Token's lvl1 blog- edit -- Token's rantings

Generally speaking, PF should have no say in what pi-hole does and what it logs. Putting the pi-hole separately on a different IP and forcing the LAN hosts to use the host with the pi-hole and PF is out of the question.

All logs that can be collected here will be collected. And no special configuration on the PF side is needed.
All dns query traffic shouldn’t even brush up against a PF host.

Do you want to see something unusual in these logs? Pi-hole will only log dns queries and nothing else… Let PF log the rest of the situation in the network.

Above is a typical simple scheme of this solution.

My router has DHCP which tells hosts on the LAN that their DNS servers are xxx.xxx.xxx.xxx and xxx.xxx.xxx.xxx (the pi-holes').
On the router I have completely blocked traffic for UDP 53 and I do not answer DNS queries … that’s what dedicated DNS servers (pi-hole) are for.

Hosts in the LAN are configured so that their DNS servers are these specific pi-holes and they do not try to ask elsewhere, and even if they wanted to, I block 53 for them anyway.

My pi-holes use both Quad9 and Cloudflare for upstream DNS over HTTPS. As a result, all DNS request traffic from the LAN goes to the upstream DNS encrypted. Of course it is still UDP 53 locally.

In this model, pfsense or any other software has nothing to say. Router/Firewall never gets this traffic. All they know and see is DHCP broadcasting these specific dns(pi-hole) addresses and nothing else.
The actual traffic is between the hosts and the pi-hole machine.

However, as for the router itself and its local DNS queries against the upstream: I also force my local pi-hole for the WAN interface, and in the pi-hole logs I can see the router's own requests, if there are any.

The end result is that whatever within my lan does a dns query, including the main router that has a WAN port to the world, I will see in the pi-hole logs that this particular IP has asked for this domain.

So in this configuration there should be no problem with log content in pi-hole. And pfsense itself and dhcp on it should absolutely not affect anything. :slight_smile:

I don’t see a problem here… I must have missed something. :slight_smile:

Sounds work intensive to not have DHCP.

I found a setting in pfSense in the interface DHCP to assign a DNS server so I plugged the pihole into that, TBD as I’m not going to blow up the leases just yet. Basically, there are 50 guides all with different means of making your diagram a reality, as I bet there are a few different legit ways of going about it with my gear, plus guides being outdated as updates break things, GUIs change, features change etc. That aside, it's kind of nuts how many different places you have to tell pfSense “no, no, look at me. You are not the DNS, I am the DNS now”.

Pihole is working for the most part: it's sinking ads. It's that the pihole logs list all queries from host “pfSense.localhost” because pfSense is acting like a proxy I guess; pihole is not aware the query is from the OnePlus6, or laptop, or chromecast etc. I’m just trying to shore that up without breaking stuff.

There are three types of techies I guess:

  • Power user types that don’t stop at a turn key Asus/netgate/nighthawk etc all-in-one router/wifi, but actually get into the GUI, add things like Pis with software like Pihole.
  • Those that then dabble into the more prosumer and homelab-y stuff, trip and fall a lot.
  • Essentially sysadmins or programmers, and it comes really easy.

I’m one foot in the first one, one foot into the second one. Making life painful. If I was rocking my old Asus and a pi3 with pihole, it would probably be pretty smooth sailing. But no, I gotta try and go prosumer/home lab/open source/bells and whistles and yeah, I get pretty tripped up.


Yep going into the LAN’s DHCP GUI and putting pihole’s IP in the DNS setting there did the trick:


vs. the various “answers” found googling.

Next is, like you, changing the upstream DNS to something like Cloudflare; it looks to be a one-click trick.


Have a reference to where these additional lists can be had?

All the lists I use now are from: Developer Dan, The Block List Project, Dan Pollock, StevenBlack, oisd.nl, firebog.net.

Generally, every now and then I remove those from firebog.net and add them again if there have been changes. I only use this https://v.firebog.net/hosts/lists.php?type=tick list to reduce false positives.

You can use the same ones I use… But adapt it to your own needs.

https://dbl.oisd.nl
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling/hosts
https://someonewhocares.org/hosts/zero/hosts
https://blocklistproject.github.io/Lists/abuse.txt
https://blocklistproject.github.io/Lists/ads.txt
https://blocklistproject.github.io/Lists/crypto.txt
https://blocklistproject.github.io/Lists/drugs.txt
https://blocklistproject.github.io/Lists/fraud.txt
https://blocklistproject.github.io/Lists/gambling.txt
https://blocklistproject.github.io/Lists/malware.txt
https://blocklistproject.github.io/Lists/phishing.txt
https://blocklistproject.github.io/Lists/ransomware.txt
https://blocklistproject.github.io/Lists/redirect.txt
https://blocklistproject.github.io/Lists/scam.txt
https://blocklistproject.github.io/Lists/tiktok.txt
https://blocklistproject.github.io/Lists/tracking.txt
https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
https://www.github.developerdan.com/hosts/lists/amp-hosts-extended.txt
https://www.github.developerdan.com/hosts/lists/dating-services-extended.txt
https://www.github.developerdan.com/hosts/lists/tracking-aggressive-extended.txt
https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts
https://v.firebog.net/hosts/static/w3kbl.txt
https://adaway.org/hosts.txt
https://v.firebog.net/hosts/AdguardDNS.txt
https://v.firebog.net/hosts/Admiral.txt
https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://v.firebog.net/hosts/Easylist.txt
https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts
https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts
https://v.firebog.net/hosts/Easyprivacy.txt
https://v.firebog.net/hosts/Prigent-Ads.txt
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt
https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt
https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
https://v.firebog.net/hosts/Prigent-Crypto.txt
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts
https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt
https://phishing.army/download/phishing_army_blocklist_extended.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
https://v.firebog.net/hosts/RPiList-Malware.txt
https://v.firebog.net/hosts/RPiList-Phishing.txt
https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt
https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts
https://urlhaus.abuse.ch/downloads/hostfile/
https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser
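The lists above come in two shapes: hosts format (`0.0.0.0 domain`, the StevenBlack / FadeMind style) and plain domain lists (oisd, hagezi), and the newer ones also carry wildcard entries written as `||domain^` or `*.domain`. Pulling several dozen of them into one gravity table is where duplicates and entries that collide with hosts you actually use creep in. The parser below is an added example, not code from the thread or from Pi-hole: it reads both formats from constructed sample text (no list is downloaded), drops the localhost entries hosts files carry, normalises case and trailing dots, merges everything into exact and wildcard sets, removes exact entries already covered by a wildcard, and answers "would this name be blocked?" the way a subtree-aware resolver would. Sample domains are invented.

```python
"""Parse and merge Pi-hole style blocklists (hosts format and domain lists)."""
import re
from collections import Counter

# Constructed sample lists, not fetched from any of the URLs above.
HOSTS_FORMAT = """\
# Title: hosts-format list (constructed sample)
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
0.0.0.0 Ads.Example.NET
::1 localhost
"""

DOMAIN_FORMAT = """\
# domain-list format (constructed sample)
tracker.example.org
||wildcard.example.com^
*.evil.example
fraud.example.co.uk
not a domain!
"""

# Names hosts files carry for the local machine; these must never be blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet",
               "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters",
               "ip6-allhosts"}

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")          # at least two labels
IP_RE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9a-f]*:[0-9a-f:]*)$", re.I)


def parse_line(line):
    """Return [(kind, domain), ...] for one list line; kind is 'exact' or 'wildcard'."""
    body = line.split("#", 1)[0].strip()          # strip comments and whitespace
    if not body:
        return []
    fields = body.split()
    # hosts format: "<ip> <name> [<name> ...]" -> every name is an entry;
    # domain-list format: the first token is the entry.
    names = fields[1:] if IP_RE.match(fields[0]) else fields[:1]
    entries = []
    for name in names:
        kind = "exact"
        name = name.lower().rstrip(".")
        if name.startswith("||") and name.endswith("^"):   # ABP-style wildcard
            kind, name = "wildcard", name[2:-1]
        elif name.startswith("*."):                        # glob-style wildcard
            kind, name = "wildcard", name[2:]
        if name in LOCAL_NAMES or not DOMAIN_RE.match(name):
            continue                                        # junk or local name
        entries.append((kind, name))
    return entries


def _suffixes(domain):
    """Yield the domain and each parent down to (but excluding) the TLD."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def _covered(domain, wildcards):
    return any(s in wildcards for s in _suffixes(domain))


def load_lists(sources):
    """Merge {source_name: list_text} into deduplicated exact/wildcard sets."""
    exact, wildcard, per_source = set(), set(), Counter()
    for name, text in sources.items():
        for line in text.splitlines():
            for kind, domain in parse_line(line):
                per_source[name] += 1
                (wildcard if kind == "wildcard" else exact).add(domain)
    # an exact entry under a wildcard is redundant once wildcards are honoured
    exact = {d for d in exact if not _covered(d, wildcard)}
    return {"exact": exact, "wildcard": wildcard, "per_source": per_source}


def is_blocked(domain, blocklist):
    """Exact hit, or the name (or a parent of it) matches a wildcard entry."""
    domain = domain.lower().rstrip(".")
    return domain in blocklist["exact"] or _covered(domain, blocklist["wildcard"])


if __name__ == "__main__":
    bl = load_lists({"hosts": HOSTS_FORMAT, "domains": DOMAIN_FORMAT})
    print("entries per source:", dict(bl["per_source"]))
    print("exact:", sorted(bl["exact"]))
    print("wildcard:", sorted(bl["wildcard"]))
    for name in ("cdn.wildcard.example.com", "example.com", "ADS.example.net."):
        print(f"{name:28} blocked={is_blocked(name, bl)}")
```

Running it against real downloads is a matter of replacing the two constants with the fetched text; the per-source counter is what tells you which list is contributing most of the volume when you hunt a false positive, and an entry that disappears from `exact` after the wildcard pass is one that some other list already blocks wholesale.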

Find in PF, the WAN interface and its settings.

Change to static if it’s on dhcp. It’s about the addressing of the network you have from the ISP on the WAN port.
Look for the dns servers section there, and enter your dns ip there.

This way your router will query your pihole instead of your ISP dns.

Once we have the entire network forced to use your dns server (pihole) you can start changing the upstream dns for pihole.

In pihole gui, go to settings and dns, you can choose dns servers there. But it’s all unencrypted UDP 53.

If you want your pihole to have DoH, I recommend this guide: https://docs.pi-hole.net/guides/dns/cloudflared/ It works 100%.


P.S.
I would still recommend in the future to use a separate machine for Pi-Hole and not to do it on the router, or at least a separate VM,
because the tunnel has to work as a daemon in the background and I personally don’t like doing that on the PF machine. :wink:


This behavior is usually seen for…

If PF works as a “DNS bridge”, it advertises its own IP address as the DNS server to hosts on the LAN. Then the hosts on the LAN send their DNS traffic to PF, and PF forwards it / queries its upstream DNS.

If Pi-Hole is running on a PF machine without any VM separation, then all DNS queries that PF generates/forwards will be visible in Pi-Hole as just local, which is what you probably observed.
Why is this happening… it’s because PF forwards this traffic from its local address to a still-local address where pi-hole is listening.

In this configuration the pi-hole will probably never see the correct LAN host, because it receives requests not from the LAN host but directly from PF's local address, and that’s what it sees.

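The symptom this post explains (every query in the Pi-hole log attributed to the router, here “pfSense.localhost”) is easy to confirm from the raw log rather than the dashboard. Pi-hole's `pihole.log` is written by dnsmasq, whose query lines have the form `query[TYPE] domain from client`. The script below is an added example, not something from the thread or from Pi-hole: it parses constructed dnsmasq-style lines, counts queries per requesting client, and reports a relay condition when the router's addresses account for nearly all of them. The log lines, IPs and the `192.168.1.1` / `pfSense.localhost` router identifiers are invented placeholders; substitute your own.

```python
"""Check a Pi-hole (dnsmasq) query log for the 'everything comes from the router' symptom."""
import re
from collections import Counter

# Constructed sample logs in dnsmasq format; hosts and addresses are invented.
# In this sample 192.168.1.1 stands for the pfSense box's LAN address.
LOG_RELAYED = """\
Jul 10 12:00:01 dnsmasq[812]: query[A] example.com from 192.168.1.1
Jul 10 12:00:01 dnsmasq[812]: forwarded example.com to 127.0.0.1#5053
Jul 10 12:00:02 dnsmasq[812]: query[AAAA] cdn.example.net from 192.168.1.1
Jul 10 12:00:03 dnsmasq[812]: query[A] tracker.example.org from 192.168.1.1
Jul 10 12:00:03 dnsmasq[812]: gravity blocked tracker.example.org is 0.0.0.0
Jul 10 12:00:04 dnsmasq[812]: query[A] time.example.com from 192.168.1.1
"""

LOG_DIRECT = """\
Jul 10 12:10:01 dnsmasq[812]: query[A] example.com from 192.168.1.20
Jul 10 12:10:02 dnsmasq[812]: query[AAAA] cdn.example.net from 192.168.1.31
Jul 10 12:10:03 dnsmasq[812]: query[A] tracker.example.org from 192.168.1.42
Jul 10 12:10:04 dnsmasq[812]: query[A] pool.ntp.example from 192.168.1.1
"""

# Placeholder identifiers for the router as Pi-hole may show it (IP or the
# name it resolves to); replace with your own.
ROUTER_IDS = {"192.168.1.1", "pfSense.localhost"}

# Only "query[...]" lines carry the requesting client; forwarded/blocked/reply
# lines describe what Pi-hole did with the query and are skipped.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<domain>\S+) from (?P<client>\S+)$"
)


def queries_per_client(log_text):
    """Count query lines by the 'from' field (the client Pi-hole attributes them to)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[m.group("client")] += 1
    return counts


def relay_diagnosis(log_text, router_ids=ROUTER_IDS, threshold=0.9):
    """Return (relayed, router_share): relayed is True when the router accounts
    for at least `threshold` of all queries, i.e. LAN hosts are not reaching
    Pi-hole directly and per-device attribution in the logs is lost."""
    counts = queries_per_client(log_text)
    total = sum(counts.values())
    if total == 0:
        return False, 0.0
    from_router = sum(n for client, n in counts.items() if client in router_ids)
    share = from_router / total
    return share >= threshold, share


if __name__ == "__main__":
    for label, log in (("relayed", LOG_RELAYED), ("direct", LOG_DIRECT)):
        relayed, share = relay_diagnosis(log)
        print(f"{label}: clients={dict(queries_per_client(log))} "
              f"router_share={share:.0%} relayed={relayed}")
```

A healthy setup, where DHCP hands out the Pi-hole address and the firewall box does not forward DNS, looks like the second sample: many distinct client addresses and the router itself appearing only for its own lookups.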

Got into radio recently.

Let the mods begin, towards making new antenna mounting and coax runs easy.



More pics coming. Using big conduit behind the wall and large holes in other places to make additional runs a breeze.



I can’t believe it, for giggles I connected a 5’ish watt baofeng to the roof mounted Ed Fong antenna and hit a repeater about 60 miles away. I’m blown away.


Oof, and I believe the Python option of DNSBL I was running on pfSense is compatible with these changes (lists allow wildcards). My tech burnout continues.

I’m ditching oisd and have already switched to https://github.com/hagezi/dns-blocklists

:wink:


A Linux Mint xfce update failure is forcing me to dance with my ISO USBs again.

Been a long time, so I forgot the tricks I had to use, because Etcher and various other ISO live image burners seem to do all kinds of things to the USB that make it not friendly for re-use with Etcher for another ISO/image. For example, Windows freaks out right after insert, wants to format, you follow the prompts to format but it fails.

I recall lots of googling, CLI, flirting with the idea of booting up a Linux laptop and using Linux commands, but this last time around I seem to have found a smooth workflow using one Win PC (so documenting for future instances).

Open CMD as admin

diskpart

list disk

select disk X (X is the USB fob)

clean

“DiskPart succeeded in cleaning the disk”

attribute disk clear readonly

Then you can use the SDCardFormatter found here:

The GUI of the formatter is self-explanatory.

Without the steps above, you have to put in commands to change read-only on the USB, lots of format lines, lots of failures such as:

DiskPart has encountered an error: The system cannot find the file specified

DiskPart has encountered an error: Incorrect function

There are no partitions on this disk to show

etc etc etc.


Burning a Mint 21.1 xfce to live boot into to try and snapshot-recover into the older build (trying to retain data). Thankfully most important stuff is in an SMB share, but there is software installed I’d love not to retrace.

Also burning NixOS gnome 2.3.05 ’cause I’m amped on the config setup: I legit see the possibility of actually keeping various config files on git to make for super fast use-case-specific builds without some kind of Kubernetes setup.

And trying the new proxmox 8.0.2 build, maybe this time it will actually work on my ‘gamer’ hardware whitebox build. That would be awesome and just in time for a project.

Exciting


I like to use MiniTool Partition Wizard under Win to fiddle with media partitions, it does the job when Win yells blah blah blah.


So this is stumping me, thought it was simple.

How do I have two virtual NICs in a VMware Workstation VM (Ubuntu), one uses my VPN for all traffic to/from WAN, the other NIC only traffic in my LAN?

I usually do it on the basis of two different addresses and no gateway.

Set the WAN so that you have the Internet, but set the LAN with a different address and without a gateway … only then you have to reach the resources in the LAN per IP and not per name.
For example, set WAN as 10.0.* and keep LAN as 192.168.*
If the VPN changes addresses, adjust vnic1 to this. In addition, on the firewall, block traffic from outside the tunnel if you do not have a killswitch implemented.


Mini but stupid powerful homelab boxes are here.

I gotta shed my ebay enterprise stuff.

Yeah some of the tiny mini micro stuff STH has been covering looks pretty good if you need a few cheap nodes for the homelab.
