iptables / DNS redirection


New Member
my Raspbian (raspberry pi) has the primary IP address, dnsmasq is running and listening on port 53. dnsmasq forwards dns requests to unbound, running on port 5552. When I nslookup a domain, dnsmasq either replies with the configured reply (usually, dnsmasq is used for adblocking) or, if nothing is configured for the domain, forwards the query to unbound. Unbound than resolves the domain name and sends the reply to dnsmasq, which sends the result to the client that initiated the lookup.

This works perfectly. the result is of course the client using DNS server is actually getting filtered results.

I now need to a device configured with unfiltered DNS.

This is what I want to try
- I added a secondary IP address on the raspberry pi, I already achieved this, using the command sudo ip -4 addr add dev eth0 (I know it will not survive a reboot)
- I changed the DNS assignment for the specific device to, everything still works, because dnsmasq is configured to listen on interface eth0
- I now want to use iptables to redirect all incoming requests on, port 53 (the secondary IP address) directly to, port 5552, thus bypassing dnsmasq and the filtering. Of course, as far as the client is concerned, the reply should appear to come from

To achieve this, I've tried the following:
sudo iptables -t nat -A PREROUTING -p tcp -d --dport 53 -j DNAT --to-destination
sudo iptables -t nat -A PREROUTING -p udp -d --dport 53 -j DNAT --to-destination
sudo iptables -t nat -A POSTROUTING -p tcp -d --dport 53 -j SNAT --to-source
sudo iptables -t nat -A POSTROUTING -p udp -d --dport 53 -j SNAT --to-source

but since the the nslookup request simply times out, this is obviously not correct.

any suggestions?


New Member
found a solution (pihole + unbound)
primary IP address = DNS adblocker (pihole)
secondary IP address = unfiltered DNS (unbound)
read here...