What about if I have unbound on pihole, so I want to make my pihole the DNS server for the whole network?
So the clients connect to ipfire and have ipfire as DNS (blue, green) → ipfire has pihole (red) as DNS. Does it make sense?
Firewall rule: ipfire-red to pihole (red) for 53 (tcp / udp)
The thing is, I have no free ports for DMZ, so I think, the only good solution is to have pihole in the red network (just connected to the provider router).
It’s about what @trash-trash wrote:
“The right use of Pi-hole were at the eth red side, to resolve IPFire outgoing DNS requests, same idea as if you are using an external DNS service …
So you will then be able to use the benefits of both, of IPFire and of Pi-hole.
Make sure that clients are forced to use IPFire as the DNS and there the Proxy in non-transparent too.”
So my network is like this:
Clients (DNS IPFire, with blocking rules for DNS requests to red) → IPFire (DNS PiHole) → PiHole (DNS unbound + hyperlocal / forgot to mention it!) and Router in red network → Internet
So PiHole does not guide the whole traffic through, but the DNS-Requests of the IPFire and has unbound and hyperlocal running.
Meanwhile I got pihole within GREEN working. But how can I use pihole as DNS server for ipfire within GREEN? If I just set the IP of the pihole in the list of DNS servers in ipfire, I get an error.
Or, is it better just to use ipfire in recursor mode and use ipfire directly in client settings?
Go to the PiHole WebGUI and go to the DNS settings. Set the Upstream DNS Servers - Custom 1 (IPv4) and enter the IP address for the GREEN. In my case the IPFire GREEN IP address is 192.168.60.1.
ok, thanks both of you!
All clients have static settings, so I don’t use DHCP.
So, I think I don’t need this entry.
Till now, I use unbound on pihole. Does it make sense to change the pihole DNS to the ipfire DNS instead and then set ipfire to recursive (as I understand it, it IS unbound)? So that the ipfire goes out and not the pihole?
And does it make sense not to use unbound, but some external DNS servers with TLS?
As I understood pihole doesn’t work with DNSSEC if I choose ipfire as upstream DNS. Is it a fact?
#edit:
I tested now the ipfire as upstream DNS in pihole and it seems to work with DNSSEC only if I set some DNS servers within ipfire. If I want to use ipfire in recursive mode, it doesn’t work.
The question is, is it better to use it in recursive mode (like unbound) or to use some TLS DNS?
How can I realise it with ipfire and pihole?
ipfire without set DNS servers is in recursive mode (so unbound), isn’t it?
But if I set the ipfire as upstream DNS in pihole and let ipfire be in recursive mode, I get no connection. I get connection just if I set DNS server in ipfire.
Screenshots are not so easy in QubesOS.
I have exactly the same page, but other DNS servers (two of them).
Also TLS, also strict, also status OK and working.
Sorry, the communication between the devices is also rather restricted. So screenshots or pics cost rather much time. As I said, I have exactly the same as you above, just other DNS servers. Everything else is exactly the same.
yes, without pihole DNS on ipfire works. BUT recursive mode doesn’t work and I know why. I blocked the direct access to the DNS in RED. In order to avoid DNS leaks, which want to bypass ipfire. So if I want to allow the recursive mode, I suppose, I must allow the direct access for DNS in RED, isn’t it?
The thing is, I block BLUE/GREEN/ORANGE to RED-DNS. But I don’t block ipfireRED to DNS in RED. Logs show me blocked access from ipfireRED to some IP within the network I did not set. Is it the thing of recursive mode? So do I need a firewall rule for that?
I block direct access from GREEN/BLUE/ORANGE to any DNS in RED. This avoids DNS leaks, because all clients should use internal DNS server (ipfire or pihole or whatever). But this seems not to be a problem.
Now I don’t use pihole as DNS server. Just ipfire itself. And I get no connection to most sites. The strange thing is, I get connection to the forum here.
Maybe it has something to do with some cache on ipfire??
Do I need some firewall rule to use recursive mode of ipfire?
I see some strange DROP_INPUTs for DNS to some IPs I don’t have, e.g. 199.7.83.42 or 192.112.36.4
This behavior seems to disappear if I activate one of the DNS servers within ipfire and leave the recursive mode.
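Added example, not from any poster in this thread and not IPFire’s own code: a small Python checker that sorts dropped DNS packets from the firewall log into “a LAN client trying to bypass the internal resolver” (the leak you want to block) versus “the resolver itself talking to a root server” (what recursive mode needs, and what a blanket block on DNS to RED also catches). The log lines are constructed in netfilter LOG syntax (the KEY=VALUE fields iptables writes); the GREEN subnet 192.168.60.0/24 and the RED address 198.51.100.7 are assumptions taken from the 192.168.60.1 mentioned above plus a documentation address. The root-server table is the public root hints; the two addresses from the post above are l and g.

```python
"""Sort dropped DNS packets into client leaks vs. recursive-resolver traffic.

Added example. Sample log lines are constructed in netfilter LOG syntax;
the subnets and the RED address are assumptions, not values from the thread.
"""
import ipaddress
import re

# IPv4 addresses of the 13 root name servers (public root hints).
ROOT_SERVERS = {
    "198.41.0.4": "a.root-servers.net",
    "199.9.14.201": "b.root-servers.net",
    "192.33.4.12": "c.root-servers.net",
    "199.7.91.13": "d.root-servers.net",
    "192.203.230.10": "e.root-servers.net",
    "192.5.5.241": "f.root-servers.net",
    "192.112.36.4": "g.root-servers.net",
    "198.97.190.53": "h.root-servers.net",
    "192.36.148.17": "i.root-servers.net",
    "192.58.128.30": "j.root-servers.net",
    "193.0.14.129": "k.root-servers.net",
    "199.7.83.42": "l.root-servers.net",
    "202.12.27.33": "m.root-servers.net",
}

# Internal zones whose clients must use the firewall/Pi-hole as resolver.
# Assumed addressing: adjust to your own GREEN/BLUE/ORANGE subnets.
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.60.0/24"),   # GREEN (assumed)
    ipaddress.ip_network("192.168.61.0/24"),   # BLUE (assumed)
]

# Destination ports that carry DNS: plain DNS and DNS-over-TLS.
DNS_PORTS = {"53": "dns", "853": "dns-over-tls"}

FIELD_RE = re.compile(r"(\w+)=(\S*)")
PREFIX_RE = re.compile(r"\b([A-Z][A-Z_]*)\s+IN=")

# Constructed sample: two drops of the firewall's own root queries, one LAN
# client going straight to an external resolver, one non-DNS drop, and one
# DNS-over-TLS query from the firewall to an upstream.
SAMPLE_LOG = [
    "DROP_INPUT IN=red0 OUT= SRC=198.51.100.7 DST=199.7.83.42 PROTO=UDP SPT=49152 DPT=53",
    "DROP_INPUT IN=red0 OUT= SRC=198.51.100.7 DST=192.112.36.4 PROTO=UDP SPT=49153 DPT=53",
    "DROP_FORWARD IN=green0 OUT=red0 SRC=192.168.60.23 DST=203.0.113.53 PROTO=UDP SPT=50000 DPT=53",
    "DROP_FORWARD IN=green0 OUT=red0 SRC=192.168.60.23 DST=203.0.113.80 PROTO=TCP SPT=50001 DPT=443",
    "DROP_INPUT IN=red0 OUT= SRC=198.51.100.7 DST=203.0.113.53 PROTO=TCP SPT=40000 DPT=853",
]


def parse_line(line):
    """Return the KEY=VALUE fields of one log line plus its log prefix."""
    fields = dict(FIELD_RE.findall(line))
    m = PREFIX_RE.search(line)
    fields["prefix"] = m.group(1) if m else ""
    return fields


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def classify(line):
    """Label a dropped packet by what kind of DNS traffic it was."""
    f = parse_line(line)
    if f.get("DPT") not in DNS_PORTS:
        return "not-dns"
    try:
        src = ipaddress.ip_address(f["SRC"])
        dst = ipaddress.ip_address(f["DST"])
    except (KeyError, ValueError):
        return "unparsed"
    if is_internal(src) and not is_internal(dst):
        # A client inside GREEN/BLUE talking past the internal resolver:
        # this is the DNS leak the block on RED-DNS is meant to stop.
        return "client-bypass"
    if is_internal(dst):
        return "internal-dns"
    if str(dst) in ROOT_SERVERS:
        # The firewall (or Pi-hole's unbound) doing recursion from the root.
        # Dropping these is what breaks recursive mode.
        return "resolver-root-query"
    return "resolver-upstream"


def summarize(lines):
    """Count lines per label so a quick look shows which class dominates."""
    counts = {}
    for line in lines:
        label = classify(line)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        f = parse_line(line)
        name = ROOT_SERVERS.get(f.get("DST", ""), "")
        print(f"{classify(line):22s} {f['SRC']} -> {f['DST']}:{f['DPT']} {name}")
    print(summarize(SAMPLE_LOG))
```

If the summary shows “resolver-root-query” drops whose SRC is the firewall’s own RED address, the block on DNS towards RED is also catching the recursive resolver, which is exactly the symptom described above (drops to 199.7.83.42 and 192.112.36.4 that disappear once an upstream is configured); the “client-bypass” lines are the ones the rule was written for.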