I have an old 2013 AirPort Extreme router and want to use Pi-hole as the default DNS server to block certain analytics and ad queries in my network. There is also a guest Wi-Fi for guests and my work computer, which ideally should also be protected by the Pi-hole. I don’t want to manually configure all clients’ DNS settings. It should work out of the box when you connect to the AirPort.

The Pi-hole runs on a Raspberry Pi 3 Model B, is connected to the AirPort via Ethernet and gets a static IP in the 192.168.0.x main subnet. In the router’s Internet settings I can configure the Pi-hole as primary DNS. Everything works like it should on the main network, but not on the guest network.

The guest network is in a different subnet (172.16.42.x) that cannot access the main network, including the Pi-hole. As the AirPort is consumer-grade hardware that doesn’t allow extensive VLAN configuration or firewall rules, there are two promising solutions to this problem:

  1. Don’t protect the guest network and configure an external DNS (e.g. 8.8.8.8) as secondary DNS on the AirPort. This doesn’t work, as the configured secondary DNS is only applied to the primary network. The guest network uses the AirPort itself (172.16.42.1) as DNS server, which doesn’t resolve requests in this constellation.
  2. Connect the Pi to the guest network via Wi-Fi and configure its interface listening behavior to permit all origins. I found this tip on Reddit, but it doesn’t work with my AirPort either, as I cannot configure it as secondary DNS.

My current approach is to manually configure DNS settings on the guest network clients. This is very inconvenient and far from ideal, but it is the only working solution at the moment.