pihole on unraid not blocking ads with pfsense



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    I have been running pihole for quite some time... This is how I set it up... I have pihole running on an actual Pi in my dmz network 192.168.3/24

    All clients point to pihole directly via setting dhcpd on pfsense to hand this out. pihole then forwards to pfsense.. Pfsense then "RESOLVES" using dnssec.

    This allows me, if I want, to just ask the pfsense IP directly for something if I don't want to be blocked by pihole's list. If I want a device to not use pihole, I just set up that device to use pfsense for dns.

    On pihole I just set it to forward PTRs for rfc1918, ie uncheck
    "Never forward reverse lookups for private IP ranges"

    This requires min config on both unbound and pihole. No need to setup any conditional forwards, still get to "resolve" and use dnssec per setting on unbound. And also host overrides set on unbound work, etc.

    John, would you one day be able to do a step by step on how you got it working like that? It sounds perfect for what I am wanting to do. I sometimes find pfsense quite complicated 90% of the time.


  • LAYER 8 Global Moderator

    I kind of just did, when I told you how I have it setup.. Didn't I.. What step is missing there ;)



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    I kind of just did, when I told you how I have it setup.. Didn't I.. What step is missing there ;)

    Nevermind thanks anyway.


  • LAYER 8 Global Moderator

    Do you need a picture on how to set up dhcp to point to the pihole IP? Do you need a picture on how to set up pihole to point to the pfsense IP? Just a bit confused as to what other info you would need?



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    Do you need a picture on how to set up dhcp to point to the pihole IP? Do you need a picture on how to set up pihole to point to the pfsense IP? Just a bit confused as to what other info you would need?

    Not really a picture, though it might help. I know you told us what you have set up, I just wouldn't know how to set it up this way. I was hoping you could give a rundown of the settings you used to achieve this.


  • LAYER 8 Global Moderator

    Again - already did..

    You set dhcp server in pfsense to point to pihole IP.
    You set pihole to forward to pfsense IP..

    What else is there to know?

    Clients now ask pihole, stuff that is not blocked gets forwarded to pfsense. It answers for local stuff, and resolves public stuff and answers back to pihole, which sends it back to client.

    One thing I would do is let pihole do PTR.. So uncheck
    "Never forward reverse lookups for private IP ranges"



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    Again - already did..

    You set dhcp server in pfsense to point to pihole IP.
    You set pihole to forward to pfsense IP..

    What else is there to know?

    Clients now ask pihole, stuff that is not blocked gets forwarded to pfsense. It answers for local stuff back to pihole, which sends it back to client.

    One thing I would do is let pihole do PTR.. So uncheck
    "Never forward reverse lookups for private IP ranges"

    So

    System > General Setup > DNS Servers 10.0.0.22 (which is my pihole)
    now on pihole
    Upstream DNS Servers
    points to pfsense 10.0.0.1

    Never forward non-FQDNs
    Never forward reverse lookups for private IP ranges
    Use DNSSEC
    All ticked?

    Can't seem to find PTR in the dns options unless Never forward reverse lookups for private IP ranges is it?


  • LAYER 8 Global Moderator

    @X2LR said in pihole on unraid not blocking ads with pfsense:

    System > General Setup > DNS Servers 10.0.0.22 (which is my pihole)

    Nowhere did I say anything about that??

    You don't do anything to unbound, or pfsense other than change the IP that gets handed to clients in the dhcp server settings.

    never forward non-fqdn - checked!
    never private - unchecked
    use dnssec - uncheck, it's POINTLESS on a forwarder.. Pointless!! Unbound will do your dnssec for you out of the box.



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    @X2LR said in pihole on unraid not blocking ads with pfsense:

    System > General Setup > DNS Servers 10.0.0.22 (which is my pihole)

    Nowhere did I say anything about that??

    You don't do anything to unbound, or pfsense other than change the IP that gets handed to clients in the dhcp server settings.

    Sorry, you are correct, I misread. Are the others correct?



  • @johnpoz So

    Services > DHCP Server > LAN > Servers

    DNS servers = 10.0.0.22?


  • LAYER 8 Global Moderator

    Exactly..

    Now was that hard ;)

    See my edit on the checkboxes.. The only thing pfsense should point to for dns is itself, 127.0.0.1.. Unbound out of the box will resolve and use dnssec.



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    Exactly..

    Now was that hard ;)

    Thank you.

    Last few questions if you don't mind.

    In resolver

    DNSSEC is ticked
    Are any of the others ticked at all?
    DNS Query Forwarding etc..

    Also in General Setup do you tick or untick
    DNS Server Override
    Disable DNS Forwarder

    Now I know you never said anything about General Setup, just don't want a wrong setup in here.

    Which dns do you use John? I've been using quad9


  • LAYER 8 Global Moderator

    If unbound is resolving you have little reason to allow for dhcp of pfsense wan to set dns for pfsense..

    So unchecked..

    If you check disable forward/resolver - how would pfsense resolve anything for itself? Since that just removes pointing to 127.0.0.1 for pfsense.

    In unbound, no forwarding is not checked.. It resolves out of the box. Yes you would leave dnssec checked if you want it checking for that. That is up to you.. As to other settings in unbound.. I personally use cache prefetch and serve ttl 0, but those have nothing to do with who is asking, be it pihole or normal clients, etc. I also set min TTL of 3600.. Only because I despise these 60 second TTLs some sites use.. Have seen zero issues with doing that, but I wouldn't suggest you do anything like that unless you fully understand what it means.



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    If unbound is resolving you have little reason to allow for dhcp of pfsense wan to set dns for pfsense..

    So unchecked..

    If you check disable forward/resolver - how would pfsense resolve anything for itself? Since that just removes pointing to 127.0.0.1 for pfsense.

    In unbound, no forwarding is not checked.. It resolves out of the box. Yes you would leave dnssec checked if you want it checking for that. That is up to you.. As to other settings in unbound.. I personally use cache prefetch and serve ttl 0, but those have nothing to do with who is asking, be it pihole or normal clients, etc. I also set min TTL of 3600.. Only because I despise these 60 second TTLs some sites use.. Have seen zero issues with doing that, but I wouldn't suggest you do anything like that unless you fully understand what it means.

    Thanks, and yes, I don't understand what that means so I'll leave that be.

    As for the dns I want to use, do I add that in General Setup? I think I've had it wrongly set up for years, I had it in the dhcp part ☹



  • Also you said you can bypass pihole. If I wanted to do that for 10.0.0.20 and 10.0.0.22, would that be in pfsense or pihole settings?


  • LAYER 8 Global Moderator

    You would do that on the client :) via a dig or nslookup calling out pfsense IP.

    Or sure, if you don't want client X using pihole, then set up a dhcp reservation for them and have it just ask pfsense directly via dhcp settings. Or you could do it on the client directly via static settings.


  • LAYER 8 Global Moderator

    @X2LR said in pihole on unraid not blocking ads with pfsense:

    As for dns i want to use i add that in General Setup?

    No... You don't put anything in general setup on pfsense.. Pfsense only ever needs to ask itself.. Nothing goes in general setup on pfsense. That is the whole point of unbound resolving.



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    @X2LR said in pihole on unraid not blocking ads with pfsense:

    As for dns i want to use i add that in General Setup?

    No... You don't put anything in general setup on pfsense.. Pfsense only ever needs to ask itself.. Nothing goes in general setup on pfsense. That is the whole point of unbound resolving.

    Where would you put dns? (9.9.9.9? I'm lost now.)

    @johnpoz said in pihole on unraid not blocking ads with pfsense:

    You would do that on the client :) via a dig or nslookup calling out pfsense IP.

    Or sure, if you don't want client X using pihole, then set up a dhcp reservation for them and have it just ask pfsense directly via dhcp settings. Or you could do it on the client directly via static settings.

    Hmmm? Sounds very complicated, I'll leave that for another day.


  • LAYER 8 Global Moderator

    @X2LR said in pihole on unraid not blocking ads with pfsense:

    Where would you put dns? (9.9.9.9? I'm lost now.)

    You wouldn't!!! what would be the freaking point of that?

    So you want clients to ask pihole, and then pihole to ask pfsense (Only for local stuff) and then forward to 9.9.9.9?? Sure you could do that... If you're going to do that, might as well just take pfsense out of the equation and let pihole be your dhcp so it can resolve your local clients and take pfsense out of it for dns/dhcp.

    But now you're forwarding - not resolving.



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    @X2LR said in pihole on unraid not blocking ads with pfsense:

    Where would you put dns? (9.9.9.9? I'm lost now.)

    You wouldn't!!! what would be the freaking point of that?

    Okay, I don't understand this at all then.

    this is what i thought would happen.

    Quad 9 would be my dns
    Pihole would just remove ads and block sites.

    I am clearly misunderstanding this big time.


  • LAYER 8 Global Moderator

    See my edit... If all you want is quad9 as your dns.. Just have pihole forward to it.. Why would you need pfsense in the mix..

    Nowhere in my discussion of how I am set up did I ever mention pfsense not resolving.. No external name services are needed, or desired if you ask me. If you want pfsense to forward to quad9, then sure you can do that - but you don't need dnssec checked on unbound then... If you forward - dnssec is POINTLESS!! Only a resolver can do anything with dnssec.



  • @johnpoz So you don't need any dns (3rd party) if this is the case? I would be using the dns my ISP serves me? Virgin Media? I'm sorry John, I'm nowhere near up to speed with you and I'm sure my questions are frustrating you, I'm sorry... I thought I knew what I was doing, clearly not!


  • LAYER 8 Global Moderator

    So it seems you do not understand what a resolver is vs a forwarder?

    Basic
    Resolver, walks down from roots looking for the authoritative ns for a domain.
    resolver
    roots - hey what is NS for .com
    .com NS - what is the NS for domain.com
    domain.com NS - hey what is the A record for www.domain.com

    Next time someone asks for host.domain.com, if the NS for domain.com is still cached, just ask ns domain.com for host.domain.com

    This is how resolving works.. No need for anything set up in pfsense, it knows who the roots are and can glean any other info from there for any other domain you're looking for.

    Forwarder.
    Hey 1.2.3.4 (some NS) what is A record for www.domain.com

    If it does not have this cached already, then it can either resolve, or it might forward to something else.. You really have no idea what it's doing. It could be a resolver, it could be a forwarder, you don't really know. All you know is you ask it for something, and you get an answer. Or you don't.

    Does that help? Or does it just make things more confusing?

    At some point in the asking for dns there has to be a resolver.. Be it who you're forwarding to, or somewhere upstream of who they forward to, etc. A resolver is what validates dnssec, forwarding to somewhere and asking for dnssec does nothing but add extra traffic for the query. If the resolver anywhere in your path is doing dnssec, and something doesn't pass dnssec then that info is not going to be passed downstream.

    example.. I ask quad9 for a record that fails dnssec..

    Here, see quad9 does dnssec validation - so if I ask it for a known record that fails dnssec I do not get an answer

    $ dig @9.9.9.9 www.dnssec-failed.org
    
    ; <<>> DiG 9.14.4 <<>> @9.9.9.9 www.dnssec-failed.org
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21744
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.dnssec-failed.org.         IN      A
    
    ;; Query time: 176 msec
    ;; SERVER: 9.9.9.9#53(9.9.9.9)
    ;; WHEN: Mon Aug 12 08:09:43 Central Daylight Time 2019
    ;; MSG SIZE  rcvd: 50
    

    But if I ask something that doesn't do dnssec.. Say 4.2.2.2, or even quad9's different address - it gives me an answer even though the dnssec fails, be it I ask for dnssec or not

    $ dig @9.9.9.10 www.dnssec-failed.org
    
    ; <<>> DiG 9.14.4 <<>> @9.9.9.10 www.dnssec-failed.org
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1233
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.dnssec-failed.org.         IN      A
    
    ;; ANSWER SECTION:
    www.dnssec-failed.org.  7200    IN      A       68.87.109.242
    www.dnssec-failed.org.  7200    IN      A       69.252.193.191
    
    ;; Query time: 145 msec
    ;; SERVER: 9.9.9.10#53(9.9.9.10)
    ;; WHEN: Mon Aug 12 08:13:04 Central Daylight Time 2019
    ;; MSG SIZE  rcvd: 82
    

    9.9.9.10 is a specific address by quad9 that does not do dnssec validation.
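The points made in this post and in the setup steps earlier in the thread (the DHCP server hands clients the Pi-hole address, Pi-hole forwards everything to pfSense, RFC1918 PTRs are allowed through, and DNSSEC only means anything where a resolver validates) can all be checked directly on the wire. The script below is an added example, not code from the thread, from Pi-hole or from pfSense. It is standard-library Python only, so it also runs on a Windows client that has no dig. The addresses 10.0.0.222 (Pi-hole) and 10.0.0.1 (pfSense) and the test names www.dnssec-failed.org and doubleclick.net are taken from the thread and are assumptions about your network; the encoding and parsing functions run offline, and only query() and check_chain() talk to the network.

```python
"""Wire-level DNS checks for a client -> Pi-hole -> pfSense (unbound) chain.
Added example (not code from the thread, Pi-hole or pfSense); standard library only.
Addresses are assumptions taken from the thread: 10.0.0.222 = Pi-hole, 10.0.0.1 = pfSense."""
import random
import socket
import struct

QTYPE = {"A": 1, "PTR": 12, "AAAA": 28, "OPT": 41}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}
RCODE_NAME = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """'www.example.com' -> length-prefixed labels terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off, depth=0):
    """Decode a possibly compressed name at off; return (name, offset just after it)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer ends the name
            if depth > 15:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail = [lab for lab in decode_name(msg, ptr, depth + 1)[0].split(".") if lab]
            return ".".join(labels + tail) + ".", off + 2
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def build_query(qname, qtype, want_dnssec=True, txid=None):
    """Recursive query; with want_dnssec an OPT RR carrying the DO bit is appended."""
    txid = random.randrange(65536) if txid is None else txid   # random id: basic spoofing guard
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, int(want_dnssec))  # flags: RD only
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)                # class IN
    if want_dnssec:  # OPT RR: root name, type 41, class = UDP size, TTL field carries DO=0x8000
        msg += b"\x00" + struct.pack("!HHIH", QTYPE["OPT"], 4096, 0x8000, 0)
    return msg

def parse_response(msg):
    """Return id, rcode, the AD (Authenticated Data) flag and the answer RRs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype in (QTYPE["A"], QTYPE["AAAA"]):
            value = socket.inet_ntop(socket.AF_INET if rdlen == 4 else socket.AF_INET6, rdata)
        elif rtype == QTYPE["PTR"]:
            value = decode_name(msg, off - rdlen)[0]
        else:
            value = rdata.hex()
        answers.append((name, QTYPE_NAME.get(rtype, str(rtype)), ttl, value))
    # AD is only set by a validating resolver; a plain forwarder cannot vouch for the data.
    return {"id": txid, "rcode": RCODE_NAME.get(flags & 0xF, str(flags & 0xF)),
            "ad": bool(flags & 0x0020), "answers": answers}

def reverse_name(ip):
    """10.0.0.222 -> 222.0.0.10.in-addr.arpa. (the name a PTR lookup really asks for)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def is_sinkholed(answers):
    """Pi-hole's default block answer is 0.0.0.0 / :: rather than NXDOMAIN."""
    return any(t in ("A", "AAAA") and v in ("0.0.0.0", "::") for _n, t, _ttl, v in answers)

def query(server, qname, qtype="A", want_dnssec=True, timeout=3.0):
    """Send one UDP query and return the parsed response (this part needs the network)."""
    q = build_query(qname, QTYPE[qtype], want_dnssec)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != struct.unpack("!H", q[:2])[0]:   # drop replies that don't match our id
        raise ValueError("transaction id mismatch")
    return resp

def check_chain(pihole="10.0.0.222", pfsense="10.0.0.1"):
    """The checks from the thread: pfSense resolves, Pi-hole forwards, PTRs and blocking work, DNSSEC."""
    print("pfSense direct      :", query(pfsense, "www.google.com"))
    print("via Pi-hole         :", query(pihole, "www.google.com"))
    print("RFC1918 PTR via Pi  :", query(pihole, reverse_name(pfsense), "PTR")["answers"])
    print("doubleclick blocked :", is_sinkholed(query(pihole, "doubleclick.net")["answers"]))
    # A validating resolver answers SERVFAIL here; a non-validating forwarder returns the A records.
    print("dnssec-failed.org   :", query(pfsense, "www.dnssec-failed.org")["rcode"])

if __name__ == "__main__":
    check_chain()
```

Run it as a script from a LAN client. A validating resolver (unbound on pfSense, or 9.9.9.9) answers SERVFAIL for www.dnssec-failed.org and sets the AD flag on answers it has validated; a non-validating forwarder (9.9.9.10 in the post above) returns NOERROR with the A records and never sets AD. A name on Pi-hole's block list comes back as 0.0.0.0 and :: rather than NXDOMAIN, which is what is_sinkholed() tests, and the PTR check only succeeds once "Never forward reverse lookups for private IP ranges" is unticked so the in-addr.arpa query reaches unbound.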



  • @johnpoz wow thank you John. I understand it a lot better now I think!

    So if my dns from my ISP is going into pfsense to be resolved when a domain is asked of it, what happens to the dns they send? Is it just killed off, so to speak, and pfsense takes over?


  • LAYER 8 Global Moderator

    You mean if your isp dns hands out dns to pfsense.. It would be added to the pfsense dns listing.. And pfsense might ask them if unbound is not working for example.. Ie not running.

    Normally you should prob not let your isp dhcp hand you dns if you're going to be using the resolver.. There is little point to it, if your unbound is not working for some reason - you prob want to know about it!! DNS not working would be a really big clue to check that unbound is running and working ;)



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    You mean if your isp dns hands out dns to pfsense.. It would be added to the pfsense dns listing.. And pfsense might ask them if unbound is not working for example.. Ie not running.

    Normally you should prob not let your isp dhcp hand you dns if you're going to be using the resolver.. There is little point to it, if your unbound is not working for some reason - you prob want to know about it!! DNS not working would be a really big clue to check that unbound is running and working ;)

    Thanks again, just didn't want to run the dns Virgin provide, but from the sound of it that's not the case. Thank you again for the write up and help with pihole, seems to be running fine now, just wished it would show hostnames not ips but hey! It's all good, cheers


  • LAYER 8 Global Moderator

    It will show hostnames.. You just need to make sure the hostnames are listed in unbound either via dhcp reservations and registration, or host overrides, or just plain dhcp registration, and you need to allow it to forward the rfc1918 PTRs..

    Hostnames are found via PTR queries, out of the box pihole will not forward these - so you need to make sure that check box is checked, and unbound resolves them.



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    It will show hostnames.. You just need to make sure the hostnames are listed in unbound either via dhcp reservations and registration, or host overrides, or just plain dhcp registration, and you need to allow it to forward the rfc1918 PTRs..

    Hostnames are found via PTR queries, out of the box pihole will not forward these - so you need to make sure that check box is checked, and unbound resolves them.

    John, that makes close to zero sense to me mate, don't worry, I'll google and see what I can come up with, thanks again



  • @johnpoz Long time no see John, and hopefully I'm now not as dumb as I was back then. But time will tell.

    I'm just setting all this up again after moving and starting over with new gear, and I can't seem to get PiHole to work with the settings I have.
    If you have time will you just read over these to see how it looks please.

    System > General Setup: I have no dns names added and nothing checked
    Services > DHCP Server > LAN: I have the DNS servers as 10.0.0.222 (which is Pihole)
    Services > DNS Resolver > General Settings: nothing is checked other than Enable

    On pihole dns page I have the dns server pointing to Pfsense (10.0.0.1) and Never forward non-FQDNs is the only thing Checked.

    Many Thanks


  • LAYER 8 Global Moderator

    What is not working? Your PTR lookups?

    If you query the pfsense IP directly.. (10.0.0.1) does it resolve what you're looking for - ie say google.com?

    From any box on your network do a dig or nslookup using pfsense IP 10.0.0.1.. Does this work?

    My pfsense IP is 192.168.9.253, so here are examples.

    $ dig @192.168.9.253 www.google.com                                     
                                                                            
    ; <<>> DiG 9.16.1 <<>> @192.168.9.253 www.google.com                    
    ; (1 server found)                                                      
    ;; global options: +cmd                                                 
    ;; Got answer:                                                          
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2153                
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1    
                                                                            
    ;; OPT PSEUDOSECTION:                                                   
    ; EDNS: version: 0, flags:; udp: 4096                                   
    ;; QUESTION SECTION:                                                    
    ;www.google.com.                        IN      A                       
                                                                            
    ;; ANSWER SECTION:                                                      
    www.google.com.         3238    IN      A       172.217.4.228           
                                                                            
    ;; Query time: 0 msec                                                   
    ;; SERVER: 192.168.9.253#53(192.168.9.253)                              
    ;; WHEN: Tue May 05 08:57:11 Central Daylight Time 2020                 
    ;; MSG SIZE  rcvd: 59                                                   
                                                                            
    

    Here is same command using nslookup

    $ nslookup www.google.com 192.168.9.253       
    Server:  sg4860.local.lan                     
    Address:  192.168.9.253                       
                                                  
    Non-authoritative answer:                     
    Name:    www.google.com                       
    Addresses:  2607:f8b0:4009:801::2004          
              172.217.4.228                       
    


  • @johnpoz Sorry didn't really say did I :/

    Pihole shows nothing, zero queries, it's like nothing is sent there.

    nslookup www.google.com 10.0.0.1
    Server:  pfSense.localdomain
    Address:  10.0.0.1
    
    Non-authoritative answer:
    Name:    www.google.com
    Addresses:  2a00:1450:4009:81b::2004
              216.58.210.228
    

    The dig command didn't work on Windows


  • LAYER 8 Global Moderator

    dig is something you would have to add ;) It's not part of windows.. But it's a great dns troubleshooting tool, you can install it with the free bind software from isc, just install the tools if you want to play with it.

    Ok so your pfsense is resolving. So does pihole not resolve?

    If you use pihole?

    My box is set to use pihole normally, so simple nslookup returns that it used pihole.. 192.168.3.10 in my network

    $ nslookup www.google.com
    Server:  pi-hole.local.lan
    Address:  192.168.3.10
    
    Non-authoritative answer:
    Name:    www.google.com
    Addresses:  2607:f8b0:4009:801::2004
              172.217.4.228
    


  • @johnpoz Well I thought setting the pihole IP on the dhcp server would get rid of ads shown on sites and block malware etc...

    nslookup www.google.com 10.0.0.222
    Server:  14619edbadac
    Address:  10.0.0.222
    
    Non-authoritative answer:
    Name:    www.google.com
    Addresses:  2a00:1450:4009:81b::2004
              216.58.210.228
    

    Hmm, after I ran that pihole showed queries, guess it is working? Just thought there would have been a lot more queries shown from all the sites the family use.

    I'll check those tools out, thanks.

    A bit off topic here and pihole related, do you know John if there is a way to show hostnames on pihole which are sent via pfsense?
    Was reading this post about it


  • LAYER 8 Global Moderator

    why is your pihole coming back with 14619edbadac as a name??? WTF?

    Well try doing a query for something that is blocked? Say doubleclick.net, should be on pretty much any blocklists you're using

    $ nslookup doubleclick.net
    Server:  pi-hole.local.lan
    Address:  192.168.3.10
    
    Name:    doubleclick.net
    Addresses:  ::
              0.0.0.0
    

    Are you seeing queries from all your devices - just because you changed your dhcp to point to pihole, doesn't mean that the clients got the new info yet. They will only get that once they renew their lease, etc.

    Also what block lists are you using? If you validate pihole blocks stuff that should be blocked then it's working. It's possible your clients' browsers are using their own dns as well, freaking doh nonsense - and not using your local dns.

    Also your machines and browsers will cache for the length of the ttl of the records... So if they looked up something.shouldbeblock.tld and cached it before you put in pihole, they would just use their cache vs asking pihole for the ip..

    Also possible your clients are using ipv6 for their dns, and not pointing to pihole - and using ipv6 vs ipv4 to look up stuff
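The troubleshooting list in the post above (clients still on an old lease, browsers doing their own DoH, IPv6 DNS, cached answers) can be turned into a quick detection step: compare the clients the pfSense DHCP server has leases for against the clients that actually show up in Pi-hole's query log. The script below is an added example, not code from the thread or from Pi-hole. It parses the dnsmasq-style "query[TYPE] name from client" lines that Pi-hole's FTL writes to its log (traditionally /var/log/pihole.log); the log lines, lease table and hostnames below are constructed for the demo and are assumptions, not data from the thread.

```python
"""Spot LAN clients that never reach Pi-hole (added example, not Pi-hole's code).
Reads dnsmasq-style query lines as written by Pi-hole's FTL and compares the clients
seen against the pfSense DHCP lease table. A leased client with zero queries is
resolving somewhere else: browser DoH, IPv6 DNS, a stale lease or cached answers."""
import re
from collections import Counter

QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)"
)

# Constructed sample in the format of /var/log/pihole.log; only query[...] lines count.
SAMPLE_LOG = """\
May  5 15:30:01 dnsmasq[1234]: query[A] www.google.com from 10.0.0.16
May  5 15:30:01 dnsmasq[1234]: forwarded www.google.com to 10.0.0.1
May  5 15:30:01 dnsmasq[1234]: reply www.google.com is 216.58.210.228
May  5 15:30:02 dnsmasq[1234]: query[AAAA] www.google.com from 10.0.0.16
May  5 15:30:05 dnsmasq[1234]: query[A] doubleclick.net from 10.0.0.68
May  5 15:30:07 dnsmasq[1234]: query[PTR] 1.0.0.10.in-addr.arpa from 10.0.0.12
May  5 15:30:09 dnsmasq[1234]: query[A] example.org from 10.0.0.68
"""

# Constructed: IP -> hostname as the pfSense DHCP lease table (Status > DHCP Leases) would show it.
DHCP_CLIENTS = {
    "10.0.0.12": "nas",
    "10.0.0.13": "smart-tv",
    "10.0.0.16": "laptop",
    "10.0.0.68": "phone",
}


def parse_queries(log_text):
    """One dict per query line; forwarded/reply/cached lines are ignored."""
    records = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def queries_per_client(records, names=None):
    """Queries per client, labelled 'ip (hostname)' when the lease table knows the name."""
    names = names or {}
    counts = Counter(r["client"] for r in records)
    return {f"{ip} ({names[ip]})" if ip in names else ip: n for ip, n in counts.items()}


def silent_clients(records, dhcp_clients):
    """Leased clients that never asked Pi-hole anything, sorted for stable output."""
    seen = {r["client"] for r in records}
    return sorted(ip for ip in dhcp_clients if ip not in seen)


def report(log_text=SAMPLE_LOG, dhcp_clients=DHCP_CLIENTS):
    records = parse_queries(log_text)
    counts = queries_per_client(records, dhcp_clients)
    for client, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{client:28} {n:4}")
    for ip in silent_clients(records, dhcp_clients):
        print(f"never seen: {ip} ({dhcp_clients[ip]}) - check for DoH, IPv6 DNS or a stale lease")


if __name__ == "__main__":
    report()
```

On a real install, feed report() the contents of the Pi-hole log and a dict built from the pfSense lease table; the per-client table is the same view the Pi-hole dashboard shows, with hostnames filled in from DHCP instead of from PTR lookups, and the "never seen" list is the set of devices worth inspecting for a hard-coded resolver, DoH or an IPv6 DNS server that does not point at Pi-hole.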



  • @johnpoz Could be because it's in a docker! Sorry, forgot to say that! I'm running OMV and pi hole is in docker

    nslookup doubleclick.net
    Server:  14619edbadac
    Address:  10.0.0.222
    
    Name:    doubleclick.net
    Addresses:  ::
              0.0.0.0
    

    Looks good?


  • LAYER 8 Global Moderator

    See my edit about your clients maybe using ipv6 for dns vs ipv4 that points to pihole.

    even if in a docker, your 10.0.0.222 should resolve to something valid, you would set that.




  • @johnpoz Okay, ipv6 is off and my ISP doesn't use it.

    I meant the weird name for the server it looks like a docker name lol

    Client       Requests
    10.0.0.16    65
    10.0.0.68    62
    10.0.0.12    54
    10.0.0.15    24
    10.0.0.14    23
    10.0.0.13     9
    10.0.0.11     9
    
    

    Seems to be working now just wish it would show the hostname not the IPs



  • Yeah, she's working John, thanks again. Seems my setting was correct for once.

    Do you use the Conditional Forwarding option in Pihole John? If so, how do you use it? I put the IP and pfsense host name in there but it's still not showing the hostnames.


  • LAYER 8 Global Moderator

    @Mike34 said in pihole on unraid not blocking ads with pfsense:

    Conditional Forwarding option in Pihole John? If so, how do you use it? I put the IP and pfsense host name in there but it's still not showing the hostnames.

    I don't use it.. pihole sends everything to pfsense. I maintain all hosts in pfsense.

