undefined | Better HN

0 pointsstevepike5y ago0 comments

Can you explain (or share a link) to some proposal for how to enable my pihole to securely talk to upstream resolvers but force all embedded devices on my network to go through the pihole? Anything that lets my pihole sidestep my ISP seems like it'd also work for my xbox.

0 comments

judge20205y ago

> force all embedded devices on my network to go through the pihole

You can only do this for the devices that respect your DHCP-provided DNS config. Even if you redirect all port 53 traffic on your network to your pihole, a device can make its own (DoH or non-DoH) https connection and gets DNS responses via that, bypassing your pi-hole.

This was discussed extensively a few days ago on a thread about "72% of smart TVs and 46% of game consoles hardcode DNS settings":

https://news.ycombinator.com/item?id=25315172

quicksilver035y ago

If you control DHCP and know the MAC address of those embedded devices, you can serve them a non-existing gateway so that they simply won't have a path outside of your home network.

Of course, that assumes IPv4, whereas with IPv6 and SLAAC I believe the only way is to firewall them out.

GoblinSlayer5y ago

If they won't ask you to drink a verification can to proceed.

RossM5y ago

Using Cloudflare with DoH is documented here: https://docs.pi-hole.net/guides/dns-over-https/

You essentially run a little proxy server on your pihole setup, and configure pihole to use it as your upstream dns resolver.

E.g., a proxy server running at 127.0.0.1:5053 which uses the Cloudflare ipv4/ipv6 DNS over HTTPS endpoints. This can also use other DoH endpoints as desired:

    /usr/local/bin/cloudflared proxy-dns \
      --port 5053 \
      --upstream https://1.1.1.1/dns-query \
      --upstream https://1.0.0.1/dns-query \
      --upstream https://2606:4700:4700::1111/dns-query \
      --upstream https://2606:4700:4700::1001/dns-query

cassianoleal5y ago

That only does the part where the PiHole uses DoH. It doesn't stop individual devices from using it, and it doesn't force them to go via the PiHole.

topranks5y ago

DNScurve never got far in the IETF but I like it:

https://tools.ietf.org/html/draft-dempsky-dnscurve-01

It’s being worked on again. The “client side” (from client to resolver) got all the attention in recent years. Even though it’s arguably less important than encrypting resolver to Auth traffic (as the resolver can often be close.).

Cynics say this is because there was money behind DoH which pushed it through standardisation, as the big providers are hungry for the data.

arguably the less important part of the equation

1vuio0pswjnm75y ago

I have used CurveDNS forwarders at home as an experiment for many years now. I have never had any problems. I cannot see why authoritative DNS providers would resist offering DNSCurve as an option. It is relatively easy to set up and does not require replacing or modifying any DNS software.

TrueDuality5y ago

I don't have any resources handily available for that. I would be truly surprised if pi-hole's don't support DoH though so I'd just try searching for something like "enabling DoH on a pihole" or similar.

Basically sounds like you've already done the hardest parts. Your router is redirecting all DNS traffic to your pi-hole, this will prevent any normal unencrypted DNS traffic from leaving your local network. You pi-hole will be in turn making all the DNS requests. If you turn on DoH for the pi-hole all the DNS requests on your network will be encrypted.

hrez5y ago

Nothing would prevent DOH to use <randomIP>:<randomPORT> as a resolver. Be it an application or a device. Pi-hole will never see it.

j / k navigate · click thread line to collapse