Redirect all traffic from Green to PiHole

sujan · 20 June 2021 09:38

Hi Team,

I have an IPF setup which include RED, GREEN,BLUE and ORAGNE.
I am planning put PiHole as DNS apart from IPF.
IPF and PiHole are in Green network.
I wants to send all traffic from clients in Green Network to PiHole for the local DNS queries and PiHole will perform DNS upstream to IPF.
I am not sure whether this is the perfect approach or not. So kindly advice about the best approach and how to redirect all traffic to PiHole from all clients?
What are Rules need to be create in IPF.

Please assist.

Best Regards,

Sujan

ip-mfg · 20 June 2021 11:00

What is the use of this construction? I always think of it before I start to give input in trouble shooting.
For me the DNS proxy in ipfire work perfectly, so why to change that?

sujan · 20 June 2021 12:22

Hi,

I agree with you. I just want to test the PiHole functionalities in my Home Lab along with IPFire. That’s all.

Bets Regards,

Sujan

jon · 20 June 2021 16:34

Hello Sujan - Welcome to the IPFire Community!

When reading through the Community posts you will see that PiHole is not recommended due to security issues. Since the pi-hole filters DNS records, DNSSEC is not possible from the client to the external DNS server (hope I explained this correctly).
See:

Having said that…
What you have proposed above is what I have setup for my GREEN network.

Client (DNS) → PiHole (DNS) → IPFire (DNS) → to external DNS Server

This works fine but as I said it is not secure.

To force clients to a specific DNS server see:
https://wiki.ipfire.org/configuration/firewall/dns

The below is being testing but has not been released:

Hope this helps,
Jon

trash-trash · 21 June 2021 03:47

The DNS at Pi-hole, do just filter (domains and sub domains) .
The DNS at IPFire, do filter (domains, sub domains and also URL’s / site paths) by URL-Filter .

When clients (ex. an PC) requests resolving a domain to its IP at Pi-hole;
and get the IP of that requested domain reported by Pi-hole,
clients pass through IPFire either then, when Pi-hole resolves its outgoing DNS requests at the DNS of IPFire (in your case the eth green IP) .
Meant is : The URL-Filter of IPFire is useless … Clients reaches at this way not allowed URL’s, when an specific site path is not allowed .

Furthermore :
By using Pi-hole on eth green and blue, disturbs the LOG of Proxy at IPFire and you will not be able check every client communication and requested URL’s at IPFire Proxy-Logs .
The LOG will show just the IP of Pi-hole as a client, that requested a domain .

The right use of Pi-hole, were at eth red side, to resolve IPFire outgoing DNS requests, same idea as if you are using an external DNS service …
So you will be then able to use the benefits of both, of IPFire and of Pi-hole .
Make sure that clients be forced to use IPFire as the DNS and there the Proxy in none transparent too .
Needed links for configuration were added by Jon .

Now you can argue about DNSSEC and trusting DNS services, of your router, of your Pi-hole, of your ISP, of governments, of authority, of DoH, and of all others at Internet …
Whom you like to trust ??? No one !

By the way, I use two firewalls, where Pi-hole is behind the first one, and gets DNS resolved by first firewall .

Clients (DNS F-2) → Firewall-2 (DNS Pi) → L3-Switch + Pi (DNS F-1) + others → Firewall-1 (DNS external) → Router → external DNS

BR

sujan · 23 June 2021 09:38

Thank you Trash for the briefing and guidelines.

sujan · 23 June 2021 09:40

Thank you everyone. ip-mfg , jon , trash-trash for your prompt responses and proper guidelines and support.

bbitsch · 23 June 2021 10:00

I would prefer Jon’s suggestion.
IPFire’s DNS gives you the security of DNSSEC.
PiHole brings it’s special functionalities based on the security of IPFire.

Remains the problem of forcing the clients to PiHole. This can’t be done by the recommendations from the Wiki.
Further the forcing mechanism in testing can’t do it either. It is based iptables REDIRECT ( on IPFire! ). Don’t know whether this functions with ‘backwards redirects’. And I can’t test it because I do not have a PiHole device.

trash-trash · 23 June 2021 10:59

DNSSEC at Pi-hole

jon · 23 June 2021 15:56

This was to be my next “test”. Did this work OK for you? Any odd issues?

sujan · 24 June 2021 08:51

Hi Team,

Please not below comments form Trash-trash. This is a valid point.

May be due to new feature - DNSSEC in new Pihole version, we can enable DNS upstreaming from PiHole to IPFire. But log perspective there is a drawback.

So As Trash-Trash said, I think we will put PiHole in Red, and enable DNS forwarding in IPFire.

Waiting for other’s confirmation too finalize the design.

Best Regards,

Sujan

peppetech · 1 July 2021 02:09

I don’t think Pi-hole is meant to be exposed on outside Firewall.
So RED would be outside Firewall.

I would like to know if anyone figured out a reliable way how to block rogue DNS servers and possibly block DoH servers as well.

I think Pihole can do it using Domains. e.g. bad.DNS.com but whatabout using IP addresses?

By the way, there is this awesome dude Dirk who keeps track of all the DoH servers:

anon87475738 · 3 January 2022 11:04

Furthermore :
By using Pi-hole on eth green and blue, disturbs the LOG of Proxy at IPFire and you will not be able check every client communication and requested URL’s at IPFire Proxy-Logs .
The LOG will show just the IP of Pi-hole as a client, that requested a domain .

I cannot confirm this. Since yesterday I use the proxy for some clients and I can not observe something like this.

IPFire is configured as follows:
My configuration (Pi-Hole is in the green zone):

# IPFire Domain Name System
DNS Servers: dns3.digitalcourage.de + dns1.digitale-gesellschaft.ch
DNS Configuration:
Protocol for DNS queries: TLS
QNAME Minimisation: Strict

# IPFire DHCP configuration
Primary DNS: 192.168.1.100 <= Pi-hole

# Pi-hole DNS configuration:
Upstream DNS Server: Custom 1 (IPv4) 192.168.1.1 (= IPFire DNS server)
Advances DNS settings:

Never forward non-FQDNs
Never forward reverse lookups for private IP ranges
Use DNSSEC
Use Conditional Forwarding
(“If not configured as your DHCP server, Pi-hole typically won’t be able to determine the names of devices on your local network. As a result, tables such as Top Clients will only show IP addresses.
One solution for this is to configure Pi-hole to forward these requests to your DHCP server (most likely your router), but only for devices on your home network.”)

Source: Pi-Hole and IPFire, which way round? - #34 by anon87475738