Unifi Security Gateway - Setup mandatory DNS redirect to Pi-hole


With this redirect I make sure that all my devices use my own DNS server, whatever DNS server they have configured themselves: the USG rewrites every DNS query to port 53 that leaves the LAN so that it ends up at my Pi-hole. That could also be AdGuard Home, for example. Note that only plain DNS on port 53 is caught; a device that uses DNS over HTTPS (port 443) or DNS over TLS (port 853) bypasses this redirect.

I'm using the UniFi Controller Docker container, but I think it works the same with the Cloud Key.

Dependencies

You need a UniFi Security Gateway, because config.gateway.json is the file through which the controller applies custom EdgeOS configuration to the USG. Its contents are merged into the gateway configuration on every provision, so the redirect survives later changes made in the controller.

Find the right interface

  1. Log in to the USG over SSH, for example with PuTTY.
  2. Run the following on the CLI:
    sudo ifconfig -a
    
  3. Find the interface that carries your gateway (LAN) IP, for example 192.168.1.1. On a USG-3P the LAN is usually eth1 and eth0 is the WAN. Note the interface name; it goes into the inbound-interface and outbound-interface fields of the NAT rules below. VLAN networks show up as sub-interfaces such as eth1.10.

Create config.gateway.json

  1. Log in over SSH to the Docker host that runs the UniFi Controller container.
  2. The path ~/unifi/unifi/data/sites/default/ must exist. default is the id of the site. The id can be obtained by browsing to the UniFi Controller. The default address is:
    https://<IP DOCKER SERVER>:8443/
    

    (port 8080 is the device inform port; a browser request to it is redirected to 8443). In the address bar the id appears after /manage/site/. For the default site this is default; additional sites get a random id.

    If the site folder does not exist yet, open the UniFi Controller and upload any picture as a topology map. That makes the controller create the folder structure; afterwards the topology map can be deleted again in the controller.

  3. Go to ~/unifi/unifi/data/sites/default/ and run:
    sudo nano config.gateway.json
    
  4. Put the code below in it:
     {
       "service": {
         "nat": {
           "rule": {
             "1": {
               "description": "Redirect DNS queries to pihole",
               "destination": {
                 "port": "53",
                 "address": "!192.168.x.xx"
               },
               "inbound-interface": "eth1",
               "inside-address": {
                 "address": "192.168.x.xx",
                 "port": "53"
               },
               "source": {
                 "address": "!192.168.x.xx"
               },
               "log": "disable",
               "protocol": "tcp_udp",
               "type": "destination"
             },
             "6000": {
               "description": "Translate reply back",
               "destination": {
                 "address": "192.168.x.xx",
                 "port": "53"
               },
               "log": "disable",
               "outbound-interface": "eth1",
               "protocol": "tcp_udp",
               "type": "masquerade"
             }
           }
         }
       }
     }
    

Adjust the following:

192.168.x.xx
Replace every occurrence with the IP address of the host that runs Pi-hole (in my case the Docker host running the Pi-hole container).

eth1
Replace with the interface you noted earlier. If you have more LAN networks (VLANs on eth1.10, eth1.20 and so on), copy rule 1 once per network with that sub-interface as inbound-interface and give each copy its own number.

What the two rules do: rule 1 is a destination NAT that takes any TCP or UDP packet to port 53 arriving on the LAN interface, unless it is already addressed to the Pi-hole or comes from the Pi-hole itself, and sends it to the Pi-hole instead. The source exclusion matters: without it the Pi-hole's own upstream queries would be redirected back to the Pi-hole. Rule 6000 is a masquerade for the redirected traffic that leaves the USG towards the Pi-hole on the same LAN interface; without it the Pi-hole would answer the client directly, and the client would discard a reply that does not come from the server it asked. Keep the numbering: EdgeOS uses 1-4999 for destination NAT rules and 5000-9999 for source NAT and masquerade rules.

Exit Nano (CTRL-X, then Y to save). Before provisioning, check that the file is valid JSON, for example with python3 -m json.tool config.gateway.json; a malformed config.gateway.json sends the USG into a provisioning loop.
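As an added example (not part of the original note, and not Ubiquiti's or Pi-hole's code), the script below generates the two rules above for a given Pi-hole address and LAN interface, extends them to several LAN interfaces (one destination NAT rule per VLAN sub-interface, which the JSON above does not cover), and checks a finished config.gateway.json for the mistakes that bite most often: invalid JSON, a leftover 192.168.x.xx placeholder and rule numbers in the wrong EdgeOS range. The Pi-hole address 192.168.1.10 and the sub-interface eth1.20 used in the default run are constructed values.

```python
"""Build and sanity-check the config.gateway.json DNS redirect described above.

Added example, not from the original note. The Pi-hole address 192.168.1.10
and the VLAN sub-interface eth1.20 in the default run are assumptions.
"""
import ipaddress
import json
import sys

# EdgeOS numbers destination-NAT rules 1-4999 and source-NAT/masquerade rules 5000-9999.
DNAT_MAX = 4999
MASQ_RULE = 6000


def dns_redirect_rules(pihole_ip, interfaces, first_rule=1):
    """Return the config.gateway.json tree: one DNAT rule per LAN interface
    plus one masquerade rule.

    interfaces[0] must be the interface the Pi-hole host is attached to. Only
    that interface needs the masquerade rule: on its own subnet the Pi-hole
    would otherwise answer the client directly, and the client discards a
    reply that does not come from the server it asked. Clients on other
    VLANs are routed through the USG anyway.
    """
    pihole_ip = str(ipaddress.ip_address(pihole_ip))  # rejects the 192.168.x.xx placeholder
    if not interfaces:
        raise ValueError("need at least one LAN interface")
    rules = {}
    for offset, iface in enumerate(interfaces):
        num = first_rule + offset
        if not 1 <= num <= DNAT_MAX:
            raise ValueError("rule %d is outside the destination-NAT range 1-%d" % (num, DNAT_MAX))
        rules[str(num)] = {
            "description": "Redirect DNS queries on %s to pihole" % iface,
            "destination": {"port": "53", "address": "!" + pihole_ip},
            "inbound-interface": iface,
            "inside-address": {"address": pihole_ip, "port": "53"},
            # the Pi-hole's own upstream queries must not be looped back to it
            "source": {"address": "!" + pihole_ip},
            "log": "disable",
            "protocol": "tcp_udp",
            "type": "destination",
        }
    rules[str(MASQ_RULE)] = {
        "description": "Translate reply back",
        "destination": {"address": pihole_ip, "port": "53"},
        "log": "disable",
        "outbound-interface": interfaces[0],
        "protocol": "tcp_udp",
        "type": "masquerade",
    }
    return {"service": {"nat": {"rule": rules}}}


def render(config):
    """Serialise the tree the way it is written to config.gateway.json."""
    return json.dumps(config, indent=2) + "\n"


def check_config(text):
    """Return a list of problems in a config.gateway.json text; [] means it looks sane.

    Worth running before Trigger Provision: a file that does not parse puts
    the USG into a provisioning loop, and a forgotten 192.168.x.xx placeholder
    is caught here before it reaches the gateway.
    """
    try:
        config = json.loads(text)
    except ValueError as exc:
        return ["not valid JSON: %s" % exc]
    problems = []
    rules = config.get("service", {}).get("nat", {}).get("rule", {})
    if not rules:
        problems.append("no service.nat.rule entries found")
    for num, rule in rules.items():
        n = int(num)
        kind = rule.get("type")
        if kind == "destination" and not 1 <= n <= DNAT_MAX:
            problems.append("rule %s: destination NAT must be numbered 1-%d" % (num, DNAT_MAX))
        if kind == "masquerade" and n <= DNAT_MAX:
            problems.append("rule %s: masquerade must be numbered above %d" % (num, DNAT_MAX))
        # host addresses only, as used in this note (EdgeOS also accepts networks, not checked here)
        for key in ("destination", "source", "inside-address"):
            addr = rule.get(key, {}).get("address")
            if addr is None:
                continue
            try:
                ipaddress.ip_address(addr.lstrip("!"))
            except ValueError:
                problems.append("rule %s: %s address %r is not an IP address (placeholder left in?)" % (num, key, addr))
        for key in ("inbound-interface", "outbound-interface"):
            # heuristic: USG ports are eth0/eth1/eth2 and VLAN sub-interfaces eth1.<vlan>
            if key in rule and not rule[key].startswith("eth"):
                problems.append("rule %s: %s %r does not look like a USG interface" % (num, key, rule[key]))
    return problems


if __name__ == "__main__":
    # usage: python3 gen_dns_redirect.py <pihole-ip> <pihole-lan-interface> [more-lan-interfaces...]
    pihole, *lan = sys.argv[1:] or ["192.168.1.10", "eth1", "eth1.20"]  # constructed defaults
    text = render(dns_redirect_rules(pihole, lan))
    problems = check_config(text)
    if problems:
        sys.exit("\n".join(problems))
    sys.stdout.write(text)
```

Redirect the output into config.gateway.json in the site folder, or run check_config over a hand-written file before you trigger the provision.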

Testing (Windows)

  1. Test on Windows before applying the change, so you can see the difference:
    • Open the Command Prompt and run:
      nslookup
      server 8.8.8.8
      tesla.com
      

      The query goes straight to 8.8.8.8 and will not show up in the Pi-hole query log.

  2. Apply the settings:
    • Old UI (Unifi Controller < 6):
      • Open the UniFi Controller and go to Devices. Click on the USG, then Configuration (gear icon). Expand Manage Device and click on the Provision button (under Force provision)
    • New UI:
      • Open the UniFi Controller and go to Devices. Click on the USG, then Settings (gear icon). Go to Trigger Provision and click on Trigger Provision
  3. Test on Windows again:
    • Open the Command Prompt and run:
      nslookup
      server 8.8.8.8
      tesla.com
      

      The query will now show up in the Pi-hole query log, with the USG's LAN address as the client because of the masquerade rule. nslookup still reports 8.8.8.8 as the server, because the redirect is transparent to the client; the Pi-hole log is the proof. Keep in mind that the rule only covers IPv4: a client with an IPv6 DNS server configured can still reach it directly, and DNS over HTTPS or TLS is not touched either.

