DNS Filtering using MikroTik, Pi-hole, and OpenDNS

DNS filtering is an important part of a well planned firewall. Not only does DNS filtering help protect users from accessing dangerous or unwanted domains, but it can significantly reduce the amount of unwanted traffic on your network. Pi-hole is a free resource that is intended to block ads. OpenDNS is intended to be more of a firewall and is free for home use, but has commercial support available. There are other alternatives as well, such as FlashStart. So here is a quick run-down on how DNS affects the end user:

Step 1: The host devices wants to reach some domain such as http://www.rickfreyconsulting.com. Initially, that device does not actually know how to get there, so its does a DNS look-up by querying whatever DNS server its been set to use.

Step 2: The DNS (Domain Name System) is a server that is responsible for resolving the domain names to usable IP addresses and it responds to the host’s DNS query with the appropriate IP address. In very simplistic terms, DNS servers talk with other DNS servers and keep each other updated. 

Step 3: Now that the host has a usable IP address, it directs it attention directly to that address.

Pros and Cons to standard DNS queries:

The obvious pro, is as long as we are using a good DNS server, we always know how to reach everything on the Internet. The biggest Con is that we now can reach ALL listed domains on the Internet… whether they are good or bad domains; and whether they have been requested by us or background services. Even things such as the ads that accompany so many websites these days all add up to make our web browsing experience more sluggish, less enjoyable, more dangerous, and ultimately,… more expensive.

Here is how you can take advantage of both DNS filtering services at the same time:


One of the nice things about this approach is that the configuration for the client devices can be left as their original values. Since its doesn’t matter if the client devices has static settings or is receiving a DHCP lease, we’ll start with the RouterOS configuration that applies to this configuration. In RouterOS go to IP -> Firewall and select the NAT tab. Create the following rule:

You will also need to go to IP -> Firewall and choose the Address Lists tab. Here you will need add the address(es) of your LAN clients. Be sure NOT to include the Pi-hole server address. 

Installing Pi-hole on a Linux server is incredibly easy and only requires issuing this command from a terminal in Linux:

curl -sSL https://install.pi-hole.net | bash

Once it is set up on your server you will need to direct the Pi-Hole’s DNS request to OpenDNS (this can also be down during the install), which is found under the Settings menu and the DNS tab.

The next step is to configure OpenDNS. Once you have logged in, you will need to go to the Settings tab to add the IP address that the DNS requests will be coming from. It will probably be populated for you, so you just have to click the “Add This Network” button. Alternatively, you can manually add the address.

Next, click on the network you just added to set the security level.

If click on the “Customize” link you can enable content filtering the suits your deployment.

Next, you will want to enable the Stats and Logs by choosing the linking on the Left side of the web page.

Both Pi-Hole and OpenDNS have very nice reporting features that you will want to check out. Here some screen shots of both:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

8 thoughts on “DNS Filtering using MikroTik, Pi-hole, and OpenDNS

      • tom

        Thanks for the fast repy! Any pros or cons to either approach? I just got this up and going and it looks like I only see the router the #1 client. Would that change via the NAT approach or only if I set the DNS on each client? Thanks for this article!

        • rickfrey1000 Post author

          Its really just a matter of choice. The nice thing about the design I showed here is all of knobs and flexibility. However, some of the functionality is mirrored in all three pieces and the complexity when troubleshooting does go up. Using the transparent NAT rules if the easiest approach, but you could also manually set each client. Thanks and I glad you enjoyed it!

  • Skipper

    Thank you for the tutorial.
    I had to add port 53 to the forwarding action (action tab -> To Ports) in order to get it work. Like they recommend in the Mikrotik Forum https://wiki.mikrotik.com/wiki/Force_users_to_use_specified_DNS_server

    Also added my router server as DNS server for local domain names. Using AdGuard, but i guess PiHole works similar.
    All requests for *.home.arpa are send to instead of the standard DNS server (dns10.quad9.net/dns-query).

    Also adding in the PiHole/Adguard IP in the DHCP Server (IP-> DHCP Server-> Networks -> -> DNS Server) made chrome work.

  • nilleftw

    Thanks for the instruction! For some reason the destination NAT caused some big issues for me. The packets seems to have been forwarded just fine because both Pi-Hole and OpenDNS got the DNS requests, but nothing actually returned to the client I couldn’t browse the Internet.

    Had to go with the easy way and config the Pi-Hole as the DNS server in the DHCP server, in the MikroTik router.