Install on Asuswrt‐Merlin
This guide will configure Pi-hole to replace the firmware's DNS resolver.
-
Install Entware: https://github.com/Entware/Entware/wiki/Install-on-Asuswrt-Merlin-firmware
-
Add `pihole` user in USB Application -> Servers Center -> Samba.
Alternatively, you could also use `/jffs/configs/passwd.add` and `/jffs/configs/group.add` (look here for help).
-
Install Pi-hole package: https://github.com/jacklul/entware-pi-hole/wiki#installation
During the installation a random password will be generated for the web interface, you can change it with `pihole setpassword` command later.
-
Enable custom scripts by turning on `Enable JFFS custom scripts and configs` in Administration -> System.
-
Create `/jffs/scripts/dnsmasq.postconf`:
```sh
#!/bin/sh
[ -z "$1" ] && exit 1

# Make firmware Dnsmasq listen for DNS on non-default port (we need it for the reverse lookups)
if ! grep -q "^port=8053" "$1"; then
    sed '/^port=/ s/^/#/' -i "$1"
    sed "/^user=/a port=8053" -i "$1"
fi

# Make sure system uses Pi-hole for DNS requests
# This is optional, you can skip it if you don't want software
# and addons installed on the router to query Pi-hole
resolvconf="$(readlink -f /etc/resolv.conf)"
if ! head -n 1 "$resolvconf" | grep -q "^nameserver 127.0.0.1"; then
    sed '/127.0.0.1/d' -i "$resolvconf"
    sed '1i nameserver 127.0.0.1' -i "$resolvconf"
fi
```
-
Make it executable: `chmod +x /jffs/scripts/dnsmasq.postconf`
-
Edit `/opt/etc/pihole/pihole.toml` and modify:
Change `192.168.1.0/24` to match your LAN network and `lan` to match your LAN domain name.
```toml
[dns]
  upstreams = [
    "1.1.1.1", # As an example we are using Cloudflare DNS servers here
    "1.0.0.1" # This can also be set in the web interface -> Settings -> DNS
  ]
  port = 53
  interface = "br0"
  listeningMode = "LOCAL" # set to 'ALL' if VPN clients can't access Pi-hole DNS, ensure firewall blocks public access to the port set above
  revServers = [
    "true,192.168.1.0/24,127.0.0.1#8053,lan"
  ]

# Disable NTP feature as it may conflict with firmware's NTP server and sync
[ntp]
  [ntp.ipv4]
    active = false
  [ntp.ipv6]
    active = false
  [ntp.sync]
    active = false

[webserver]
  port = "5080,5443s"
```
-
In your router's web GUI go to LAN -> DHCP Server and make sure `Advertise router's IP in addition to user-specified DNS` is turned on and no other DNS server is set in that section (DNS set on the WAN page should be external).
You should also disable `Forward local domain queries to upstream DNS` in WAN -> Internet Connection as it can create a DNS loop with `dns.revServers` set.
-
Restart Dnsmasq and start Pi-hole service:
```sh
service restart_dnsmasq
/opt/etc/init.d/S65pihole-FTL start
```
Note: It is possible that you will see "dnsmasq warning: using interface lo instead" in Pi-hole's web interface and FTL.log - it can be safely ignored as it only indicates that one of the interfaces is either virtual or labeled.
In this particular case it will be caused by the `lo:0` interface created by ASUS firmware.
- Access Pi-hole's web interface at asusrouter.com:5080 or asusrouter.com:5443 and proceed to configuration.
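A consistency check for the files edited in the steps above, as an added example that is not part of the original guide or the entware-pi-hole project: it confirms that firmware Dnsmasq has moved off port 53, that `dns.revServers` forwards to that same port, and flags `listeningMode = "ALL"` for a firewall review. The function names are hypothetical; file paths are passed as arguments, and with no arguments the script runs on constructed sample files.

```sh
#!/bin/sh
# Added example: consistency check for the files this guide edits (hypothetical helper names).

# Active (uncommented) port= value in the generated Dnsmasq config.
dnsmasq_port() { sed -n 's/^port=\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1; }

# Port that the dns.revServers entry in pihole.toml forwards to.
rev_server_port() {
    sed -n 's/^[[:space:]]*"true,[^,]*,[^#,]*#\([0-9][0-9]*\),.*/\1/p' "$1" | head -n 1
}

# Value of dns.listeningMode in pihole.toml.
listening_mode() {
    sed -n 's/^[[:space:]]*listeningMode[[:space:]]*=[[:space:]]*"\([A-Za-z]*\)".*/\1/p' "$1" | head -n 1
}

# First nameserver the router itself uses.
first_nameserver() { awk '$1 == "nameserver" { print $2; exit }' "$1"; }

# Usage: check_setup DNSMASQ_CONF PIHOLE_TOML RESOLV_CONF
# Prints one line per finding; returns 1 if a FAIL was found.
check_setup() {
    rc=0
    dp="$(dnsmasq_port "$1")"
    rp="$(rev_server_port "$2")"
    if [ -z "$dp" ] || [ "$dp" = "53" ]; then
        echo "FAIL: firmware Dnsmasq is not moved off port 53"; rc=1
    fi
    if [ "$dp" != "$rp" ]; then
        echo "FAIL: revServers port '$rp' differs from Dnsmasq port '$dp'"; rc=1
    fi
    if [ "$(listening_mode "$2")" = "ALL" ]; then
        echo "WARN: listeningMode is ALL; confirm the firewall blocks public access to the DNS port"
    fi
    if [ "$(first_nameserver "$3")" != "127.0.0.1" ]; then
        echo "NOTE: the router itself does not query Pi-hole (optional step skipped)"
    fi
    return "$rc"
}

if [ "$#" -eq 3 ]; then
    check_setup "$@"    # the real files, or copies of them
else
    # Constructed sample files so the check can be tried off the router.
    d="$(mktemp -d)"
    printf 'user=nobody\nport=8053\n' > "$d/dnsmasq.conf"
    printf 'listeningMode = "ALL"\n"true,192.168.1.0/24,127.0.0.1#8053,lan"\n' > "$d/pihole.toml"
    printf 'nameserver 127.0.0.1\n' > "$d/resolv.conf"
    check_setup "$d/dnsmasq.conf" "$d/pihole.toml" "$d/resolv.conf"; rm -rf "$d"
fi
```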