Redirect all port 53 (DNS traffic) to Pi-hole for SmartDNS

Using a MikroTik router you can route all DNS traffic to the Raspberry Pi on which you are running Pi-hole, with SmartDNS as the upstream DNS server.

By adding the firewall rules below we are telling the router to send every DNS query to the Pi-hole. This approach is only useful if you have a MikroTik router, and semi-useful if your router uses ipchains, as the logic is the same and the syntax is not that different. This is especially great for business networks where you don't want guests using their own DNS servers to bypass your content blocking.

Why are we going to redirect DNS traffic to a Local Server and force users to use our specified DNS server?

We want to access geo-blocked content like Netflix and BBC iPlayer on devices such as the PlayStation 4 and 5 and the Google Chromecast, which use their own hardcoded DNS servers to determine their location no matter what you specify via DHCP or manually on the device itself.

Redirect all DNS traffic to PiHole with a MikroTik router

Step 1: Connect to the Mikrotik router using Winbox

Connect to your MikroTik router using Winbox. If you are not familiar with Winbox, it’s a small utility that allows administration of the MikroTik RouterOS using a fast and simple GUI.

Winbox can be downloaded from the MikroTik download page.

To connect to the router, enter the IP or MAC address of the router, specify your username and password (if any) and click the Connect button. You can also enter the port number after the IP address, separated by a colon, like this: 192.168.88.1:9999.

Tip: You can also launch Winbox from the Windows command prompt, for example (with no password):

    winbox.exe 192.168.88.1 admin ""

Step 2: Redirect DNS traffic that is neither to nor from the PiHole, to the PiHole

This code snippet assumes your Raspberry Pi's IP address is 192.168.88.3; change every 192.168.88.3 below to your Pi-hole's address and replace 192.168.88.0/24 with your LAN subnet.

In Winbox open the "Terminal" and paste the following:

    /ip firewall nat
    add chain=dstnat action=dst-nat to-addresses=192.168.88.3 protocol=udp src-address=!192.168.88.3 dst-address=!192.168.88.3 dst-port=53
    add chain=dstnat action=dst-nat to-addresses=192.168.88.3 protocol=tcp src-address=!192.168.88.3 dst-address=!192.168.88.3 dst-port=53

    add chain=srcnat action=masquerade protocol=udp src-address=192.168.88.0/24 dst-address=192.168.88.3 dst-port=53
    add chain=srcnat action=masquerade protocol=tcp src-address=192.168.88.0/24 dst-address=192.168.88.3 dst-port=53

This will force clients on your network to use Pi-hole, even if they have their own hardcoded DNS servers.

The masquerade rules make all redirected DNS traffic appear to the Pi-hole as if it originated from your router. Without them, the Pi-hole would answer the client directly from its own address, while the client is waiting for an answer from the server it actually queried, so the reply is discarded: you would not be able to resolve any domain if the DNS servers on your clients are set to anything other than the Pi-hole's IP address.
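To make the two rule groups concrete, here is an added Python model (not from the article or from RouterOS) of how the dstnat and srcnat rules above treat a DNS packet crossing the router, and why the masquerade step decides whether the client accepts the Pi-hole's answer. The router's LAN address 192.168.88.1 and the client and upstream addresses are constructed assumptions; the Pi-hole address and subnet are the article's.

```python
from dataclasses import dataclass, replace

# Addresses from the article; ROUTER is an assumed LAN address for the MikroTik itself.
PIHOLE = "192.168.88.3"
LAN_PREFIX = "192.168.88."      # stands in for src-address=192.168.88.0/24
ROUTER = "192.168.88.1"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int

def dstnat(p: Packet) -> Packet:
    """chain=dstnat: src-address=!PIHOLE dst-address=!PIHOLE dst-port=53 -> to-addresses=PIHOLE"""
    if p.proto in ("udp", "tcp") and p.dport == 53 and PIHOLE not in (p.src, p.dst):
        return replace(p, dst=PIHOLE)
    return p

def srcnat(p: Packet) -> Packet:
    """chain=srcnat: src-address=192.168.88.0/24 dst-address=PIHOLE dst-port=53 -> masquerade"""
    if p.proto in ("udp", "tcp") and p.dport == 53 and p.src.startswith(LAN_PREFIX) and p.dst == PIHOLE:
        return replace(p, src=ROUTER)
    return p

def forward(p: Packet, masquerade: bool = True) -> Packet:
    """RouterOS applies dstnat before the routing decision and srcnat after it."""
    p = dstnat(p)
    return srcnat(p) if masquerade else p

def reply_source_seen_by_client(query: Packet, masquerade: bool = True) -> str:
    """Source address on the Pi-hole's answer as the querying client receives it."""
    fwd = forward(query, masquerade)
    if fwd.src == ROUTER:
        return query.dst    # router reverses both translations: answer appears to come from the queried server
    return PIHOLE           # Pi-hole answers the client directly, from its own address

def client_accepts(query: Packet, masquerade: bool = True) -> bool:
    """A stub resolver only accepts answers from the address it sent the query to."""
    return reply_source_seen_by_client(query, masquerade) == query.dst

if __name__ == "__main__":
    hardcoded = Packet("192.168.88.50", "8.8.8.8", "udp", 53)    # constructed: console with a hardcoded resolver
    print(forward(hardcoded))                   # dst rewritten to the Pi-hole, src masqueraded as the router
    print(client_accepts(hardcoded, masquerade=False))  # False: answer arrives from 192.168.88.3, not 8.8.8.8
    print(client_accepts(hardcoded))            # True
    upstream = Packet(PIHOLE, "203.0.113.53", "udp", 53)          # constructed: Pi-hole to its SmartDNS upstream
    print(forward(upstream) == upstream)        # True: the !192.168.88.3 matches keep the Pi-hole's own queries out of the loop
```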

If you need help, send me a tweet (@ErikThiart)

What makes a MikroTik router better than any other router?

For one, it lets you control DNS traffic the way shown above.

The router lets you enjoy many of the features found on high-end networking devices from Cisco and Juniper at a remarkably low price.

MikroTik's custom-built Linux operating system, RouterOS, lets you do much more than a consumer-grade router from TP-Link, D-Link, Netgear, Asus or Linksys does (e.g. limit speeds per device or user, set up usernames and passwords via Hotspot and/or PPPoE, configure a walled garden, set up guest internet access, accept multiple IPs from your ISP and redistribute them to other routers, etc.). Furthermore, even the cheapest MikroTik routers can handle much more traffic than most (if not all) consumer-grade routers.

They are very reliable; chances are that if you have fiber in your home, the box the ISP installed is a MikroTik. Various organizations I am a part of use both MikroTik routers and radios in some pretty remote, dusty, dirty, cold (or hot) places. No systemic issues.

I would suggest you buy a cheap MikroTik device like the RB931-2nD to try it out. If you can afford it, buy something like the RB2011UiAS-2HnD-IN, RBD52G-5HacD2HnD-TC or even the RBD53GR-5HacD2HnD&R11e-LTE6 that you can use at home and play with a bit.

Tip: When using a MikroTik it helps to think like a Linux admin doing networking rather than a network engineer. Also keep in mind that support is nearly non-existent, so buy a few extra units, both for your lab and as spares, and test your configurations first.

What is Pi-Hole?

It is a program you can install on a Raspberry Pi that blocks ads for all devices on your network.

When your computer wants to find out where a server is, the query is first sent to Pi-hole. If the domain is not an ad-serving domain, it is sent to an upstream (public) DNS server. It passes through your router and out to the Internet.

If the domain is an ad-serving domain, Pi-hole answers your computer's request itself and delivers a blank web page. Nothing leaves your network.

Most home routers are a switch and a router in one, so the traffic touches your router at some point so it knows where to send it. The difference is that if the domain is on the blacklist, the query stays inside your network, and if it is not on the blacklist, it is sent out to the Internet.

I wrote an in-depth tutorial explaining how to set up Pi-hole on a Raspberry Pi to get rid of all the advertisements (ads) you encounter on the internet. If everything goes according to plan, all devices inside your network (mobile phone, laptop, desktop…) will never be bothered by ads again, without additional configuration on each device.

What is SmartDNS?

It allows you to access and unblock geo-restricted sites and services like Netflix, Hulu, ABC and BBC iPlayer, or music streaming services like Pandora and Spotify, without needing a VPN. It is somewhat similar to how proxy servers route your internet traffic through a remote server to hide your real IP address and physical location, in essence fooling these websites into thinking you are accessing them from a different country.

I prefer to use SmartDNS Proxy because there is no loss of speed on my internet connection. This method of bypassing restricted websites is much faster than a VPN because only a specific portion of the traffic (DNS) is re-routed through their server.

I wrote an article about how SmartDNS works and how you can use it to access BBC iPlayer outside of the UK.

To sum it up again: with a VPN you will notice higher latency and lower download speeds. With Smart DNS Proxy there is no loss of speed, because it only needs to re-route the specific information relating to your geographical location, unlike a VPN (Virtual Private Network), which has to re-route ALL of your internet data in order for you to visit just one site.
