Redirected all DNS to pihole using pfSense. Pihole still showing some hosts as not using the DNS ?
-
@viragomann I can see that mostly all DNS is going through the pihole so dunno why it is showing as those not going through the DNS ?
-
@abesh Pi-hole will highlight devices not using it in red. I don't see any red entries on that first screenshot. Brown simply means that device has not had a query for over 24 hours. Did you see the legend at the bottom of that page which explains this? It could mean that a device has been turned off or not going out to the web, or it could mean that the device only contacts a specific server and it queried it at one point and then stored it in its local DNS cache. The devices could also be using DoH or DoT which your port 53 rules on the NAT will not catch.
You can keep the pfsense DNS settings at their default. You don't have to put it in forwarding mode. I would put that back the way it was. It is best to let pfsense do the queries to the root servers directly. Leave DNS servers as 127.0.0.1 and ::1. Then you have to set Pi-hole to use pfsense as the DNS server. Then in the DHCP settings of pfsense, make sure you enter the Pi-hole address as the DNS server so that any client that get an IP will be using Pi-hole unless they have their own settings which must manually be changed.
-
@Raffi_ Thanks a lot for the explanation of the Brown entries. That makes a lot of sense.
Actually I run unbound locally on pihole and use that. That's why the DNS resolver is in FW only mode. -
@abesh Oh I see. I never tried running unbound on Pi-hole. So you're doing the reverse of what I suggested? Which device is acting as your DHCP server? pfsense or Pi-hole? Is the DHCP server pushing the Pi-hole or pfsense IP for DNS?
-
@Raffi_ So pfSense is the DHCP server and it hands out the pihole's address as the DNS server. The pfSense DNS resolver is configured to forward queries to pihole only. I need the pfSense DNS to resolve local names. Since pihole is not the DHCP server only IPs show up in pihole logs instead of hostnames if I don't do it this way. Pihole queries it's own unbound server at 127.0.0.1#5335 and responds back to the DNS queries.
-
@abesh Interesting sounds a little more round about. To be honest, I can't even see where to enable unbound on Pi-hole natively. Is that officially supported by the Pi-hole project? I'm curious because I must be missing that?
-
@Raffi_ The method is not much different than what I did.
https://forum.netgate.com/topic/156453/pfsense-dns-redirect-to-local-dns-server?_=1663853296484There are plenty of docs on how to install unbound on PiHole. I did it and it works well.
-
@Raffi_ Yup, officially supported by Pihole. Here's the documentation : https://docs.pi-hole.net/guides/dns/unbound/
-
@AndyRH Hey Andy ! Yes, thanks to you I could get this up and running :)
-
@abesh said in Redirected all DNS to pihole using pfSense. Pihole still showing some hosts as not using the DNS ?:
The pfSense DNS resolver is configured to forward queries to pihole only. I need the pfSense DNS to resolve local names.
The DNS Resolver on pfSense will never get a request, since you forward any to the pihole.
-
@viragomann Agree. Maybe I should turn off the resolver and see what happens ?
-
@abesh
You should rather redirect any traffic to pfSense. So it's treated by the DNS resolver and host overrides will take place, while other requests are forwarded to the pihole from the Resolver. -
@abesh Seems your setup is done correctly. Have you considered that the IP of those sessions might be hardcoded into the missing device?
Otherwise it is likely some unknown DNS over HTTPS server you are not blocking - or vendor specific nameresolution method - in play. -
@keyser That was my thought process as well. Seems like killing DoH is like playing whack-a-mole !!!
-
@abesh
Hardcoded DNS IP will be redirected anyway.
DoH can be an issue. You should consider to block DoH using pfBlockerNG. -
@viragomann Already blocking in pihole. But I have noticed a lot of these servers running on either cloudfront or google or amazon ec2 instances...
-
@abesh said in Redirected all DNS to pihole using pfSense. Pihole still showing some hosts as not using the DNS ?:
@Raffi_ Yup, officially supported by Pihole. Here's the documentation : https://docs.pi-hole.net/guides/dns/unbound/
Thanks for the tip. I learned something new. I figured it would be installed on the OS itself via apt. I just never thought about doing it that way since pfsense already had it out of the box. I may one day have to try this since I'm currently unable to run pfsense at my home setup.
-
@Raffi_ Hit me up if you decide to run this. I will share my optimized unbound config file with you :) You can just replace the existing unbound config and should be good to go :)
-
@abesh said in Redirected all DNS to pihole using pfSense. Pihole still showing some hosts as not using the DNS ?:
Already blocking in pihole.
DoH (https) will not go to the pihole. It will go straight to the default gateway, which is pfSense, I guess.
Edit:
So you block the resolution of DoH hosts on the pihole?
OK, but blocking it on pfSense would be more reliable, if a device goes to the IP directly. -
@viragomann It was hardcoded application IP endpoint I was reffering to - not hardcoded DNS. Aka: The APP on the device just contacts the IP directly - no DNS resolution beforehand.
DoH is a game of Whack a Mole - as is DoT even though most of them can be blocked by blocking port 853.
Unfortunately this is where everything is going (in the name of privacy - even though it is mostly used by vendors to make sure they have the revenue of selling your data rather than your ISP)