labzilla / labzilla-comments


blog/force-dns-pihole #4

Open utterances-bot opened 3 years ago

utterances-bot commented 3 years ago

Your Smart TV is probably ignoring your PiHole - LabZilla

Welcome Hacker News readers!• Thank you to M. Hammad Mazhar for his research that inspired this guide.• @healyio made some great additional suggestions in th...

https://labzilla.io/blog/force-dns-pihole

andy-at-smith commented 3 years ago

No need to change DNS servers for the test: `nslookup piholetest.example.com 1.1.1.1`

labzilla commented 3 years ago

> No need to change DNS servers for the test: `nslookup piholetest.example.com 1.1.1.1`

Solid point - can't believe that I forgot about this, because I use it all the time! 🤦🏻‍♂️

To fully explain for anyone reading this, you can specify a DNS server for nslookup to use when running the command (otherwise it will use whatever your system uses). So `nslookup piholetest.example.com 1.1.1.1` will look up piholetest.example.com using the DNS server located at 1.1.1.1.
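The same check as a small script, added here as an example that is not part of the guide or of any commenter's setup: it hand-builds a DNS query, sends it straight to a public resolver on UDP/53 and parses the reply, so it does not depend on nslookup's output format. The assumption, as in the comment above, is that piholetest.example.com exists only as a local record on the Pi-hole. With the guide's redirect in place, the packet addressed to 1.1.1.1 is answered by the Pi-hole and an A record comes back; without it, the real 1.1.1.1 answers NXDOMAIN; a timeout means port 53 is being blocked rather than redirected. `fake_response` builds constructed reply packets so the parser can be exercised offline.

```python
"""Probe whether a query addressed to a public resolver is really being
answered by Pi-hole. Added example, not part of the guide; it assumes the
guide's redirect rules and a Pi-hole-only record for the test name."""
import random
import socket
import struct


def build_query(name, qtype=1, txid=None):
    """Build a minimal recursive DNS query (one question) for `name`."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1), txid


def _read_name(pkt, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            if end is None:
                end = off + 2                  # resume after the pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_answers(pkt, expected_txid):
    """Return (rcode, [A-record IPs]) from a DNS response packet."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                        # skip the echoed question
        _, off = _read_name(pkt, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips


def probe(name, server, timeout=2.0):
    """Send the query to `server` on UDP/53 and return (rcode, ips)."""
    query, txid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_answers(data, txid)


def fake_response(query, txid, ips, rcode=0):
    """Constructed response for offline testing only: echoes the question
    and appends one A record per IP, using a pointer back to the qname."""
    pkt = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    pkt += query[12:]
    for ip in ips:
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        pkt += socket.inet_aton(ip)
    return pkt


if __name__ == "__main__":
    import sys
    # piholetest.example.com is the assumed Pi-hole-only local record.
    name = sys.argv[1] if len(sys.argv) > 1 else "piholetest.example.com"
    for server in ("1.1.1.1", "8.8.8.8"):
        try:
            rcode, ips = probe(name, server)
        except socket.timeout:
            print(f"{server}: timeout, port 53 is blocked rather than redirected")
            continue
        if ips:
            print(f"{server}: got {ips}; a Pi-hole-only record came back, redirect works")
        else:
            print(f"{server}: rcode {rcode}, no A record; query reached the real resolver")
```

An NXDOMAIN answer is only conclusive if you know the name really exists on the Pi-hole, since a Pi-hole without the record would also return NXDOMAIN; running `pihole -t` in another shell while probing, as HakunMatat4 suggests further down, shows which resolver actually handled the query.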

leonroy commented 3 years ago

Can't seem to perform the step here: Create Firewall Rules using IP List

pfSense gives the error `IPv4 and IPv6 addresses can not be used in rules that apply to both IPv4 and IPv6 (except within an alias).`

redstamp101 commented 3 years ago

My pfSense says it cannot create IPv4 and v6 rules without using aliases in the DNS over HTTPS or TLS rules. Presume I could get around it by creating an alias for the Pi-hole internal address. Also wondered which rules need duplicating if using two redundant Pi-holes, or isn't this possible with these rules?

johenkel commented 3 years ago

Thank you for this neat write-up. I did follow all the guide to block all our Chromecasts and GoogleMinis from creating so much traffic and using our own pihole. It seems to work, their wifi experience is still shown as only 60% via unifi, which I don't much care about as they seem to be working just fine.

However, I had to exempt one device in our household. My kid has a school-issued iPad which has its own DNS resolver hardcoded, as they restrict its usage from the school. It had a lot of problems when I restricted our DNS locally and would constantly drop off our wifi and switch to 4G. My kid would say "I cannot do homework as my iPad doesn't work" ... go figure. :/ I created a static IP for that iPad and an alias for it as well (to be able to add more school devices to it if needed).

Under Firewall - NAT - Outbound I created the following rule:

- Interface: LAN
- Address Family: IPv4+IPv6
- Protocol: TCP/UDP
- Source Network: Network - School_Devices (School_Devices is the alias)
- Destination: Any

This rule is set higher than the above mentioned rule that "Prevents hardcoded DNS clients from giving unexpected source errors after DNS redirected to PiHole"

That should enable the iPad to reach its school-issued DNS server, correct? Or is there anything else I need to look at?

finite9 commented 3 years ago

Is this guide still valid? I followed it to the letter and it doesn't block if I manually change the DNS server to 8.8.8.8 on a Fedora client, or on my phone. pfSense 2.5.2 and latest Pi-hole.

drank-sinatra commented 3 years ago

@finite9, it did not work for me either. I ended up just creating the firewall rule to block the alias containing the public servers, but I really would have liked the redirect to work.

HakunMatat4 commented 2 years ago

@finite9 @drank-sinatra it actually works, and for a long time I thought my smart TV was still bypassing it. I do not use pfSense but OPNsense.

I added 8.8.8.8 on my smartphone for testing and although Sensei was showing that, it was the Pi-hole actually processing the request. `pihole -t` was displaying all requests from my smartphone. If this wasn't working, `pihole -t` wouldn't have shown anything.

I suggest you repeat your test but this time have a shell tailing the Pi-hole logs. If the log is clean and doesn't show anything, I am afraid something was skipped.

As plan B, I am using these rules now: https://forum.opnsense.org/index.php?topic=24413.msg117229#msg117229 They are cleaner and easier to understand.

kcalmond commented 2 years ago

I am interested in implementing this on my home LAN. I am currently running a Pi-hole and a Ubiquiti UDMP. DNS settings for LAN clients are handed out by the DHCP service running on the UDMP. I do not have a pfSense/OPNsense style router. Will the NAT rules guidance here work directly on my UDM Pro, or would I need to add an additional gateway router between my UDM Pro and the modem to get this running? (If it matters, I'm running Pi-hole in a container on the UDMP per this guidance.)

althor1138 commented 2 years ago

This seems to work great but seems to disable hostname resolution on Pi-hole, which means I cannot use it for group/client management, as the only thing interacting with the Pi-hole is pfSense. Is there a workaround for hostname resolution using this method? Thanks for the awesome writeup btw.

ChrisChros83 commented 2 years ago

Thanks for this tutorial. I have adapted your rules to my needs because I use an OPNsense firewall where AdGuard Home is also installed. So instead of a Pi-hole IP address I use 127.0.0.1 and it works for most users. Unfortunately some of my devices do not like these rules, especially my Google Nest Mini. When these rules are active the Nest Mini is not capable of connecting to the internet. Has anybody else seen this behavior?

vanillanesquik commented 2 years ago

(1) Will this method work if Pi-hole is running unbound as well?

(2) On Nat rule #3, what is "Your internal LAN network". Is that the gateway i.e. 192.168.1.1 or is it 192.168.1.0?

Thanks

bohaman1 commented 2 years ago

Hello, for my third step, when I add my LAN IP and my Pi-hole IP it keeps reverting to .0. For example, my LAN IP is 192.168.0.1 and my Pi-hole IP is 192.168.0.4; when I click save it goes to 192.168.0.0 and 192.168.0.0 for my source and destination.

This then leaks DNS, and ads keep going through for hardcoded devices.

Would anyone please help me?

Thank you

HakunMatat4 commented 2 years ago

> Has anybody else seen this behavior?

I have largely followed that link https://labzilla.io/blog/force-dns-pihole, where "NAT Rule 3: Prevent clients from giving unexpected source errors" should fix your issues. I have had no issues whatsoever since I got this in place some years ago, so I cannot tell much; everything is working fine, wifey is also happy, so I guess that is a solid okay haha

rakklak commented 2 years ago

Please forgive my ignorance but can anyone elaborate on "Your internal LAN network" in step 3? Would this be something like 10.0.0.2-10.0.0.100, and how would I represent this in the field? Thanks in advance!

Saeijou commented 1 year ago

Can someone please explain to me how I configure my OpenWrt to do this? I can't figure out where to find the configuration :(

git-501 commented 1 year ago

Works like a charm! This is the best and easiest guide I've found so far. I was looking for a solution to both problems for quite a while. Thanks!!!!!

sporkman commented 1 year ago

So the outbound NAT rule that fixes the "unexpected address" issue does work, but it also means that your stats will show all your clients coming from a single IP. I don't think that's fixable, but would love to be told otherwise...

Of note, a Roku will totally bomb out without the outbound NAT rule. It doesn't give you any real diagnostic info, just a generic "no internet" message.

I should also note that I'm not using Pi-hole but AdGuard Home, but it's the same sort of thing...

pjvander commented 1 year ago

Thank you for writing this guide!

So, word of warning on Step "4" (DoH): that list of public IPs for the alias includes private addresses (e.g. 10.0.0.1), so be sure to have a way into your firewall in case you accidentally block HTTPS traffic to your firewall's web interface from where you might be accessing it. But I used this guide for OPNsense and AdGuard Home, tweaked it for the VLANs I have, and it worked like a charm! I would also like to second what @sporkman said about the outbound NAT rule obscuring the client IPs (for example, when looking at AdGuard's query log), but will also look for possible solutions. Great writeup!

pjvander commented 1 year ago

Quick update: regarding what @sporkman mentioned (obscured client IPs), I followed the link posted in the comments (OPNsense forums), and it appears setting/matching local tags in the rules will resolve this (tag the port-forwarded packets and use that tag to match on the outbound NAT).

amstwir commented 1 year ago

For those who are going to use this, please add the IPv4 and IPv6 lists from this GitHub repo https://github.com/dibdot/DoH-IP-blocklists since, upon checking, the 1.1.1.1 address still passes through with the guide's IP list.
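A way to load such lists into an alias safely, covering both pjvander's warning about private addresses in the DoH list and amstwir's suggestion to merge in the dibdot lists: this is an added example, not code from the guide or from the dibdot repository. It merges one or more list files, keeps only globally routable unicast addresses (RFC 1918, loopback, link-local, CGNAT, ULA, multicast and reserved space are all dropped), collapses overlapping entries, keeps IPv4 and IPv6 apart so each family gets its own alias (pfSense refuses to mix them in one rule, as leonroy and redstamp101 found), and offers a final check that the result does not cover the firewall's own management address. The list text below is a constructed sample, not the real dibdot content, and 192.168.1.1 as the firewall's LAN address is an assumption.

```python
"""Turn DoH/DoT resolver blocklists into firewall alias input without
locking yourself out. Added example; the list text is constructed, not
the real dibdot/DoH-IP-blocklists content."""
import ipaddress


def parse_entries(text):
    """Yield ip_network objects from list text: one IP or CIDR per line,
    '#' comments and blank lines ignored, unparseable lines skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            yield ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # junk line, not an address


def is_public(net):
    """Only globally routable unicast space belongs in a DoH block alias.
    RFC 1918, loopback, link-local, CGNAT, ULA, multicast and reserved
    ranges are rejected so the alias can never match LAN traffic."""
    return net.is_global and not net.is_multicast


def as_alias_entry(net):
    """Aliases take bare hosts or CIDR; drop a redundant /32 or /128."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def build_alias(*lists):
    """Merge list texts into (v4, v6, dropped): sorted, collapsed public
    entries per address family, plus everything that was filtered out."""
    keep4, keep6, dropped = [], [], []
    for text in lists:
        for net in parse_entries(text):
            if not is_public(net):
                dropped.append(str(net))
            elif net.version == 4:
                keep4.append(net)
            else:
                keep6.append(net)
    v4 = [as_alias_entry(n) for n in ipaddress.collapse_addresses(keep4)]
    v6 = [as_alias_entry(n) for n in ipaddress.collapse_addresses(keep6)]
    return v4, v6, dropped


def covers(entries, address):
    """True if any alias entry would match `address`, e.g. the firewall's
    own management IP. Run this before loading the alias."""
    addr = ipaddress.ip_address(address)
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False


# Constructed sample lists (not the real dibdot files).
SAMPLE_V4 = """\
# public DoH/DoT endpoints
1.1.1.1
1.0.0.1
8.8.8.8/32
8.8.4.4
9.9.9.0/24
10.0.0.1        # private entry of the kind pjvander warned about
192.168.1.1
127.0.0.1
100.64.0.1      # CGNAT space, not a public resolver
not-an-address
"""
SAMPLE_V6 = """\
2606:4700:4700::1111
2001:4860:4860::8888
fd00::1         # ULA, would never be a public DoH endpoint
"""

if __name__ == "__main__":
    v4, v6, dropped = build_alias(SAMPLE_V4, SAMPLE_V6)
    print("IPv4 alias:", v4)
    print("IPv6 alias:", v6)
    print("dropped:", dropped)
    # Lockout check; 192.168.1.1 as the firewall's LAN address is assumed.
    print("would block firewall GUI:", covers(v4, "192.168.1.1"))
```

Paste the IPv4 and IPv6 outputs into two separate aliases and reference each from its own rule; if `covers` ever returns True for the address you manage the firewall from, fix the list before applying the rule rather than relying on console access afterwards.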

RogueGhost93 commented 11 months ago

@pjvander, you commented on May 16, 2023:

> So, word of warning on Step "4" (DoH); that list of public IP's for the alias includes private addresses (e.g. 10.0.0.1) so be sure to have a way into your firewall in case you accidentally block https traffic to your firewall's web interface from where you might be accessing it. But, used this guide for OPNsense and AdGuard Home, and tweaked for the VLAN's I have and it worked like a charm! I would also like to second what @sporkman said about the outbound NAT rule obscuring the client IP's (for example, when looking at AdGuard's query log), but will also look for possible solutions. Great writeup!

So how did you circumvent this? How would you exclude those private addresses? Thanks bud!