PiHole as DNS proxy - filter source IP

Piotr · July 12, 2023, 12:21pm

Hi All,

I have configured PI-Hole 5.17.1 on Ubuntu 22.04.2
Pi-Hole is working as DNS proxy for DC controllers (Windows Server 2019).
All IP of workstations (static and reserved) are assigned by DHCP server on DC.
All traffic from wrokstations are going by DNS server on DC to Pi-Hole.
Clients in Pi-Hole are DC servers only,

I would like for selected users (host name or IP) to allow open all web pages, without block by Pi-Hole.

Is it possible this in configurations or by add any plug-in/extension?

Best Regards,

Piotrek

Bucking_Horn · July 12, 2023, 12:45pm

Pi-hole supports client-specific filtering out of the box, but you'd likely have to change your DNS resolution chain.

Currently, your Pi-hole sees all DNS requests as originating from your DC.

That would only work if your DC DNS server would be configured to inject EDNS(0) ECS information into its DNS requests when forwarding them to Pi-hole.
If your DC doesn't support that, then your clients would need to talk to Pi-hole directly, with Pi-hole (conditionally) forwarding requests to your DC.

Piotr · July 26, 2023, 5:33am

How can I check, that our configuration of Pi-Hole on Ubuntu 22.04.2 is using EDNS(0) ECS information?
I checked our DNS Server on Windows Server 2019 by dig and I see, that DNS Server is using EDNS version 0.

yubiuser · July 26, 2023, 6:36am

Pi-hole is using EDNS(0) information (subnet and mac) by default. You could try to run a package capture and inspect the data if they contain EDNS information. See here for a screenshot with that kind of information to expect

You can use Pi-hole's build-in packages capture feature

Bucking_Horn · July 26, 2023, 7:29am

Could you please share the output of that dig, along with the exact dig command you've used?

Piotr · July 26, 2023, 9:08am

root@abpihole:/home# dig +norec +dnssec soa abek.local 172.27.17.11

; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> +norec +dnssec soa abek.local 172.27.17.11
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1101
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;abek.local.                    IN      SOA

;; ANSWER SECTION:
abek.local.             3600    IN      SOA     abdc1.abek.local. hostmaster.abek.local. 516 900 600 86400 3600

;; ADDITIONAL SECTION:
abdc1.abek.local.       3600    IN      A       172.27.17.11

;; Query time: 4 msec
;; SERVER: 172.27.17.11#53(172.27.17.11) (UDP)
;; WHEN: Wed Jul 26 11:06:18 CEST 2023
;; MSG SIZE  rcvd: 108

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1919
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;172.27.17.11.                  IN      SOA

;; Query time: 0 msec
;; SERVER: 172.27.17.11#53(172.27.17.11) (UDP)
;; WHEN: Wed Jul 26 11:06:18 CEST 2023
;; MSG SIZE  rcvd: 41

Windows Server 2019 STD (DC and DNS server) is working n 172.27.17.11

Bucking_Horn · July 26, 2023, 11:18am

Note that ECS is a specific EDNS(0) feature.
Your dig is not testing for ECS.

I am not familiar with Microsoft's DNS servers, but there should be three different types of options to configure EDNS(0) Extended Client Subnet (ECS):
a.) to consume ECS information, as received by clients
b.) to forward ECS information upstream, as received by clients
c.) to inject ECS information into DNS requests forwarded upstream, for use by upstream DNS resolvers

As explained, c.) would be required for your scenario to work.

If the MS DC DNS server would not support that, then my earliest advice would apply:

To test whether a DNS resolver would send EDNS(0) ECS information to upstream DNS resolvers (either forwarding or injecting it), those upstream resolvers must be configured to consume ECS information (e.g. Google's DNS server would do so).

Please share the result of the following commands:

dig @172.27.17.11 google.com +subnet=1.2.3.0/24

(Using +subnet may require dig 9.10 or greater.
Your previous output shows 9.18.2, which should have subnet support.)

dig @172.27.17.11 TXT o-o.myaddr.l.google.com

In addition, please be aware that .local is reserved for use by the mDNS protocol and should NOT be used with DNS:

You should configure your router and/or DC for a different local domain, e.g. lan or home.arpa.

Piotr · July 27, 2023, 12:23pm

root@abpihole:/var# dig @172.27.17.11 google.com +subnet=1.2.3.0/24

; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> 172.27.17.11 google.com +subnet=1.2.3.0/24
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57033
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             211     IN      A       142.250.203.206

;; Query time: 20 msec
;; SERVER: 172.27.17.11#53(172.27.17.11) (UDP)
;; WHEN: Wed Jul 26 15:25:07 CEST 2023
;; MSG SIZE  rcvd: 55

root@abpihole:/var# dig @172.27.17.11 TXT o-o.myaddr.l.google.com

; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> 172.27.17.11 TXT o-o.myaddr.l.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28369
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;o-o.myaddr.l.google.com.       IN      TXT

;; ANSWER SECTION:
o-o.myaddr.l.google.com. 60     IN      TXT     "172.253.206.37"
o-o.myaddr.l.google.com. 60     IN      TXT     "edns0-client-subnet 81.219.72.0/24"

;; Query time: 36 msec
;; SERVER: 172.27.17.11#53(172.27.17.11) (UDP)
;; WHEN: Wed Jul 26 15:28:35 CEST 2023
;; MSG SIZE  rcvd: 126

P.S. I must remove at sign before IP in post, because I could not send post - mention error for new users.

Bucking_Horn · July 27, 2023, 4:30pm

You can use @ if you format it as pre-formatted text, e.g. by picking </> from the editor menu (it's tricky to access this when on a smartphone, though).
I have re-introduced the @-sign in your above dig commands.

Your output is somewhat inconclusive, suggesting at most partial ECS support of your DC DNS servers.

The first dig command tests if your DC DNS servers would accept subnet information when a client sends it.
This doesn't seem to be the case:

instead should have returned:

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; CLIENT-SUBNET: 1.2.3.0/24/0
;; QUESTION SECTION:

The second dig command is meant to test if your DC DNS servers would inject ECS information when forwarding DNS requests.

The first TXT field contains the IP address of the resolver that has sent the query to Google's DNS.

In your case, that is `172.253.206.37`, which seems to be a Google resolver from Google's Warsaw data center.

This can be glimpsed from:

curl --silent https://www.gstatic.com/ipranges/publicdns.json | grep 172.253.206 -A2

which currently returns:

"ipv4Prefix": "172.253.206.32/24",
"service": "Google Public DNS",
"scope": "waw"

That much is expected.

The second TXT field contains the ECS subnet information as received by that resolver, which in turn would have forwarded that information as received by your DC DNS server (provided you did use one of Google's DNS server IPs 8.8.8.8 as your DC's upstream).

It should instead also have produced a warning similar to:

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
(...) Provided ECS includes 32 bits, but no more than 24 are allowed. (...)
; CLIENT-SUBNET: 172.27.17.123/32/0

Since that is missing, that could suggest that either your DC DNS server is not sending any ECS information at all, or it is sending a /24 subnet mask.

To see individual client IPs in Pi-hole, the IP address should not be masked, i.e. your DC DNS servers should use a /32 netmask for requests it forwards to your Pi-hole.

You'd have to configure your DC DNS servers to include that information.

Once you've verified you succeeded, you should then configure Pi-hole to remove ECS information before it forwards DNS requests to upstream public DNS resolvers.
(That could be done via a custom configuration file. I can provide additional advice if your DC DNS servers have been correctly configured for EDNS(0) ECS.)

Alternatively, it may be easier to just apply my earliest advice and rearrange your DNS resolution chain to put Pi-hole before your DC DNS.

Piotr · July 28, 2023, 5:25am

Thank you for complete explain all subjects about EDNS. I know more.
Answer from google with 81.219.72.0/24 can wrong maybe? I have registered 8-addresses subnet from ISP (81.219.72.136/29) and I use only 81.219.219.138 as public IP.

Bucking_Horn · July 28, 2023, 5:44am

Well, what ECS subnet information is your DC DNS server configured to send?

Which of the ENDS(0) ECS configuration options I mentioned does your DC DNS server expose?

Google's "172.253.206.37" would have either used that ECS information as provided by your DC, or it would have used the IP address that it has received the DNS request from and guessed the subnet mask.

system · August 18, 2023, 5:44am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.