After update to core 141 no more dns forwarding to local pi-hole

I have the green forwad sign above but it does not direct the requests to me about TCP and UDP do not work

what should I write into tls name of the pi-hole?

if I set to udp I get a response timout error and if I set to tcp cant not resive replays from 192.168.1.16@53 tcp

I have configured my pi-hole according to these instructions Unfortunately still the same problem

https://bartonbytes.com/posts/configure-pi-hole-for-dns-over-tls/

see image

It works after a little messing around and reading the internet


I would suggest that you update DHCP (and all clients with a static IP) to use your Pihole as your primary DNS server. Then configure the Pihole to use IPFire as the downstream DNS server.

This has a few benefits over your current arrangement:

  1. The PiHole has an excellent interface for showing what is blocked from which client, unlike IPFire.
  2. The PiHole currently doesn’t support “DNS Security” or encrypted DNS queries. While IPFire does.

Another possibility would be to use the PiHole itself as DHCP and call it IPfire as DNS runs great here.

I have recently equipped the pihole with unbound and am happy about very, very fast answers regarding DNS. https://docs.pi-hole.net/guides/unbound/

In Ipfire you can set DNS’server according to the wiki

https://wiki.ipfire.org/dns/public-servers

Hey,

yes, you really do not want to use Pi-Hole. Especially not in front of IPFire.

The DNS stack in IPFire validates all DNS responses (it can) and makes sure that nobody spoofed them. Pi-Hole breaks this, their code quality is horrible you can achieve the whole thing a lot better by using the proxy and filter your stuff there.

1 Like

meanwhile it works exactly as before

there are several reasons why i use pi hole as dns

1 I have an active directory as the first dns the ip of the ad server must be set

ipfire is configured as dns forwarding in the active directory

2 the pi hole filters excellent advertising no comparison with the ipfire filter

3 I see every client via ntopng with ip and mac what kind of traffic caused it etc

from a security point of view, I see no problem

I think it has even increased in security since the requests are now sent via TLS

I have now changed my dns configuration and I think this is the safest way

the ipfire has dns server via tls and all clients first get the active directory dns, which then forwards to the internal ip of the pi-hole to filter the websites. The second dns in the dhcp of the ipfire is the ip of the pi-hole, so all traffic goes through it dns server the ipfire because the ipfire ip is configured in the pi-hole as upstream server

it runs perfectly

thus the pi-hole runs behind the ipfire and not in front of it

So I put my pihole as primary DNA in ipfire and secondary the ipfire. Furthermore my clinets have fixed IP addresses assigned by DHCP and in the pihole the ipfre is entered as DNS resolver. So the pihole still works and in case of failure I have the other DNS servers

1 Like

Blockquote So I put my pihole as primary DNA in ipfire and secondary the ipfire. Furthermore my clinets have fixed IP addresses assigned by DHCP and in the pihole the ipfre is entered as DNS resolver. So the pihole still works and in case of failure I have the other DNS servers

don’t put the pihole befor ipfire. Put it BEHIND.

Ipfire->pihole → clients. 3 Way’s:

1.use ipfire as DHCP ang put pihole’s ip in it.
2. use piholes own DHCP and ipfire for it’s DNS
3. use STatic ip’s put pihole and IPFire for Clients DNS or ipfire for pihole’s DNS

Yes I do it the same

my ipfire is DHCP server and in the DNS entry in the DHCP server is the pi hole and of course my active diretory server is entered which then forwards dike requests to the pi-hole

1 Like

I can confirm that now. pi-hole no longer shows dns names but only IP addresses but works otherwise

Have had this issue on numerous boxes after upgrade. For some reason the DNS service has an invalid config on startup. To check:-

For example:-
/etc/rc.d/init.d/unbound status
unbound is running with Process ID(s) 22297.

If its not running do a:-
/etc/rc.d/init.d/unbound restart
Stopping Unbound DNS Proxy… [ FAILED ]
Starting Unbound DNS Proxy… [ OK ]

Then go in and check the service is now running on your DNS settings.

I have not tried to reboot machine to see if it sticks.
Will check later when nobody is on.

HTH
Cheers
Joe.

My list work very good and dns load balancing is very good

Yes, we had one box that did work ok after upgrade. This also was a box that had ISP defined DNS servers. So maybe something to do with that.

To me, the whole DNS resolution in core 141 fails.

I logged my error in this post

Anyway,
If your Pi-hole does not work, you can use a script in IPFire that collects multiple DNS block lists and add them to IPFire unbound block list → same logic as Pi does.

Here is one article about this script

Yeah, ISP DNS servers are really bad sometimes.