Pihole & Unbound & Static routes.... Stopping Devices using hardcoded DNS (be your own DNS server with unbound)
<blockquote data-quote="kC77" data-source="post: 967757" data-attributes="member: 92796">
<h3>I've been using a Pi-hole for years, love it and couldn't be without it! But only recently added "unbound", a secure DNSSEC recursive server, onto my Pi... Just wanted to share something I have done that forces ANY device or user that tries to use a common public DNS server IP through my Pi-hole/unbound.</h3>
<p>Just because your DHCP server will give out the Pi-hole as its DNS server does not mean all devices will actually honour that and use the Pi-hole for DNS; also, anyone can manually change their DNS to bypass it. The below may help if you want to stop this.</p>
<p>(Some mobile devices, and especially Google Chromecast and Mini devices for example, are hardcoded to use 8.8.8.8/8.8.4.4.) You will likely NOT see anything from these devices in your Pi-hole; there are other devices out there which no doubt do the same (Huawei etc.).</p>
<p>Now this is how I have my DNS configured to ensure that there is not, or cannot be, any DNS leaks, and additionally that anyone on my network, even if they try to set a common public DNS server, cannot bypass the Pi-hole. (They could if it's an obscure or public DNS... or they could just dial a VPN!)</p>
<p>Firstly, set up unbound on your Pi in recursive mode... this way YOU are your own recursive DNS server; you no longer need ANY public DNS servers: <a href="https://docs.pi-hole.net/guides/dns/unbound/" target="_blank">unbound - Pi-hole documentation</a></p>
<p>Next step (you will need to have a router that can support static routes (most do!)): gather a list of all the public DNS servers you can find... 1.1.1.1/1.1.1.2/8.8.8.8/8.8.4.4 etc. etc. There is a LOT, but just get the most common/popular ones and create static routes for each, e.g.</p>
<p>route 1.1.1.1/32 to next hop 192.168.x.x (with this being your Pi-hole IP)</p>
<p>route 1.1.1.2/32 to next hop 192.168.x.x (with this being your Pi-hole IP)</p>
<p>etc... etc...</p>
<p>Do this for ALL the common public DNS providers you can. Yes, it's a bit of work, but once done you have less chance of any device leaking through a hard-coded public DNS server, and it also stops users on the network bypassing your Pi-hole. E.g. if someone wanted to bypass the restrictions in your ad/blocklists (for example they wanted to get on a porn site and you had the porn blocks in place), they could easily just manually change their DNS server to a public one... (or they could of course just dial a VPN!)</p>
<p>With the static routes in place at your router level... no matter if they set their device to use 1.1.1.1, their DNS traffic would still get routed through the Pi-hole.</p>
<p>#Another BETTER option (no need for all the routes), but depending on your router/skill level, is to use DNAT to direct ALL UDP 53 to the specific IP of your Pi-hole/unbound server.</p>
</blockquote>
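As an added example, not from the post or from the Pi-hole/unbound projects, here is the DNAT option from the end of the post written as a shell function that emits an nftables ruleset for a Linux router, including the two rules that make it work in practice: the Pi-hole's own traffic is left alone so unbound's recursion does not loop back onto itself, and redirected flows are masqueraded so replies return through the router and the client sees the answer come from the resolver it asked. The interface name br-lan and the Pi-hole address 192.168.1.2 are assumed placeholders.

```shell
#!/bin/sh
# Emit an nftables ruleset that rewrites every DNS query crossing the LAN
# interface to the Pi-hole/unbound host (the DNAT option from the post).
# Assumed placeholders: LAN interface "br-lan", Pi-hole at 192.168.1.2.
gen_dnat_rules() {
    lan="$1"      # router interface facing the LAN clients
    pihole="$2"   # IP of the Pi-hole/unbound box
    cat <<EOF
table ip dns_redirect {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Never rewrite the Pi-hole's own traffic: unbound's recursive queries
        # to root/authoritative servers would otherwise be sent back to itself.
        iifname "$lan" ip saddr $pihole return
        # Queries already addressed to the Pi-hole need no rewrite.
        iifname "$lan" ip daddr $pihole return
        # Everything else on port 53 (UDP and TCP) goes to the Pi-hole,
        # whatever resolver address the client has hard-coded.
        iifname "$lan" udp dport 53 dnat to $pihole
        iifname "$lan" tcp dport 53 dnat to $pihole
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hairpin case: client and Pi-hole share a subnet, so the reply would
        # otherwise go straight to the client with the Pi-hole's address as
        # source and be discarded. Masquerading the redirected flow forces the
        # reply back through the router, where conntrack restores the original
        # destination address the client expects.
        oifname "$lan" ip daddr $pihole ct status dnat masquerade
    }
}
EOF
}

# Print the ruleset; to load it on the router run:
#   gen_dnat_rules br-lan 192.168.1.2 | nft -f -
gen_dnat_rules "${1:-br-lan}" "${2:-192.168.1.2}"
```

Only plain DNS on port 53 is caught; a device using DNS over HTTPS or TLS (443/853) or the VPN the post mentions is not redirected by these rules and has to be handled separately.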