Custom port for custom upstream server?

Hi,

I have got a PiHole VM (Debian 10.7) and an OPNsense VM as my main router.
Right now I'm using this setup:

1.) Unbound working as forwarding DNS server on my OPNsense. For that Unbound will listen on port 53 on all 8 subnets except for WAN. If it is a local hostname Unbound will resolve it, if not Unbound will forward the DNS request to my PiHoles. TCP/UDP connections to destination port 53 into the internet are blocked, except when the source is one of my PiHoles.

2.) PiHoles will receive DNS requests from unbound and will filter them. If domains are not filtered by PiHole, PiHole will ask a DNS server on the internet.

But now I want to use a DNScrypt proxy as a third step:

3.) Instead of asking a DNS server on the internet PiHole should forward the DNS requests (that didn't get filtered) to my OPNsense on port 5353 where a DNScrypt proxy is running. The DNScrypt proxy will use DNSCrypt or DNS over HTTPS to resolve the DNS query.

But how is it possible to change the port PiHole is using when forwarding DNS requests? I could set my OPNsense VM's IP as custom upstream server, but that way Unbound would be listening if PiHole uses port 53 and it would cause a loop. I somehow need to tell PiHole to use 192.0.42.2:5353 as custom upstream server instead of 192.0.42.2:53.

Any idea how to do this?

Edit:
Looks like I found the solution in another tutorial.
Instead of "192.0.42.2:5353" you need to use "192.0.42.2#5353" for the custom upstream server.
Everything seems to work now. :slight_smile:

Nice setup u have :slight_smile:

Some suggestions:

  1. Have as few services on ur router as possible. Get a PC to be your server and use it for any service that's not related to routing.

  2. Instead of having Unbound as ur DNS service and it forwarding to Pihole, get Pihole as ur DNS server and configure DHCP/SLAAC to report Pihole. Then Pihole forwards to OPNsense's Unbound queries for ur LAN domain. I see u have many VLANs, maybe put your server on a specific VLAN that's lean and accessible to all others.

  3. I use DNSCrypt and it's very good. As I said, install it on your server, not on the router.

There are some tutorials to set it up, I used https://www.linuxuprising.com/2018/10/install-and-enable-dnscrypt-proxy-2-in.html. By default, DNSCrypt listens on 127.0.2.1:53, that's very sad and I had to change it in /lib/systemd/system/dnscrypt-proxy.socket.

U can use settings.php?tab=dns to set a custom upstream DNS server.

  1. Run dig tests and watch the DNSCrypt and Pihole logs to ensure queries are properly going through them.

  2. Disable DNS cache on DNSCrypt and all devices.

I see you found this already :slight_smile:

Like dnsmasq, we also use # as the port separator to keep things simple in the backend (: is obviously also a valid character in IPv6 addresses).
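To make the point about the `#` separator concrete, here is a small added example (not Pi-hole's or dnsmasq's own code) that parses an upstream spec in the `address#port` form used above, emits the equivalent dnsmasq `server=` line, shows why a `:` separator would be ambiguous for IPv6 literals, and checks the loop condition from the first post (upstream pointing back at a forwarder's own port 53). The listener list and addresses are constructed sample values, not taken from any real configuration.

```python
import ipaddress

DEFAULT_DNS_PORT = 53


def parse_upstream(spec: str) -> tuple[str, int]:
    """Parse a Pi-hole/dnsmasq style upstream 'address#port' into (address, port).

    '#' is unambiguous: an IPv6 literal already contains ':' characters, so a
    ':' separator could not be told apart from the address itself.
    A spec without '#' gets the default DNS port 53.
    """
    spec = spec.strip()
    if "#" in spec:
        addr_part, _, port_part = spec.rpartition("#")
        if not port_part.isdigit():
            raise ValueError(f"invalid port in upstream spec: {spec!r}")
        port = int(port_part)
    else:
        addr_part, port = spec, DEFAULT_DNS_PORT
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in upstream spec: {spec!r}")
    # ipaddress.ip_address raises ValueError if this is not an IP literal,
    # so a hostname or a mangled address is rejected rather than passed on.
    addr = ipaddress.ip_address(addr_part)
    return str(addr), port


def dnsmasq_server_line(spec: str) -> str:
    """Render the upstream as the dnsmasq 'server=' directive that Pi-hole
    writes into its dnsmasq configuration."""
    addr, port = parse_upstream(spec)
    return f"server={addr}#{port}"


def colon_would_be_ambiguous(spec_with_colon: str) -> bool:
    """Return True if 'address:port' written with a colon is itself a valid
    IPv6 address, i.e. the port would silently become part of the address."""
    try:
        ipaddress.ip_address(spec_with_colon)
        return True
    except ValueError:
        return False


def upstream_loops_back(spec: str, forwarder_listeners: set[tuple[str, int]]) -> bool:
    """True if the upstream is one of the sockets a forwarder (e.g. Unbound on
    the router) listens on. Such a forwarder would send the query straight back
    to Pi-hole, which is the loop the first post wants to avoid."""
    return parse_upstream(spec) in forwarder_listeners


if __name__ == "__main__":
    # Constructed sample: Unbound on the router listens on port 53 on 192.0.42.2.
    unbound_listeners = {("192.0.42.2", 53)}
    for candidate in ("192.0.42.2#53", "192.0.42.2#5353"):
        print(dnsmasq_server_line(candidate),
              "LOOP" if upstream_loops_back(candidate, unbound_listeners) else "ok")
    print("2001:db8::1:5353 parses as a plain IPv6 address:",
          colon_would_be_ambiguous("2001:db8::1:5353"))
```

The `#` form from the edit in the first post (`192.0.42.2#5353`) parses to port 5353 and does not collide with the router's port 53 listener, while `192.0.42.2#53` is flagged as a loop. Note that `2001:db8::1:5353` is accepted as a complete IPv6 address, which is exactly why a colon cannot serve as the port separator.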
