I see one year ago there was a Reddit discussion about clients with hard-coded DNS to avoid DNS based adblocking. Supposedly these devices have hard-coded DNS:
Google Cast
Google Home (including Mini)
Netflix on Android (presuming iOS as well)
Roku
Ring Doorbell Pro
Is there a recommended strategy for dealing with this? I know it isn't pi-hole specific, necessarily, but any software, service, client, or app with hard-coded DNS is kinda bypassing the ad blocking service that pi-hole provides entirely which isn't .. great.
I guess it would be best if there was a service you could run on the pi-hole that would forcefully redirect all DNS through the pi-hole?
The best way to handle those devices would be to use some rules on the router or firewall to intercept all traffic to port 53 and give it to the Pi-hole DNS. I think there is a FAQ or two that covers some of the examples for iptables, and there is a blog post about using Ubiquity gear and their configurations.
Right but the problem there is that it's 100% router device dependent, so it varies dramatically by vendor, OS, and all that. On some routers it may not even be possible! It would be nice if there was a generic way the pi-hole could handle this with a standardized software solution, somehow.
Pi-hole would need to see all traffic on the network to be able to intercept and redirect DNS queries. If an IoT device doesn't use the Pi-hole IP for DNS then the Pi-hole will never be aware of the devices DNS queries. You would need some kind of network appliance that sits on the edge of the network and can see all of the traffic outbound through the WAN interface. Or IoT devices that don't intentionally disregard DHCP assigned DNS servers.
Edit: Even if we proxied all the traffic on the network, we'd still be in the situation where the IoT device would just ignore the proxy and go direct for their traffic and requests. We ask that the devices use our supplied DNS address and they intentionally ignore that, so why would they honour the proxy? The problem is that the device manufacturers do not want their traffic blocked or filtered.
If you want to redirect all DNS queries to Pi-Hole and your router does not support this, I recommend changing to a router that can do this (or flashing new firmware if your router supports that). The router is the single device on your network that sees all outbound traffic.
IPv6 should be similar, same ports (UDP/TCP 53). I have an ER-X-SFP and the GUI is horribad for IPv6 rules, you have to do most of that via the CLI tools.
Make sure that you are catching both TCP and UDP, most queries go though UDP for speed and only when the response is larger than a UDP packet can handle does it go via TCP.
I think what the main idea of the discussion is for an idea or a solution that could be abstracted out for use in varying network configurations.
One of the biggest barriers to adoption of Pi-hole is the vast difference in networking. Originally we just did DNS but then we found a lot of small network routers and routers from ISPs locked out users from what I would consider to be basic functionality. That lack of flexibility cuts down on the support requirement for the ISPs as they don't have to allow users to configure their networks but its "not right". So we evolved to use DHCP, but now we're seeing devices locking out users from configuring things.
The problem is that you need to be on the WAN interface to detect attempts to bypass and to intervene but RasPi devices are absolute crap when it comes to routing. I think the tone of my comments here are a bit harsh and I don't want to leave the impression that it's not something we would investigate but instead it's something that I would be very interested in if there were a way to do it. I just don't think there is something that would work from my networking background and experience but I'm happy to be wrong.
I haven't tested that as I don't have one to check (I don't use Raspberry Pi boards anymore) but from the design changes made it looks like the bottleneck is gone. But it would still require that the Raspi be the WAN interface and that you would have to configure the network to use the Raspi in that way to be sure that the IoT devices did not try to circumvent the proxy as they are circumventing the DNS configuration.
I think the pi-hole development team should really start planning for a world where more and more clients and devices are hard-coding DNS IPs, and the pi-hole must become a router for all network traffic to work.
Because in my opinion this outcome is inevitable... I can't say if it will be a significant problem in 4 years, or 10 years, but it is definitely coming.
The good news is the hardware is getting there.. a 1GB or 2GB Pi 4 can definitely handle monitoring all in/out internet traffic on the average home network no problem. We just need pi-hole to keep pace
While a forward rule on the router can work now, soon the devices which want to evade the provided DNS will simply turn to DNS over HTTPS and then no catching or rerouting DNS requests anymore.
Not if my fiber provider requires that I use their router, or else they terminate their service (or I just don't get service in the first place). So my choices are
cancel fiber and downgrade to slower internet
pick an internet provider that allows me to use my own router or pass through to a secondary router (not all do)
make sure the internet provider I choose allows you to make these rather advanced, complex & dangerous configurations (as in the screenshot @falco provided) in their provided router
Unfortunately we don't live in a world with unlimited choices, and sometimes the choices are all compromises.. and then
And then there's that.
I still maintain that a Pi 4 is powerful enough to route all traffic through the network, if need be. And I can't emphasize this enough:
Mark my words: this (and by this I mean hard-coded DNS, with no evasion because you can't touch / configure the provided router) is coming. It is something that should be planned for.
It's not coming - it has been around for decades.
The working and proven ways of mitigating this also haven't changed for decades and have been mentioned here already, and quite a few routers will support redirecting or at least blocking outbound traffic.
With router's that don't, setup a dedicated machine that fences your network off, acting as the only router/gateway, and apply the appropriate network filtering and redirection rules. You have a choice of either assembling the necessary hardware and software yourself or buying it off the shelf.
EDIT: Or get a different router.
