Using pi-hole for total control of evil devices

I have just been pointed to pi-hole as an almost-solution to what I want to do, but I also just discovered that its days are presumably numbered thanks to DoH.

What I want to do is have a thing like pi-hole, but with the extra feature that whitelisted DNS lookups are then fed to a firewall as the only approved IP addresses. I think this also effectively fixes the DoH problem because with this setup a device cannot just use any old IP address that it happens to know.

So is there any thought of extending pi-hole to do this, or is there an easy way for an external program to obtain the IPs that the pi-hole DNS has dished up so they can be added to a routing table somewhere? (Ideally it needs to be done very quickly)

Pi-hole is a filtering DNS forwarder.
As such, it is not involved in blocking IP addresses, nor does it block or even see all traffic - it is blocking resolution of domains as requested via DNS exclusively.

You'd have to develop that yourself.

You could extract whitelisted domains from the domainlist table of Pi-hole's gravity database.

You could then retrieve IPs for those domains and add them to your firewall's ruleset.

Note that retrieving IP addresses for domains may not be as straightforward as it would seem: DNS servers for larger companies may not answer with a complete set of IP addresses for a given domain, so results may differ depending on things like your geo-location or the time when you requested resolution.

Not sure if I understand your question correctly. This is what I read:

You want to ensure a device (assume a PC) uses a specific IP to approach a specific service. For example, when browsing NYT.com, you want the device to use 151.101.193.164, nothing else (NYT.com resolves to 151.101.193.164, 151.101.65.164, 151.101.1.164 and 151.101.129.164).

This is, in my opinion, one of the main advantages of using pi-hole, as opposed to, for example, AdguardHome, since pihole-FTL (the binary that eventually does all the work) is based on dnsmasq. Apart from the features pi-hole offers in the web interface, all of the functions dnsmasq offers are available to a pihole user; the user just needs to create an additional dnsmasq configuration file that achieves what he wants. All of the options are described in the dnsmasq manual.

To achieve the example above, you would simply add a line to a configuration file (or to an existing one), using the syntax -A, --address=/<domain>[/<domain>...]/[<ipaddr>]; this is just one of the many possibilities dnsmasq offers.

This method needs a warning: If the address of NYT.com changes, you will no longer be able to read the paper...

  • pi-hole already has some protection on board against DOH, read here (firefox canary domain) and here (icloud private relay).
  • again a warning, this is not supported in any way by the pi-hole team, so don't ask for support here. I've been consolidating all DOH lists I could find, to generate an IPv4, IPv6 and sqlite3 database containing all DOH information I could extract, hosted on GitHub; report issues here. The documentation also contains a method to generate a custom pi-hole blocklist (don't forget to exclude (whitelist?) the exceptions). I've been using the firewall entries, checking on a daily basis to verify devices, browsers and apps don't use DOH entries; none so far, so the time pi-hole will be useless is still far off.

Although it would be possible to create such an extension, you would need to reload the firewall rules every time a new (allowed or blocked?) address is detected. I don't really think this is desired; the firewall rules would be reloading all the time.


DoH looks like a nightmare. It's an outrage that it is being done.
So stopping it is like stopping viruses by having a list of them. A method that doesn't work.

The ultimate killer is that, correct me if I am wrong, as I see it an ordinary web server could offer DoH services too. So we could end up where you cannot identify DNS traffic by any means.

I appreciate that updating firewall rules is clunky - with existing firewalls not designed for that (hence my wondering if pi-hole had any thoughts of expanding?). For what I am thinking about it may not be so bad - if I am lucky.

If Linux technical documentation was better I might have a go at it but I am an old systems programmer from the days when the documentation was bigger than the code and interfaces were simple.
