forcing dns to pihole
-
The bad news : You need a firewall.
The good news : pfSense is a firewall !So, add at the top a firewall rule on the LAN interface 192.168.80.0/24 that passes DNS traffic (destination port 53, TCP and UDP) to 30.30.30.2
After this pass rule, add a second, block rule : it should block "from any" and "to any" port 53 traffic, using TCP or UDP.Now, everybody can contact 30.30.30.2, but can't contact 8.8.8.8 or 1.1.1.1 or even the pfSense resolver on 192.168.80.1 using destination port 53 (dono if that's good or bad, check this)
-
A long time ago I forced all DNS requests go to PiHole. This link is how I did it. I believe this will answer your question.
https://forum.netgate.com/topic/156453/pfsense-dns-redirect-to-local-dns-server?_=1663853296484
-
@publictoiletbowl said in forcing dns to pihole:
pihole in different vlan 30.30.30.2
Where did you come up with that IP scheme?
30/8 is a DoD public network - why would you be using that on your local network?
It is bad practice to just pick random public IP space and use it internally, I would highly suggest you stick to the rfc1918 space.
You can either block access to unwanted dns, or you can redirect it. I personally prefer blocking.. Or your just as bad as the isps doing dns interception..
-
@johnpoz said in forcing dns to pihole:
Or your just as bad as the isps doing dns interception..
Maybe. Different motive.
-
@andyrh said in forcing dns to pihole:
Different motive.
Is it? They don't want client using some other dns, so they can keep tabs, get info, change records. Optimize their network flow, so that traffic stays internal and lets their users share a cache vs every single user all talking to 8.8.8.8 asking for www.whateverdomain.tld
How as that really any different than redirecting to your pihole. You have now everything logged, you can alter what is returned for some fqdn, you can block stuff you don't want too ;)
Just because a isp is redirecting doesn't mean they are getting some monetary gain, while that might be true..
While redirection in a home setup can be quite useful sure.. If something has 8.8.8.8 for example hard coded and uses that to validate it has internet, and you don't want it talking to 8.8.8.8 a redirection can let it think its talking to 8.8.8.8 so it knows it has internet.
Do you make sure you tell all your guests or users of your network that their dns is being redirected? ;) if not how is that different than the isps doing it hehehe
I much rather just blocking outside dns.. Its cleaner, is more up front, etc. Not saying I don't use redirection, but I use it a limited fashion, only for the the bs iot devices that keep hammering checking 8.8.8.8 every 2 seconds if they don't get an answer ;)
-
@johnpoz It is a little off subject of the original post, but a good question.
I do tell people they will be forced through PiHole.
I do it to prevent a rouge DNS from being used, the kids have caught bugs before.
I do it to prevent Roku from reporting usage.
I do it to reduce the bad sites things in my house can go to. (I also block IPs with pfSense)
I do it so I can track where the kids go if I need it. Nothing like bringing out a log and asking "Why did you go here?"If you come to my house you now know what you get.
-
@johnpoz was questioning the usage of :
@johnpoz said in forcing dns to pihole:
pihole in different vlan 30.30.30.2
Not pihole, but 30.30.30.2 which is most probably an IP you are not 'allowed' to use, as it is sold to some one else.
This can create routing issues.Btw : I was thinking : "Nice, that changes from x.x.x.x or a.b.c.d as people are hiding their RFC1918 these days."
For your "I do" list : most of us do exactly the same thing, I guess ( I do too ^^)
-
@andyrh yeah a bit off topic ;)
But all good info on what others are doing. I run pihole myself, the eye candy is nice - and its very nice to see where iot devices are trying to go.. And sure the adblocking a huge plus, etc.
I just hand out pihole is all, and normally block other dns, especially doh.. I wouldn't have a problem with doh if it was user initiated, and agreed too. What rubs me the wrong way with it is applications and browsers adopting it on their own, without confirmation that is what the user is wanting to do..
If dhcp hands you 1.2.3.4 as your dns - that is what you should use.. I wouldn't have so much of a problem with fallback, if dhcp didn't hand you a dns for some reason, or that dns didn't answer.. But these devices that insist on trying to ask 8.8.8.8 drive me nuts ;)
-
@gertjan said in forcing dns to pihole:
not 'allowed' to use
There is no IP police that will knock on your door and say hey, you can't use that IP range its owned by X.
But sure it can cause issues, what if you really wanted to go to some 30.x address on the public - highly unlikely sure, this is mostly the reason I believe people choose dod networks.. Its highly unlikely they will ever need to actually talk to a IP in that range on the public internet.
Technically you can use any network you want internally, as long as you don't expect to be to actually get to the real network using that on the public internet.
But it is bad practice.. There is really no reason to use public networks internally - rfc1918 has enough space.. If you run into a issue with overlap with say vpn clients or the like - just use a odd rfc1918 space internally, not the default 192.168.0 and .1 networks ;) 172.29.42/24 for example ;) Is highly unlikely to overlap with some starbucks your at trying to vpn home ;)
-
@johnpoz hello sir actually just an example i quoted 30/8 but my ip actual settings belong to the rfc1918 standard i use 172.16.0.x for my pihole ip and at the moment its working i added rules from my office lan destination to pihole address, anyway thanks to you and someone input hearing about my concerns.
thanks