
Install on ASUS stock firmware

Jack'lul edited this page Oct 31, 2025 · 24 revisions

This guide configures the firmware’s DNS resolver to forward queries to Pi-hole.
This method uses scripts from the jacklul/asuswrt-scripts repository.

  1. Install the main script by following the instructions in the jacklul/asuswrt-scripts repository.
    Read the warning carefully and apply the mentioned workaround when needed.

  2. Install required scripts (entware, custom-configs, service-event, hotplug-event):

```sh
/jffs/scripts/jas.sh install entware custom-configs service-event hotplug-event
```

  3. Plug your USB storage into your router if you haven't already.

  4. Install Entware:

```sh
/jffs/scripts/jas.sh entware install
# If your storage is not detected, you will have to provide it as an argument:
/jffs/scripts/jas.sh entware install /tmp/mnt/sda1
# replace /tmp/mnt/sda1 with the actual path to your mounted storage
```

  5. Add pihole user in USB Application -> Servers Center -> Samba.

  6. Install the Pi-hole package by following the instructions on the main wiki page.
    During the installation, a random password will be generated for the web interface; you can change it later with the pihole setpassword command.

  7. Create /jffs/scripts/dnsmasq.postconf:

```sh
#!/bin/sh

[ -z "$1" ] && exit 1

# Make sure Pi-hole binary exists and the server is running on the expected port
if [ -f /opt/bin/pihole-FTL ] && netstat -tulnp | grep -Fq "127.0.0.1:5053"; then
    # Ignore WAN DNS settings
    sed '/^resolv-file=/ s/^/#/' -i "$1"
    sed '/^servers-file=/ s/^/#/' -i "$1"
    sed '/^server=/ s/^/#/' -i "$1"

    # Forward queries to Pi-hole
    sed "/^user=/a server=127.0.0.1#5053" -i "$1"

    # Add IP and MAC address information to forwarded queries
    /opt/bin/pihole-FTL --config misc.dnsmasq_lines | grep -Fq "strip-subnet" && sed "/^server=/a add-subnet=32,128" -i "$1"
    /opt/bin/pihole-FTL --config misc.dnsmasq_lines | grep -Fq "strip-mac" && sed "/^server=/a add-mac=text" -i "$1"

    # Let Pi-hole handle caching
    sed '/^cache-size/ s/^/#/' -i "$1"
    sed "/^user=/a cache-size=0" -i "$1"

    # Let Pi-hole handle DNSSEC
    if grep -q "^dnssec" "$1"; then
        sed '/^dnssec/ s/^/#/' -i "$1"
        sed '/^trust-anchor/ s/^/#/' -i "$1"
        sed '/^proxy-dnssec/ s/^/#/' -i "$1"
    fi

    # Pi-hole won't work with this option
    if grep -q "^stop-dns-rebind" "$1"; then
        sed '/^stop-dns-rebind/ s/^/#/' -i "$1"
    fi

    # Any DNS entry including LAN domain name will not be forwarded to Pi-hole when
    # 'Forward local domain queries' is disabled in the router settings.
    # Parse Pi-hole config and put those domains into Dnsmasq config directly instead...
    if grep -q "^local=" "$1"; then
        local_domain="$(grep '^domain=' "$1" | cut -d'=' -f2)"

        if [ -n "$local_domain" ]; then
            cat << EOF >> "$1"

# Pi-hole Local DNS ('$local_domain' domain only)
EOF

            /opt/bin/pihole-FTL --config dns.hosts | tr -d '[]' | tr ',' '\n' | \
                sed -E 's/ *([0-9.]+) ([a-z0-9.-]+)/host-record=\2,\1/' | \
                    grep -F ".$local_domain," >> "$1"
        fi
    fi

    # Warn if DNS loop configuration is detected
    if ! grep -q "^local=" "$1" && /opt/bin/pihole-FTL --config dns.revServers | grep -Fq "127.0.0.1#53"; then
        logger -t "$(basename "$0")" "Warning: DNS loop configuration detected - 'Forward local domain queries' is enabled in the router settings while Pi-hole uses the router for reverse lookups!"
    fi

    # Make sure system uses Pi-hole for DNS requests
    # This is optional, you can skip it if you don't want
    # software installed on the router to query Pi-hole
    resolvconf="$(readlink -f /etc/resolv.conf)"
    if ! head -n 1 "$resolvconf" | grep -q "^nameserver 127.0.0.1"; then
        sed '/127.0.0.1/d' -i "$resolvconf"
        sed '1i nameserver 127.0.0.1' -i "$resolvconf"
    fi
fi
```
  8. Make it executable - chmod +x /jffs/scripts/dnsmasq.postconf

  9. Create /opt/etc/init.d/S99restart-dnsmasq:

```sh
#!/bin/sh
# Restart firmware dnsmasq so that the changes from dnsmasq.postconf can apply

case "$1" in
    start)
        {
            sleep 15
            service restart_dnsmasq
        } > /dev/null 2>&1 &
    ;;
    restart)
        service restart_dnsmasq
    ;;
esac
```

  10. Make it executable - chmod +x /opt/etc/init.d/S99restart-dnsmasq

  11. Edit /opt/etc/pihole/pihole.toml and set the options shown below.
    Change 192.168.1.0/24 to match your LAN network and lan to match your LAN domain name.
    If the device you're installing on is not your DHCP server, then you will also need to replace 127.0.0.1#53 with your DHCP server IP.

```toml
[dns]
  upstreams = [
    "1.1.1.1",  # As an example we are using Cloudflare DNS servers here
    "1.0.0.1"   # This can also be set in the web interface -> Settings -> DNS
  ]
  port = 5053
  interface = "lo"
  listeningMode = "BIND"
  revServers = [
    "true,192.168.1.0/24,127.0.0.1#53,lan"
  ]

# Disable NTP feature as it may conflict with firmware's NTP server and sync
[ntp]
  [ntp.ipv4]
    active = false
  [ntp.ipv6]
    active = false
  [ntp.sync]
    active = false

[webserver]
  port = "5080,5443s"

[misc]
  dnsmasq_lines = [
    "strip-subnet",
    "strip-mac"
  ]
```
  12. In your router's web GUI, go to the LAN -> DHCP Server section and make sure no custom DNS server is set.
    On the WAN -> Internet Connection page, make sure external DNS servers are set (or the option to obtain them from your ISP is enabled), and disable Forward local domain queries to upstream DNS to avoid a potential DNS loop when dns.revServers is set.

  13. Start everything up:

```sh
/jffs/scripts/jas.sh start
/opt/etc/init.d/S65pihole-FTL start
/opt/etc/init.d/S99restart-dnsmasq start
```

  14. Access Pi-hole's web interface at asusrouter.com:5080 or asusrouter.com:5443 and proceed to configuration.
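
To confirm the procedure took effect, the function below audits a dnsmasq config for the state dnsmasq.postconf should leave behind, so that a stray upstream that would bypass Pi-hole is noticed. It is an added example, not part of this guide's scripts or of jacklul/asuswrt-scripts; the name audit_dnsmasq_conf and the sample config are constructed, and the generated config path on the router is assumed to be /etc/dnsmasq.conf.

```shell
#!/bin/sh
# Added example, not part of jacklul/asuswrt-scripts.
# Usage on the router (path is an assumption): audit_dnsmasq_conf /etc/dnsmasq.conf

audit_dnsmasq_conf() {
    conf="$1"
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }

    # The only active upstream must be Pi-hole; any other server= line
    # lets queries bypass filtering.
    upstreams="$(grep '^server=' "$conf" | tr '\n' ' ')"
    [ "$upstreams" = "server=127.0.0.1#5053 " ] ||
        fail "active upstreams: '${upstreams:-none}'"

    # WAN-provided resolver lists must be commented out
    for opt in resolv-file servers-file; do
        grep -q "^$opt=" "$conf" && fail "$opt is still active"
    done

    # Caching and DNSSEC validation are left to Pi-hole
    grep -q '^cache-size=0$' "$conf" || fail "cache-size=0 is missing"
    grep -Eq '^(dnssec|trust-anchor|proxy-dnssec)' "$conf" &&
        fail "firmware DNSSEC options are still active"

    # dnsmasq.postconf comments this option out
    grep -q '^stop-dns-rebind' "$conf" && fail "stop-dns-rebind is still active"

    [ "$fails" -eq 0 ] && echo "OK: $conf forwards only to 127.0.0.1#5053"
    [ "$fails" -eq 0 ]
}

# Constructed sample of a config after dnsmasq.postconf has run
sample="$(mktemp)"
cat > "$sample" << 'EOF'
user=nobody
cache-size=0
server=127.0.0.1#5053
#resolv-file=/tmp/resolv.conf
#servers-file=/tmp/resolv.dnsmasq
#cache-size=1500
#stop-dns-rebind
EOF
audit_dnsmasq_conf "$sample"
rm -f "$sample"
```

The function returns 0 when every check passes, 1 when any check fails, and 2 when the file cannot be read.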
