Note that within the FTLDNS beta testing branches, there is a new option available that allows NXDOMAIN blocking. This should solve all these problems if you're willing to try it out.
https://github.com/pi-hole/FTL/tree/FTLDNS#ftls-config-file
I think we'll be writing a blog post about this, too. Would be cool if someone in here could already confirm that it is a solution for this problem.
Just wanted to give some feedback on the new FTLDNS branch which I'm now running as my main DNS.
After changing to BLOCKINGMODE=NXDOMAIN (it took me a while to locate the readme for this, which if anyone else needs is here: https://github.com/pi-hole/FTL/blob/FTLDNS/README.md ) I'm finding that unexplained delays in page loading have gone and that everything is now loading really quickly. For me personally the NXDOMAIN solution seems preferable to the previous pihole IP solution.
Well done to the developers!
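An added example, not Pi-hole's own code and not from anyone in this thread: a small helper that sets a KEY=value option such as BLOCKINGMODE=NXDOMAIN in pihole-FTL.conf exactly once (replacing an existing line rather than appending a duplicate). It assumes the file format shown in the FTLDNS README linked above, one KEY=value per line with `#` comment lines; the sample file contents are constructed.

```python
"""Set a KEY=value option in pihole-FTL.conf without leaving duplicate keys.

Added example, not code from Pi-hole or from this thread. Assumes the file is
one KEY=value per line with '#' comment lines; the sample content is constructed.
"""
from pathlib import Path
from typing import Optional


def _key_of(line: str) -> Optional[str]:
    """Return the KEY of a KEY=value line, or None for comments / blank lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or "=" not in stripped:
        return None
    return stripped.split("=", 1)[0].strip()


def set_ftl_option(text: str, key: str, value: str) -> str:
    """Return text with key=value present exactly once.

    The first existing line for key is replaced in place; later duplicates are
    dropped; if the key is absent, the line is appended at the end.
    """
    new_line = f"{key}={value}"
    out, placed = [], False
    for line in text.splitlines():
        if _key_of(line) == key:
            if not placed:
                out.append(new_line)
                placed = True
            continue  # drop any duplicate definition of the same key
        out.append(line)
    if not placed:
        out.append(new_line)
    return "\n".join(out) + "\n"


def get_ftl_option(text: str, key: str) -> Optional[str]:
    """Return the value set for key, or None if it is not set."""
    for line in text.splitlines():
        if _key_of(line) == key:
            return line.strip().split("=", 1)[1].strip()
    return None


def apply_to_file(path: Path, key: str, value: str) -> None:
    """Rewrite path with key=value set; creates the file if it does not exist."""
    current = path.read_text() if path.exists() else ""
    path.write_text(set_ftl_option(current, key, value))


if __name__ == "__main__":
    # Constructed sample: an existing conf that still has the old blocking mode.
    sample = "# FTL settings\nSOCKET_LISTENING=localonly\nBLOCKINGMODE=NULL\n"
    updated = set_ftl_option(sample, "BLOCKINGMODE", "NXDOMAIN")
    print(updated, end="")
    print("BLOCKINGMODE is now:", get_ftl_option(updated, "BLOCKINGMODE"))
```

After writing the file (apply_to_file(Path("/etc/pihole/pihole-FTL.conf"), "BLOCKINGMODE", "NXDOMAIN") as root) restart FTL as the poster below did, then confirm the mode took effect with a query for a blocked name, e.g. `dig @127.0.0.1 <blocked name>`: the answer section should be empty and the status NXDOMAIN instead of an A record for the Pi-hole's own IP.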
I inserted BLOCKINGMODE=NXDOMAIN into my /etc/pihole/pihole-FTL.conf and restarted the FTL service. But there is no recognizable change. A ping to a blocked DNS name still resolves to the local IP.
Yes - I ran into that problem initially, but then pihole -up found an update which fixed it for me.
I tried, but updates don't work:
[i] Checking for updates...
[i] Pi-hole Core: up to date
[i] Web Interface: up to date
curl: (22) The requested URL returned error: 404 Not Found
[i] FTL: update available
[i] Downloading and Installing FTL...curl: (22) The requested URL returned error: 404 Not Found
[β] Downloading and Installing FTL
Error: URL not found
[β] FTL Engine not installed.
[i] Restarting services...
I can't advise on that, but for me (checked just now):
pi@RPi3-DNS:~ $ pihole -up
[i] Checking for updates...
[i] Pi-hole Core: up to date
[i] Web Interface: up to date
[i] FTL: up to date
[β] Everything is up to date!
so maybe something else is broken...
You're probably on a branch that no longer exists. Try running pihole checkout ftl FTLDNS to get back on a main branch. Then try the pihole -up again to make sure you have the latest.
I'm on the FTL branch and want to stay here. I wouldn't change back to the main branch.
Current Pi-hole version is v3.3-130-g2e6a937
Current AdminLTE version is v3.2.1-179-g3fd9b4d
Current FTL version is vDev-0f40cd1
@DanSchaper Right now I understand: Error updating latest beta ftldns with regex - #5 by Rico_Lino
I did it, all is fine now.
Thank you
Really weird. Your instructions were great, but for some reason, now the https test page loads instead of being blocked. Before, it was blocked, but it took some time. So I read this thread in hopes of speeding things up. Why would I be able to get to the https site after implementing this? I checked the blacklist and the test site is indeed included:
pi@pihole:~ $ pihole -q secure.quantserve.com
Match found in Blacklist
secure.quantserve.com
Match found in Wildcards:
*.secure.quantserve.com
Match found in list.0.raw.githubusercontent.com.domains:
secure.quantserve.com
Match found in list.2.sysctl.org.domains:
secure.quantserve.com
Match found in list.6.hosts-file.net.domains:
secure.quantserve.com
And here's my iptables:
pi@pihole:~ $ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:https reject-with tcp-reset
REJECT udp -- anywhere anywhere udp dpt:80 reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:443 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
What I don't get: is it /etc/iptables/rules.v4 or /etc/pihole/rules.v4, like some people used in this thread?
Hi Dan,
Why don't we need to do the same with TCP over 80?
We are doing UDP 80/443, and TCP 443, but why never TCP 80?
Are we missing these?
iptables -A INPUT -p tcp --destination-port 80 -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p tcp --destination-port 80 -j REJECT --reject-with tcp-reset
Also, I believe you originally had a bunch of accepts in the OP. I guess they are no longer needed?
iptables -A INPUT -p tcp -s 127.0.0.1 --destination-port 80 -j ACCEPT
iptables -A INPUT -p tcp -s 127.0.0.1 --destination-port 443 -j ACCEPT
iptables -A INPUT -p udp -s 127.0.0.1 --destination-port 80 -j ACCEPT
iptables -A INPUT -p udp -s 127.0.0.1 --destination-port 443 -j ACCEPT
ip6tables -A INPUT -p tcp -s ::1 --destination-port 80 -j ACCEPT
ip6tables -A INPUT -p tcp -s ::1 --destination-port 443 -j ACCEPT
ip6tables -A INPUT -p udp -s ::1 --destination-port 80 -j ACCEPT
ip6tables -A INPUT -p udp -s ::1 --destination-port 443 -j ACCEPT
Because rejecting port 80 would not be a wise idea.
No, not if you want to redirect HTTP to HTTPS.
Possibly, from version 5.0 onward we won't touch firewall rulesets. You have to set your own, customized to your specific needs.
Thanks for the clarification!
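An added example, not code from Pi-hole or from anyone in this thread: a small model of how netfilter evaluates the INPUT chain listed above. The first matching rule decides the verdict and anything unmatched falls through to the chain policy (ACCEPT here), so the model shows what the posted rules do to a LAN client's TCP 80/443 connections, what the proposed TCP 80 REJECT changes, and why the 127.0.0.1 ACCEPT rules only matter if they sit before the REJECTs. The rules are transcribed from the listing and the quoted commands; the client address 192.168.1.20 is a constructed sample.

```python
"""Model of first-match evaluation of the iptables INPUT chain posted above.

Added example, not Pi-hole's code and not from this thread. Rules are
transcribed from the `iptables -L` listing and the quoted commands; the
LAN client address is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    target: str                        # "ACCEPT" or "REJECT"
    proto: str                         # "tcp" or "udp"
    dport: int
    src: Optional[str] = None          # None means "anywhere"
    reject_with: Optional[str] = None  # e.g. "tcp-reset"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: int


# Transcribed from the `sudo iptables -L` INPUT chain posted above.
POSTED_INPUT: List[Rule] = [
    Rule("REJECT", "tcp", 443, reject_with="tcp-reset"),
    Rule("REJECT", "udp", 80, reject_with="icmp-port-unreachable"),
    Rule("REJECT", "udp", 443, reject_with="icmp-port-unreachable"),
]

# The extra TCP 80 rule asked about above.
TCP80_REJECT = Rule("REJECT", "tcp", 80, reject_with="tcp-reset")

# The loopback ACCEPT rules quoted above (IPv4 half only).
LOOPBACK_ACCEPTS: List[Rule] = [
    Rule("ACCEPT", "tcp", 80, src="127.0.0.1"),
    Rule("ACCEPT", "tcp", 443, src="127.0.0.1"),
    Rule("ACCEPT", "udp", 80, src="127.0.0.1"),
    Rule("ACCEPT", "udp", 443, src="127.0.0.1"),
]


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """Verdict for pkt: the first matching rule wins, otherwise the chain policy."""
    for rule in chain:
        if rule.proto != pkt.proto or rule.dport != pkt.dport:
            continue
        if rule.src is not None and rule.src != pkt.src:
            continue
        if rule.reject_with:
            return f"{rule.target} ({rule.reject_with})"
        return rule.target
    return f"{policy} (policy)"


def verdicts(chain: List[Rule], client: str = "192.168.1.20") -> Dict[Tuple[str, str, int], str]:
    """Verdicts for TCP/UDP 80 and 443 from a constructed LAN client and from localhost."""
    out: Dict[Tuple[str, str, int], str] = {}
    for src in (client, "127.0.0.1"):
        for proto in ("tcp", "udp"):
            for port in (80, 443):
                out[(src, proto, port)] = evaluate(chain, Packet(proto, src, port))
    return out


if __name__ == "__main__":
    scenarios = {
        "as posted": POSTED_INPUT,
        "plus TCP 80 REJECT": POSTED_INPUT + [TCP80_REJECT],
        "loopback ACCEPTs appended (-A) after the REJECTs": POSTED_INPUT + LOOPBACK_ACCEPTS,
        "loopback ACCEPTs inserted (-I) before the REJECTs": LOOPBACK_ACCEPTS + POSTED_INPUT,
    }
    for name, chain in scenarios.items():
        print(f"== {name}")
        for (src, proto, port), verdict in verdicts(chain).items():
            print(f"  {src:>12} {proto} dpt:{port:<4} -> {verdict}")
```

Two things the model makes visible: with the chain as posted, a LAN client's HTTPS connection is reset while its plain HTTP request still reaches lighttpd (TCP 80 falls through to the ACCEPT policy, which is what the HTTP-to-HTTPS point above relies on); and because `-A` appends, loopback ACCEPT rules added after the REJECTs never match anything, so they would need `-I INPUT` (or adding them first) to take precedence. `sudo iptables -S INPUT` prints the live chain in command form so the order can be checked.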
Is there a way to set up iptables rules in a docker container?
The pihole image based on multiarch/debian-debootstrap has no iptables.
Or does it work to set the firewall rules on the docker host?
Docker sets its own iptables chain; you'd have to add yours to that chain.
Many thanks, I read the Docker and iptables page linked above but it is not very explanatory to a newcomer.
My pi-hole docker container is running inside an lxc/lxd container with the security.nesting and security.privileged options enabled. So the lxd container acts as an Ubuntu host for docker, which in turn runs the docker container on top of it. I had to do this because of resource constraints, as lxd is much lighter than a VM.
I believe the rules need to be added to the DOCKER-USER chain. However, how do I apply it to only the pihole/pihole docker container and not others?
One example for ipv4 and ipv6 would be highly helpful. I installed pi-hole and docker just yesterday for the first time, so I am a bit new to both docker and pihole. At the moment all I know is how to create a docker container using portainer.
Would it require recreating the pihole docker container with the above iptables rules, or can they be applied to a running container?