Pi-Hole and IPFire, which way round?

As mentioned here, Pi-Hole does:

“Verify DNSSEC signatures, discarding BOGUS domains”

Hi,

It filters DNS records. That is not possible with DNSSEC.

I understand that. That’s why it can only verify them.

Anyway, to contribute to the question asked, I use Pi-Hole behind my Firewall that has transparent proxy enabled with no problems.

Thanks for all the responses guys.

@nik7 I don’t have problems with transparent, but IP Fire proxy content filtering does not work for Android devices, as they do not pick up the WPAD settings, and I don’t want to go around configuring each device (especially guests).

Ok - I thought that pi-hole didn’t work at all.
Now your situation is more clear to me.

Although I might sound really anti pi-hole all the time (and which I am for many reasons) I would like to say that I generally agree with this functionality and that IPFire should provide something similar too.

It is just quite difficult with DNS and maybe a solution could be to strengthen the web proxy feature. There could be a couple of options…


I'll only be using pihole as a monitor of what's going on really; the IP Fire content filter is a better way of managing blocks via categories. Who knows, I might end up ditching Pihole. Just trying various solutions to manage blocking all the crap :smile:

Michael Tremer (Nov '19) wrote:

Although I might sound really anti pi-hole all the time (and which I am for many reasons) I would like to say that I generally agree with this functionality and that IPFire should provide something similar too.

It is just quite difficult with DNS and maybe a solution could be to strengthen the web proxy feature. There could be a couple of options…

I’m interested.
Ipfire the pi-hole buster. :smile:


Can you please go into more details, Michael? What is the risk (I don't really understand what can go wrong besides some software that does DNSSEC breaking)? And is there a better alternative that uses RPZ?

Yes, a little. I probably should write a longer article for the blog, but I don't want to sound too miserable about technology out there and constantly piss off other people who are working hard on their software projects.

The problem I see with Pi-Hole is that it is sitting somewhere in the middle of the network and is just catching DNS packets and, depending on a blacklist, won't forward the queries any more.

It acts as an authoritative name server on behalf of other domains. They deliberately send you a spoofed response and tell you that “some-porn-site.com” does not exist although it might exist. That is exactly the same method that an attacker would use to lead you to a faked website and not the one of your bank.

You don’t see that the DNSSEC validation process fails because no DNS resolver in a mobile or desktop operating system validates the signatures. But IPFire does. We at least make sure that the firewall has received a correct and valid, non-spoofed response. Transport over the local network might still be under control of an attacker, but that is a lot less likely.

When Pi-Hole sits in front of IPFire, it simply won’t forward any DNSSEC signatures to unbound, which then cannot validate a DNS response. It will instead send an NXDOMAIN response for domains that should be blocked. Those need to be signed, too, because otherwise an attacker could just filter DNS queries and not respond to them. Your browser will receive a different error code, which is SERVFAIL in case of the signature not being validated, but will unfortunately show you the same error page which says that the website “was not found”.

That is a huge problem and a “bug” in the browsers that Pi-Hole is taking advantage of. Hopefully operating systems will soon validate DNSSEC signatures and this will no longer work.

I think that the proper way is to use the proxy which will let the browser know that something has been filtered and present a proper error message that says exactly that to the user, too. This is not complicated to configure at all and complies with Internet RFCs.

Breaking DNS is a sensitive issue for me. There are many players who break it in one way or the other. Unfortunately DNS is becoming more and more important because we put more and more information into DNS records that are simply needed to run the Internet.

I want to be able to access the whole Internet - wherever I am.

And although I see the point of filtering porn websites in a school, there is a better way how to do that and breaking DNS isn’t it.

EDIT: I also had a look at pi-hole’s code and thank god I was sitting down…

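The NXDOMAIN-versus-SERVFAIL point in the post above, worked through on the wire. This is an added example in Python (standard library only), not Pi-hole or IPFire code: it constructs three replies to one A query that has the DO bit set and runs each through the presence check a validating resolver performs before it verifies any signature. The query name is the one from the post, the SOA values and the zeroed RRSIG/NSEC contents are constructed placeholders, the zone is assumed to be signed (a validator learns that from the DS chain), and no cryptography is performed; `validator_verdict` only shows which replies can never validate because the records that would carry a proof are absent.

```python
"""Added example (not Pi-hole/IPFire code): three constructed DNS replies to a
DO=1 query, classified the way a validating resolver does before it even
verifies a signature.  Assumes the zone is signed (learned from the DS chain);
RRSIG/NSEC contents are placeholder bytes, so no cryptography is checked."""
import struct

TYPE = {"A": 1, "SOA": 6, "OPT": 41, "RRSIG": 46, "NSEC": 47, "NSEC3": 50}
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3

def encode_name(name):
    """Dotted name -> length-prefixed labels, no compression."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rr(name, rtype, rdata, ttl=300):
    """NAME TYPE CLASS=IN TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", TYPE[rtype], 1, ttl, len(rdata)) + rdata

def build_message(qname, rcode, answers=(), authority=()):
    """Reply to an A query; the OPT record in the additional section carries DO=1."""
    flags = 0x8180 | rcode                       # QR, RD, RA; AD stays clear
    opt = b"\x00" + struct.pack("!HHIH", TYPE["OPT"], 4096, 0x8000, 0)  # DO bit lives in the TTL field
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE["A"], 1)
    return header + question + b"".join(answers) + b"".join(authority) + opt

def decode_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer, RFC 1035 section 4.1.4
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_message(msg):
    """Minimal parser: rcode plus (name, type, rdata) tuples per section."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, out = 12, {"rcode": flags & 0xF}
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                 # QTYPE + QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        out[section] = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            out[section].append((name, rtype, msg[off:off + rdlen]))
            off += rdlen
    return out

def validator_verdict(msg, zone_is_signed=True):
    """First gate of a validating resolver (as unbound on IPFire does, per the post)
    for a reply from a zone it knows is signed: are the records that could carry
    a proof present at all?  Returns (rcode handed to the client, reason).
    Actual signature verification would follow and is not implemented here."""
    parsed = parse_message(msg)
    if not zone_is_signed:
        return parsed["rcode"], "unsigned zone: nothing to validate"
    types = lambda section: {t for _, t, _ in parsed[section]}
    if parsed["rcode"] == RCODE_NXDOMAIN:
        auth = types("authority")
        if TYPE["RRSIG"] in auth and (TYPE["NSEC"] in auth or TYPE["NSEC3"] in auth):
            return RCODE_NXDOMAIN, "NXDOMAIN with NSEC/NSEC3 + RRSIG: verify, then relay"
        return RCODE_SERVFAIL, "NXDOMAIN without signed denial of existence: bogus"
    if parsed["answer"] and TYPE["RRSIG"] not in types("answer"):
        return RCODE_SERVFAIL, "answer records without RRSIG: bogus"
    return parsed["rcode"], "signed data present: verify, then relay"

QNAME = "some-porn-site.com."                   # name from the post; constructed traffic
PLACEHOLDER = b"\x00" * 16                      # stands in for real RRSIG/NSEC rdata
# 1. A filter in the path answering for a blocked name: bare NXDOMAIN, nothing signed.
SPOOFED_NXDOMAIN = build_message(QNAME, RCODE_NXDOMAIN)
# 2. Blocking by answering 0.0.0.0 (Pi-hole's default NULL mode): an A record, no RRSIG.
SPOOFED_NULL_A = build_message(QNAME, RCODE_NOERROR, answers=[rr(QNAME, "A", bytes(4))])
# 3. A signed authoritative server for a name that truly does not exist: NXDOMAIN plus
#    SOA and NSEC (owner = preceding name in canonical order), each with an RRSIG.
SOA_RDATA = encode_name("ns1.com.") + encode_name("hostmaster.com.") \
    + struct.pack("!IIIII", 1, 1800, 900, 604800, 86400)        # constructed values
SIGNED_NXDOMAIN = build_message(QNAME, RCODE_NXDOMAIN, authority=[
    rr("com.", "SOA", SOA_RDATA), rr("com.", "RRSIG", PLACEHOLDER),
    rr("some-porn-sit.com.", "NSEC", PLACEHOLDER), rr("some-porn-sit.com.", "RRSIG", PLACEHOLDER)])

if __name__ == "__main__":
    for label, reply in (("filter NXDOMAIN", SPOOFED_NXDOMAIN), ("filter 0.0.0.0", SPOOFED_NULL_A),
                         ("signed NXDOMAIN", SIGNED_NXDOMAIN)):
        code, why = validator_verdict(reply)
        print(f"{label:16}-> rcode {code}: {why}")
```

Running it prints SERVFAIL (rcode 2) for both filtered replies and NXDOMAIN (rcode 3) for the signed one. That is the asymmetry the post describes: a stub resolver that does not validate accepts the first reply as "not found", while a validating resolver in front of the client has nothing it can check and must fail the query instead. The same difference is visible on a real network with `dig +dnssec` against a blocked name: the filtered reply carries no NSEC/NSEC3 or RRSIG in its authority section, the genuine one does.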

Sorry for bringing this topic back.

What I am missing the most is the overview of what my network is doing. It would be really great if Ipfire could do that too.
And what's the best way to set up ad filtering for my network? There is this guide

https://www.kuketz-blog.de/hardware-und-netzwerkaufbau-ipfire-teil1/

but it's getting old and I don't know if this is still the best way to do it.

Hi,

Well, DNS filtering won’t help.

Force your clients to use IPFire’s proxy, and set up a URL filter. IPFire supports both out of the box; there is no need to tamper with DNS.

Thanks, and best regards,
Peter Müller


And can I do that? All I find is about the DNS proxy. Maybe we should start a new topic because it's getting off-topic.


Hi,

yes, you can. :slight_smile: Please RTFM:

I’d indeed suggest to start a new topic if there are any questions…

Thanks, and best regards,
Peter Müller

12 posts were split to a new topic: Protect users who get spammy phishing links in emails

I am neither an expert nor have I dealt with DNS. But the problem you describe seems to me to be the lesser of two evils. I see an incredible number of blocked trackers in Pi-hole. I don’t think Squid-Guard can replace that. Maybe I am wrong. There is also CNAME blocking etc. in pi-hole.
I have seen that there is Adguard Home as a plugin for OPNsense, which is comparable to Pi-Hole. OPNsense doesn’t seem to have these concerns.

There are add-ons for Firefox, like User profile of Antoine POPINEAU – Add-ons for Firefox (de).

This extension uses DoH, as I found out. Same for DNSSEC/DANE Validator, but you can specify a custom server.

And this is the reason why I get an OK despite Pi-Hole (even if advertising is filtered => www.web.de)?
“Green closed lock: Host is DNSSEC secured and, if present, DANE valid (DANE status is displayed in the popup including usage and issuer common name)”

My configuration (Pi-Hole is in the green zone):

# IPFire Domain Name System
DNS Servers: dns3.digitalcourage.de + dns1.digitale-gesellschaft.ch
DNS Configuration:
Protocol for DNS queries: TLS
QNAME Minimisation: Strict

# Pi-hole DNS configuration:
Upstream DNS Server: Custom 1 (IPv4) 192.168.1.1 (= IPFire DNS server)
Advanced DNS settings:

  • Never forward non-FQDNs

  • Never forward reverse lookups for private IP ranges

  • Use DNSSEC

  • Use Conditional Forwarding
    (“If not configured as your DHCP server, Pi-hole typically won’t be able to determine the names of devices on your local network. As a result, tables such as Top Clients will only show IP addresses.
    One solution for this is to configure Pi-hole to forward these requests to your DHCP server (most likely your router), but only for devices on your home network.”)

For my use case I am also in need to find a solution where I can setup pi-hole on my network and get all clients in both green and blue zones to use pi-hole as DNS server automatically (ie. set at router/firewall level). Obviously I do not want to have to setup each client for that.

I am a lot less concerned about not using DNSSEC.

I have had no problems with this for the last few years. I have been using pi-hole since it was first made available. The router's firmware I used made that a very easy thing to implement.

Should I not be able to do this with IPFire, I, regretfully, will have to go back to using my previous firmware or other firmware that would allow it.

Could anyone here point me in the right direction or tell me if that is not possible. Again, I am happy not to use DNSSEC but not happy not to use pi-hole. There is no way, as far as I can tell, to use IPFire in a similar way to pi-hole thereby obviating the need to use pi-hole.

Thanks in advance for any help, pointers or clear answer about whether this is possible.

The pi-hole community might be able to help more than the IPFire community:

Hello Jon,

Thanks for your advice.

In this case, the issue is not with pi-hole at all. It is working fine behind OpenWrt, OPNSense routers. I have been using it for many years.

The issue is to allow me to make a decision about which DNS server, and in which fashion (with or without DNSSEC), the IPFire router access DNS. It seems to be out of the hand of the admin of IPFire, sort of like baked into the software.

I did read the posts you pointed me to. Although they are not quite relevant to my use-case (as my current issue is not having 2 subnets to be using pi-hole).

Although the first post states that pi-hole works perfectly on the wired network, I suspect that is because of the use of managed switches. If not, I wish I knew how this was set up, as that is my first issue.

To satisfy using pi-hole on two different subnets/VLANs, which I will look at after I succeed in getting pi-hole to work on one subnet, I suspect it may be resolved by pinholing from one zone to another.

If it is the case that pi-hole cannot be used with IPFire, regretfully then, IPFire is not a valid solution for my use case and I will go back to OPNsense or OpenWRT.

Thanks again,

Michel