Web proxy settings cause LAN clients to bypass DNS pi-hole

gvelim · 10 June 2021 12:49

Hi,

I have more or less the following setup

[Name Resolution] :: LAN Client → PiHole (Blocked Domains) → FW (Blocks 53 but PiHole) → DNS provider
[Web Traffic] :: LAN Client → Web Proxy → FW (Blocked ports: 80, 443) → Internet

Scenario A: LAN Client System Proxy via PAC autoconfig

System Proxy is set to autoconfigure using the http://x.x.x.x:81/proxy.PAC url
Chrome cannot open blocked domains
You can see the LAN client’s domain trail in PiHole
You can see the same domain trail in WebProxy Logs

Scenario B: LAN Client System Proxy via explicit ENV values

System proxy is set explicitly via HTTPS_PROXY, etc environment variables
Chrome now opens also the blocked domains
You cannot see the LAN client’s domain trail in PiHole
You can see the same domain trail in WebProxy Logs

I understand that in scenario B… the LAN client passes GET “domain.name” to the proxy and the proxy does the DNS resolution instead.

How can I make scenario B behave as scenario A ?

gvelim · 10 June 2021 16:42

Resolved it in the following way …

Configure Web Proxy to use the Local DNS server by adding the line → dns_nameservers w.x.y.z into the following file which is incl. in the squid.conf
```
/var/ipfire/proxy/advanced/acls/include.acl   
```
Enable Outgoing FW connection into the local DNS (green subnet)

image1922×280 26.8 KB
Restart Web Proxy from the web interface

paolorossi · 11 June 2021 11:50

Hi I’m not a big expert and I wanted to ask you if you can give me more details on the modification you made

it is not clear to me how you have configured the dns server and how you have configured the include.acl file

thank you

dodelathon · 12 June 2021 00:54

I ran into the same thing, but eventually after a little trial and error I got it working. You just need to enter the IP of your local DNS server where he wrote w.x.y.z in the include.acl file through ssh/terminal. This forces the proxy to go through your local DNS server.

As for PiHole, there’s a few tutorials online (I watched Craft computing’s one) on how to configure PiHole. You have 2 options with PiHole:

Run it as its own recursive DNS server that blocks ad traffic.
To have it act kinda like a DNS proxy(?) in that it’ll filter out ads but will rely on an external DNS server to resolve Domains.

Setting it up recursively helps reduce your reliance on google or other larger providers. That said, I’m pretty sure IPfire does that part anyway if you don’t give it a DNS server in the Domain Name System tab (And you disable the Use ISP servers option).

PiHole also lets you configure it as a DHCP server if need be, But I don’t think that’s the most popular use case.

Sorry, there’s a lot of text there, hopefully that helps a little bit

paolorossi · 15 June 2021 13:56

thanks for the informations
I try to see if they can make it work