DNS Filtering using MikroTik, Pi-hole, and OpenDNS

DNS filtering is an important part of a well planned firewall. Not only does it keep users away from dangerous or unwanted domains, it can also significantly reduce the amount of unwanted traffic on your network. Pi-hole is a free, self-hosted DNS sinkhole intended to block ads (and the tracking domains that come with them) using blocklists. OpenDNS is a hosted resolver intended to be more of a firewall; it is free for home use and has commercially supported tiers. There are other alternatives as well, such as FlashStart. So here is a quick run-down on how DNS affects the end user:

Step 1: A host wants to reach some domain such as http://www.rickfreyconsulting.com. Initially, that host does not actually know how to get there, so it does a DNS look-up by sending a query to whatever DNS server it has been configured to use (statically or via DHCP).

Step 2: A DNS (Domain Name System) server is responsible for resolving the domain name to a usable IP address, and it responds to the host's query with that address. In very simplistic terms, the resolver the host asked either answers from its cache or asks the chain of authoritative servers (root, top-level domain, and finally the domain's own name servers) until it has the answer.

Step 3: Now that the host has a usable IP address, it connects directly to that address.
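The three steps above, as an added worked example (this is illustrative code written for this page, not code from the original post). It builds the plaintext query a client sends in Step 1 for www.rickfreyconsulting.com and parses the kinds of answer a resolver returns in Step 2: a real address, Pi-hole's 0.0.0.0 "null" answer for a blocked name, or NXDOMAIN. All packets are constructed in memory rather than sent anywhere; the transaction ID 0x1234 and the address 192.0.2.10 are made-up values.

```python
"""Added example (not code from the original post): what a Step 1 DNS query
and a Step 2 answer look like on the wire. Every packet here is constructed
in memory; nothing is sent to the network."""
import struct


def encode_name(name):
    """'www.example.com' -> 3 'www' 7 'example' 3 'com' 0 (RFC 1035 length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """Step 1: the plaintext query a client sends to UDP/TCP port 53.
    txid is an assumed value here; real clients pick it randomly."""
    # Header: ID, flags (only RD=1: 'please recurse'), QDCOUNT=1, AN/NS/AR=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # Question: QNAME, QTYPE=A (1), QCLASS=IN (1)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(packet, offset):
    """Read a name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if (length & 0xC0) == 0xC0:            # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(packet, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(packet):
    """Step 2: pull the transaction id, rcode, question and A records out of an answer."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    qname = None
    for _ in range(qdcount):
        qname, offset = decode_name(packet, offset)
        offset += 4                              # skip QTYPE, QCLASS
    answers = []
    for _ in range(ancount):
        _, offset = decode_name(packet, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:            # A record
            answers.append(".".join(str(b) for b in rdata))
    return {"id": txid, "rcode": flags & 0x0F, "qname": qname, "answers": answers}


def classify(result):
    """What the client does in Step 3 with a given answer."""
    if result["rcode"] == 3:
        return "nxdomain"                        # resolver says the name does not exist
    if result["answers"] and all(a == "0.0.0.0" for a in result["answers"]):
        return "blocked"                         # Pi-hole's default 'null' block answer
    if result["answers"]:
        return "resolved"                        # client connects to the first address
    return "empty"


def build_response(query, ip=None, rcode=0):
    """Constructed answer, as a resolver would send it back for `query`.
    ip=None with rcode=3 gives NXDOMAIN; ip='0.0.0.0' mimics a Pi-hole block."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]                        # echo the question section back
    flags = 0x8180 | rcode                       # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if ip else 0, 0, 0)
    answer = b""
    if ip:
        # name = pointer to the QNAME at offset 12, type A, class IN, TTL 300, 4 bytes of rdata
        answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


if __name__ == "__main__":
    q = build_query("www.rickfreyconsulting.com")
    for label, resp in (("Pi-hole block", build_response(q, "0.0.0.0")),
                        ("normal answer", build_response(q, "192.0.2.10")),
                        ("NXDOMAIN", build_response(q, None, rcode=3))):
        r = parse_response(resp)
        print(label, r["qname"], r["answers"], classify(r))
```

The point for filtering is visible in the bytes: the name being looked up sits in the clear in a UDP (or TCP) packet to port 53, which is exactly what lets a router redirect the query and lets the Pi-hole decide on it. A client that uses DNS over HTTPS or DNS over TLS instead sends the same question inside an encrypted session on port 443 or 853, and neither a port-53 redirect nor the Pi-hole will see it.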

Pros and cons of standard DNS queries:

The obvious pro is that, as long as we are using a good DNS server, we always know how to reach everything on the Internet. The biggest con is that we can now reach ALL listed domains on the Internet, whether they are good or bad, and whether the look-up was requested by us or by some background service. Even the ads that accompany so many websites these days add up to make our web browsing experience more sluggish, less enjoyable, more dangerous and, ultimately, more expensive.

Here is how you can take advantage of both DNS filtering services at the same time: the MikroTik router redirects every DNS query from the LAN to the Pi-hole, the Pi-hole answers blocked names itself from its blocklists, and everything else is forwarded upstream to OpenDNS, which applies its own security and content filtering.

One of the nice things about this approach is that the client devices can be left with their original DNS settings. It does not matter whether a client has static settings or receives a DHCP lease, because the router intercepts the DNS traffic either way, so we'll start with the RouterOS configuration. In RouterOS go to IP -> Firewall and select the NAT tab. Create the following rule (a dst-nat rule that redirects DNS traffic, UDP and TCP port 53, from the LAN address list to the Pi-hole's address):

You will also need to go to IP -> Firewall and choose the Address Lists tab. Here you will need to add the address(es) of your LAN clients. Be sure NOT to include the Pi-hole server address: if the Pi-hole's own upstream queries were redirected back to it, they would loop and nothing would resolve.
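The NAT rule and the address list from the two steps above, written out as RouterOS CLI commands. This is an added example, not the original post's screenshot: the Pi-hole address 192.168.88.10, the LAN 192.168.88.0/24 and the list name dns-clients are assumed values to replace with your own.

```routeros
# Added example with assumed values: Pi-hole = 192.168.88.10, LAN = 192.168.88.0/24,
# address list = "dns-clients". Adjust to your network.

# Address list of the clients whose DNS is forced to the Pi-hole.
# Two ranges are used so that the Pi-hole's own address (.10) is left out;
# redirecting its upstream queries back to itself would create a loop.
/ip firewall address-list
add list=dns-clients address=192.168.88.2-192.168.88.9 comment="LAN clients (below Pi-hole)"
add list=dns-clients address=192.168.88.11-192.168.88.254 comment="LAN clients (above Pi-hole)"

# The redirect rule from the NAT tab: any DNS query from a listed client, whatever
# resolver it was addressed to, is rewritten to go to the Pi-hole. Plain DNS uses
# UDP and (for large answers and zone transfers) TCP, so both get a rule.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=udp dst-port=53 src-address-list=dns-clients to-addresses=192.168.88.10 to-ports=53 comment="Redirect client DNS (UDP) to Pi-hole"
add chain=dstnat action=dst-nat protocol=tcp dst-port=53 src-address-list=dns-clients to-addresses=192.168.88.10 to-ports=53 comment="Redirect client DNS (TCP) to Pi-hole"

# Optional hairpin rules, needed only when the clients and the Pi-hole sit on the
# same subnet: the Pi-hole's reply must come back through the router so the
# dst-nat can be undone, otherwise the client discards an answer that arrives
# from 192.168.88.10 instead of the resolver it asked. The cost is that the
# Pi-hole then logs every redirected query as coming from the router.
add chain=srcnat action=masquerade protocol=udp dst-port=53 dst-address=192.168.88.10 src-address-list=dns-clients comment="Hairpin for redirected DNS (UDP)"
add chain=srcnat action=masquerade protocol=tcp dst-port=53 dst-address=192.168.88.10 src-address-list=dns-clients comment="Hairpin for redirected DNS (TCP)"
```

To check that the redirect is working, run a look-up from a client against a public resolver (for example nslookup example.com 8.8.8.8) and watch the counters with /ip firewall nat print stats: the client still gets an answer, the dst-nat counters go up, and the query shows up in the Pi-hole's query log. Keep the limit of this approach in mind: it catches only plain DNS on port 53. A client or browser configured for DNS over HTTPS or DNS over TLS tunnels its queries over port 443 or 853 and walks straight past both the router rule and the Pi-hole.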

Installing Pi-hole on a Linux server is incredibly easy and only requires issuing this command from a terminal in Linux (as with any pipe-to-shell installer, it is worth saving the script to a file and reading it before you run it):

curl -sSL https://install.pi-hole.net | bash

Once it is set up on your server you will need to point the Pi-hole's upstream DNS requests at OpenDNS (this can also be done during the install), which is found under the Settings menu and the DNS tab. The OpenDNS resolvers are 208.67.222.222 and 208.67.220.220.

The next step is to configure OpenDNS. Once you have logged in, you will need to go to the Settings tab to add the IP address that the DNS requests will be coming from. OpenDNS identifies your network by the public IP address your queries arrive from (the router's WAN address, not the Pi-hole's LAN address), so it will probably be populated for you and you just have to click the “Add This Network” button. Alternatively, you can manually add the address. If your ISP assigns a dynamic address, you will also want to run an updater client so the network entry follows the address when it changes.

Next, click on the network you just added to set the security level.

If you click on the “Customize” link you can enable the content filtering categories that suit your deployment.

Next, you will want to enable Stats and Logs by choosing the link on the left side of the web page.

Both Pi-hole and OpenDNS have very nice reporting features that you will want to check out. Here are some screenshots of both:
