Limit access to your Pi-hole with iptables on Ubuntu/Linux

If a VPN is not feasible, you're better off with a solution that supports DoT (e.g so you can just add the URL to the Private DNS field on Android (other OS's may vary)

I have set up DoT on my own network with some rules in traefik to recieve the request and forward it onto my Pi-hole.. I probably haven't done it very well, however, so I wont share how I've done it here!

However, a quick google turns up this:

(haven't 100% vetted it, but it looks like a good starting point)

Looks cool. Will check it out. Thanks for sharing.

It’s not supposed to be a “super secret secure can’t crack me” solution, it’s a personal, do-it-smartly-if-you-want type thing. Example is: I go to my family members house. I visit the php page to add the ip. I throw the pi-hole on their router dhcp as primary dns with cloudflare as backup. Rinse and repeat.

I’m not doing the vpn route because I can dhcp the pihole - I can throw it on my router and all devices on my lan use the pihole.

I’m not handing out the addip php page Willy nilly, and I wouldn’t advise anyone to do such. I’m also not worried about getting my traffic sniffed at my sister and laws house and would never add an IP address that I didn’t trust. Keep an eye on iptables and remove old entries and you’ll be fine. Realistically, isp dhcp addresses don’t change very often around here so not really worried about a former ip being allowed for too long either but something to be aware of surely.

Btw, I’ve been running this setup for 2+ years now with 0 issues.

Zero issues for you. :wink:

Not joking: Do you have IPv6 connectivity at home? Note that IPv6 rules will have to be added as well (or, at the very least, you should set the IPv6 INPUT policy also to drop). IPv6 is managed using ip6tables

Zero issues for anyone. I keep a close eye on it, and never have any clients show up save for the random scanners (shodan etc) every once in a while.

I'm not using ipv6 at home and it is not enabled on the pihole machine either.

Screen Shot 2020-09-14 at 10.40.02 AM

I'm just being cautious here, not trying to say what you do is crap :slight_smile:
Only to raise awareness for possible copycats that may not be well-aware of how to handle firewalls properly.

Just out of personal interest: How do you deal with dynamic IP addresses? Or do they all have static assignments?

So whenever they recognize that DNS is dead, they have to manually navigate to the address quoted above to re-register their IP with your server, right?

Be aware that there is nothing like such a "fallback" as you described here:

See this excellent explanation:

My expectations were different, too, but I can only confirm this on all sorts of network hardware I used to own myself.

The DNS may leak how you configured it.

1 Like

Oh interesting, I didn't know about that dns issue....thanks for bringing it up, will have to investigate.

Historically, over the last couple of years anyway, I've just let things run until adds started showing. When I start seeing ads (at my or family members house), I would check if the IP changed and if so would re-visit the addip php page.

Like mentioned in another reply, around here with my local ISP's, it's pretty rare for the DHCP IP address assigned to the cable modems to change. Typically only happens after power outage or it's manually triggered by support or myself trying to fix a connection issue or something. But that is how I've been doing it--DHCP changes, ads start appearing, re-add the IP to the pihole.

Are you certain that the primary/secondary isn't just a linux thing? I'm getting conflicting info:

That is not how it works, both DNS servers are equal and valid, but the order in which you specify them determines how a client will ask them, the only time a client will ask the secondary is if the primary doesn't respond or isn't there, if the primary doesn't know it doesn't send you to the second, the primary will do a lookup for you then reply with the address.

I presume your talking bout Windows ?
If it were that simple:

The DNS Client service keeps track of which servers answer name queries more quickly, and it moves servers up or down on the list based on how quickly they reply to name queries.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552(v=ws.10)?redirectedfrom=MSDN#part-2-querying-a-dns-server

And this bit:

1 Like

Interesting, thanks. So I guess that only leaves Apple products? Do they honor primary/secondary dns? My Mac Pro seems to honor the settings in the network preferences. Also seems OK on my iPhone/iPad.

I typically only use iOS devices at home (except for a single pc which has uBlock origin and a FireTV), so maybe that's why I haven't had any issues with primary/secondary settings so far.

Does it matter ?
Only thing that matters is that different products have different implementations and you want to provision for all.
You cant have all Apple products at your home or in an enterprise.

EDIT: One that probably goes unnoticed from that link you posted previously:

Mike400
Mace
Mike400 This person is a Verified Professional Sep 5, 2017 at 7:15 PM

Also, when you have multiple DNS servers make sure they're configured to transfer all their zones back and forth.

Sure you can. Unless my dog started gaming while I'm at work...and if you have a small business, you can make your employees use whatever you want.

BUT, again, this is a hobby-do-it-if-you-want thing that I did and shared hoping maybe someone might find it useful. If you don't think it's useful, don't do it. :man_shrugging:

Or use ZeroTier does not req any open ports.

3 Likes

Well you said it was intended to "share with friends and family.".
I reckon they dont all share the same view on choosing hardware.
And you already mentioned not everything being Apple at your place:


Yes you can but Apple doesnt have enterprise capable servers, switches, routers, load-balancers, telephone systems, and so on that are essential for your business.

EDIT: Dell PowerEdge, HP ProLiant DL380 G7, NetApp FAS6200 ... they dont sound really Apple like :wink:

Again, for the nth time, this is not an enterprise solution. It’s a hobbyist, do-it-if-you-want use for the pihole. Use it or don’t. Make it better if you want. Or don’t use it at all!

It works for me and has for the last 2+ years. I’ve set up a couple family members and friends houses with it as well over the last 2+ years. Haven’t had any issues. Just my anecdotal experience, your mileage may vary.

Very cool. Will check it out. Thanks for sharing.

I see this advanced a bit, however, let me share some more insight I got over the past couple of years: The primary/secondary thing was never really "only use the secondary if the primary failed" in any product I have seen in my network. I first couldn't believe in @DL6ER's ultimate statement that such a thing does not exist, but the more I looked, the clearer the picture got.

Windows/Microsoft changed how they do it from XP to 7 and then 8. I don't have Windows at home, but I can only recommend to take a good look at the mentioned Windows version and/or the article timestamp. Otherwise, you may take something serious they have changed - again - meanwhile. I cannot say how it is done currently.

Pi-hole has settings to behave in three ways:

  • always use the fastest among the configured DNS servers (the default)
  • always send everything to all and just use the first reply (may be a little faster sometimes, but creates a notable amount of extra queries)
  • always respect the order of the servers as in /etc/resolv.conf (this is the true: "if 1 fails, ask 2. If 2 fails, ask 3, etc.")

You can stretch my description about "Pi-hole" to the entirety of Linux. It depends on the system, they can theoretically do all three.

I wouldn't give too much value on what they're writing. You should only trust technical descriptions or talking to people you can assume they know what they do. I do believe that the Pi-hole people know what they are saying - especially the main developers where one of them wrote the article I linked to above.

Just another example for why this link you found is not a good source:

If the primary lookup fails it falls over to the root DNS servers. These are defined and update by most DNS servers.

The root DNS servers only know one thing: What other (!) name servers are responsible for the top-level domains (TLDs) such as com, nl, de, etc. They can not provide any further replies, especially, they can not answer full requests like for pi-hole.net

Only special recursive resolvers know how to deal with the root servers. They query Who is net from the root server, then go to the next one, one (sub)domain after another. This is a tedious path and I highly doubt any end-user devices are doing this. This is precisely what the big players (Google, Cloudflare, OpenDNS, etc.) are doing. Not even routers are doing this.

Even when they said "this may be oversimplifying things", this is not the case: It is just plain wrong.

Another example is the last reply (which is the one you quoted). There is no proof and I did technical verification both on Linux and Windows that this is not true. I wouldn't just believe it because they say this. Maybe they expected something else from the "primary/secondary" vocabulary, did some very simple testing and say that DNS does still work when specifying an invalid primary IP address. This does not prove at all that the primary would be used exclusively otherwise.


TL;DR

To my knowledge, all operating systems worth mentioning default to the "measure and use the fastest" approach.

Typically, you cannot change this with the exception of Linux in general and maybe some routers based on Linux (like OpenWRT, etc.).

2 Likes

I'm trying to make it better by pointing out the wrong assumption that all devices will query primary first and only hop to secondary when primary failing.
With your home setup you probably are lucky the primary DNS is quicker responding as the secondary DNS at Google 8.8.8.8.
But whenever there is a glitch or slow response from the primary, the clients could hop to the secondary and stick with that one for a while.
Thats why below is important when configuring multiple DNS servers:

Mike400
Mace
Mike400 This person is a Verified Professional Sep 5, 2017 at 7:15 PM

Also, when you have multiple DNS servers make sure they're configured to transfer all their zones back and forth.

Both DNS servers need to hold the exact same records or you'll get erratic behaviour.
And you cant do zone transfers / sync Pi-hole's blocklists with Google's 8.8.8.8 :wink:

Awesome post and info, thanks.

always respect the order of the servers as in /etc/resolv.conf (this is the true: "if 1 fails, ask 2. If 2 fails, ask 3, etc.")

is this default, or how does one configure this? (sorry if I missed it)

I suppose best bet is to just set the pihole as the singular dns for my home network and set the pihole and an alternate on friends/family and just hope the pihole is faster for them...wonder if I can geo-locate a specific far away Cloudflare resolver...

No,

is the default (hence the "(the default)" :wink: ).

You can get the behavior you want by adding a new config file

/etc/dnsmasq.d/99-dns-order.conf

with the content

strict-order

Quoting the dnsmasq man page:

By default, dnsmasq will send queries to any of the upstream servers it knows about and tries to favour servers that are known to be up. Setting this flag forces dnsmasq to try each query with each server strictly in the order they appear in /etc/resolv.conf

Don't forget to pihole restartdns afterwards.


I'd even say configure the Pi-hole as only server for them. Whenever it does not work, they can click on a stored bookmark. As you said the link is to the static IP of the server, they will not need DNS resolution for this to work. Not perfect, I know, it depends on it they want to be safe or not. With such a fallback, you can never be sure.

No, they all use Anycast. This is implemented by configuring specific routes. Something you cannot circumvent without help of your ISP. And even for them it would be a complex task, I wouldn't believe they will help you with this.

1 Like

default

:facepalm:

strict-order

Awesome, thanks so much. Will set this today.

I'd even say configure the Pi-hole as only server for them

Makes sense. As mentioned, it's very rare for the ISP DHCP leases to change, and a bookmark is a great idea too. I think I'll do as you said.

Anycast

I figured they must be doing something like that, thanks for confirming. I suppose it doesn't matter anyway since I think your idea of just using the pihole as the single dns and using a bookmark is the best idea. If they start complaining about having issues, I'll just set them back to Cloudflares resolvers. Typically for me, the only time I have issues at home is when some random site won't load (usually linked from HN or google news or something), I'm on my phone and will just turn off wifi and use cellular for the page and that works fine for me.

Thanks for all the help in this thread!