[SOLVED] OPNSense force Pihole/Unbound

Does anyone know how I can FORCE every client on the LAN to use Pihole (with Unbound as upstream)?

Current Setup looks like the following:
Opnsense VM on Proxmox
Pihole with Unbound as an LXC on the same host

What I try to accomplish:

If Client → Pihole → Website
If Client → !Pihole → Forced to Pihole (or Blocked) → Website

I tried some stuff but it doesn't work as intended. Either I get no name resolution at all or clients can still override the DNS. I am fairly new to OPNsense and that much customization, but maybe someone wants to take the time to explain how I can force DNS queries to Pihole, which then upstreams to Unbound, which uses root DNS.

Thanks in advance!

I would use DHCP to assign the DNS server you want and just block DNS ports to everything else. Unless someone is manually changing the DNS server this will force things to use the default DHCP assigned DNS server.

I don’t know specifically but there are ways to intercept and redirect/alter DNS requests but this won’t work with DNSSEC or any kind of encrypted DNS.

Yeah, I set the DNS server in the DHCP section in OPNsense, but if I specify another DNS server on my machine, I can just bypass PiHole. I want to mitigate that. No other DNS should be usable, except for 192.168.2.11, which is my PiHole/Unbound combo.

Is there any specific set of rules I have to set?

Atm, with my little knowledge, I can accomplish a block of 1.1.1.1 if I specify that exact IP in the rules, but whenever I just block UDP/53 I can't access my PiHole anymore, but any other DNS server works just fine and sites load. Something isn't quite right here…

I haven’t used opnsense so I don’t know the specifics but so long as you block port 53 and allow it to your DNS server that should work. If you block port 53 and DNS is still working then likely the rule is configured wrong. Post a screenshot if you like and I’ll have a look.

These are my rules for now. Have a look and please point out what I did wrong and how I can fix it!

This happens even with the rule set that all DNS should be blocked, if I specify 9.9.9.9 as a DNS on my machine.

EDIT: Sorry for the broken formatting. You may have to open the long pictures in a new tab.

Those rules look like they should work, unless there is something in the automatic rules at the top which is allowing DNS. You could try resetting the state table or restarting the firewall. Sometimes firewall changes won’t take effect because there are still active states for the old rules.

Rebooted the firewall and flushed DNS on my machine. Still working with self-specified DNS. Any other ideas?

My guess is it’s something in those automatic rules which is allowing it. You could enable logging on all the rules then filter the firewall logs for port 53 or the IP of whatever external DNS server you test and it should tell you which rule is allowing it.

The only thing I can see/imagine is the rule “let out everything from the Firewall/host itself”. But I can't see any request with port 53 in there, or I'm blind. I followed the rule ID (?) and saw OPNsense gave me an option to disable it, I guess. Did that, but it makes no difference.

Hang on, if that IP in the first rule is the computer you’re using to test then that’s what’s allowing it. That rule should have the pihole server (or whatever DNS server you’ve set in DHCP) as its destination, not any.

Like this? Because 192.168.2.11 is my PiHole. The machine I'm on is at 192.168.2.162

BTW, with that, I can't access any websites anymore over the Pihole.
Other DNS still works fine, which is the exact opposite of what we want here, lol

Okay, then the original rule should be correct as it allows the pihole server to connect to a DNS server.

I don’t know what’s going on then.

How are you testing that other DNS servers are working?

I just change the DNS in the network settings on my machine and run a DNS leak test on the website I showed before. If the DNS I specified works just fine, then the name of it will show up. If it would use my DNS, it would show my IP address.

I’m not sure if a leak test is the best way to test this. If you set a different DNS server can you browse the internet or ping a domain name?

Yes, works just fine, but it shouldn't. If I block all DNS services then the DNS leak test site wouldn't resolve names too. It works perfectly fine as a test, as far as I can tell.

This is how it should look, even with another DNS server specified (blocking would do it too). Here it uses the PiHole with Unbound upstream.

I’m not sure that’s how it should look, if I run it I see the upstream DNS servers not my internal DNS server.

If you block everything on port 53 you can’t use the internet, even when specifying an external DNS server correct?

But if you allow pihole then the internet still works when specifying an external DNS server? Because that doesn’t make any sense.

I use Unbound as an upstream DNS, behind my Pihole. So Pihole just upstreams to 127.0.0.1#5335. And because of Unbound I see my own IP resolving DNS queries. Unbound upstreams directly to the root servers, at least it should, and that's why I see my own IP, I would guess. Am I wrong with that theory?

If I block UDP port 53 I can't access the internet at all. IPs work, but hostnames don't, as intended. If I enable the rule which is called “Allow PiHole”, then I can access everything just fine BUT also with external DNS services like Quad9.

Yeah that makes sense

But this makes no sense.

Have you enabled logging on the rules so you can see which one is allowing the DNS traffic to Quad 9?

Maybe try testing the external DNS servers with the pihole server turned off just to be sure it isn’t still using it somehow.

WAN		Feb 27 15:06:09	90.153.xx.xx:6879	9.9.9.9:53	udp	let out anything from firewall host itself (force gw)
lan		Feb 27 15:06:09	192.168.2.162:50097	9.9.9.9:53	udp	Allow PiHole

Log output. So the PiHole rule is somehow wrong.
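As an added illustration (not code from the thread or from OPNsense), the following Python model walks a packet through a first-match LAN rule set the way OPNsense evaluates "quick" rules. The "broken" set reconstructs what the log line above implies: an "Allow PiHole" rule whose source is the test client and whose destination is any, so a query to 9.9.9.9:53 is passed before the block rule is reached. The "fixed" set allows LAN clients to reach only 192.168.2.11 on port 53, lets the Pi-hole host itself (where Unbound recurses to the root servers) reach any resolver on port 53, and blocks every other port-53 flow from the LAN. The LAN subnet 192.168.2.0/24 and the external address 203.0.113.5 are assumptions; the rule syntax is a simplified model, not OPNsense's configuration format.

```python
# Added example: first-match firewall rule model for the "force DNS to Pi-hole" setup.
# Not OPNsense code; rule fields and evaluation order are a simplified model.
from dataclasses import dataclass
from typing import Optional
import ipaddress

PIHOLE = "192.168.2.11"                          # Pi-hole/Unbound host (from the thread)
CLIENT = "192.168.2.162"                         # test machine (from the thread)
LAN_NET = ipaddress.ip_network("192.168.2.0/24")  # assumed LAN subnet
EXTERNAL = "203.0.113.5"                         # constructed external resolver address (TEST-NET-3)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "pass" or "block"
    proto: str            # "udp", "tcp" or "any"
    src: str              # an IP, "lan" (the LAN subnet) or "any"
    dst: str              # an IP, "lan" or "any"
    dport: Optional[int]  # destination port, None means any port

    def _host_matches(self, spec: str, ip: str) -> bool:
        if spec == "any":
            return True
        if spec == "lan":
            return ipaddress.ip_address(ip) in LAN_NET
        return spec == ip

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return (
            self.proto in ("any", proto)
            and self._host_matches(self.src, src)
            and self._host_matches(self.dst, dst)
            and (self.dport is None or self.dport == dport)
        )


def evaluate(rules, proto, src, dst, dport):
    """First-match evaluation, like OPNsense rules with 'quick' set (the default).
    Returns (action, rule name); with no matching rule the implicit default is block."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.name
    return "block", "default deny"


# Reconstruction consistent with the thread's log line (assumed): "Allow PiHole"
# has the client as source and any destination, so it matches 9.9.9.9:53 first.
BROKEN_LAN_RULES = [
    Rule("Allow PiHole", "pass", "udp", CLIENT, "any", 53),
    Rule("Block DNS", "block", "any", "lan", "any", 53),
    Rule("Default allow LAN to any rule", "pass", "any", "lan", "any", None),
]

# Corrected ordering: clients only to the Pi-hole on 53, the Pi-hole host to any
# resolver on 53 (Unbound recursion), everything else on 53 blocked, then default.
# Note: as the thread says, this catches plain port-53 DNS only; DNS over TLS/HTTPS
# is not covered by a port-53 block.
FIXED_LAN_RULES = [
    Rule("Allow LAN to PiHole DNS", "pass", "any", "lan", PIHOLE, 53),
    Rule("Allow PiHole/Unbound upstream", "pass", "any", PIHOLE, "any", 53),
    Rule("Block other DNS", "block", "any", "lan", "any", 53),
    Rule("Default allow LAN to any rule", "pass", "any", "lan", "any", None),
]


def demo():
    # Constructed test flows: client to external resolver, client to Pi-hole,
    # Unbound on the Pi-hole host recursing outward, and ordinary HTTPS traffic.
    cases = [
        ("udp", CLIENT, EXTERNAL, 53),
        ("udp", CLIENT, PIHOLE, 53),
        ("udp", PIHOLE, EXTERNAL, 53),
        ("tcp", CLIENT, EXTERNAL, 443),
    ]
    for label, rules in (("broken", BROKEN_LAN_RULES), ("fixed", FIXED_LAN_RULES)):
        for proto, src, dst, dport in cases:
            action, rule = evaluate(rules, proto, src, dst, dport)
            print(f"{label:6} {proto} {src} -> {dst}:{dport}  {action:5} ({rule})")


if __name__ == "__main__":
    demo()
```

Running it prints, for the broken set, that the client's query to the external resolver is passed by "Allow PiHole" (the same rule named in the log above) while Unbound's own recursion from the Pi-hole host is blocked; for the fixed set the client is blocked from the external resolver, allowed to the Pi-hole, and the Pi-hole host is allowed outward on port 53. Enabling logging on each rule, as suggested earlier in the thread, gives the same "which rule matched" answer on the real firewall.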