NGINX with DNS over TLS = only localhost

  • I had the same issue when running Pihole on a VPC, as there is a proxy in between.
  • All my Android clients were showing up as localhost.
  • What you need is to make NGINX a transparent proxy, so it forwards the source IP to Pihole.
  • Following are the changes you need to make in order to get this working.
  • This code is for Ubuntu 18.04 LTS. Please change the syntax accordingly.
# =================================
# Enabling NGINX Transparent Proxy
# https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/
# =================================
# Edit DNS-Over-TLS server block (e.g. /etc/nginx/streams/dns-over-tls)
# Replace upstream DNS IP with Server Interface IP on which pihole is listening
  server [XXXX:XXXX::XXXX]:53;            # For IPv6
  server X.X.X.X:53;                      # For IPv4

# Add the NGINX Proxy Bind to your server block
  proxy_bind $remote_addr transparent;

# =================================
# Run NGINX as Root, instead of www-data

sed -i 's/www-data/root/' /etc/nginx/nginx.conf
# =================================
# Add iptables marking rules to tag DNS response packets
# You can use any number to tag the packets within the kernel

# For IPv6
ip6tables -t mangle -A OUTPUT -p tcp --sport 53 -j MARK --set-xmark 7

# For IPv4
iptables -t mangle -A OUTPUT -p tcp --sport 53 -j MARK --set-xmark 7

# =================================
# Add IP rules to divert DNS response packets to NGINX
# We need this so NGINX can intercept the DNS response and send over TLS tunnel
# I used table 99, but you could use any number

# For IPv6
ip -6 rule add fwmark 7 lookup 99
ip -6 route add local ::/0 dev lo table 99

# For IPv4
ip rule add fwmark 7 lookup 99
ip route add local 0.0.0.0/0 dev lo table 99

# =================================
# Restart NGINX service

service nginx restart
# =================================
# Save IP6tables & IPtables rules

apt install iptables-persistent -y

ip6tables-save > /etc/iptables/rules.v6
iptables-save > /etc/iptables/rules.v4
# =================================
# Ignore localhost queries (Optional), as I don't care what my VPC is doing.

echo "IGNORE_LOCALHOST=yes" >> /etc/pihole/pihole-FTL.conf
service pihole-FTL restart
# =================================
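The steps above edit the stream block by hand and then add the fwmark and policy-routing rules one command at a time, with no check that they actually landed before NGINX is restarted. The following script is an added example, not code from the original post or from the Pi-hole or NGINX projects. It renders a complete stream server block for the two upstream addresses (the listen port 853, the upstream name dns_upstream and the certificate paths are assumptions, not values from the post), and it checks iptables-save, ip rule and ip route output for the mark, fwmark and local-route entries using the same mark 7 and table 99 as the post. The sample outputs embedded at the bottom are constructed to match the format those tools print; on a live box you would pipe the real commands into the check functions instead.

```shell
#!/bin/sh
# Added example: render the DNS-over-TLS stream block and verify the
# transparent-proxy plumbing (mark + policy route) before restarting nginx.

# Render a full nginx stream block. $1 = Pi-hole IPv4 address, $2 = Pi-hole IPv6 address.
# Assumption: port 853 and the certificate paths are placeholders to adjust.
render_stream_block() {
  cat <<EOF
stream {
    upstream dns_upstream {
        server [$2]:53;
        server $1:53;
    }
    server {
        listen 853 ssl;
        listen [::]:853 ssl;
        ssl_certificate     /etc/nginx/certs/fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/privkey.pem;
        proxy_bind \$remote_addr transparent;
        proxy_pass dns_upstream;
    }
}
EOF
}

# Reads iptables-save / ip6tables-save output on stdin and prints "present" if the
# mangle OUTPUT rule marking TCP source port 53 with mark $1 exists, else "missing".
check_mark_rule() {
  hexmark=$(printf '0x%x' "$1")
  if grep -Eq "^-A OUTPUT .*--sport 53 .*-j MARK --set-xmark ${hexmark}/0xffffffff"; then
    echo present
  else
    echo missing
  fi
}

# Reads "ip rule show" / "ip -6 rule show" output on stdin; $1 = mark, $2 = table.
check_fwmark_rule() {
  hexmark=$(printf '0x%x' "$1")
  if grep -Eq "fwmark ${hexmark}(/0x[0-9a-f]+)? lookup $2\$"; then
    echo present
  else
    echo missing
  fi
}

# Reads "ip route show table N" output on stdin and checks for the local catch-all
# route on lo that lets the kernel hand marked replies back to nginx.
check_local_route() {
  if grep -Eq "^local (default|0\.0\.0\.0/0|::/0) dev lo"; then
    echo present
  else
    echo missing
  fi
}

# Constructed sample outputs (not captured from a real host), in the format
# iptables-save, "ip rule show" and "ip route show table 99" print.
SAMPLE_IPTABLES='# Generated by iptables-save (constructed sample)
*mangle
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --sport 53 -j MARK --set-xmark 0x7/0xffffffff
COMMIT'
SAMPLE_IP_RULE='0:	from all lookup local
32765:	from all fwmark 0x7 lookup 99
32766:	from all lookup main'
SAMPLE_ROUTE='local default dev lo scope host'

# Run every check against the samples and print a one-line summary per check.
verify_samples() {
  printf 'mark rule:    %s\n' "$(printf '%s\n' "$SAMPLE_IPTABLES" | check_mark_rule 7)"
  printf 'fwmark rule:  %s\n' "$(printf '%s\n' "$SAMPLE_IP_RULE" | check_fwmark_rule 7 99)"
  printf 'local route:  %s\n' "$(printf '%s\n' "$SAMPLE_ROUTE" | check_local_route)"
}

verify_samples
```

On a real host, replace the samples with `iptables-save -t mangle | check_mark_rule 7`, `ip rule show | check_fwmark_rule 7 99` and `ip route show table 99 | check_local_route` (and the `ip6tables-save` / `ip -6` variants) and only run `service nginx restart` once all three print "present"; a "missing" local route is the usual reason the proxied replies never come back to NGINX.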