
How to redirect dns from UniFi Security Gateway to Pi-hole

Introduction

With this redirect I make sure that all my devices use my own DNS settings. In this case all DNS traffic is going to my Pi-hole, but that could also be AdGuard Home, for example.

Requirements

You need a UniFi Security Gateway (USG) so you can use the config.gateway.json settings.

How To

Find the right interface

  1. Log in to the USG over an SSH connection
  2. Look up the interface

    Run the following command:

    # Open your terminal application
    sudo ifconfig -a

    Check whether eth1 is the interface that carries your gateway IP (for example 192.168.1.1). Make a note of which interface is used.

Create config.gateway.json

  1. Log in to the UniFi Controller
  2. Obtain the id of the site

    In the address bar, the id appears after /manage/site. In my case the id of the site is default.

  3. Modify config.gateway.json

    Log in to the machine where the UniFi Controller is running, for example the host on which the container runs. If you are using the container, the sites folder is located in unifi/data. Save the following code to unifi/data/sites/default/config.gateway.json, replacing default with the id of your site:

    unifi/data/sites/default/config.gateway.json
    # To create this file use your text editor application, for example Nano
    {
      "service": {
        "nat": {
          "rule": {
            "1": {
              "description": "Redirect DNS queries to pihole",
              "destination": {
                "port": "53",
                "address": "!192.168.x.xx"
              },
              "inbound-interface": "eth1",
              "inside-address": {
                "address": "192.168.x.xx",
                "port": "53"
              },
              "source": {
                "address": "!192.168.x.xx"
              },
              "log": "disable",
              "protocol": "tcp_udp",
              "type": "destination"
            },
            "6000": {
              "description": "Translate reply back",
              "destination": {
                "address": "192.168.x.xx",
                "port": "53"
              },
              "log": "disable",
              "outbound-interface": "eth1",
              "protocol": "tcp_udp",
              "type": "masquerade"
            }
          }
        }
      }
    }
    # IMPORTANT: Please read the instructions below
    Instructions:
    • Required: remove all comment lines starting with #
    • Required: replace 192.168.x.xx with the IP address of the Pi-hole
    • Required: replace eth1 with the interface you noted earlier
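    As an added check, not part of the original note, this Python script rebuilds the two NAT rules above from a Pi-hole address and interface name and lints a config.gateway.json for the three required edits and for the exclusions that keep the Pi-hole's own upstream lookups out of the redirect. The function names are my own.

```python
import json

PLACEHOLDER = "192.168.x.xx"  # the placeholder used in the template above


def build_config(pihole_ip, iface):
    """Build the two NAT rules from the template, with the placeholders filled in."""
    dnat = {"description": "Redirect DNS queries to pihole",
            "destination": {"port": "53", "address": "!" + pihole_ip},
            "inbound-interface": iface,
            "inside-address": {"address": pihole_ip, "port": "53"},
            "source": {"address": "!" + pihole_ip},  # the Pi-hole's own lookups are never redirected
            "log": "disable", "protocol": "tcp_udp", "type": "destination"}
    masq = {"description": "Translate reply back",
            "destination": {"address": pihole_ip, "port": "53"},
            "log": "disable", "outbound-interface": iface,
            "protocol": "tcp_udp", "type": "masquerade"}
    return {"service": {"nat": {"rule": {"1": dnat, "6000": masq}}}}


def lint_config(config):
    """Return the problems found in a config.gateway.json (text or parsed dict); [] means it passes."""
    text = json.dumps(config, indent=2) if isinstance(config, dict) else config
    problems = []
    # '#' comment lines are not JSON, so the USG would refuse to provision the file.
    kept = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    if len(kept) != len(text.splitlines()):
        problems.append("remove the comment lines starting with '#'")
    body = "\n".join(kept)
    if PLACEHOLDER in body:
        problems.append("replace every %s with the Pi-hole address" % PLACEHOLDER)
    try:
        cfg = json.loads(body)
    except ValueError as exc:
        return problems + ["not valid JSON: %s" % exc]
    rules = cfg.get("service", {}).get("nat", {}).get("rule", {})
    dnat, masq = rules.get("1", {}), rules.get("6000", {})
    pihole = dnat.get("inside-address", {}).get("address")
    if dnat.get("type") != "destination" or dnat.get("protocol") != "tcp_udp":
        problems.append("rule 1 must be a tcp_udp destination NAT")
    if dnat.get("destination", {}).get("port") != "53" or dnat.get("inside-address", {}).get("port") != "53":
        problems.append("rule 1 must match port 53 and translate to port 53")
    # Excluding the Pi-hole's own address keeps its upstream lookups, and traffic already bound for it, out of the redirect.
    for key in ("source", "destination"):
        if dnat.get(key, {}).get("address") != "!%s" % pihole:
            problems.append("rule 1 %s address must be !%s" % (key, pihole))
    if masq.get("type") != "masquerade" or masq.get("destination", {}).get("address") != pihole:
        problems.append("rule 6000 must masquerade traffic going to %s" % pihole)
    if masq.get("outbound-interface") != dnat.get("inbound-interface"):
        problems.append("rule 6000 outbound-interface must equal rule 1 inbound-interface")
    return problems
```

    Run lint_config on the text of your edited file before triggering provision; an empty list means the file is valid JSON with the placeholders replaced and both rules consistent.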

Apply the settings and check the results

  1. Test on Windows or go to the next step

    Go to the Command Prompt and run the following commands:

    # Open your terminal application
    nslookup
    server 8.8.8.8
    fictionbecomesfact.com

    This query will not appear in the Pi-hole logs, because it went straight to 8.8.8.8.

  2. Apply the config.gateway.json settings

    Open the UniFi Controller and go to Devices. Click on the USG, then Settings (gear icon). Go to Trigger Provision and click on Trigger Provision.

  3. Repeat the test

    Go to the Command Prompt and run the following commands:

    # Open your terminal application
    nslookup
    server 8.8.8.8
    fictionbecomesfact.com

    This query will now appear in the Pi-hole logs: the USG redirected it to the Pi-hole even though 8.8.8.8 was requested.


    Copyright 2021- Fiction Becomes Fact