Pi-Hole and IPFire, which way round?

And can I do that? All I find is about the DNS Proxy. Maybe we should start a new topic because it's getting off-topic.


Hi,

yes, you can. Please RTFM:

I'd indeed suggest starting a new topic if there are any questions…

Thanks, and best regards,
Peter Müller


I am neither an expert nor have I dealt with DNS. But the problem you describe seems to me to be the lesser of two evils. I see an incredible number of blocked trackers in Pi-hole. I don’t think Squid-Guard can replace that. Maybe I am wrong. There is also CNAME blocking etc. in pi-hole.
I have seen that there is Adguard Home as a plugin for OPNsense, which is comparable to Pi-Hole. OPNsense doesn’t seem to have these concerns.

There are add-ons for Firefox, like those on the user profile of Antoine POPINEAU on Add-ons for Firefox (de).

This extension uses DoH, as I found out. Same for DNSSEC/DANE Validator, but you can specify a custom server.

And this is the reason why I get an OK despite Pi-Hole (even if advertising is filtered => www.web.de)?
“Green closed lock: Host is DNSSEC secured and, if present, DANE valid (DANE status is displayed in the popup including usage and issuer common name)”

My configuration (Pi-Hole is in the green zone):

# IPFire Domain Name System
DNS Servers: dns3.digitalcourage.de + dns1.digitale-gesellschaft.ch
DNS Configuration:
Protocol for DNS queries: TLS
QNAME Minimisation: Strict

# Pi-hole DNS configuration:
Upstream DNS Server: Custom 1 (IPv4) 192.168.1.1 (= IPFire DNS server)
Advanced DNS settings:

  • Never forward non-FQDNs

  • Never forward reverse lookups for private IP ranges

  • Use DNSSEC

  • Use Conditional Forwarding
    (“If not configured as your DHCP server, Pi-hole typically won’t be able to determine the names of devices on your local network. As a result, tables such as Top Clients will only show IP addresses.
    One solution for this is to configure Pi-hole to forward these requests to your DHCP server (most likely your router), but only for devices on your home network.”)

For my use case I also need to find a solution where I can set up pi-hole on my network and get all clients in both green and blue zones to use pi-hole as DNS server automatically (i.e. set at router/firewall level). Obviously I do not want to have to set up each client for that.

I am a lot less concerned about not using DNSSEC.

I have had no problems with this for the last few years. I have been using pi-hole since it was first made available. The router's firmware I used made that a very easy thing to implement.

Should I not be able to do this with IPFire, I, regretfully, will have to go back to using my previous firmware or other firmware that would allow it.

Could anyone here point me in the right direction or tell me if that is not possible? Again, I am happy not to use DNSSEC but not happy not to use pi-hole. There is no way, as far as I can tell, to use IPFire in a similar way to pi-hole, thereby obviating the need to use pi-hole.

Thanks in advance for any help, pointers or clear answer about whether this is possible.

The pi-hole community might be able to help more than the IPFire community:

Hello Jon,

Thanks for your advice.

In this case, the issue is not with pi-hole at all. It is working fine behind OpenWrt and OPNsense routers. I have been using it for many years.

The issue is to allow me to make a decision about which DNS server, and in which fashion (with or without DNSSEC), the IPFire router accesses DNS. It seems to be out of the hands of the admin of IPFire, sort of like baked into the software.

I did read the posts you pointed me to. Although they are not quite relevant to my use-case (as my current issue is not having 2 subnets to be using pi-hole).

Although the first post states that pi-hole works perfectly on the wired network, I suspect that is because of the use of managed switches. If not, I wish I knew how this was set up, as that is my first issue.

To satisfy using pi-hole on two different subnets/VLANs, which I will look at after I succeed in getting pi-hole to work on one subnet, I suspect it may be resolved by pinholing from one zone to another.

If it is the case that pi-hole cannot be used with IPFire, regretfully then, IPFire is not a valid solution for my use case and I will go back to OPNsense or OpenWRT.

Thanks again,

Michel

This is what I have. PiHole (DNS) is non-DNSSEC and IPFire (DNS) has DNSSEC enabled.

No managed switches. I am using a Netgear GS-116 Unmanaged Switch.

Get pi-hole to work as expected on the green network first.

I'm not sure I understand your issue besides all is OK with OPNsense or OpenWRT and doesn't work with IPFire.

I’ve never used these before so I don’t know why the difference.

I see what the misunderstanding is, I think.

I can get pi-hole to work, if each client points at pi-hole.

I would have thought that setting the DNS server in the DHCP to pi-hole would force each client connected to that sub-net to automatically be directed to pi-hole, which in turn gets its DNS from IPFire. That is not the case! Setting the Primary (and only) DNS server to point to pi-hole in the DHCP configuration seems to have no effect at all for any clients (which all have a static IP set on the DHCP server). They all go straight to the IPFire gateway unless they are all individually set to point to pi-hole.

OK, rebooting everything on the network seems to have fixed the problem.

So I can now use pi-hole on the green zone.

The next step is to use it on the blue zone as well. I can think of two possible ways of doing this:

  1. Make a pin-hole in the firewall from blue to green for port 53 and for the sub-net of the blue zone only, and change the Primary DNS for the blue zone to point to the IP address in the green zone.

  2. Since the green zone, by default, can connect to the blue zone, I put the pi-hole server in the blue zone and get the DNS config for the green zone to point to the pi-hole in the blue sub-net. No need for any pin-holes.

The second alternative seems the better one from a security viewpoint. But the question is, is this possible?

Note:

When reading through the Community posts you will see that PiHole is not recommended due to security issues. Since the pi-hole filters DNS records, DNSSEC is not possible from the client to the external DNS server (hope I explained this correctly).

I know you are not using DNSSEC but in my opinion you should.


The only way I was able to get everything to work with green AND blue zones was this:

https://discourse.pi-hole.net/t/dual-subnet-network-wired-wireless/46961

This is the same link I sent (above). Pi-hole has two-zone or two-subnet ability built into it. In my opinion you may be making this more difficult than you want.


Why don’t you use DNSSEC for Pi-Hole? It works.

"Use DNSSEC

Validate DNS replies and cache DNSSEC data. When forwarding DNS queries, Pi-hole requests the DNSSEC records needed to validate the replies. If a domain fails validation or the upstream does not support DNSSEC, this setting can cause issues resolving domains. Use an upstream DNS server which supports DNSSEC when activating DNSSEC. Note that the size of your log might increase significantly when enabling DNSSEC. A DNSSEC resolver test can be found here."

https://bilderupload.org/bild/234588729-bildschirmfoto-2021-10-02


On the security concerns of using Pi-Hole:
See above. Also, I had once tried to observe which sites use DNSSEC. I have barely found any.
On the other hand, between 15 and 20 percent of queries are blocked in Pi-Hole (currently 16.7%; 8 525 305 domains on blocklist). Among them will be many trackers that compromise privacy (especially on devices where the use of blockers is restricted).
Without Pi-Hole, those would go through for the most part.
Makes me wonder which is more insecure?

In addition, you can find articles and opinions on the net that DNSSEC has failed [1]. One site has even described DNSSEC as counterproductive [2]. Even though I don’t share this opinion at the moment, I wonder if the right balance is being made here.

SquidGuard I would probably use (where possible). The problem seems to be that there are not many good blacklists for it. I have seen there are scripts to convert typical lists so that Squid understands them. That seems to me to involve a lot of tinkering though. And the scripts probably don't always work or break. If I find time, I'll take a look at it.

That was my impression after some quick research.

[1] Golem.de: IT-News für Profis
[2] 14 DNS Nerds Don't Control The Internet — Quarrelsome

I have described my Pi-Hole configuration above.
I use the DHCP server from IPFire. In the DHCP configuration I have entered the IP address of the Pi-Hole under Primary DNS. This works and the clients automatically use Pi-Hole.

Please report.

I’ve tried it but it did not work for me when PiHole Upstream DNS Servers was pointed to the IPFire DNS server. I’ll try again in the future and report back.

Hello Stefan,

Yes, that is what I have done as well and it all started to work as expected, but some devices needed a reboot, that is all.

I will report when I have tried to put pi-hole in blue and access it from green and blue.

There is also AdGuard Home as an alternative. AdGuard Home supports OOTB “Running as a DNS-over-HTTPS or DNS-over-TLS server” [1].
“Both can be configured to use any DNS resolver you wish – though AdGuard Home also offers the ability to use DNS-over-TLS and DNS-over-HTTPS for the upstream.” [3]

I have not tried it myself yet.

[1] https://github.com/AdguardTeam/AdGuardHome/wiki/Comparison
[2] Ad-Blocking with DietPi: Pi-hole vs. AdGuard Home – DietPi Blog
[3] Pi-hole vs AdGuard Home - Which is best? • NetWeaver

Have you tried this out?

Hello,
In the old forum (IPFire Community) somebody posted a dns_blocklist.sh that can consume Pi Hole lists (hosts format) but is also capable of consuming AdBlock lists.

I have used it for many years and I have to say it is more effective than Pi Hole (I stopped using Pi Hole after I discovered this).

The source:

Needless to say again, you can use as many input lists as you like: I have added about 10 lists that contain hosts or IP addresses, and another couple being from AdBlock lists (browser add-on blocking lists).

Hope it helps!
H&M

Late edit: this post Pakfire for DNS Blackholing? - #21 by whypenguinsquint contains more details about several hosts lists used to feed this DNS Blocking script…
Hope it helps!

Late, late edit: I just added the YouTube Ads blocking list for Pi Hole to my IPFire and it works! GitHub - kboghdady/youTube_ads_4_pi-hole: YouTube script to add the new Ads list for Pi-hole

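As an added example (not the dns_blocklist.sh from the old forum, which is not reproduced here), a small POSIX shell converter that turns a Pi-hole style hosts list and an AdBlock-style list into unbound `local-zone ... always_nxdomain` lines, the format IPFire's unbound resolver understands; where you include the output file in your unbound configuration is left to you. The two input lists are constructed samples, and exception rules (`@@`), rules carrying `$` options, regex rules and cosmetic filters are deliberately skipped rather than guessed at.

```shell
#!/bin/sh
# Added example: build an unbound blocklist from a hosts-format list (Pi-hole
# style) and an AdBlock-style list. Inputs below are constructed samples.
export LC_ALL=C

# Constructed hosts-format list: comments, localhost entries, mixed case.
HOSTS_SAMPLE='# comment line
0.0.0.0 ads.example.com
127.0.0.1 localhost
0.0.0.0 tracker.example.net  # trailing comment
0.0.0.0 Ads.Example.com'

# Constructed AdBlock-format list: only plain ||domain^ rules are usable as DNS blocks.
ADBLOCK_SAMPLE='! AdBlock header
||tracker.example.net^
||cdn.example.org^$third-party
||/regex.*/
@@||allowed.example.com^
###cosmetic-filter'

# Hosts format on stdin: strip comments, keep 0.0.0.0/127.0.0.1 entries,
# lowercase the hostname and drop the localhost entries every hosts file has.
hosts_domains() {
  sed -e 's/#.*$//' |
  awk '$1 == "0.0.0.0" || $1 == "127.0.0.1" { print tolower($2) }' |
  grep -v -e '^localhost$' -e '^localhost\.localdomain$'
}

# AdBlock format on stdin: keep ||domain^ rules without options; skip @@ exceptions,
# regex rules and cosmetic (##) filters, which have no DNS meaning.
adblock_domains() {
  grep '^||' | grep -v -F '$' |
  sed -n 's/^||\([A-Za-z0-9.-]*\)\^$/\1/p' |
  tr 'A-Z' 'a-z'
}

# Merge both sources, deduplicate, and emit unbound local-zone lines that
# answer NXDOMAIN for the blocked names (and everything under them).
build_blocklist() {
  { printf '%s\n' "$HOSTS_SAMPLE" | hosts_domains
    printf '%s\n' "$ADBLOCK_SAMPLE" | adblock_domains; } |
  sort -u |
  awk '{ printf "local-zone: \"%s\" always_nxdomain\n", $1 }'
}

build_blocklist
```

Replace the two sample variables with `cat` of the downloaded list files to use it on real lists; the dedup step matters because the same domain usually appears in several lists.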