I have a Raspberry Pi 4 running Pi-hole on 192.168.1.20 on port 53.
I use this as a DNS server.
I would like to block port 53 for all other devices on the network.
When I enable "Override DNS Settings of All Clients" it also blocks the port 53 on my Pi-hole device.
What can I do?
Hi,
Does the Raspberry Pi work in drop-in gateway mode behind the GL router?
If yes, you don't need to block port 53 on all other devices on the network; just set the DNS in the GL router to point to the Raspberry Pi's IP.
I'm also using it to block porn. So I need to block port 53 for everything except the Raspberry Pi.
Tbh this isn't a real protection. Most modern browsers will use DoH or DoT anyway.
So don't invest much effort in it.
I'm just looking for the same functionality that I had with my TP-Link. Is there no way?
You can block stuff by using the firewall in luci.
See firewall - Properly block ports on openwrt - Super User
But as I wrote: DNS is changing. Plain DNS (UDP 53) is going to die in most environments. Blocking websites using DNS is always a decision of your own (for blocking ads, e.g.), but you can't really enforce it anymore.
Every teenager with access to the internet can simply download something like "Free the internet. With the Mullvad Browser." or google "Unblocking DNS" or "changing DNS" and is free to go. So it's like 2 minutes of effort to get around your "protection".
I put it like that?
But won't it also block port 53 for my Raspberry Pi? How do I exclude it?
It will block port 53 completely, yep.
Can't you change your Pi-hole to use DoH as upstream DNS? It's way more secure than plain DNS.
--
Example 192.168.8.200 is your Pi-hole:
# Allow TCP/UDP traffic to port 53 for IP 192.168.8.200
# (OUTPUT chain: these rules only match packets generated by this host itself)
iptables -A OUTPUT -p tcp -d 192.168.8.200 --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -d 192.168.8.200 --dport 53 -j ACCEPT
# Drop all other TCP/UDP traffic to port 53
iptables -A OUTPUT -p tcp --dport 53 -j DROP
iptables -A OUTPUT -p udp --dport 53 -j DROP
It doesn't work.
I've tried to negate the LAN IP rule for the Raspberry Pi by using !192.168.1.2, but it's not working either.
I took your code, changed the IP address accordingly, saved and restarted the firewall, but it doesn't work.
I also changed OUTPUT to FORWARD and still nothing.
The DNS requests are not forwarded through the router but through the raspberry pi directly:
What if you set this
Use the router to proxy DNS to your Pi-hole.
So all DNS requests to port 53 are forwarded to the Pi-hole.
Wouldn't this stop the Pi-hole from communicating with any DNS server on port 53?
So if his Pi-hole uses DoT or DoH it should be fine, but with plain DNS only?
When DNS Proxy is enabled and Override DNS is checked, it doesn't work because the Raspberry Pi is on the local LAN...
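The two approaches in this thread (intercepting LAN port 53 at the router, and rejecting port 53 from everything except the Pi-hole) can both be expressed in OpenWrt's own firewall configuration, which is what GL.iNet routers run underneath LuCI. The fragment below is an added example, not code from any post above or from GL.iNet or Pi-hole. It assumes the Pi-hole is 192.168.1.20 (the address from the first post), the default `lan` and `wan` zones, and the `!` negation syntax that OpenWrt's firewall options accept for `src_ip`. The negated `src_ip` is what the "Override DNS" checkbox lacks: it leaves the Pi-hole's own upstream queries alone, so the Pi-hole on the local LAN no longer gets hijacked into querying itself.

```uci
# --- /etc/config/firewall (added example; Pi-hole at 192.168.1.20 is an assumption) ---

# 1. Hijack plain DNS that any LAN client sends to an outside resolver and
#    hand it to the router's own dnsmasq (no dest_ip = redirect to the router).
#    The Pi-hole itself is excluded, so its upstream lookups still leave the LAN.
config redirect
	option name 'Intercept-LAN-DNS'
	option src 'lan'
	option src_ip '!192.168.1.20'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'

# 2. Belt and braces: if the redirect is ever disabled, plain DNS from anything
#    other than the Pi-hole is still rejected on its way to the WAN.
config rule
	option name 'Reject-LAN-DNS-except-Pihole'
	option src 'lan'
	option src_ip '!192.168.1.20'
	option dest 'wan'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'REJECT'

# 3. DNS-over-TLS has its own port (TCP 853) and can be rejected the same way.
#    DNS-over-HTTPS rides on TCP 443 and cannot be told apart from ordinary
#    HTTPS by port alone, which is the bypass the thread warns about.
config rule
	option name 'Reject-LAN-DoT'
	option src 'lan'
	option src_ip '!192.168.1.20'
	option dest 'wan'
	option dest_port '853'
	option proto 'tcp'
	option target 'REJECT'

# --- /etc/config/dhcp (added example) ---
# Make the router's dnsmasq forward everything it intercepted to the Pi-hole
# instead of to the ISP resolvers learned on the WAN.
config dnsmasq
	option noresolv '1'
	list server '192.168.1.20'
```

Apply with `/etc/init.d/firewall restart` and `/etc/init.d/dnsmasq restart`, then check from a LAN client that `nslookup example.com 8.8.8.8` still answers (it is being answered by the Pi-hole via the router) and that a blocked domain resolves to the Pi-hole's sinkhole address. The trade-off of proxying through the router is that the Pi-hole's query log shows the router's address as the client for every intercepted query; clients that honour the DHCP-advertised DNS server still talk to the Pi-hole directly and keep their own entries. Redirecting LAN traffic straight to the Pi-hole with a `dest_ip` instead would not work here, because the Pi-hole would answer the client directly on the LAN and the client would discard a reply that did not come from the resolver it asked.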