Block media streamer hardwired DNS

I’m using a Raspberry Pi (RPi) Pihole server (NOT a resolver), primarily for my TV in order to block telemetry and tracking. I’ve learned that my Amazon Fire Stick TV streaming device uses hardwired DNS when it can’t reach my Pihole. I don’t know if it uses the hardwired DNS at times when the Pihole is functioning.

Advice from the Pihole forum is to block outgoing DNS requests at port 53 except from Pihole, then log the results. I’ve read the Surf SOHO Mkiii user manual, and it tells me how to create a new firewall rule, but not much about when or why I need to do it. I’d appreciate some guidance.

Thanks.

That’s under Content Blocking > Application Blocking, not a firewall rule.

I think the best way is via DNS proxy and service forwarding, whereby any DNS request from devices on your network will get forwarded and proxied by the SOHO to your DNS resolver.

Problem is having it locally hosted doesn’t work as it creates an endless loop it seems. That has been my experience anyways. Unless Peplink has enabled a fix in the firmware for this. It would have to ignore the dns proxy and forwarding if the request is coming from the designated DNS resolver on the LAN.

@MartinLangmaid had suggested putting my PiHole at the time on a spare WAN and setting an outbound policy but I haven’t gotten around to it. I have since moved to NextDNS CLI on my raspberryPi but principle still applies.

You would still want to service forward DNS to proxy in this case to avoid any device on your network from overriding their DNS resolver.

If I recall correctly the SOHO doesn’t have a spare WAN port, but has a USB wan? If so test out with supported USB ethernet adapter and connect the raspberryPi to USB WAN with the adapter. I haven’t tested this though.

I should have said that my IoT-D VLAN is a separate VLAN from my family’s normal use - it has only Internet of Things on it. Does that make a difference?

Stego, I have to say I barely understand the solution (if it is) that I outlined; I have no possibility of anything more complicated.

I don’t see how blocking the streaming device from sending out DNS requests will help.

What you need I think is to service forward DNS requests to DNS proxy… but I don’t think that will work if your DNS resolver is on the LAN… which is why I referred to @MartinLangmaid’s post…

I’ll have to take some time to try that out at some point on my B20x with USB WAN.

I don’t have a DNS resolver on the LAN, just the DNS server to a downstream resolver, like Quad9. …if I have my terminology right.

Advice would be welcome. If I’m mistaken, I could use an explanation. If I can’t do it with a firewall rule as Stego says, I don’t think the Pihole will do me much good.

Hi @Jaywalker

Your PiHole is the resolver in that it intercepts DNS requests to apply its filtering. Anything on the blacklist is resolved to 127.0.0.1, which basically black holes the request.

But valid DNS requests are forwarded to your configured upstream DNS resolver. In this case you mention Quad9.

The issue you’re having is a streaming device seems to be bypassing your PiHole and using its own hard coded resolver. It’s very possible that’s the case.

I think the PiHole forum post stating to create a firewall rule for outbound DNS requests and log them was simply a diagnostic method of confirming whether or not the device is indeed using its own DNS resolver.

I wouldn’t deny the request; otherwise it could break the streaming device’s internet access. But create an allow rule and log it.

You could also look at “active sessions” under the status tab and see if anything is currently using DNS services. Fire up your device and see if it pops up under DNS active sessions.

Coming back to your PiHole and DNS service forwarding and proxying. This is the only way to override any hardcoded DNS client request. Here’s another post from @MartinLangmaid that explains this concept further:

The thing is your DNS resolver needs to be on a WAN connection, not LAN. So pointing back to your PiHole won’t work.
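To illustrate the diagnostic step above (allow-and-log port 53, then read the log to see which LAN devices talk to a resolver other than the Pi-hole), here is an added example that is not from the thread, from Peplink or from the Pi-hole project. The log format, the Pi-hole address and the client addresses are all constructed; the regex would need adjusting to match the real Surf SOHO event log.

```python
"""Find LAN clients that send DNS anywhere other than the Pi-hole.

Assumes the router's allow-and-log rule for UDP/TCP 53 writes one line
per session in the constructed format shown in SAMPLE_LOG.
"""
import re
from collections import defaultdict

# Constructed placeholder for the Pi-hole's LAN address.
PIHOLE_IP = "192.168.20.10"

# Constructed log format (hypothetical); real router lines will differ.
LOG_RE = re.compile(
    r"ALLOW (?P<proto>UDP|TCP) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

# Constructed sample: a client using the Pi-hole, the Pi-hole querying its
# upstream (Quad9), ordinary HTTPS traffic, and two clients bypassing the
# Pi-hole with hardcoded public resolvers.
SAMPLE_LOG = """\
2024-01-01 20:00:01 ALLOW UDP 192.168.20.50:51234 -> 192.168.20.10:53
2024-01-01 20:00:01 ALLOW UDP 192.168.20.10:40001 -> 9.9.9.9:53
2024-01-01 20:00:02 ALLOW TCP 192.168.20.50:51235 -> 142.250.0.1:443
2024-01-01 20:00:03 ALLOW UDP 192.168.20.50:51236 -> 8.8.8.8:53
2024-01-01 20:00:04 ALLOW UDP 192.168.20.51:51237 -> 1.1.1.1:53
"""


def dns_bypassers(log_text, pihole_ip=PIHOLE_IP):
    """Return {client_ip: sorted resolvers it queried directly}.

    Traffic *to* the Pi-hole is the expected path. Traffic *from* the
    Pi-hole is its own upstream lookup and is ignored. Any other port-53
    session is a client using a resolver the Pi-hole never sees.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["dport"] != "53":
            continue  # not a DNS session (or an unparseable line)
        src, dst = m["src"], m["dst"]
        if src == pihole_ip or dst == pihole_ip:
            continue  # normal Pi-hole path, not a bypass
        seen[src].add(dst)
    return {src: sorted(dsts) for src, dsts in seen.items()}


if __name__ == "__main__":
    for client, resolvers in dns_bypassers(SAMPLE_LOG).items():
        print(f"{client} bypasses the Pi-hole via {', '.join(resolvers)}")
```

Run it against the real exported log once the allow rule has been in place for a while; an empty result while the Pi-hole is up and a non-empty one while it is stopped matches the behaviour described in this thread.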

Thanks. I’ll try allow and logging.

@stego, thanks for the hints, especially “Active Sessions” for DNS calls.

Here are a few of the things I discovered using TCP/UDP allow:

  1. When the Pihole is engaged, all the DNS calls come from UDP Pihole.
  2. While Pihole is disengaged, DNS calls go to UDP 8.8.8.8, Google.
  3. With the “Allow” firewall rules, there are calls from the Fire Stick streaming device to Google Cloud, presumably for content delivery.
  4. For Firewall rules I have to choose any port any source; choosing Fire Stick IP and/or Port 53 prevents entries to the Event Log/Firewall from updating.
  5. It’s a separate issue from firewall rules, but I’ve blocked QUIC and adware in Content Blocking. Thanks.

My conclusion is that things aren’t as bad as I originally thought. It appears that as long as Pihole is working, DNS calls go through it, while a failed Pihole means I have an immediate backup for DNS calls. That’s not great, but it is a backup.

This gives me time to work on the proxying idea, though I don’t have a spare LAN, so I might be out of luck there.

Again, thanks.