Discussion Thread Pi-Hole Sticky

ho1Aetoo (DD-WRT Guru; joined 19 Feb 2019; posts: 2927; location: Germany)
Posted: Wed Jul 07, 2021 18:41
Yes, right, dd-wrt offers a lot of built-in functionality.
But it should be obvious that if you outsource basic functions like DNS resolution and caching, you have to outsource unbound as well.

The Raspberry Pi installation and configuration is quite simple.
There are actually also external sources for this.

https://docs.pi-hole.net/guides/dns/unbound/

This is exactly how I installed it:


Code:
raspberry4:~$ sudo apt install unbound


Create the file /etc/unbound/unbound.conf.d/pi-hole.conf with the following content:

Code:
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10


Code:
raspberry4:/$ sudo service unbound restart


Configure Unbound in the Pi-Hole (see picture)

So for me unbound works with the mentioned dd-wrt settings.
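The post above installs unbound and restarts it, but does not show how to confirm that the new resolver actually validates DNSSEC instead of merely forwarding. The script below is an added example, not code from the post, from Pi-hole or from unbound. It builds a raw query with the EDNS DO bit set, sends it to the listener the config above defines (127.0.0.1:5335, an assumption taken from that config) and reads the AD bit and RCODE from the reply. The probe names sigok./sigfail.verteiltesysteme.net are assumed DNSSEC test zones (older versions of the linked Pi-hole guide used them); substitute whatever signed and deliberately broken test names you trust.

```python
"""Probe a validating resolver: ask with DO=1, inspect AD and RCODE.

Added example; not code from the post, from Pi-hole or from unbound.
Assumptions (not on the page): resolver at 127.0.0.1:5335 as in the unbound
config above, and the probe names are DNSSEC test zones. Standard library
only, so it runs on the Pi itself.
"""
import random
import socket
import struct

RESOLVER = ("127.0.0.1", 5335)   # assumption: unbound listener from the config above

# Header flag bits (RFC 1035, RFC 4035) and the EDNS DO bit (RFC 6891)
FLAG_QR = 0x8000
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_AD = 0x0020
EDNS_DO = 0x8000
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def encode_name(name):
    """Wire-format owner name: each label prefixed by its length, zero-terminated."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, txid, qtype=1):
    """Recursive A query with one EDNS0 OPT RR carrying DO=1, so the resolver
    validates and reports AD in its answer."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size (1232),
    # TTL field = ext-rcode(8) | version(8) | DO + Z(16), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, EDNS_DO, 0)
    return header + question + opt


def parse_response(data, expected_txid):
    """Return the fields that matter for a validation check. Stray or spoofed
    replies whose transaction id does not match are rejected."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    return {
        "rcode": flags & 0x000F,
        "ad": bool(flags & FLAG_AD),
        "truncated": bool(flags & FLAG_TC),
        "answers": an,
    }


def verdict(signed_ok, signed_broken):
    """A validating resolver authenticates the good zone (NOERROR, AD=1) and
    refuses the broken one (SERVFAIL). A plain forwarder returns NOERROR for
    both and never sets AD."""
    if (signed_ok["rcode"] == RCODE_NOERROR and signed_ok["ad"]
            and signed_broken["rcode"] == RCODE_SERVFAIL):
        return "validating"
    if (signed_ok["rcode"] == RCODE_NOERROR and not signed_ok["ad"]
            and signed_broken["rcode"] == RCODE_NOERROR):
        return "not validating"
    return "inconclusive"


def probe(name, server=RESOLVER, timeout=3.0):
    """Send one query over UDP and parse the reply."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), server)
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


if __name__ == "__main__":
    good = probe("sigok.verteiltesysteme.net")    # assumption: properly signed test zone
    bad = probe("sigfail.verteiltesysteme.net")   # assumption: deliberately broken signature
    print("signed zone :", good)
    print("broken zone :", bad)
    print("verdict     :", verdict(good, bad))
```

If both probes come back NOERROR without AD, the queries are reaching a forwarder that does not validate (for instance because the Pi-hole upstream field still points somewhere other than 127.0.0.1#5335), and harden-dnssec-stripped has nothing to act on. Run it on the Pi itself: the interface line in the config binds unbound to loopback only.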
ho1Aetoo (DD-WRT Guru; joined 19 Feb 2019; posts: 2927; location: Germany)
Posted: Thu Jul 08, 2021 8:57
So I have tested a bit; theoretically it is also possible to use unbound on the router.
But this is quite complicated because the automatically generated configuration files do not fit.

So I will definitely not go into that variant and also advise against using such constructions.

The sense and purpose of the thread is also to keep everything as simple as possible.
PavelVD (DD-WRT User; joined 26 Jul 2019; posts: 109)
Posted: Thu Jul 08, 2021 18:09
My Pi-Hole configuration option in the home network has been used for several months. The settings are shown below in the picture.
Comments:
Pi-Hole is installed on Orange PI PC+ on Armbian 21.05.6 Focal system with Linux 5.10.43-sunxi.
The only upstream DNS server for Pi-Hole is the router's SmartDNS - 192.168.1.1#6053.
The configuration file for SmartDNS is picked up when starting from an external HDD - /jffs/etc/smartd.conf
SmartDNS accesses the server exclusively via the TLS protocol.
Static DNS 1/2/3 is registered, but in fact - no-resolv (this is not visible in the picture).
Maybe something is wrong, but everything works.

_________________
Linksys WRT1900ACSv2
Automatically adjustable temperature, always within the range of 59-68°C.
Alozaros (DD-WRT Guru; joined 16 Nov 2015; posts: 6410; location: UK, London, just across the river..)
Posted: Thu Jul 08, 2021 20:13
As KP69 noted, you can run various extra DNS services (via Entware) like Unbound, SmartDNS, Stubby and DNSCrypt on the router side and keep it all in one place...

The only advantages of Pi DNS are better handling with more graphs/menus (GUI) and extra CPU power just for DNS..

Me personally, I prefer all in one place, as better and easier control and handling....but I will invest in a Pi soon just to scratch the surface...and try an idea that is in my mind...

Thanks for the guide..!!

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
ho1Aetoo (DD-WRT Guru; joined 19 Feb 2019; posts: 2927; location: Germany)
Posted: Fri Jul 09, 2021 12:15
Alozaros wrote:
As KP69 noted, you can run various extra DNS services (via Entware) like Unbound, SmartDNS, Stubby and DNSCrypt on the router side and keep it all in one place...

The only advantages of Pi DNS are better handling with more graphs/menus (GUI) and extra CPU power just for DNS..

Me personally, I prefer all in one place, as better and easier control and handling....but I will invest in a Pi soon just to scratch the surface...and try an idea that is in my mind...

Thanks for the guide..!!


You can also install everything from your list on the Raspberry; then you have everything on one host / in one place as well.


https://github.com/pymumu/smartdns/releases
https://github.com/DNSCrypt/dnscrypt-proxy/releases/
https://dnsprivacy.org/wiki/pages/viewpage.action?pageId=3145786

https://github.com/NLnetLabs/unbound
https://github.com/NLnetLabs/unbound/tags

That is just the advantage of a complete Linux distribution: there you can install everything you want, and if it is not available in the package repositories (or if you want to use a newer version) you can build it yourself.

You can also do other nice things with the Raspberry.
For example you can use it as a NAS:

https://cdn.shopify.com/s/files/1/0021/1497/7894/files/IMG_13_jpg_480x480.jpg?v=1575685587

There is also the Raspberry Pi Compute Module with IO board, which even has a PCIe slot, so you can also run HW RAID controllers or WLAN cards on it.

https://www.jeffgeerling.com/sites/default/files/images/desk-storage-lab-pi-hba-hardware-raid.jpg

You can also use the Raspberry 4 as a complete router (supposedly capable of 800 Mbit/s via WireGuard).
Either with the one network port and VLANs, or you add a USB NIC or a card on the IO board.

There are thousands of other things you can do with the Raspberry, e.g. use it as a desktop replacement.

Everyone as he likes.
05dyna (DD-WRT Guru; joined 25 Jan 2008; posts: 968)
Posted: Wed Jul 14, 2021 20:30
I finally made it to my friend's house with a RasPi-3 I had prepared with Pi-hole and unbound. I used example #1 at my friend's and rebooted his EA8500 with build r46885 and no Pi-hole DNS. I tried it a few times without success, so I ended up just doing it the quick & easy way of pointing their main computer's network adapter DNS entry to Pi-hole's IP, which was not the goal.
ho1Aetoo (DD-WRT Guru; joined 19 Feb 2019; posts: 2927; location: Germany)
Posted: Wed Jul 14, 2021 21:40
Well, if you look at the network information on the computers, you can see which DNS is being used.
Sometimes the clients have to be rebooted or at least disconnected from the network to renew their DHCP lease.

In the first example "dhcp-option=6,192.168.1.110" is added to the dnsmasq.conf of the router:

Code:
root@DD-WRT:~# grep 'dhcp-option=6' /tmp/dnsmasq.conf

dhcp-option=6,192.168.1.110


This means that the client sends all DNS requests directly to the Pi-Hole and has the same effect as a manual configuration of the DNS in the client.
05dyna (DD-WRT Guru; joined 25 Jan 2008; posts: 968)
Posted: Wed Jul 14, 2021 22:16
Thanks, it didn't occur to me to reboot the client, because in Windows I could change the network adapter DNS entry to Pi-hole, Google, Quad9 or even auto without a reboot. I'll try that next time, probably in a few days.

EDIT/Update:
I was able to test this again today and ho1Aetoo was 100% spot on; we did need to reboot the clients.
foz111 (DD-WRT Guru; joined 01 Oct 2017; posts: 704; location: Earth)
Posted: Mon Dec 13, 2021 11:05
Not sure if something has changed in DD-WRT. I have been running a Raspberry Pi with Unbound and Pi-hole for a while; I had No DNS Rebind disabled in the router because of endless logs with "possible DNS rebind attacks from x.x.x.x" (whatever the correct wording was) the last time I had it enabled.
Another thread got me thinking, so I have had another attempt at it and added to Additional Dnsmasq Options:

rebind-domain-ok=/pi.hole/

enabled No DNS Rebind, rebooted, and it seems to have cured the endless logs. This may be nothing new, but last time I messed about, whatever I changed always gave me endless logs.
But this seems to have done the trick, so far at least.
It may help someone else.

_________________
Netgear R7800 PPPoE Main Router
Network IPV4 - Isolated Vlan's with IoT Devices. Unifi AC-Pro x 3 AP's, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Client's. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.

No one can build you the bridge on which you, and only you, must cross the river of life!
ho1Aetoo (DD-WRT Guru; joined 19 Feb 2019; posts: 2927; location: Germany)
Posted: Mon Dec 13, 2021 11:31
Quote:
rebind-domain-ok=/pi.hole/


doesn't work for me, and I already wrote you via PM that "stop-dns-rebind" can be deactivated on the router, as you can activate it on the Pi-hole itself (the Pi-hole itself runs dnsmasq).

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1240341#1240341
foz111 (DD-WRT Guru; joined 01 Oct 2017; posts: 704; location: Earth)
Posted: Mon Dec 13, 2021 12:11
ho1Aetoo wrote:
Quote:
rebind-domain-ok=/pi.hole/


doesn't work for me, and I already wrote you via PM that "stop-dns-rebind" can be deactivated on the router, as you can activate it on the Pi-hole itself (the Pi-hole itself runs dnsmasq).

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1240341#1240341


Yes, I have received the PM, thanks. I popped this in on Friday and it has been fine all weekend, hence the "not sure if something has changed in dd-wrt" part of the message.
Now running r47695; previously not working on 44719.

_________________
Netgear R7800 PPPoE Main Router
Network IPV4 - Isolated Vlan's with IoT Devices. Unifi AC-Pro x 3 AP's, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Client's. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.

No one can build you the bridge on which you, and only you, must cross the river of life!
ho1Aetoo (DD-WRT Guru; joined 19 Feb 2019; posts: 2927; location: Germany)
Posted: Mon Dec 13, 2021 13:50
It is not clear to me how this should work, because the option "rebind-domain-ok" excludes FQDNs from the rebind check.
So you would have to enter all 1000 dubious domains individually.

Code:
--rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
    Do not detect and block dns-rebind on queries to these domains. The argument may be either a single domain, or multiple domains


The second dnsmasq option "rebind-localhost-ok" ignores localhost addresses as answers (127.0.0.0 - 127.255.255.255)

Code:
--rebind-localhost-ok
Exempt 127.0.0.0/8 and ::1 from rebinding checks. This address range is returned by realtime black hole servers, so blocking it may disable these services.


The default blocking mode of the Pi-hole has been "unspecified" for years; that means all blocked requests are answered with 0.0.0.0, so that doesn't work either.

https://docs.pi-hole.net/ftldns/blockingmode/

In my network there is also no "pi.hole", and I do not know who should query it.
The DNS servers are queried by IP and then try to resolve the queried FQDNs; only a "pi.hole" will not be there.

Besides, there are a lot of outdated bullshite how-tos on the internet (especially the dd-wrt FAQs on the Pi-Hole pages; that's all I'll say about that).

The only thing the entry "rebind-domain-ok=/pi.hole/" does is that if you have "stop-dns-rebind" enabled on the router you can access your Pi-Hole via the domain name.

http://pi.hole/

otherwise this will be blocked:

Code:
daemon.warn dnsmasq[10968]: possible DNS-rebind attack detected: pi.hole


but it does not change the log spam with the 1000 other blocked domains:

Code:
daemon.warn dnsmasq[10968]: possible DNS-rebind attack detected: www.google-analytics.com
daemon.warn dnsmasq[10968]: possible DNS-rebind attack detected: tags-cdn.deployads.com
daemon.warn dnsmasq[10968]: possible DNS-rebind attack detected: www.google-analytics.com
daemon.warn dnsmasq[10968]: possible DNS-rebind attack detected: www.google-analytics.com
daemon.warn dnsmasq[10968]: possible DNS-rebind attack detected: www.google-analytics.com
daemon.warn dnsmasq[10968]: possible DNS-rebind attack detected: tags-cdn.deployads.com
daemon.warn dnsmasq[10968]: possible DNS-rebind attack detected: www.google-analytics.com
daemon.warn dnsmasq[10968]: possible DNS-rebind attack detected: www.google-analytics.com
daemon.warn dnsmasq[10968]: possible DNS-rebind attack detected: tags-cdn.deployads.com
daemon.warn dnsmasq[10968]: possible DNS-rebind attack detected: www.google-analytics.com
daemon.warn dnsmasq[10968]: possible DNS-rebind attack detected: www.google-analytics.com
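To see why rebind-domain-ok=/pi.hole/ cannot stop the spam as long as 0.0.0.0 answers keep arriving, here is a small model of the router-side check. It is an added example, not code from the post or from dnsmasq. It encodes the address ranges I understand dnsmasq's stop-dns-rebind to reject (an assumption about dnsmasq internals, so check it against your version; 0.0.0.0/8 being among them is what makes Pi-hole's 0.0.0.0 answers trip it), plus the two exemptions quoted above, and runs them over constructed answers that mirror the log lines in the post.

```python
"""Model of the check behind dnsmasq's "possible DNS-rebind attack detected"
log line, run over constructed Pi-hole answers.

Added example; not code from the post or from dnsmasq. The ranges are the
ones I understand dnsmasq to reject under stop-dns-rebind (assumption):
0.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, and
127.0.0.0/8 unless rebind-localhost-ok is set. rebind-domain-ok exempts a
domain and its subdomains. The sample answers below are constructed.
"""
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16")]
LOCALHOST_NET = ipaddress.ip_network("127.0.0.0/8")


def parse_rebind_domain_ok(value):
    """Accept both dnsmasq spellings: 'example.com' and '/a.example/b.example/'."""
    return [d.lower() for d in value.split("/") if d]


def domain_exempt(name, ok_domains):
    """A rebind-domain-ok entry covers the name itself and every subdomain."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in ok_domains)


def is_rebind(name, answer_ip, ok_domains=(), localhost_ok=False):
    """True if dnsmasq with stop-dns-rebind would drop this A answer and log
    'possible DNS-rebind attack detected: <name>'."""
    if domain_exempt(name, ok_domains):
        return False
    ip = ipaddress.ip_address(answer_ip)
    if ip.version != 4:
        return False          # IPv4 only here; the log lines in the thread are all A answers
    if ip in LOCALHOST_NET:
        return not localhost_ok
    return any(ip in net for net in PRIVATE_NETS)


def flagged_names(answers, ok_domains=(), localhost_ok=False):
    """Names that would produce a log line, in order, for a batch of (name, ip)."""
    return [name for name, ip in answers
            if is_rebind(name, ip, ok_domains, localhost_ok)]


# Constructed sample: what the router sees coming back from a Pi-hole in the
# default "unspecified" blocking mode (blocked names are answered with 0.0.0.0).
SAMPLE_ANSWERS = [
    ("www.google-analytics.com", "0.0.0.0"),     # blocked by Pi-hole
    ("tags-cdn.deployads.com", "0.0.0.0"),       # blocked by Pi-hole
    ("pi.hole", "192.168.1.110"),                # Pi-hole's own LAN address
    ("www.example.com", "203.0.113.10"),         # ordinary public answer (TEST-NET-3)
    ("rbl.example.net", "127.0.0.2"),            # RBL-style localhost answer
]

if __name__ == "__main__":
    print("stop-dns-rebind only        :", flagged_names(SAMPLE_ANSWERS))
    print("+ rebind-domain-ok=/pi.hole/:",
          flagged_names(SAMPLE_ANSWERS, parse_rebind_domain_ok("/pi.hole/")))
    print("+ rebind-localhost-ok       :",
          flagged_names(SAMPLE_ANSWERS, localhost_ok=True))
```

In all three runs the two 0.0.0.0 answers stay flagged: the domain exemption removes only pi.hole and the localhost exemption only the 127.0.0.2 answer. Any Pi-hole blocking mode that answers with an address inside those ranges will keep feeding the router's log, which is the point of the post: either disable stop-dns-rebind on the router and rely on the same check in the Pi-hole's own dnsmasq, or change what the Pi-hole answers for blocked names.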
unlucky1 (DD-WRT User; joined 09 Mar 2013; posts: 75)
Posted: Tue Jan 04, 2022 3:15
I see your examples are for a PPPoE ISP connection. I have static connections, so it's a little different, but I have it working in a configuration similar to your 2nd example. In this configuration, the Pi Hole keeps rate limiting the router's DNS requests. I'm currently up to 200000 in 60 seconds in /etc/pihole/pihole-FTL.conf (default is 1000/60) and it's still hitting the limit.

So, do you see those types of errors? Or, how did you mitigate them? I see that it could be set to 0/0 and essentially disable that "feature" but not sure what the ramifications would be.

What are the Pros and Cons between the two examples you presented?

I like the added reporting feature that comes with the first example but worried about the rate limiting and no backup DNS if the Pi Hole goes down.

I like the simplicity and having a backup DNS option if the Pi hole goes down in example 2 but miss out on the individual client reporting.

_________________
TP-Link TL-WDR4300 v1 (NAS) - r54682
Buffalo WZR-600DHP (Gateway, NAS, DDNS, DHCP) - r54682
Netgear R7800 (Gateway, DDNS, DHCP, DNSMASQ w/Pi Hole) - r54682
Netgear R7800 (AP) - r54682


Last edited by unlucky1 on Tue Jan 04, 2022 11:23; edited 1 time in total
ho1Aetoo (DD-WRT Guru; joined 19 Feb 2019; posts: 2927; location: Germany)
Posted: Tue Jan 04, 2022 8:55
Leave the fields "Router IP > Gateway" and "Router IP > local DNS" empty.

Do not use "local DNS" for the Pi-Hole; use "Static DNS 1-3" only.

Do not use "Conditional forwarding".

And no, I don't have 200,000 requests in 60 sec,
so it should come to your mind that something is configured wrong and running in a loop :)
unlucky1 (DD-WRT User; joined 09 Mar 2013; posts: 75)
Posted: Sun Jan 09, 2022 12:52
ho1Aetoo wrote:

And no, I don't have 200,000 requests in 60 sec,
so it should come to your mind that something is configured wrong and running in a loop :)


Yes, that's why I came here for advice. Seems I had to dig deeper into my overall network setup, too.

This is what works for Static WAN, from WAP to Pi Hole:

WAP:

Setup > Basic Setup
WAN Connection - Disabled
SFE and STP - Disabled
Local IP - 192.168.1.6/24 (your IP may vary)
Gateway - 192.168.1.1
Local DNS - 192.168.1.1
DHCP Type - DHCP Forwarder
DHCP Server - 192.168.1.1 (Gateway Router to ISP)

Setup > Advanced Routing
Operating Mode - Router

Services > Services
SmartDNS Resolver - Disable
Dnsmasq - Disable


Gateway:
Setup > Basic Setup
Connection Type - Static IP
WAN IP Address - x.x.x.2/xx (provided by ISP)
Gateway - x.x.x.1 (provided by ISP)
Static DNS 1 - 192.168.1.x (Pi Hole address on LAN)
Static DNS 2 - Alternate DNS 1 (your choice may vary)
Static DNS 3 - Alternate DNS 2 (your choice may vary)

SFE and STP - Disabled

Local IP - 192.168.1.1/24 (This is the Gateway to the ISP)
Gateway - 0.0.0.0
Local DNS - 0.0.0.0

DHCP Type - DHCP Server
DHCP Server - Enable
Use DNSMasq for DNS - Check
DHCP-Authoritative - Check
Forced DNS Redirection - Uncheck

Setup > Advanced Routing
Operating Mode - Gateway

Services > Services
SmartDNS Resolver - Disable
Dnsmasq - Enable
Cache DNSSEC data - Disable
No DNS Rebind - Disable
Query DNS in Strict Order - Enable
Add Requestor MAC to DNS Query - Disable
RFC4039 Rapid Commit support - Disable

Pi Hole:
Settings > DNS > Upstream DNS Servers
Select Upstream DNS of your choice or select Custom DNS and add your DNS of choice

Advanced DNS settings
Never forward non-FQDN A and AAAA queries - Checked
Never forward reverse lookups for private IP ranges - Checked
Conditional forwarding - Unchecked

_________________
TP-Link TL-WDR4300 v1 (NAS) - r54682
Buffalo WZR-600DHP (Gateway, NAS, DDNS, DHCP) - r54682
Netgear R7800 (Gateway, DDNS, DHCP, DNSMASQ w/Pi Hole) - r54682
Netgear R7800 (AP) - r54682


Last edited by unlucky1 on Sun Jan 09, 2022 21:08; edited 1 time in total