MikroTik

Hello all!

I'm new to this community and MikroTik products in general. I've decided to go with a "RB4011iGS+5HacQ2HnD-IN" since my IPS router started annoying me.
To keep this short as possible, I have a public static IPv4 address and a IPv4 /24 home network where all my devices are connected. MikroTik router has one DHCP server defined (pretty basic setup) which is handing out IPs to all the devices. As for the DNS, I have 2x Raspberry Pi's (for redundancy purposes) with Pihole running on them. Pihole is set-up to use Cloudflare as a DNS.

This is all working very well, except for the smartphones .. they seem to be bypassing the Pihole and I get no ad blocking on them. I believe that this is due to the mobile devices assigning themselves an IPv6 address (via SLAAC) and using AAAA DNS -> they get no IPv6 DNS server info from the router since it's a IPv4 network. And then the default DNS (from what I saw via torch, 8.8.8.8) is used for queries.
Pihole DNS settings Primary Pihole and secondary Pihole Does anyone know a good & clean way to solve this problem? I wouldn't want to enable IPv6 on the router & Piholes just to filter AAAA DNS queries. And as previously stated, from what I noticed only mobile devices are causing these "problems".

Thanks in advance!

To prove your theory, disable mobile data on the phone to see what happens.

You should really post your export so everyone can see the whole config.

To prove your theory, disable mobile data on the phone to see what happens.

You should really post your export so everyone can see the whole config.

Aren't the torch results enough? It clearly shows queries towards google DNS inside of the local network. Why would mobile data traffic show on the router??

Devices don't have to use DHCP assigned DNS - Chromecast devices for instance only use 8.8.8.8.

You mentioned slaac assigned by the mobile connection.

I was following your assumption and trying to verify the the source.

If you want better answers with out a lot of guessing, post your export (with hide-sensitive=yes).

You mentioned slaac assigned by the mobile connection.

Noone said it was "assigned by the mobile connection", the smartphone uses slaac to assign itself an IPv6 in the local network. This is not the case just with my phone (huawei p40 pro), the same behaviour was observed with 3 others as well (2x Huawei & 1x Xiaomi). Iphone 11 for example does not do that.

I don't know why the phones would do this(have not seen this on phones at least). You are best off using a dst nat rule that redirects port 53 traffic to your pi hole servers. I use a rule like this to point to my local resolvers that then use doh.

Following did the trick: Just not sure how to make this solution redundant .. since I use 2x Piholes and now everything is being sent to the x.x.x.2 Pihole, and the x.x.x.3 is just sitting pretty.
If the Pihole Nr.1 (192.168.100.2) goes offline, I will have no working DNS in my network. Any tips?

Try to instead of redirect,
drop on firewall filter forward the direct connections from "pool of smartphone ip" to the IP 8.8.8.8 and 8.8.4.4
On this way probably the device must be forced to use internal provided IP from DHCP Server

Try to instead of redirect,
drop on firewall filter forward the direct connections from "pool of smartphone ip" to the IP 8.8.8.8 and 8.8.4.4
On this way probably the device must be forced to use internal provided IP from DHCP Server

Would like to give it a try, just not sure about the rule (since I'm new to MikroTik)
Would it look something like this? Not sure how to add both destination addresses, and also I would do it for the whole subnet because otherwise I'll have to either set-up 2 DHCP servers or manually sort smartphones / assign them static IPs in a specific range. I think ..

Your rules only cover udp, so don't forget the tcp rules for DNS (not as common as udp).

I don't know if any failover scenario other than using bgp and creating an anycast address to be used by DNS.

You would use bird on the pihole devices for bgp.

In the dst-nat rule you would use the anycast address.

I mean this, not on NAT but on fiilters:

6.6.6.6 is the smartphone IP just for do the test

Yap, it works well!
I'll change it now so that it'll be valid for whole /24 network. Thanks for the help!