Port Forwarding for DNS Port 53 TCP/UDP Not Working
I have a pi-hole DNS server behind my Eero network. I'd like to open port 53 on the WAN IP of the Gateway Eero so DNS lookups can pass through to the internal pi-hole server or, by hairpin, internal clients can perform DNS lookups using the WAN IP of the Eero.
I have set up Port forwarding for the pi-hole's static internal IP and opened port 53 for both TCP and UDP. DNS lookups are not working with this setup.
I can successfully run DNS queries directly against the pi-hole DNS server locally by using its internal LAN IP but I can't run a DNS query against the WAN IP of the Eero (which should work by Hairpin if you are behind the eero with a lan IP). Requests performed using the WAN IP of the Eero as a client on the same subnet as the Eero WAN IP do not work either.
Note that I have tested opening up http port 80 using port forwarding on this same pi-hole server and it works fine both with the local lan IP, using the Eero's WAN IP via hairpin and also using a client on the same subnet as the WAN IP of the eero. This tells me my setup is sound.
Any ideas why this is not working?
I'm not sure what you're trying to accomplish with doing a port forward for this. Just set the custom DNS settings on your eero network to the IP address of your pi-hole server, and then all your client devices will get that IP address to use for their DNS setting.
Are you trying to allow for external clients (outside of your network) to use your pi-hole server?
No, I'm not trying to do that although I understand why it appears that way from my post.
I do use custom DNS servers currently. The problem is that Eero doesn't allow you to have a different set of custom DNS servers for the guest network. As a result, in my experience with Eero, if your custom DNS servers are inside/behind your eero network then guest clients can't perform DNS lookups as they are blocked from accessing local IPs by design. Most of my IoT devices are on the guest network so this creates a big problem.
...so currently I have my pi-hole servers located outside the eero network but behind another edge router. I'd like to bring those pi-hole servers behind the eeros becuase as it stands all the DNS requests logged on the pi-hole servers appear to come from a single IP - the WAN IP of the eero. This is fine but makes it hard to troubleshoot on the pi-hole and I also can't see pretty metrics on client lookups ;).
I was hoping that a port forward with the automatic hairpin rule in the eeros would solve this without needing for more advanced config.
Any other ideas are welcome - I'm really unsure why I can expose port 80 but port 53 doesn't work.
cMoo92 I agree that might be the case. At the same time if port 53 is somehow "reserved" you would think the Eero UI would alert you to this fact when you tried to set up the port forward.
I don't have a ton of IoT devices and I suppose I could just put them on the non-guest network but it's not ideal.
In the meantime if someone has other ideas just let me know.