Redirect Hardcoded DNS devices
-
Hello everyone,
I've been running into this problem for a couple of days now but I couldn't figured it out and hope if someone can guide me to the right direction.
I'm following this article to redirect all traffic to pi hole and after filtered by pihole it will then distributed to the client.
I were able to get it set up and forced pfsense to provide my clients with pi hole dns address. However, I'm trying to block all traffic that hardcoded devices i.e. amazon stick, google mini home etc. and redirected them to my pi since no matter how pfsense try it cannot make those devices connect to my pi's address.
I've tried many combination and also the guide from netgate to redirect all traffic to the pi before the dns resolve but somehow ad still go through.
I hope if anyone can shed some light for me.
The example I uses are in these articles. I've tried them both but ad still leak through when i set my pc to cloudfare dns or google.
-
@bohaman Are these devices on another network? You can redirect ALL DNS on an interface to a specific IP address with this recipe: https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
What you can't do with these is block DoH or DNSoverTLS. But you can track the traffic used by each device (logs, states, or a straight pcap) to see where it's going and kill it... but that's a lot of work.
-
@rcoleman-netgate Hello,
Thank you so much for answering. After reading your comment, I searched more about the topics and I think it is exactly what you are talking about.
Without custom DNS server, my pfsense give out DNS server IP as my Pi's IP and all of my devices connect to pfsense got adblock and everything worked really well. However, on my desktop when I tried to change my DNS server to 1.1.1.1 ad started to leak in. There were no traffic sent to my pi. I've tried to add the same redirected for DNS/TLS port and HTTPS as well but I think my browswer couldn't recognize the traffic. Because my desktop can ping google.com, but when I tried to access using webbrowser it couldn't resolve.
I've tried again using my Macbook. HOwever, even when I changed my DNS server to 1.1.1.1 ad is still blocked by pihole. that just confirmed that my set up is correct and it just my desktop using DNS over the HTTPS port and I don't think pihole knows how to filter it out.
May I ask if pfsense adblock able to prevent add like this from public DNS/ hard code devices DNS?
Thank you for your time. I'm really new to this and there are so many things to learn.
-
@bohaman pfBlockerNG can block some of the ad networks if you configure it for it but it won't stop DoH or DNS over TLS. That requires something that would act as a MITM.
-
@rcoleman-netgate
hey there, you got me confused: should a reject rule for port 853 not be enough to stop DoT (at least for those devices using standard dot port)? -
@the-other yeah block rule for 853 would stop dot, but most devices don't use dot they use doh. Doh hides itself in normal looking 443 (https) traffic. So you need a list of known doh servers be it fqdn or IP or both.. I block both.. and log what IPs try to hit the rules..
I believe pfblocker has a built in list that has well known doh servers.
-
@johnpoz thanx for clarifying! I knew that DoH is a b... to go around, yeah there is a blocklist for pfblocker, but it is another race one must enter.
I was just confused, cause it was mentioned above, that mitm was need for DoT as well...
:) -
@the-other yeah its going to be a never ending game of wack-a-mole for sure..
Keep in mind I have heard of doh using other ports as well 5053, 453 as examples.
-
@johnpoz haven't heard of that...thanks again! Another race to enter...*sigh
-
@johnpoz said in Redirect Hardcoded DNS devices:
Keep in mind I have heard of doh using other ports as well 5053, 453 as examples.
Wuuutttt
-
https://github.com/oneoffdallas/dohservers/blob/master/iplist.txt
dnscrypt.ca is using Port 453 for DoH (instead of 443)
https://www.speedguide.net/port.php?port=5053
5053 tcp rlm DNS over HTTPS (used by Cloudflared)I think this is some proxy/relay sort of thing running on pi-hole.. But that they are using other ports other than 443 just points other ways to circumvent blocking it, etc..
its a never ending game of wack-a-mole..
-
-
@bohaman re: pfBlockerNG-devel, I usually use Alias Native and create my own aliases, so I use the DOH/Great Wall feed and have rules like this that block any port, to listed IPs:
-
@steveits you actually allow doh? Really? I would never in a million years allow that on purpose.. I don't care the device, if some device required doh - I wouldn't be using that device.
My take on doh is its yet another loss of control that the big players are tricking the end users into thinking they have their best interests -- which is utter and complete BS!!
-
@johnpoz said in Redirect Hardcoded DNS devices:
if some device required doh - I wouldn't be using that device.
It is my Dish (satellite) DVR. :) Not the part that downloads guide and software updates, but the "on demand" movie channels (which is basically an app) use only DoH not DNS. If it's blocked, no movies. ¯\(ツ)/¯
Edit: the ICMP is so I don't think my Internet is down if I ping 8.8.4.4.
-
@steveits really? That blows.. Have you thought of cutting the sat connection? I have been directv for years and years and years. And i am so ready to get rid of it - but wife is hard to convince - she knows how to use it, and she loves being able to record 8 different things at the same time..
And this is the last year for sunday ticket on directv, so next year -- I might be able to just get rid of it? Fingers crossed..