Forward original hostname to pihole when blocking rogue DNS queries
-
I am using pi-hole for DNS resolution/blocking and unbound on pfsense as the upstream resolver for pi-hole. pfsense has also been set up to block all "rogue" DNS queries and forward them to pi-hole. Everything is working as expected; however, when pi-hole receives the query for a rogue host (routed through pfsense), the originating hostname is lost as the query is reported as coming from my pfsense box.
I am looking for a way to preserve the original (offending) hostname to be passed through to pi-hole.
Doable?
-
You can if the pihole is on a different vlan than your device doing the query.. Went over this recently I do believe - let me see if I can dig up the thread.
-
I don't have any vlans set up in pfSense and am running an unmanaged switch. Still recommend the vlan route?
-
So its a bit of a long thread... But went into some detail on why this happens, etc.
https://forum.netgate.com/topic/139457/transparently-intercept-and-redirect-dns-traffic-to-an-internal-dns
If you want to see the clients IP in pihole.. And you want to intercept traffic and send it on to pihole.. You really need to have the pihole on a different network than the client doing the query..
How you get the internal dns on a different network than the client is up to you.. Vlans yes would be the simple easy way to do it.. But you could also do physical separation if your pfsense has another nic you could use and a different switch or just plug the dns server into the port on pfsense, if its going to be the only thing on this other network.
I really don't get why someone would make the leap to something like pfsense vs soho stuff, and not have a smart switch.. You can get a vlan capable 8 port get switch for like $40.. Personally they shouldn't even sell dumb switches any more.. If the user wants to just use them as dumb - they can do that ;) There is really little reason to buy a dumb switch these days other than saving a couple of dollars... What a 8 port gig dumb is like 20-30, you can get a smart gig switch for like 40..
-
Thanks @johnpoz. I had looked at that thread and your comments and was hoping for an alternative to the vlan option as I don't have a managed switch and the switch sits between pfsense and other devices on the local network.
-
Get a smart switch... Not like going to break the bank at 40$ ;)
Here you go $37
https://www.amazon.com/D-Link-EasySmart-Gigabit-Ethernet-DGS-1100-08/dp/B008ABLU2I5 port for 32$
Keep in mind as long as you put the smart switch between pfsense and your dumb switch you can do vlans on the smart switch... your other devices on your dumb switch would just need to all be in 1 vlan..
While you could do it the other way where the dumb switch is upstream of your vlan.. And the dumb will pass along the tags.. Its not a secure way to do vlans..
-
I guess I'm going shopping.
-
Just do yourself a favor and stay away from the tplink switches... Whole thing that went on for 2 years or so them not actually understanding how vlans are suppose to work, and didn't allow you to remove vlan 1 from ports you wanted to put in a different vlan.. While they suppose to have fixed it in their later models and firmware.. I would just get some other brand - the netgear and dlink ones work.. I have both of those low end models never saw any problems with them actually isolating vlans.
If your budget is higher than cheapest you can do this, there there are some much better switches you could get ;) If you have like 200 to spend - yeah some really nice switches ;)
