No worries. I have a few sites blocked. Might be something on my end. I’m working through it. I am however having a problem where you put the basic rules into OPNsense for pi hole… any idea where those are? Im trying to fix mine…
Think I got it but have to wait for wife to get home.
Also my phone is no longer receiving calls via wifi instead of 4G… Im looking into it now.
Yeah something has to be amiss on my end… Something has changed with my Unbound server… the number of CNAME’s available using DIG or DELV has changed recently… I started looking at this because since I did the updates a week or so ago including, the new DNS list for pihole, I started to get errors like this on my wife’s devices and mine (Cell phone calls dropped and services hanging or not working at all-IE Texts and images sent)-
2022-04-25 10:47:51 A iphone-ld.origin-apple.com.akadns.net SamanthasiPhone.HSSTnet Blocked (external, NULL) IP (2.5ms)
The Blocked (external, NULL) was the only thing blocked by pihole. Turns out it was the upstream server (IE- Unbound) throwing that error back at Pi-hole. This means my previous conclusion that using DNSmasq on OPNsense Firewall was disabling the ability to filter pihole add lists by clients. That option on pihole is working fine. I just updated my root list for unbound but the number of CNAME records was the same as before (but not like the FIRST time I did it.
Heres a comparison of delv to check recursive resolver via unbound on the local device-
**delv** [ **@127** ](http://twitter.com/127) **.0.0.1 -p 50053 internetsociety.org A +rtrace +multiline**
;; fetch: internetsociety.org/A
;; fetch: internetsociety.org/DNSKEY
;; fetch: internetsociety.org/DS
;; fetch: org/DNSKEY
;; fetch: org/DS
;; fetch: ./DNSKEY
; fully validated
internetsociety.org. 300 IN A 104.18.16.166
internetsociety.org. 300 IN A 104.18.17.166
internetsociety.org. 300 IN RRSIG A 13 2 300 (
20210418094324 20210416074324 34505 internetsociety.org.
vSNyWVP0EivHHRAyiqvwJqV+5N2FgUlrBq++xzsmdafn
4zhz4CGuIBWbljDSxD2bmJYDFxfHOtR9QDX9YEHc2Q== )
delv @127.0.0.1 -p 50053 internetsociety.org A +rtrace +multiline
;; fetch: internetsociety.org/A
;; fetch: internetsociety.org/DNSKEY
;; fetch: internetsociety.org/DS
;; fetch: org/DNSKEY
;; fetch: org/DS
;; fetch: ./DNSKEY
; fully validated
internetsociety.org. 30 IN A 104.18.16.166
internetsociety.org. 30 IN A 104.18.17.166
internetsociety.org. 30 IN RRSIG A 13 2 300 (
20220427171934 20220425151934 34505 internetsociety.org.
QRBk5o15H7JrPu39j3U0cRMAVlV76aCUcjh9ZziKlDSk
8adBwoFU/iyeOAvZVPtS39zAdteZ/iQw5LOQG0W2Dw== )
It looks like the number of reference records dropped from 300 to 30!
Is this something to worry about? I dunno it’s just something I noticed as different.
I’m (for shits and giggles) going to revert pihole and reset the clients lists to see what happens at home. It may be just too strict a list. I was able to fix my phone…
Never mind I’m still left with why the wife’s phone would still be messing up if I can see the query log isn’t forcing the phone to use the pihole filters and is only populating errors with Blocked (external, NULL)
I just refreshed my root.hints file using
wget https://www.internic.net/domain/named.root -O /etc/unbound/root.hints
the restarted the unbound service. See if I keep getting the NULL errors. I only have unbound as my piholes only upstream DNS.
Anyone have ideas? It is Verizon service…wondering if they still have some bugs they are fixing from their server crash a few days ago.
well I cant tell you much off that because mine is fine
kdig -d @<TLD-REDACTED>.net internetsociety.org +dnssec +opt +tls +stats +all +multiline +authority +answer +adflag +qr +opttext +header
;; DEBUG: Querying for owner(internetsociety.org.), class(1), type(1), server(<TLD-REDACTED>), port(853), protocol(TCP)
;; TLS session (TLS1.3)-(ECDHE-SECP521R1)-(ECDSA-SECP384R1-SHA384)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 46397
;; Flags: rd ad; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR
;; PADDING: 76 B
;; QUESTION SECTION:
;; internetsociety.org. IN A
;; Sent 128 B
;; Time 2022-04-26 12:35:59 MDT
;; To 2600:3c04::f03c:92ff:fec6:2030@853(TCP) in 179.8 ms
;; TLS session (TLS1.3)-(ECDHE-SECP521R1)-(ECDSA-SECP384R1-SHA384)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 46397
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 3; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; internetsociety.org. IN A
;; ANSWER SECTION:
internetsociety.org. 285 IN A 104.18.17.166
internetsociety.org. 285 IN A 104.18.16.166
internetsociety.org. 285 IN RRSIG A 13 2 300 20220427193516 (
20220425173516 34505 internetsociety.org.
2629Ht8SikvBOaK97H7ge7DuSho/amPyHZTLrS7P
8/Tqzi3xYO8BEkNYqk4Fa2ajnL3vftULaRX1ko4q
L7Mv0g==
)
;; Received 195 B
;; Time 2022-04-26 12:35:59 MDT
;; From 2600:3c04::f03c:92ff:fec6:2030@853(TCP) in 114.6 ms
So what I am thinking here is its one of two things
Just saw this dont know how I missed it…lol
It seems to be workingish with the old list. I haven’t had much time to trouble shoot because wife has been taking off work… frustrating…
I have unbound running on pihole. So Pihole points to 127.0.0.1:xxxx for internal port.
unbound config looks like this
# include additional configuration files (query data minimization for privacy and DNSSEC for security purposes)
# qname-minimisation.conf adds to server section
# qname-minimisation: yes
# root-auto-trust-anchor-file.conf adds
# auto-trust-anchor-file: "/var/lib/unbound/root.key"
include: "/etc/unbound/unbound.conf.d/*.conf"
server:
verbosity: 0
statistics-cumulative: yes
# RPi3 has a quad-core CPU, so let's enable 4 threads
num-threads: 4
# Listen on port 50053 on every interface
interface: 0.0.0.0@50053
# Can enable faster resolutions in multithreaded configuration
so-reuseport: yes
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: ::ffff:127.0.0.1 allow
# Allow queries from local lan (useful for testing, but can be
# omitted if queries will come only from Pi-hole running on the
# same host
access-control: 192.168.0.0/24 allow
root-hints: "root.hints"
private-address: 192.168.0.0/24
private-domain: "your_local_domain"
# Enable prefetching of cache elements that are queried when the
# remaining life is less than 10% of the original TTL
prefetch: yes
domain-insecure: "your_local_domain"
# Enable serving expired cache entries for at most 1-hour if
# it is impossible to refresh them
serve-expired: yes
serve-expired-ttl: 3600
# Enable reverse resolution of local DNS names
local-zone: "0.168.192.in-addr.arpa." nodefault
unblock-lan-zones: no
insecure-lan-zones: no
python:
remote-control:
# This can be used for querying Unbound about its internal statistics
control-enable: yes
control-interface: 0.0.0.0
control-port: 8953
# In my case, I have forward and reverse resolution for my home domain
# setup on my router 192.168.0.254, so I want to forward local resolutions'
# queries to it
forward-zone:
name: "your_local_domain"
forward-addr: 192.168.0.254
forward-zone:
name: "0.168.192.in-addr.arpa"
forward-addr: 192.168.0.254
AND I also thing I grabbed the wrong list lol
I had used this blindly… I’ll have to put in my network specifics… I think this is causing me issues… I’m sorry man. I’m still a noob. lol Now that I have better knowledge I think I may be able to fix it. 
Thanks to your and @ThatGuyB’s tutelage. Thank you both again.
@here
Mentioning me in a comment not really related, for some free upcummies. Not a bad strategy, I must say.
Well you did help me with firewall and to understand some more dns useage and how it functions.
You havent seen the lounge huh 
I did and I ignored it
Sorry I will attempt to refrain
I do not condone this appeasement 
lol So I checked my lists… something was messed up or not clearing on my end when I tried your list…
Mine looked like this:
Processed adlist (351 entries)
Processed adlist group assignments (351 entries)
Processed blacklist (exact) (30 entries)
Processed blacklist (regex) (55 entries)
Processed black-/whitelist group assignments (15481 entries)
Processed whitelist (exact) (15384 entries)
Processed whitelist (regex) (12 entries)
OK
[✓] Creating new gravity databases
[✓] Storing downloaded domains in new gravity database
[✓] Building tree
[✓] Swapping databases
[✓] The old database remains available.
[i] Number of gravity domains: 15509940 (6359632 unique domains)
[i] Number of exact blacklisted domains: 43
[i] Number of regex blacklist filters: 54
[i] Number of exact whitelisted domains: 15412
[i] Number of regex whitelist filters: 11
[✓] Cleaning up stray matter
[✓] FTL is listening on port 53
[✓] UDP (IPv4)
[✓] TCP (IPv4)
[✓] UDP (IPv6)
[✓] TCP (IPv6)
[✓] Pi-hole blocking is enabled
SO it had a few MORE than yours and I couldnt clear it…spending today learning to clear it and restore defaults.
I need to look back at your blocking all russian DNS’s.
Im honestly slammed at work … its been hard for me to even pay attention to my posts outside some lounge fun
fairly simple to do
Yeah no worries I’m not asking I know its here somewhere lol I can search it
I never did get DoT to work. It works via lan, but not remotely.
linode
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 1990
PrivateKey =
[Peer]
PublicKey =
AllowedIPs = 10.0.0.2/32
Endpoint = ip:1990
PersistentKeepalive = 25
Pihole
[Interface]
Address = 10.0.0.2/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 1990
PrivateKey =
[Peer]
PublicKey =
AllowedIPs = 10.0.0.1/32
Endpoint = ip:1990
PersistentKeepalive = 25
nginx
# DNS upstream pool
upstream dns {
zone dns 64k;
server 10.0.0.2:53;
}
# DoT server for decryption
server {
listen 853 ssl;
ssl_certificate /etc/letsencrypt/live/mysite.com-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mysite.com-0001/privkey.pem; # managed by Cert$
proxy_pass dns;
}
And yes I allowed 853 through on linode nginx side.
What is wrong with this setup?
let me grab my configs and we can start comparing okay?
perfecto
lets see here
❯ cat stream.d/00-dnsTLS.conf
# DoT server for decryption
server {
access_log /var/log/nginx/dnsOverTLS-querylog proxy;
listen 853 ssl;
listen [::]:853 ssl;
proxy_pass 10.31.85.1:19253;
proxy_connect_timeout 30s;
preread_timeout 50s;
ssl_session_tickets on;
ssl_session_timeout 4h;
ssl_handshake_timeout 30s;
}
# Reg DNS
server {
access_log /var/log/nginx/dns-querylog proxy;
listen 53;
listen 53 udp;
listen [::]:53;
listen [::]:53 udp;
proxy_pass 10.31.85.1:19253;
proxy_connect_timeout 30s;
preread_timeout 50s;
ssl_session_tickets on;
ssl_session_timeout 4h;
ssl_handshake_timeout 30s;
}
Main stream config
## STREAM BLOCK
stream {
log_format proxy '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
include /etc/nginx/stream.d/*.conf;
error_log off;
access_log /var/log/nginx/streamLog proxy buffer=256k;
ssl_certificate <path>/cert.crt;
ssl_certificate_key <path>/privkey.key;
ssl_dhparam <path>/dhparam.pem;
ssl_trusted_certificate <path>/cert.crt;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers !AES128:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp521r1:secp384r1;
access_log off;
...
}
So could you dump your firewall rules on all relevant machines?
Is UDP 53 open on this?
Can you do normal DNS externally?
pihole instance
To Action From
-- ------ ----
[ 1] 53/tcp ALLOW IN Anywhere
[ 2] 53/tcp (v6) ALLOW IN Anywhere (v6)
linode
To Action From
-- ------ ----
[ 1] 1288/tcp ALLOW IN Anywhere
[ 2] 8615/udp ALLOW IN Anywhere
[ 3] 25565/tcp ALLOW IN Anywhere
[ 4] Nginx HTTPS ALLOW IN Anywhere
[ 5] Nginx Full ALLOW IN Anywhere
[ 6] Nginx HTTP ALLOW IN Anywhere
[ 7] 853/tcp ALLOW IN Anywhere
[ 8] 1288/tcp (v6) ALLOW IN Anywhere (v6)
[ 9] 8615/udp (v6) ALLOW IN Anywhere (v6)
[10] 25565/tcp (v6) ALLOW IN Anywhere (v6)
[11] Nginx HTTPS (v6) ALLOW IN Anywhere (v6)
[12] Nginx Full (v6) ALLOW IN Anywhere (v6)
[13] Nginx HTTP (v6) ALLOW IN Anywhere (v6)
[14] 853/tcp (v6) ALLOW IN Anywhere (v6)