    Pi-Hole + Unbound vs. pfBlockerNG

    16 Posts 2 Posters 4.9k Views
      GPinzone @the other

      @the-other I don't want to use Google DNS. I believe that I'm currently using unbound for DNS. Is there something else I should do to verify?

        the other @GPinzone

        @gpinzone Hey,
        not using Fedora here.
        With a
        nslookup xyz | grep server
        my Ubuntu shows the actual DNS server... my pfSense.

        I don't know why you have all those other DNS server IPs in your system... if you do not use them you can go ahead and delete them.

        So, what are your settings under System > General Setup?
        Is unbound running under Services > DNS resolver?
        Is it running in forwarder mode?
        :)

        the other

        pure amateur home user, no business or professional background
        please excuse poor english skills and typpoz :)

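The checks asked for in the post above (is unbound running, on which interfaces, is it in forwarder mode, and what does a client's nslookup actually say), as an added example that is not part of this thread: a POSIX sh script that reads the unbound configuration pfSense generates. It assumes the generated file lives at /var/unbound/unbound.conf, that the "Enable Forwarding Mode" checkbox produces a catch-all forward-zone named "." while Domain Overrides produce forward-zones with specific names, and that pfBlockerNG's Python Mode adds a python-script line; all of these are assumptions about pfSense's layout, and the two sample configs and the nslookup output below are constructed, not copied from any real box.

```shell
#!/bin/sh
# Added example, not from the forum thread. Audits the unbound config that
# pfSense generates (assumed path: /var/unbound/unbound.conf) to answer:
# which addresses unbound listens on, whether it is forwarding (and to whom),
# and whether pfBlockerNG's python module is active.

# Addresses unbound binds to. pfSense writes "interface: 0.0.0.0" and
# "interface: ::0" when Network Interfaces is set to "All" (assumption).
listen_addrs() {
    awk '/^[ \t]*interface:/ { print $2 }' "$1"
}

# "forwarding" if a catch-all forward-zone (name ".") exists, which is what the
# "Enable Forwarding Mode" checkbox produces; "recursive" otherwise. Domain
# Overrides are also forward-zones, but with specific names, so they do not
# count. Sections start at column 0, their options are indented.
resolver_mode() {
    if awk '
        /^forward-zone:/                 { fz = 1 }
        /^[a-z]/ && !/^forward-zone:/    { fz = 0 }
        fz && /^[ \t]*name:[ \t]*"\."/   { found = 1 }
        END                              { exit !found }' "$1"; then
        echo forwarding
    else
        echo recursive
    fi
}

# Upstreams of the catch-all zone, i.e. the servers unbound hands every query
# to in forwarding mode. Empty for a recursive resolver, even with overrides.
forwarders() {
    awk '
        /^forward-zone:/                     { fz = 1; root = 0 }
        /^[a-z]/ && !/^forward-zone:/        { fz = 0 }
        fz && /^[ \t]*name:[ \t]*"\."/       { root = 1 }
        fz && root && /^[ \t]*forward-addr:/ { print $2 }' "$1"
}

# pfBlockerNG "Python Mode" registers a python-script in the config (assumption).
python_mode() {
    if grep -q '^[ \t]*python-script:' "$1"; then echo enabled; else echo disabled; fi
}

# Client-side check from the thread: the "Server:" line of nslookup output
# names the resolver the client actually asked. $1 is the captured output.
nslookup_server() {
    printf '%s\n' "$1" | awk '/^Server:/ { print $2; exit }'
}

# Constructed samples (not from any real firewall) for the demo below.
make_samples() {
    cat > "$1/forwarding.conf" <<'EOF'
server:
    interface: 192.168.1.1
    interface: 127.0.0.1
    port: 53
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
EOF
    cat > "$1/recursive.conf" <<'EOF'
server:
    interface: 0.0.0.0
    interface: ::0
    port: 53
    auto-trust-anchor-file: /var/unbound/root.key
forward-zone:
    name: "corp.example"
    forward-addr: 10.0.0.53
python:
    python-script: pfb_unbound.py
EOF
}
SAMPLE_DIR=$(mktemp -d)
make_samples "$SAMPLE_DIR"
# Constructed nslookup output as seen on a LAN client whose resolver is pfSense.
NSLOOKUP_SAMPLE='Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
Name:	www.netgate.com
Address: 203.0.113.10'

# On the firewall: sh audit.sh /var/unbound/unbound.conf
CONF=${1:-$SAMPLE_DIR/forwarding.conf}
echo "config:       $CONF"
echo "listens on:   $(listen_addrs "$CONF" | tr '\n' ' ')"
echo "mode:         $(resolver_mode "$CONF")"
echo "forwarders:   $(forwarders "$CONF" | tr '\n' ' ')"
echo "python mode:  $(python_mode "$CONF")"
echo "client asked: $(nslookup_server "$NSLOOKUP_SAMPLE")"
```

Without an argument the script runs against the constructed samples; on the firewall itself, point it at /var/unbound/unbound.conf from Diagnostics > Command Prompt. A "recursive" verdict with an empty forwarder list is what the thread is aiming for: unbound walking down from the root servers rather than handing queries to Google or the ISP.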
          GPinzone @the other

          @the-other Screenshots:

          DNS.png

          DNS-Resolver.png

            the other @GPinzone

            @gpinzone so, in case you do not want to use Google as DNS you could enter something less curious... or get rid of that and change to use only this server (no fallback to remote) and delete Google DNS.
            Here, no entries under general settings...personal decision.

              GPinzone @the other

              @the-other I made two changes. I removed the google DNS servers (I had assumed I couldn't get rid of them both, but I just had to clear out the field of the remaining one.)

              DNS-New.png

              I also unchecked the DNS Server Override option and that got rid of my ISP's DNS servers from appearing on the status page.

              DNS server(s) 127.0.0.1

              I don't think this changed anything significant since I'm almost positive unbound/pfBlockerNG was supplying the DNS requests even with those entries in place.

                the other @GPinzone

                @gpinzone
                Yeah, but now you removed data-hungry Google from your settings.
                With the right firewall setting, you can make sure everything in your LAN uses unbound, no other DNS query targets allowed.

                  GPinzone

                  I woke up this morning and I appeared to lose Internet on every device except for a laptop that is connected using a VPN (locally configured on that laptop). I could still ping IP addresses. It appeared to be a system-wide DNS failure. The pfBlockerNG logs showed failures trying to resolve the hostnames to download the blocking information. I restored the checkbox to allow the DNS server list to be overridden by DHCP/PPP on WAN. That didn't seem to make a difference. Perhaps I didn't wait long enough? I rebooted the Netgate 4100 and DNS was restored. I do see the ISP's DNS servers on the status page, but I can verify my LAN isn't using them.

                  I'm not sure what happened. I assume the DNS cache expired. Without any external DNS servers configured, the system can't bootstrap itself to get unbound working. Am I correct?

                    the other @GPinzone

                    @gpinzone unbound uses a list of authoritative DNS servers...
                    As mentioned, I have no extra entry for DNS servers in my system... still working.

                      GPinzone @the other

                      @the-other Thank you. I wonder why I had a failure?

                        the other @GPinzone

                        @gpinzone
                        There are known issues when unbound is running and the following settings are active under Services > DNS Resolver:
                        ...DHCP Registration
                        ...no / wrong listening interfaces

                        Try searching this forum for "unbound dns fail"; during the last few weeks, many users experienced some problems. You might find a solution there.

                        Are you using IPv6? pfBlockerNG-devel? Any firewall rules regarding port 53 (typically DNS)?

                          the other @the other

                          @the-other
                          silly me... of course you are using pfBlocker... *double facepalm* :)

                          Well, do you have the Python script active under Services > DNS Resolver?
                          Also... any restrictions (e.g. outgoing IP block) so that your DNS might not reach the needed servers?

                          As mentioned, problems with unbound and pfBlockerNG are quite a common topic here, so a short search could help...

                            GPinzone @the other

                            @the-other I'm using the latest development version, not using Python, no IPv6 (my ISP doesn't support it), and I'm not blocking port 53. I know there's a way to redirect all DNS traffic to your DNS server and I have not done that.

                            I did read something about the unbound used by pfBlockerNG not being the latest. I guess we'll just have to wait.

                            If it fails again, I assume a complete reboot isn't necessary. I'll see if there's a way just to restart unbound.

                              the other @GPinzone

                              @gpinzone
                              Sure there is a way:
                              First, log on to pfSense.
                              Then go to your status page (it might show you the status of all services; otherwise check at Status > Services).
                              There you will see if unbound is not running... in that case hit the Restart Service button and... taDAAA... it should restart without rebooting your pfSense in general.
                              :)


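The restart-without-reboot advice above, as an added example that is not part of this thread: a POSIX sh script for the pfSense shell (Diagnostics > Command Prompt, or a cron entry) that probes the local unbound directly and only restarts the DNS Resolver when the probe fails. It separates "nothing is listening" from "unbound answers but returns SERVFAIL", which is the difference between the daemon having died and it running but being unable to recurse, the symptom described earlier in the thread. It assumes drill(1) from ldns is present and that /usr/local/sbin/pfSsh.php accepts "playback svc restart unbound"; both are standard on pfSense but are stated here as assumptions, and the probe outputs in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the forum thread. Restart the DNS Resolver from the
# pfSense shell (no reboot) only when a local probe shows it is really broken.
# Assumptions: drill(1) is installed and pfSense's pfSsh.php helper supports
# "playback svc restart unbound" (the shell equivalent of Status > Services >
# Restart for the DNS Resolver).

RESOLVER=127.0.0.1
PROBE_NAME=${PROBE_NAME:-www.netgate.com}

# Classify a probe. $1 = exit status of the probe command, $2 = its output.
# drill prints a header line such as (constructed example):
#   ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4711
# Prints one of: ok | servfail | no-answer | unreachable
classify_probe() {
    if [ "$1" -ne 0 ]; then
        echo unreachable      # nothing listening on the resolver, or drill failed
        return 0
    fi
    case "$2" in
        *"rcode: NOERROR"*)  echo ok ;;
        *"rcode: NXDOMAIN"*) echo ok ;;          # resolver answered; the name just does not exist
        *"rcode: SERVFAIL"*) echo servfail ;;    # daemon up but recursion failing
        *)                   echo no-answer ;;
    esac
}

# Map a verdict to an action. Kept separate so the policy is testable.
# Prints "restart" or "leave".
decide_action() {
    case "$1" in
        ok) echo leave ;;
        *)  echo restart ;;
    esac
}

# Ask the local unbound directly, bypassing whatever resolver the shell's
# resolv.conf points at (the thread's General Setup entries).
run_probe() {
    drill "$PROBE_NAME" @"$RESOLVER" 2>&1
}

main() {
    out=$(run_probe); st=$?
    verdict=$(classify_probe "$st" "$out")
    action=$(decide_action "$verdict")
    echo "$(date '+%F %T') unbound probe=$verdict action=$action"
    if [ "$action" = restart ]; then
        /usr/local/sbin/pfSsh.php playback svc restart unbound
    fi
}

# Only touch the network and the service when invoked as: sh unbound-check.sh check
case "$1" in
    check) main ;;
esac
```

Run it as "sh unbound-check.sh check"; a cron entry every few minutes gives you the same effect as watching the Services widget on the dashboard, with a timestamped log line for each probe so a recurring outage shows up with the verdict that preceded the restart.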
                                GPinzone @the other

                                @the-other Thank you. Added service status to my dashboard.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.