Redirecting Google Chromecast and other 'Bad-DNS' Clients to My Own DNS Server
-
I have blocked all DNS requests that do not use my own DNS server (Pi-Hole).
I've now learned that Chromecast and other devices are crap and will not be told their DNS server.....
Can someone advise how I can direct these queries to my own DNS server? I have found other posts on this topic but they're old and the links/images are no longer working.
Thanks
-
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html#redirecting-client-dns-requests
While it's simple enough to redirect normal DNS over 53.. You run into a problem trying to redirect DoH for example.. For starters it's on 443, and even if you listed specific DoH server IPs to redirect... You still have the issue that your cert wouldn't match where they are trying to go.. say Google DNS via DoH.. So the client should say hey wait this isn't the server I wanted to talk to.. Now the client might be stupid and not doing that check, but that is supposed to be one of the advantages of say DoH and DoT, is you're sure who you're talking to for DNS..
-
@johnpoz Will redirecting 53 not be sufficient for Chromecast etc? Do they require DoH?
-
@MikhailCompo I have not used a Chromecast in years.. But it would be fair to assume they might be trying to do DoH.. But if they are just using normal DNS it's simple enough to redirect them.. If you blocked other DNS and they are not complaining - I would take it they are either using who you assigned to them via static or DHCP.. Or they are using DoH.. Which is hard enough to block, let alone trying to redirect..
-
@johnpoz said in Redirecting Google Chromecast and other 'Bad-DNS' Clients to My Own DNS Server:
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html#redirecting-client-dns-requests
Following this guide breaks DNS, after adding the rule all DNS queries are blocked. Did I create the rule incorrectly?
-
@MikhailCompo Following the redirect guide from Johnpoz only works if your DNS is running locally on pfSense. You have a Pi-hole running, and if you attempt to NAT forward to that IP instead, it will only work if the Pi-hole is on a different interface than the requesting client.
If they are on the same interface you have to e.g. set up the DNS forwarder in pfSense and have it forward to your Pi-hole. Then Johnpoz's posted guide will work once again.
-
@MikhailCompo said in Redirecting Google Chromecast and other 'Bad-DNS' Clients to My Own DNS Server:
Following this guide break
Well for starters you're not following the guide, the guide clearly shows redirecting to 127.0.0.1.. There are many a thread here going over trying to redirect traffic to some other IP on the same network as the client.. This will create asymmetrical flow, and the client will normally balk at getting an answer from an IP that is clearly not who he sent the traffic to.
-
@johnpoz said in Redirecting Google Chromecast and other 'Bad-DNS' Clients to My Own DNS Server:
@MikhailCompo said in Redirecting Google Chromecast and other 'Bad-DNS' Clients to My Own DNS Server:
Following this guide break
Well for starters you're not following the guide, the guide clearly shows redirecting to 127.0.0.1.. There are many a thread here going over trying to redirect traffic to some other IP on the same network as the client.. This will create asymmetrical flow, and the client will normally balk at getting an answer from an IP that is clearly not who he sent the traffic to.
If I had configured 127.0.0.1 as the guide says, would it have worked for me or would my DNS be broken?
-
@MikhailCompo 127.0.0.1 will work if Unbound is working.. Here is one of the many threads where this has been discussed
-
Might want to look at incorporating DoH blocklists into your Pi.
https://www.reddit.com/r/pihole/comments/lhkwta/doh_url_blocklist/?rdt=59763
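As an added example (not code from any poster or from pfSense), the following script sorts a firewall log by client into "plain DNS to a foreign server" (which the port-53 redirect rule in the linked guide can handle) and "DoT on 853" (which a port-53 redirect never sees and can only be blocked). The log lines are constructed, the field layout is assumed to follow the pfSense filterlog CSV format, and the local resolver addresses are assumptions:

```python
import csv
from collections import defaultdict

# Constructed sample lines in pfSense filterlog CSV style (assumed layout:
# rule fields, IPv4 header fields, src/dst address, then src/dst port).
SAMPLE_LOG = """\
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,60,192.168.1.50,8.8.8.8,50123,53,40
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,60,192.168.1.50,8.8.4.4,50124,53,40
7,,,1000000105,igb1,match,pass,in,4,0x0,,64,0,0,DF,17,udp,60,192.168.1.20,192.168.1.2,41000,53,40
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.51,1.1.1.1,51000,853,0,S,1,,65535,,mss
"""

LOCAL_DNS = {"192.168.1.2", "127.0.0.1"}   # Pi-hole and pfSense resolver (assumed)
DNS_PORTS = {53: "dns", 853: "dot"}         # plain DNS vs DNS-over-TLS


def parse_filterlog(text):
    """Return IPv4 UDP/TCP records as dicts; other lines are skipped."""
    rows = []
    for rec in csv.reader(text.splitlines()):
        if len(rec) < 23 or rec[8] != "4":
            continue
        proto = rec[16]
        if proto not in ("udp", "tcp"):
            continue
        rows.append({"action": rec[6], "proto": proto, "src": rec[18],
                     "dst": rec[19], "dport": int(rec[21])})
    return rows


def dns_bypass_report(text):
    """Per client, list foreign DNS targets by kind. Plain-53 targets are
    what a NAT redirect to the local resolver catches; DoT targets are not."""
    report = defaultdict(lambda: {"dns": set(), "dot": set()})
    for r in parse_filterlog(text):
        kind = DNS_PORTS.get(r["dport"])
        if kind is None or r["dst"] in LOCAL_DNS:
            continue  # not DNS, or already going to the resolver we want
        report[r["src"]][kind].add(r["dst"])
    return {src: {k: sorted(v) for k, v in kinds.items()}
            for src, kinds in report.items()}


if __name__ == "__main__":
    for client, kinds in dns_bypass_report(SAMPLE_LOG).items():
        print(client, "plain DNS ->", kinds["dns"], "| DoT ->", kinds["dot"])
```

Clients that show up only under plain DNS are candidates for the redirect rule; anything under DoT (or DoH on 443) has to be handled by blocking, as johnpoz describes.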