Force All DNS Traffic To Go Through Pi-hole Using Mikrotik


Redirect all port 53 (DNS traffic) to Pi-hole for SmartDNS

Using a MikroTik router you can route all DNS traffic to the Raspberry Pi on which you are running Pi-hole, with SmartDNS as the upstream DNS server.

By adding the firewall rules below we tell the router to send everyone's DNS queries to the Pi-hole. This approach is only directly useful if you have a MikroTik router, and semi-useful if your router uses ipchains, as the logic is the same and the syntax is not that different. It is especially valuable on business networks where you don't want guests using their own DNS servers to bypass your content blocking.

Why are we going to redirect DNS traffic to a Local Server and force users to use our specified DNS server?

We want to access geo-blocked content like Netflix and BBC iPlayer on devices such as the PlayStation 4 and 5 and the Google Chromecast, which use their own hardcoded DNS servers to determine their location no matter what you specify via DHCP or manually on the device itself.

Redirect all DNS traffic to PiHole with a MikroTik router

Step 1: Connect to the Mikrotik router using Winbox

Connect to your MikroTik router using Winbox. If you are not familiar with Winbox, it’s a small utility that allows administration of the MikroTik RouterOS using a fast and simple GUI.

Winbox can be downloaded from the MikroTik download page.

To connect to the router, enter the IP or MAC address of the router, specify your username and password (if any) and click on the Connect button. You can also enter the port number after the IP address, separating them with a colon, like this: 192.168.88.1:9999.

Tip: You can also launch Winbox from the Windows command prompt, for example (with no password):

    winbox.exe 192.168.88.1 admin ""

Step 2: Redirect DNS traffic that is neither to nor from the PiHole, to the PiHole

This snippet assumes your Raspberry Pi's IP address is 192.168.88.3; change it to the address of your own Pi-hole instance, and replace 192.168.88.0/24 with your LAN subnet.

In Winbox open the "Terminal" and paste the following code:


    /ip firewall nat
    # Redirect every DNS query (UDP and TCP) that is neither from nor to the Pi-hole to the Pi-hole
    add chain=dstnat action=dst-nat to-addresses=192.168.88.3 protocol=udp src-address=!192.168.88.3 dst-address=!192.168.88.3 dst-port=53
    add chain=dstnat action=dst-nat to-addresses=192.168.88.3 protocol=tcp src-address=!192.168.88.3 dst-address=!192.168.88.3 dst-port=53
    
    # Masquerade LAN queries to the Pi-hole so its replies come back through the router
    add chain=srcnat action=masquerade protocol=udp src-address=192.168.88.0/24 dst-address=192.168.88.3 dst-port=53
    add chain=srcnat action=masquerade protocol=tcp src-address=192.168.88.0/24 dst-address=192.168.88.3 dst-port=53
    

This will force clients on your network to use Pi-hole, even if they have their own hardcoded DNS servers.

The masquerade rules make all the redirected DNS traffic appear to the Pi-hole as if it originates from your router. Without them, you won't be able to resolve any domains if the DNS servers on your clients are set to anything other than the Pi-hole's IP address: the Pi-hole would reply to the client directly from its own address, and the client, having sent its query to a different server, discards the reply.
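To see exactly which flows the two rule pairs catch, here is a small Python model of their matching logic, written for this article as an added example (it is not code from the article or from RouterOS). It assumes the router's LAN address is 192.168.88.1 and only models packets that actually traverse the router.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addresses from the article; the router's own LAN address is an assumption.
PIHOLE = ip_address("192.168.88.3")
LAN = ip_network("192.168.88.0/24")
ROUTER_LAN_IP = ip_address("192.168.88.1")  # assumed: what masquerade rewrites the source to


@dataclass
class Flow:
    """One packet as it arrives at the router (constructed sample input)."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Result:
    dst: str               # destination after the dstnat chain
    src_seen_by_dst: str   # source address the destination will see
    redirected: bool       # matched the dst-nat rules
    masqueraded: bool      # matched the masquerade rules


def apply_nat(flow: Flow) -> Result:
    """Apply the article's dstnat rules, then its srcnat rules, in RouterOS order."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    is_dns = flow.proto in ("udp", "tcp") and flow.dport == 53
    # dstnat: src-address=!PIHOLE dst-address=!PIHOLE dst-port=53 -> to-addresses=PIHOLE.
    # The !PIHOLE source match keeps the Pi-hole's own upstream queries out of the loop.
    redirected = is_dns and src != PIHOLE and dst != PIHOLE
    if redirected:
        dst = PIHOLE
    # srcnat runs after dstnat, so dst-address=PIHOLE also matches redirected packets.
    masqueraded = is_dns and src in LAN and dst == PIHOLE
    seen = ROUTER_LAN_IP if masqueraded else src
    return Result(str(dst), str(seen), redirected, masqueraded)


SAMPLE_FLOWS = {  # constructed examples
    "client to hardcoded resolver": Flow("192.168.88.50", "8.8.8.8", "udp", 53),
    "pihole to its upstream": Flow("192.168.88.3", "1.1.1.1", "udp", 53),
    "client DNS-over-TLS (port 853)": Flow("192.168.88.50", "9.9.9.9", "tcp", 853),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name}: {apply_nat(flow)}")
```

The third sample shows that the rules only cover plain port 53: a client speaking DNS over TLS on port 853 is not redirected, so the Pi-hole never sees that query.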

If you need help, send me a tweet (@ErikThiart)

What makes a MikroTik router better than any other router?

It allows you to configure DNS traffic for one.

The router allows you to enjoy many of the features found on high end networking devices like Cisco and Juniper at a remarkably low price.

The custom built Linux operating system of MikroTik, called RouterOS, allows you to do so much more than a consumer grade router like TP-Link, D-Link, Netgear, Asus or Linksys allows you to do (e.g. limit speeds for each device or user, set up usernames and passwords via Hotspot and/or PPPoE, configure a walled garden, set up guest internet access, accept multiple IPs from your ISP and redistribute them to other routers, etc.). Furthermore, even the cheapest MikroTik routers can handle much larger amounts of traffic than most (if not all) consumer grade routers.

They are very reliable; chances are if you have fiber in your home, the box the ISP put there is a MikroTik. Various organizations that I am a part of use both MikroTik routers and radios in some pretty remote, dusty, dirty, cold (or hot) places. No systemic issues.

I would suggest you buy a cheap MikroTik device like the RB931-2nD to try it out. If you can afford it, buy something like the RB2011UiAS-2HnD-IN, the RBD52G-5HacD2HnD-TC or even the RBD53GR-5HacD2HnD&R11e-LTE6 that you can use at your home and then play a bit with it.

Tip: When using a MikroTik it helps to think like a Linux guy doing networking, rather than a networking guy. Also keep in mind that support is nearly non-existent, so buy a few extra units, both for your lab and as spares, and test your configurations first.

What is Pi-Hole?

It is a program you can install on a Raspberry Pi that blocks ads for all devices inside your network.

When your computer wants to find out where a server is, the query is first sent to Pi-hole. If the domain is not an ad-serving domain, it is sent to an upstream (public) DNS server. It passes through your router and out to the Internet.

If the domain is an ad-serving domain, Pi-hole responds to your computer’s request and delivers a blank Webpage. Nothing leaves your network.

Most home routers are a switch and a router in one, so the information touches your router at some point so that it knows where to send it. The main difference is that if the domain is on the blacklist, the request stays in your network, and if it's not on the blacklist, it is sent out to the Internet.

I wrote an in-depth tutorial explaining how to set up Pi-hole on a Raspberry Pi to get rid of all the advertisements (ads) you encounter on the internet. If everything goes according to plan, all devices inside your network (mobile phone, laptop, desktop, ...) will never be bothered by ads again, without additional configuration for each device.

What is SmartDNS?

It allows you to access and unblock geo-restricted sites and services like Netflix, Hulu, ABC, BBC iPlayer, or music streaming services like Pandora and Spotify, without needing to use a VPN. It's somewhat similar to how proxy servers route your internet traffic through a remote server to hide your real IP address and physical location, in essence fooling these websites into thinking you are accessing them from a different country.

I prefer to use SmartDNS Proxy because there is no loss of speed on my internet connection. This method of bypassing restricted websites is much faster than a VPN because only a specific portion of the traffic (DNS) is re-routed (or redirected) through their servers.

I wrote an article about how SmartDNS works and how you can use it to access BBC iPlayer outside of the UK.

To sum it up again: if you use a VPN you will notice an increase in latency and a reduction in download speed. With Smart DNS Proxy there is no loss of speed, because it only needs to re-route the specific information relating to your geographical location, unlike a VPN (Virtual Private Network), which needs to re-route ALL of your internet data in order for you to visit just one site.
