I have used pi-hole for a while and love its amazing “just works” factor, but I missed some real DHCP features and the proper packet filtering / blocking that only a real firewall can do. So here goes:
Assumption here: static IPs for the LAN interface of the firewall and for the pi-hole.
Standard install, LAN and WAN, source NAT/PAT – so far so good. Out of the box the firewall advertises itself as DNS server via DHCP and forwards to upstream DNS. Let’s fix that.
The next step would be to disable the DNS resolver inside the firewall, but I use it for registering reverse DNS records for DHCP leases, which the pi-hole then queries (more about that later) – so let’s leave it on and just add this (Services > DNS Resolver):
(Caution: apparently this breaks things when the resolver is operating in Python mode.)
Now we have a setup; we just need to tell our DHCP server to announce the pi-hole, not itself, as DNS resolver. This is done here (Services > DHCP Server):
The default is to advertise its own LAN interface, so let’s change that. Why two IP addresses? I found out that some (all?) Android phones add 184.108.40.206 (Google) if you advertise only a single DNS resolver. So that’s that. But more on Google later.
pi-hole is surprisingly easy to set up and use; it works out of the box. All there is to do is change the upstream DNS servers and set up the reverse DNS lookup for LAN IPs.
That takes care of one thing: in the “Query Log” window you will see the hostnames from DHCP instead of the client IP addresses – see previous chapter ^ ^
This is where the nice things stop. Until now we have been friendly and allowed our friends at Google and Cloudflare and whatnot to gather our data, and with emerging technologies like DNS over TLS, DNS over HTTPS and QUIC it is important to ask yourself a few questions:
- what do I want to achieve here?
- why am I doing this?
- do I just want ads blocked, or do I want to browse securely / not give away my data to X so they can do Y?
Here is my take on this: block as many ads as possible while still allowing privacy to exist. DNS over HTTPS allows Firefox to bypass censorship and control by a totalitarian regime.
But Google Chrome can also use UDP to port 443 and tunnel DNS through it, bypassing my DNS server, and then the entire thing was for nothing. (Remember: Google is not your friend; they harvest your data (LOTS of it) for profit. Make it as hard as possible for them, they don’t pay you after all.)
Advanced DNS / Firewall stuff (here be dragons)
Step 1: redirect all DNS traffic to the firewall.
Anyone trying to bypass the pi-hole’s address (manual DNS, hardcoded DNS resolvers – Android, I am talking about you!) would bypass our solution, so let’s redirect those back to the firewall. Sneaky. From the pfSense manual:
Firewall > NAT > Port Forward.
Create a rule for TCP/UDP trying to reach port 53, EXCEPT when the destination is on the LAN, AND the source is NOT the pi-hole itself. Redirect that to the firewall’s IP and disable NAT reflection. (A wonderful application of inverted matches :)
The filter rule will be created automatically.
Step 2: Firewall Rules
It is important to set the rules in the right order. Remember: top to bottom, and once there is a match, filtering stops.
Firewall > Rules > LAN
So what have I done here?
- allow the pi-hole to access the internet unfiltered
- allow all DNS traffic from LAN to the firewall (this rule was created by the NAT rule before)
- reject all other DNS traffic
- reject DNS over TLS (port 853)
- reject DNS over HTTPS to Google and Cloudflare (220.127.116.11, 18.104.22.168, 22.214.171.124, etc…)
- reject UDP traffic to port 80 or 443 (used by chrome/QUIC)
See the pfSense manual for more information on blocking external DNS.
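As an added illustration (not part of the original post, and not pfSense’s own code), here is a small Python model of Steps 1 and 2: the port forward rewrites stray DNS first, then the LAN rules are evaluated top to bottom with first match winning, and swapping two rules shows why the order matters. All addresses are constructed RFC 5737 placeholders, DOH_RESOLVERS stands in for the Google/Cloudflare addresses, and the trailing “allow LAN to any” rule is pfSense’s default LAN rule, assumed present.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses (RFC 5737 ranges), not the post's real ones.
LAN_NET = ip_network("192.0.2.0/24")
FW_LAN = ip_address("192.0.2.1")               # firewall LAN address
PIHOLE = ip_address("192.0.2.53")              # pi-hole static LAN address
DOH_RESOLVERS = {ip_address("198.51.100.1")}   # stand-in for the Google/Cloudflare DoH IPs

def redirect_dns(pkt):
    # Step 1 (NAT port forward): DNS not from the pi-hole and not bound for the LAN is rewritten to the firewall.
    if pkt["dport"] == 53 and pkt["src"] != PIHOLE and pkt["dst"] not in LAN_NET:
        return {**pkt, "dst": FW_LAN}
    return pkt

# Step 2 (LAN rules): evaluated top to bottom, first match ends processing.
# The last entry is pfSense's default "allow LAN to any" rule (assumed present).
RULES = [
    ("allow pi-hole unfiltered", lambda p: p["src"] == PIHOLE, "pass"),
    ("allow DNS to firewall", lambda p: p["dport"] == 53 and p["dst"] == FW_LAN, "pass"),
    ("reject all other DNS", lambda p: p["dport"] == 53, "reject"),
    ("reject DNS over TLS", lambda p: p["dport"] == 853, "reject"),
    ("reject DoH to known resolvers", lambda p: p["proto"] == "tcp" and p["dport"] == 443 and p["dst"] in DOH_RESOLVERS, "reject"),
    ("reject QUIC (UDP 80/443)", lambda p: p["proto"] == "udp" and p["dport"] in (80, 443), "reject"),
    ("default allow LAN to any", lambda p: True, "pass"),
]

def filter_packet(pkt, rules=RULES):
    # Returns (action, matching rule, final destination) for one packet from the LAN.
    pkt = redirect_dns(pkt)            # NAT is applied before the filter rules
    for name, match, action in rules:
        if match(pkt):
            return action, name, str(pkt["dst"])
    return "reject", "implicit deny", str(pkt["dst"])

def mk(src, dst, proto, dport):
    return {"src": ip_address(src), "dst": ip_address(dst), "proto": proto, "dport": dport}

# Constructed sample traffic from the pi-hole and from one LAN client (192.0.2.77).
SAMPLES = {
    "pihole_upstream": mk("192.0.2.53", "203.0.113.8", "udp", 53),
    "android_hardcoded_dns": mk("192.0.2.77", "203.0.113.8", "udp", 53),
    "client_dot": mk("192.0.2.77", "203.0.113.8", "tcp", 853),
    "client_doh": mk("192.0.2.77", "198.51.100.1", "tcp", 443),
    "client_quic": mk("192.0.2.77", "203.0.113.50", "udp", 443),
    "client_https": mk("192.0.2.77", "203.0.113.50", "tcp", 443),
}

def verdicts(rules=RULES):
    return {name: filter_packet(p, rules) for name, p in SAMPLES.items()}

# Putting "reject all other DNS" above "allow DNS to firewall" breaks the redirected queries.
MISORDERED = [RULES[0], RULES[2], RULES[1]] + RULES[3:]
```

Running `verdicts()` shows the Android client’s hard-coded DNS query arriving at the firewall and passing, while `verdicts(MISORDERED)` rejects that same query.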
So now I have achieved (I think) the best of both worlds: I enjoy near-perfect ad blocking while using a real firewall for my LAN. Sure, pfBlockerNG is amazing (and I use it for IP blocking!), but its ad blocking is just sub-par.
Step 3: pfBlockerNG
That one is a little tougher to set up. I used a lot of Reddit posts and blogs to get it working, as there are a ton of settings. I ended up using the Tier1 IP blocklists and the DNS blocklists of BBcan177 (thanks, whoever you are!)
Basically it can make pi-hole redundant, but I am using VMs so… why bother? :)