Wireless networks- dns
-
Hello everyone,
Got a very benign design question for my home. I've got 3 wireless VLANs: Guest, KidsNet, and General IoT.
My Guest network uses Google DNS.
My KidsNet uses OpenDNS (for web filter).
My IoT still uses pfSense for DNS. In your setups, do you have all wireless networks point to an external DNS?
I like having the pfBlocker stats, so that's why I haven't changed my IoT VLAN DNS. Just curious what y'all do.
-
@michmoor While pointing IoT type devices or guests to external DNS is a common thing, to keep them from resolving any of your local resources,
I point my IoT devices to my Pi-hole, which forwards to unbound on pfSense.
I do this for blocking reasons in Pi-hole, plus the eye candy and info from Pi-hole. So I can see exactly what my Rokus and other devices are wanting/trying to access, etc.
I don't really care if my IoT devices, for example, might be able to resolve that 192.168.9.100 is my i9-win machine. I mean, it can't access it because of the firewall rules, etc.
And I enjoy the DNS info I get from having them query local DNS more than any sort of concern about them being able to resolve local assets they can not access anyway.
For a while I did have my guest wireless VLAN handed out external DNS - but then again, why not let them enjoy the ad blocking of my Pi-hole if they are my guests, etc. If they want to use some external DNS they are free to do so on the guest VLAN. While my devices on my other VLANs, like the IoT and Roku VLANs, can not use external DNS in any fashion, and I do my best to keep them from using DoH as well.
Blocking access to, say, some sneaky DoH server can be very difficult; it could be using some non-known server out there. Kind of hard to filter 443 without pretty much breaking the internet, unless you were running in a whitelist-only sort of mode. And even then, with CDNs making up the vast majority of the internet these days, and having to allow for large swaths of IP ranges even if you were going to run whitelist-only access for 443, you still have the issue where this rogue DoH server could be running on a CDN that you have allowed, etc. So blocking DoH can be very problematic, other than filtering all the well-known servers that your IoT devices might be wanting to use.
-
@johnpoz The reason you want Pi-hole is the reason I want to keep my IoT VLAN on pfSense... the pretty graphs.
But you're right. No reason for all my wireless VLANs I listed here to have access to my internal DNS server. Nothing will ever be routed across VLANs - if it is, we've got some issues. I've used AdGuard in the past. Is Pi-hole good or better?
For DoH I'm using a feed list in pfBlocker. Won't get all the servers out there, but it's better than nothing.
-
@michmoor said in Wireless networks- dns:
Is PiHole good or better?
Been using Pi-hole for a long time; I like it, it does what it is supposed to do. And the eye candy is better than pfBlocker imho. Not saying pfBlocker can't do it or eye candy is not available.
Just been using Pi-hole for so long, and no real reason to switch. I know how it works, I know how to use it, etc. And I have a Pi there that wouldn't really be doing anything if it wasn't running Pi-hole ;)
-
@johnpoz hehe ok I’ll give it a try today.
-
@michmoor Stupid ass Rokus and their attempts to log everything you do.
pfBlocker can do the same sort of stuff, I am sure. But the eye candy is pretty ;)
-
@johnpoz Thinking about it, I know why I didn't have this IoT VLAN DNS change happen.
One of the best parts for me about pfSense is the all-in-one features. If DNS stops working, I know where the problem is. If I move it to something else, now I have to troubleshoot that other thing... if I remember what server VM it's on.
I know, I know...... it doesn't matter in the end. I troubleshoot enough at my job. Why do it at home!! Either way, I'm setting up Pi-hole as I write this.
-
@michmoor What would it take you, 3 seconds to know if Pi-hole is not answering, or unbound is not answering?
If DNS is not working and I query unbound and it works - it's pretty much a given that Pi-hole is the problem ;)
I don't recall Pi-hole ever going down, btw ;) And while some users report issues with unbound, I can not recall the last time I had any issues with it; mine never restarts unless I do it on purpose, sort of thing. Nor does it just stop. Both have been pretty rock solid if you ask me. Then again, I am not loading 47 million things into DNSBL, nor do I forward, and sure as hell if I did forward it wouldn't be doing it over TLS, nor would I be having DNSSEC set if I forwarded. And I don't register DHCP clients either, where unbound needs to restart every few minutes because of some update to a DHCP client ;)
And my ISP is pretty much rock solid.
I always have a cmd prompt open; it takes what, 3 seconds to do a dig directly to the pfSense IP vs the default DNS of unbound.
I currently show unbound up for 12 hours. I made some adjustments this morning to my static reservations for some lightbulbs and needed to change some names, so unbound restarted. Other than my changes, I'm pretty sure unbound would have been running for the last 20 and a half days, which is the time pfSense has been up.
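A scripted version of the isolation check johnpoz describes (a dig straight at the pfSense IP compared with one at the client's default DNS), added here as an example; it is not code from this thread, from pfSense or from Pi-hole. The two addresses and the probe name are placeholders and an assumption about the layout (Pi-hole as the clients' resolver, unbound on pfSense behind it):

```shell
#!/bin/sh
# Added example: narrow a DNS outage to Pi-hole or to unbound on pfSense.
# Pi-hole is assumed to be the clients' default DNS and to forward to unbound.
# All addresses below are placeholders; override them via the environment.
PIHOLE_IP="${PIHOLE_IP:-192.168.1.2}"     # assumed Pi-hole address
PFSENSE_IP="${PFSENSE_IP:-192.168.1.1}"   # assumed pfSense address (unbound listens here)
PROBE_NAME="${PROBE_NAME:-example.com}"   # a public name both resolvers should answer

# query_ok SERVER NAME -> exit 0 when SERVER returns an A record within 2 seconds.
query_ok() {
    dig +short +time=2 +tries=1 "@$1" "$2" A 2>/dev/null | grep -q '^[0-9]'
}

# classify PIHOLE_STATUS UNBOUND_STATUS -> prints a verdict; each status is ok|fail.
# This is the reasoning from the thread: if unbound answers directly but the
# default DNS does not, Pi-hole (or the path to it) is the problem.
classify() {
    case "$1/$2" in
        ok/ok)     echo "both answer: DNS path is healthy" ;;
        fail/ok)   echo "pihole is the problem: unbound on pfsense answers directly" ;;
        ok/fail)   echo "pihole answers (cache or other upstream) but unbound does not: check pfsense" ;;
        fail/fail) echo "neither answers: check pfsense/unbound or the network first" ;;
        *)         echo "unknown status: $1/$2"; return 2 ;;
    esac
}

# check_dns_path probes both resolvers, prints the verdict, and exits 0 only
# when both answered.
check_dns_path() {
    p=fail
    u=fail
    query_ok "$PIHOLE_IP"  "$PROBE_NAME" && p=ok
    query_ok "$PFSENSE_IP" "$PROBE_NAME" && u=ok
    classify "$p" "$u"
    [ "$p" = ok ] && [ "$u" = ok ]
}

# Run interactively with:  check_dns_path
```

The probe uses `+time=2 +tries=1` so a dead resolver costs two seconds rather than dig's default retry cycle, and the verdict is separated into `classify` so the decision logic can be read (or tested) without touching the network.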