=yes src-address-list=net_mamma
add action=accept chain=input comment="Full access to net_guest address list" log=yes src-address-list=net_guest
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" log-prefix=DROP!!
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood, adjust the limit as needed" icmp-options=8:0 limit=2,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp

Amm0 · Wed Nov 01, 2023 5:33 pm

I think you need chain=forward, not chain=input in the filter rules

pe1chl · Wed Nov 01, 2023 6:24 pm

except: if some client set the DNS server manually it bypass the pihole

Once you have fixed that, some client will not use the DNS protocol on TCP/UDP port 53, but instead will use DoH or DoT.
Or when you have a client that does not like your limitations, they will just setup a VPN and send everything (including DNS) over that.

Kataius · Wed Nov 01, 2023 9:53 pm

Again i'm here... doesn't works... In a windows 11 pc (for example) if i put automatic dns or 192.168.0.8 as dns all works. If i put 8.8.8.8 bypass pihone. Now i give you my all config of firewall. Thanks for the help you gave to me and thanks for the help you will give to me.

  /ip firewall address-list
add address=192.168.0.0/20 comment="Casa NET" list=net_casa
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" list=\
    bogons
add address=******.net list=WAN
add address=10.255.255.0/24 comment="Mamma NET" list=net_mamma
add address=172.16.0.0/20 comment="Guest NET" list=net_guest
add address=10.255.255.0/24 comment="Excluded from PiHole" list=excluded
add address=172.16.0.0/20 comment="Excluded from PiHole" list=excluded
add address=192.168.0.8 comment="Excluded from PiHole" list=excluded
add address=192.168.0.1 comment="Excluded from PiHole" disabled=yes list=\
    excluded
/ip firewall filter
add action=accept chain=forward comment=PiHole dst-address=192.168.0.8 \
    src-address=192.168.0.0/20
add action=accept chain=forward comment=PiHole dst-port=53 protocol=tcp \
    src-address=192.168.0.0/20
add action=accept chain=forward comment=PiHole dst-port=53 protocol=udp \
    src-address=192.168.0.0/20
add action=fasttrack-connection chain=forward comment="Fast Track" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Fast-Forward\r\
    \n" connection-state=established,related
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" \
    connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=\
    Syn_Flooder
add action=drop chain=forward comment="DROP traffico da Mamma a Casa" \
    dst-address-list=net_casa src-address-list=net_mamma
add action=drop chain=forward comment="DROP traffico da Guest a Casa" \
    dst-address-list=net_casa src-address-list=net_guest
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=\
    tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=\
    Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP \
    protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to \
    support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT\
    \_ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the www - except to sup\
    port list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT AD\
    DRESS LIST" dst-port=80 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the www-ssl - except to\
    \_support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPO\
    RT ADDRESS LIST" dst-port=443 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the telnet - except to \
    support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT\
    \_ADDRESS LIST" dst-port=23 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the ssh - except to sup\
    port list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT AD\
    DRESS LIST" dst-port=22 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the ftp- except to supp\
    ort list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADD\
    RESS LIST" dst-port=21 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the api-ssl - except to\
    \_support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPO\
    RT ADDRESS LIST" dst-port=8729 protocol=tcp src-address-list=!net_casa
add action=drop chain=input comment="Block all access to the api - except to sup\
    port list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT AD\
    DRESS LIST" dst-port=8728 protocol=tcp src-address-list=!net_casa
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=\
    3h chain=forward comment="Add Spammers to the list for 3 hours" \
    connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to net_casa address list" \
    src-address-list=net_casa
add action=accept chain=input comment="Full access to net_mamma address list" \
    log=yes src-address-list=net_mamma
add action=accept chain=input comment="Full access to net_guest address list" \
    log=yes src-address-list=net_guest
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RU\
    LE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" log-prefix=DROP!!
add action=accept chain=ICMP comment=\
    "Echo request - Avoiding Ping Flood, adjust the limit as needed" \
    icmp-options=8:0 limit=2,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat comment=PiHole dst-address=192.168.0.0/20 \
    src-address=192.168.0.0/20
add action=accept chain=input comment=PiHole dst-port=53 protocol=tcp \
    src-address=192.168.0.0/20
add action=accept chain=input comment=PiHole dst-port=53 protocol=udp \
    src-address=192.168.0.0/20
add action=accept chain=forward comment=PiHole disabled=yes dst-address=\
    192.168.0.8 in-interface-list=LAN
add action=dst-nat chain=dstnat comment=PiHole dst-port=53 protocol=tcp \
    src-address=192.168.0.0/20 src-address-list=!excluded to-addresses=\
    192.168.0.8 to-ports=53
add action=dst-nat chain=dstnat comment=PiHole dst-port=53 protocol=udp \
    src-address=192.168.0.0/20 src-address-list=!excluded to-addresses=\
    192.168.0.8 to-ports=53
add action=masquerade chain=srcnat src-address=192.168.0.0/20
add action=masquerade chain=srcnat src-address=10.255.255.0/24
add action=masquerade chain=srcnat src-address=172.16.0.0/20
/ip firewall service-port
set ftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes

Amm0 · Wed Nov 01, 2023 10:09 pm

I'm not sure what the same subnet to same subnet NAT rule is doing for you... & it before the dst-nat. Also is the particular interfaces involved actually part of the LAN interface list.

It might be helpful for you trace your rules against the Packet Flow Diagram: https://help.mikrotik.com/docs/display/ ... n+RouterOS

As noted, and importantly, this is never going to be full proof as applications can directly use DoH/DoT.

Manual DNS bypasses the Pihole - force redirect to pihole

Manual DNS bypasses the Pihole - force redirect to pihole

Re: Manual DNS bypasses the Pihole - force redirect to pihole

Re: Manual DNS bypasses the Pihole - force redirect to pihole

Re: Manual DNS bypasses the Pihole - force redirect to pihole

Re: Manual DNS bypasses the Pihole - force redirect to pihole

Re: Manual DNS bypasses the Pihole - force redirect to pihole

Re: Manual DNS bypasses the Pihole - force redirect to pihole

Re: Manual DNS bypasses the Pihole - force redirect to pihole

Re: Manual DNS bypasses the Pihole - force redirect to pihole

Re: Manual DNS bypasses the Pihole - force redirect to pihole

Re: Manual DNS bypasses the Pihole - force redirect to pihole

Who is online