It’s about what @trash-trash wrote:
“The right use of Pi-hole would be at the red side, to resolve IPFire’s outgoing DNS requests, same idea as if you are using an external DNS service …
So you will then be able to use the benefits of both IPFire and Pi-hole.
Make sure that clients are forced to use IPFire as the DNS, and there the proxy in non-transparent mode too.”
So my network is like this:
Clients (DNS IPFire, with blocking rules for DNS requests to red) → IPFire (DNS PiHole) → PiHole (DNS unbound + hyperlocal / forgot to mention it!) and Router in red network → Internet
So PiHole does not guide the whole traffic through, but only the DNS requests of IPFire, and has unbound and hyperlocal running.
OK, thanks to both of you!
All clients have static settings, so I don’t use DHCP.
So, I think I don’t need this entry.
Till now, I use unbound on pihole. Does it make sense to change the pihole DNS to the ipfire DNS instead and then set ipfire to recursive (as I understand it, it IS unbound), so that ipfire goes out and not the pihole?
And does it make sense not to use unbound, but some external DNS servers with TLS?
As I understood, pihole doesn’t work with DNSSEC if I choose ipfire as upstream DNS. Is that a fact?
I tested now the ipfire as upstream DNS in pihole, and it seems to work with DNSSEC only if I set some DNS servers within ipfire. If I want to use ipfire in recursive mode, it doesn’t work.
The question is, is it better to use it in recursive mode (like unbound) or to use some TLS DNS?
Sorry, the communication between the devices is also rather restricted, so screenshots or pics cost rather much time. As I said, I have exactly the same as you above, just other DNS servers. Everything else is exactly the same.
Yes, without pihole, DNS on ipfire works. BUT recursive mode doesn’t work, and I know why. I blocked the direct access to DNS in RED, in order to avoid DNS leaks which want to bypass ipfire. So if I want to allow the recursive mode, I suppose I must allow direct access for DNS in RED, mustn’t I?
The thing is, I block BLUE/GREEN/ORANGE to RED DNS. But I don’t block ipfire RED to DNS in RED. The logs show me blocked access from ipfire RED to some IP within the network I did not set. Is it the thing of recursive mode? So do I need a firewall rule for that?
I block direct access from GREEN/BLUE/ORANGE to any DNS in RED. This avoids DNS leaks, because all clients should use the internal DNS server (ipfire or pihole or whatever). But this seems not to be a problem.
Now I don’t use pihole as DNS server, just ipfire itself. And I get no connection to most sites. The strange thing is, I get a connection to the forum here.
Maybe it has something to do with some cache on ipfire??
Do I need some firewall rule to use recursive mode of ipfire?
I see some strange DROP_INPUTs for DNS to some IPs I don’t have, e.g. 184.108.40.206 or 220.127.116.11
This behavior seems to disappear if I activate one of the DNS servers within ipfire and leave the recursive mode.
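Reading the firewall log systematically rather than eyeballing single DROP lines, as an added example that is not from this thread, from IPFire or from Pi-hole: a small Python script that parses kernel/iptables log lines in the shape IPFire writes to its messages log (chain prefix such as DROP_INPUT or DROP_FORWARD, then IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=) and sorts dropped DNS-related packets into buckets. It separates client attempts to reach an external resolver directly (what the anti-leak rule described above is meant to catch) from DNS answers addressed to the firewall's own RED address, and lists which servers those dropped answers came from. The sample log lines, the zone ranges, the interface names and the firewall's RED address are constructed assumptions for the example.

```python
import ipaddress
import re
from collections import Counter

# Zone ranges and the firewall's RED address are assumptions for this example.
INTERNAL_ZONES = {
    "GREEN": ipaddress.ip_network("192.168.1.0/24"),
    "BLUE": ipaddress.ip_network("192.168.2.0/24"),
    "ORANGE": ipaddress.ip_network("192.168.3.0/24"),
}
FIREWALL_RED_IP = ipaddress.ip_address("198.51.100.2")
DNS_PORT = 53

# Constructed sample lines in the iptables/kernel log format (chain prefix,
# then key=value fields). Addresses come from documentation ranges.
SAMPLE_LOG = """\
Jan 10 12:00:01 ipfire kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=192.168.1.50 DST=9.9.9.9 LEN=60 PROTO=UDP SPT=51000 DPT=53 LEN=40
Jan 10 12:00:02 ipfire kernel: DROP_FORWARD IN=blue0 OUT=red0 SRC=192.168.2.20 DST=1.1.1.1 LEN=60 PROTO=UDP SPT=40123 DPT=53 LEN=40
Jan 10 12:00:03 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.2 LEN=60 PROTO=UDP SPT=53 DPT=33211 LEN=40
Jan 10 12:00:04 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.11 DST=198.51.100.2 LEN=60 PROTO=UDP SPT=53 DPT=33212 LEN=40
Jan 10 12:00:05 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.50 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=44444 DPT=22 LEN=40
Jan 10 12:00:06 ipfire kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=192.168.1.50 DST=203.0.113.80 LEN=60 PROTO=TCP SPT=52000 DPT=443 LEN=40
"""

CHAIN_RE = re.compile(r"kernel:\s+(\S+)\s+IN=")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the chain prefix plus the key=value fields of one log line, or None."""
    m = CHAIN_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line[m.end(1):]))
    fields["CHAIN"] = m.group(1)
    return fields


def zone_of(addr):
    """Name of the internal zone an address belongs to, or None if it is external."""
    ip = ipaddress.ip_address(addr)
    for name, net in INTERNAL_ZONES.items():
        if ip in net:
            return name
    return None


def classify(fields):
    """Put a dropped packet into one of a few buckets relevant to the DNS question."""
    chain = fields["CHAIN"]
    dport = int(fields.get("DPT") or 0)
    sport = int(fields.get("SPT") or 0)
    src_zone = zone_of(fields["SRC"])
    dst_is_fw = ipaddress.ip_address(fields["DST"]) == FIREWALL_RED_IP

    if chain == "DROP_FORWARD" and src_zone and dport == DNS_PORT:
        # A client trying to reach an external resolver directly: exactly what
        # the anti-leak rule is meant to stop, so these drops are expected.
        return "client_dns_to_red_blocked"
    if chain == "DROP_INPUT" and sport == DNS_PORT and dst_is_fw:
        # Packet from port 53 addressed to the firewall's own RED address: a DNS
        # answer for the firewall's resolver that the input filter dropped.
        return "dns_answer_to_firewall_dropped"
    if dport == DNS_PORT or sport == DNS_PORT:
        return "other_dns_drop"
    return "non_dns_drop"


def summarize(log_text):
    """Count packets per bucket and collect the servers whose answers were dropped."""
    counts = Counter()
    answer_sources = set()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        bucket = classify(fields)
        counts[bucket] += 1
        if bucket == "dns_answer_to_firewall_dropped":
            answer_sources.add(fields["SRC"])
    return counts, sorted(answer_sources)


if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_LOG)
    for bucket, n in sorted(counts.items()):
        print(f"{bucket:32s} {n}")
    print("servers whose DNS answers were dropped:", ", ".join(sources))
```

The useful check is the source list of the second bucket: with fixed upstream servers configured it should only ever contain those servers, while in recursive mode it is expected to contain many different authoritative servers, so a long and changing list there points at the resolver's own return traffic being filtered rather than at clients leaking DNS.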