Conditional forwarding setup?

Hi all,

I installed Pi-hole with unbound and it works well. Of course only my firewall IP address is displayed, but for better analysis I would like to see the real IP address behind each request, so I tried to set up conditional forwarding.

Network

Different VLANs (192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24, 192.168.40.0/24)

My Sophos Firewall Home runs at IP 192.168.20.15 and for each VLAN at x.x.x.1

Each client uses the Sophos as DNS server; the only DNS entry in the Sophos is the Pi-hole at 192.168.20.20

For testing I added one DNS host entry which looks like 192.168.10.10 > desktop.home.local

Pi-hole DNS Settings

Local Network: 192.168.0.0/16
IP of DHCP: 192.168.20.15
Domain Name: local

Expected Behaviour:

The expected behaviour is that the Client shows up with the IP/Hostname

root@Pi-hole:~# dig -x 192.168.10.10 @192.168.20.15

; <<>> DiG 9.16.1-Ubuntu <<>> -x 192.168.10.10 @192.168.20.15
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51273
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;10.10.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
10.10.168.192.in-addr.arpa. 60  IN      PTR     desktop.home.local.

;; Query time: 0 msec
;; SERVER: 192.168.20.15#53(192.168.20.15)
;; WHEN: Sat Jun 11 00:27:28 UTC 2022
;; MSG SIZE  rcvd: 76

Actual Behaviour:

Each entry in the Pi-hole logs shows the Sophos IP 192.168.20.15

Debug Token:

https://tricorder.pi-hole.net/KvNCW6OW/

By chance, your debug log demonstrates that Pi-hole is correctly forwarding requests to your 192.168.20.15, but that does not return a name for its own IP:

*** [ DIAGNOSING ]: Pi-hole log
-rw-r--r-- 1 pihole pihole 16K Jun 11 00:27 /var/log/pihole.log
   -----head of pihole.log------
   Jun 11 00:24:55 dnsmasq[21435]: query[PTR] 15.20.168.192.in-addr.arpa from 127.0.0.1
   Jun 11 00:24:55 dnsmasq[21435]: forwarded 15.20.168.192.in-addr.arpa to 192.168.20.15
   Jun 11 00:24:58 dnsmasq[21435]: reply 15.20.168.192.in-addr.arpa is NXDOMAIN

However, all you can expect here is that the name for that 192.168.20.15 IP would be shown.

As that IP is your Pi-hole's sole client, that would suggest that your Sophos Firewall Home (or whichever device is handling VLAN configuration) is NATing traffic between its VLANs.

There's nothing Pi-hole can do here - you'd have to address this with your VLAN configuration.
One way around that may be to add static routes from respective VLANs to Pi-hole's IP, provided your VLAN config would support that.
But this really is a routing/networking issue.


Likely unrelated, but worth looking into:

Note that *.local FQDNs are reserved for usage by the mDNS protocol and should not be used with DNS.
You want to verify that your local domain (may also be labeled as search domain or search suffix) is named anything but .local in your router.
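The diagnosis above rests on one observation: Pi-hole's only visible client is the firewall itself, so Conditional Forwarding has nothing to resolve. The following script, an added example that is not part of the thread or of Pi-hole's own tooling, shows how to check that from /var/log/pihole.log lines in the format quoted above. It parses query/forwarded/reply lines, counts the source IPs Pi-hole actually sees (ignoring its own loopback lookups), reports whether every query arrives from a single known forwarder (the NAT/forwarding situation in this thread) or from the real clients, and lists reverse (PTR) lookups that the forwarder answered with NXDOMAIN. The sample log below is constructed: the first three lines reproduce the debug-log excerpt, the remaining lines are made up.

```python
import re
from collections import Counter

# Line formats as they appear in Pi-hole's dnsmasq log (/var/log/pihole.log):
#   <Mon DD HH:MM:SS> dnsmasq[<pid>]: query[<TYPE>] <name> from <client-ip>
#   <Mon DD HH:MM:SS> dnsmasq[<pid>]: forwarded <name> to <upstream-ip>
#   <Mon DD HH:MM:SS> dnsmasq[<pid>]: reply <name> is <answer|NXDOMAIN>
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")
FORWARD_RE = re.compile(r"dnsmasq\[\d+\]: forwarded (?P<name>\S+) to (?P<upstream>\S+)")
REPLY_RE = re.compile(r"dnsmasq\[\d+\]: reply (?P<name>\S+) is (?P<answer>.+)$")

# Constructed sample: the three lines from the debug log plus made-up client
# queries that all reach Pi-hole from the firewall's IP (192.168.20.15).
SAMPLE_LOG = """\
Jun 11 00:24:55 dnsmasq[21435]: query[PTR] 15.20.168.192.in-addr.arpa from 127.0.0.1
Jun 11 00:24:55 dnsmasq[21435]: forwarded 15.20.168.192.in-addr.arpa to 192.168.20.15
Jun 11 00:24:58 dnsmasq[21435]: reply 15.20.168.192.in-addr.arpa is NXDOMAIN
Jun 11 00:25:01 dnsmasq[21435]: query[A] example.com from 192.168.20.15
Jun 11 00:25:01 dnsmasq[21435]: forwarded example.com to 127.0.0.1#5335
Jun 11 00:25:01 dnsmasq[21435]: reply example.com is 192.0.2.10
Jun 11 00:25:07 dnsmasq[21435]: query[AAAA] example.com from 192.168.20.15
Jun 11 00:25:09 dnsmasq[21435]: query[A] www.example.org from 192.168.20.15
"""


def ptr_name(ipv4):
    """Reverse-lookup name that Conditional Forwarding asks the router for,
    e.g. 192.168.10.10 -> 10.10.168.192.in-addr.arpa (as in the dig output)."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def parse_log(text):
    """Return (Counter of client IPs, list of parsed events) for dnsmasq log text."""
    clients = Counter()
    events = []
    for line in text.splitlines():
        for kind, regex in (("query", QUERY_RE), ("forwarded", FORWARD_RE), ("reply", REPLY_RE)):
            m = regex.search(line)
            if m:
                event = {"kind": kind, **m.groupdict()}
                events.append(event)
                if kind == "query":
                    clients[event["client"]] += 1
                break
    return clients, events


def client_visibility(clients, forwarder_ips, ignore=("127.0.0.1", "::1")):
    """Classify what Pi-hole sees as clients. Loopback queries (Pi-hole's own
    lookups) are ignored. Returns ("forwarder_only", ip) when every remaining
    query comes from one IP listed in forwarder_ips, i.e. an upstream router is
    forwarding or NATing DNS and Conditional Forwarding cannot recover the real
    client; otherwise ("direct", <number of distinct client IPs>)."""
    seen = {ip for ip in clients if ip not in ignore}
    if len(seen) == 1 and next(iter(seen)) in forwarder_ips:
        return ("forwarder_only", next(iter(seen)))
    return ("direct", len(seen))


def unresolved_ptr(events):
    """PTR names the upstream answered with NXDOMAIN, i.e. IPs the router cannot name."""
    return [e["name"] for e in events
            if e["kind"] == "reply" and e["name"].endswith(".in-addr.arpa")
            and e["answer"] == "NXDOMAIN"]


if __name__ == "__main__":
    clients, events = parse_log(SAMPLE_LOG)
    print("queries per source IP:", dict(clients))
    print("client visibility:", client_visibility(clients, {"192.168.20.15"}))
    print("unanswered reverse lookups:", unresolved_ptr(events))
```

Run against a real log with `parse_log(open("/var/log/pihole.log").read())` and the router's IP as the forwarder set; a `forwarder_only` result means the fix lies in the VLAN routing, not in Pi-hole, exactly as the answer states. Once clients reach Pi-hole directly, `client_visibility` reports `direct` with the number of distinct source addresses, and `unresolved_ptr` shows which of them the router still cannot name for Conditional Forwarding.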
