What I have changed since installing Pi-hole:
Added some blocklists.
I exposed pihole web admin through my Nginx reverse proxy to be able to modify it with flutterhole when I am outside my LAN. (I have domain name: https://pihole.atomflare.tk)
I freed up the por 53 inside my system and I made sure I can still have name resolutions using pihole container.
I set up Pihole as my local DNS server in my router
Apart from that, I made sure that my laptop uses pihole as DNS server, otherwise, it will use the router (the router anyways should redirect to mi pihole dns server):
EDIT: I have noticed a suspicious behaviour, which leads me to believe that I am having dns leaks.
If I try to access a website that is in my blocklist I get this answer by chrome:
Which is the expected behaviour since such page is in the block list.
The problem is that few seconds later (and sometimes by just hitting the Reload button) it loads the site. My hypothesis is that it targets pihole at the first request, but it attempts a second request, but this time with another dns, even though I have no other dns selected but pihole in hole LAN (I set up pihole as the local DNS at wherever device I allowed to to do so, including my router of course). This behaviour happens in all my client devices in my LAN
Your information is suggesting that your clients have two options to by-pass Pi-hole:
i) via your router's IPv4 address
Your screenshot of your laptop's IPv4 settings shows you are explicitly configuring your router's IP as alternative DNS server
This can be easily mitigated by removing 192.168.1.1 from your settings.
ii) via IPv6
Your nslookup results show that your client uses an IPv6 address.
It is very likely that that address belongs to your router (as it does not resolve to pi.hole nor your Pi-hole's regular hostname).
To avoid IPv6 by-passes, you've got to configure your router to stop advertising its own IPv6 address.
Please consult your router's documentation and support to find out how to do so.
If your router doesn't offer such a configuration option, consider disabling IPv6 altogether.
If your router doesn't support that either (or you have to rely on IPv6 for other reasons), clients will continue to by-pass Pi-hole via IPv6.
i) Ok, I did so and strangely to my understanding improvements have taken place.
In general I tend to keep the router as a secondary DNS, thinking that my laptop will only use it in case the primary (PiHole) fails. It is strange to me since the router is now supposed to redirect DNS requests to 192.168.1.57, which is pihole and no other DNS else. Does this mean that in devices where I don't have the access to manually input the DNS ip, I will get by-passed via IP4?
ii) That ip is the IPv6 of PiHole container. And now that I recall, I've placed it my router settings, in my router DNS configuration (my router has 2 places for DNS entries, one that makes sense, located with the DHCP settings and this other one):
I really appreciate your help. But, do you think I am leaving something I may have to configure on my Pihole system? Or is it just regarding the configurations of the clients and the router?
Are you positive that you indeed configured your router to redirect DNS requests to Pi-hole's IPv4 address?
Note that commonly, a redirect would affect DNS traffic for public target IPs exclusively, i.e. DNS requests to your router's private IP would still reach it.
That would depend on your router's IPv4 configuration.
Did you configure your router to
a) use Pi-hole's IPv4 as its upstream DNS server
b) distribute Pi-hole's IPv4 as DNS server via DHCP
c) both?
I very much doubt that.
Note that Docker is IPv4 only by default, and your debug log shows that your Docker Pi-hole has no IPv6 address:
*** [ DIAGNOSING ]: Networking
[✓] IPv4 address(es) bound to the eth0 interface:
172.20.0.2/16
[✗] No IPv6 address(es) found on the eth0 interface.
As expected, from my Android phone client and others I still get ads, and be able to access blocklist sites.
My current laptop seems promising after removing the router entry as alternative DNS.
I am a bit sceptical about my router configuration, It doesn't seem transparent. I am actually more positive about my pihole setup.
I did only a).
I pretty sure my router supports disabling DHCP.
What are the benefits of changing my DHCP to my Pihole?
I see.
So, in order to prevent DNS leaks due to ipv4 and ipv6 by-pass, what can I do? (I preferer not to disable ipv6)
Is there any anything I can set up in my ipv6 configuration in PiHole?
Thank you for your help!
EDIT: Well, I managed to fix it. The answer was to set Pihole as the DHCP server instead of the router. Since the provided router by my ISP, was not transparent, and it had indeed DNS leaks (google and ISP's DNS).
The process of setting up DHCP is straight forward. However, If you happen to have an environment similar to mine (running pihole from within a Docker container) you may need to perform some tweaks. In my case I've used this approach: GitHub - chriscrowe/docker-pihole-unbound: Run Pi-Hole + Unbound on Docker, however I changed my docker compose to this:
version: '3.7'
services:
pihole:
container_name: piholeDNS
image: cbcrowe/pihole-unbound:latest
hostname: 'pihole'
domainname: 'your.domain.com'
network_mode: 'host' # This makes the container act like an actual process from a networking perspective. Note that you may need to have a volume for the web server to change free port 80
cap_add:
- NET_ADMIN # This is only one really necessary, to have more networking control
- CAP_SYS_NICE
- CAP_NET_RAW
ports:
- 53:53/tcp
- 53:53/udp
- 8083:8083/tcp
- 5335:5335/tcp
- 547:547/udp
- 67:67/udp
environment:
TZ: 'your time zone'
WEBPASSWORD: 'password'
DNS1: 127.0.0.1#5335 # Hardcoded to our Unbound server
DNS2: 127.0.0.1#5335 # Hardcoded to our Unbound server
DNSSEC: "true" # Enable DNSSEC
dns:
- xxx.xxx.xxx.xxx # The DNS host's ip (so the system hosting the container uses pihole too)
volumes:
- /media/volumes/piholeDNS/etc:/etc/pihole:rw
- /media/volumes/piholeDNS/dnsmask:/etc/dnsmasq.d:rw
- /media/volumes/piholeDNS/unbound:/etc/unbound:rw
- /media/volumes/piholeDNS/lighttpd:/etc/lighttpd:rw # To persist the configuration of changing port 80
restart: always
Thank you all for your support. And thank you for your assistance @Bucking_Horn
