Blocked that hard-coded google dns garbage.

  • jubilationtcornpone@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    7
    ·
    1 year ago

    I have a firewall rule to dst-nat any outgoing DNS requests not coming from piHole back to the piHole server. That way all devices on the LAN are forced to use piHole for DNS and can’t bypass it. I don’t have an OPNSense firewall but I would think it should be able to do that as well.

    • astrsk@artemis.camp
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      I’ve been having some issues with random IoT devices bypassing my pihole despite it being a router-level DNS for all my devices. Can you go into more detail about dst-nat and how I might be able to improve catching requests so they can routed to pihole for filtering? My router is running openwrt and pihole is on a VM in my hypervisor that’s directly connected to the router. This is the first time I’m hearing about dst-nat.

      • jubilationtcornpone@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        6
        ·
        1 year ago

        NAT TLDR

        Your router is, at it’s core, a very advanced traffic cop and NAT – Network Address Translation – is it’s primary function. You have multiple devices on your local network (LAN) that need to communicate with other non-local servers via the WAN (i.e. the internet). Now you have a problem. Your ISP assigns you (usually) a single IP address on their network which is on a different subnet than your LAN. Devices on your local network and devices on the WAN are not aware of one another and cannot communicate with each other directly. So, requests have to be routed to the correct destination via your router.

        SRC-NAT

        Let’s say you’re trying to pull up a website on your computer. Your computer sends the request to the router. Your router alters the IP packet headers so that the request source address, and therefore the address that the server responds to, is your WAN IP instead of the requesting devices LAN IP. Your router then forwards the packet to the destination server, tracks the connection, and forwards the response back to your computer.

        DST-NAT

        Let’s say you’re hosting a web service on your home server that you want to make available publicly. You would set up a dst-nat (often called port forwarding) rule in your router/firewall which will tell your router to redirect any requests received at the WAN IP on port 80 or 443 to your home server’s IP address. Unlike SRC-NAT, your router doesn’t replace the source IP address. Just the destination. Your server knows that the requesting device is not on your LAN subnet and will forward the response back to the gateway (your router) which is already tracking the connection and will forward the response back to the requesting device via the WAN.

        Routing DNS with DST-NAT

        Since DST-NAT is just changing the destination IP address and routing the packet to the new destination, this can be done internally in some situations as well. To redirect DNS requests, you would set up a rule in your router/firewall to grab outbound UDP packets that originated from the LAN, do not originate from your internal dns server, and have a destination of port 53 and redirect/dst-nat them to the IP address of your choice. The new destination can be an internal or external IP address and the requesting device won’t know the request was redirected. OpenWRT’s documentation actually has a section that deals with DNS redirection which you can find here. The DNS redirection part is near the bottom of the page.

    • Silejonu@kbin.social
      link
      fedilink
      arrow-up
      0
      ·
      1 year ago

      I suspect DoT and DoH still go through, though? I mean you can always block the port 853 for DoT, but DoH is another story.

      • jemikwa@lemmy.blahaj.zone
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Yeah you’d need an L7 application layer filtering firewall to catch DoH since it would detect the SSL packet signature on port 53. Unfortunately that balloons the cost of the device past a reasonable level for a home aficionado.
        A workaround for now would be to block known public servers that use DoH like Google DNS, since a lot of devices are adding features to enable DoH by default at the OS level

  • redcalcium@lemmy.institute
    link
    fedilink
    English
    arrow-up
    4
    ·
    edit-2
    1 year ago

    I configured my Asus router with asuswrt-merlin firmware to route all DNS traffics to my Adguard instance to catch those apps and devices with hard-coded DNS. Those routed DNS queries appear in adguard as originating from my router’s IP address, so I can easily see what apps and devices trying to bypass my dns. Turns out the main offender is Netflix.

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    DNS Domain Name Service/System
    IP Internet Protocol
    IoT Internet of Things for device controllers
    NAT Network Address Translation
    PiHole Network-wide ad-blocker (DNS sinkhole)
    SSL Secure Sockets Layer, for transparent encryption
    TCP Transmission Control Protocol, most often over IP
    UDP User Datagram Protocol, for real-time communications
    VPN Virtual Private Network

    [Thread #267 for this sub, first seen 8th Nov 2023, 04:10] [FAQ] [Full list] [Contact] [Source code]

    • rentar42@kbin.social
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      One more confusion: If DNSSEC is enabled it actually switches to TCP, since DNSSEC requires messages that are much bigger than what UDP can transfer.

    • StrawberryPigtails@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Not familiar with Rokus, but it depends on what your filtering. Mostly it’s to block needless analytics tracking. I use a pair of PiHoles for much the same purpose.

    • AdventuringAardvark@lemmy.oneOP
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      1 year ago

      No, you can block ads with a pihole. This is because Roku hard codes its dns server as 8.8.8.8. Pihole doesn’t handle IP addresses, only DNS.

      • Illiterate Domine@infosec.pub
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 year ago

        Interesting. I set an adblocking dns via DHCP and, as far as I know, the Roku respects it. Ads are blocked and I can see it failing to delivery telemetry in my dns logs (most persistent thing on the network).

        I set a rule to catch outside dns to see if anything, the roku included, has been misbehaving.

  • randombullet@feddit.de
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    I do a DNS redirect on my Mikrotik router.

    It’s going to suck when DoH and DoT becomes more prevalent.

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      I think the solution is to avoid tech that you don’t control. Its a hard pill to swallow for some but at the end of the day there are tons of ways a device could bypass networking restrictions