OPNSense + Pi-Hole + Firewall: SmartTV says no!

Started by hakuna, December 03, 2021, 05:45:24 AM

December 03, 2021, 05:45:24 AM Last Edit: December 03, 2021, 05:47:29 AM by ratoloko
Long story short, I have been using Pi-Hole + Unbound recursive DNS as my DNS server, and everything works amazingly well. No matter what, I am not changing that!

I have these firewall rules in place: (I hope the images are showing)







The goal is to force any device requesting DNS, DoT and DoH to be redirected to Pi-Hole instead.
Everything was supposed to be working as expected, but when checking Sensei under DNS Transactions Heatmap, I see:


  • PIHOLE01: OK
  • PIHOLE02: OK
  • SMART TV: 100% WRONG

No matter what I do, I cannot block my TV from accessing 8.8.8.8 or 8.8.4.4.
Any other device is fine.

I have tried every possibility and I just cannot sort this out; it is driving me nuts :(
I really hope someone can help me somehow.

Thank you

I have a similar setup to yours, and here is my config: https://forum.opnsense.org/index.php?topic=24413.msg117229#msg117229

I don't have separate block rules for DoT or DoH (will probably introduce them at some stage, though). But I am not sure about your block rules being outbound rules; it is more efficient to have them inbound on the local interfaces from the local network.

Keep reading all the way!

I am so out of options that I deleted my rules and used yours.
At first, I thought nothing was working because, yeah, I deleted the rules and it takes time for Sensei to refresh everything.

This morning things are looking as they should, but still, my TV is still calling Google DNS.
I don't think I can block that; it is the Netflix app making dozens of requests to

api-global.netflix.com
nrdp.prod.ftl.netflix.com
nrdp50-appboot.netflix.com



Either way, I am keeping yours since they are way cleaner rules than the one I was using.

But then, in the link below, I saw a comment saying that if you manually add a DNS server to the device "it bypasses" Pi-Hole, and I understand now what is happening: there is no bypass!


  • added 8.8.8.8 as DNS on my smartphone
  • everything works as expected
  • but it DOES NOT access 8.8.8.8 right away; it is redirected to Pi-Hole

I had a shell tailing the Pi-Hole logs (pihole -t). Then I tried to access everything.
Sensei does show my smartphone IP address calling 8.8.8.8, but it is Pi-Hole that is passing the requests through.
The same thing was happening with the TV and I couldn't understand why.
This time, though, I was looking into these little details, and everything was working before; no changes were required and I feel dumb lol

Regarding DoT and DoH it actually works great, I have followed this https://labzilla.io/blog/force-dns-pihole to set up everything.



If you run
  telnet 1.1.1.1 443
it should eventually fail, meaning, the rules are working.

December 04, 2021, 01:20:42 PM #3 Last Edit: December 04, 2021, 01:24:06 PM by annoniempjuh
I have Pi-Hole in a separate VLAN and created this rule for every LAN interface:


You can also just use a "floating rule"...

I don't use DoT and DoH, so I created 2 rules in the WAN firewall rules that block 853 and 5053.
Also, I have set Zenarmor (Sensei) to block DoH and DoT.

Quote from: annoniempjuh
I don't use DoT and DoH, so I created 2 rules in the WAN firewall rules that block 853 and 5053

@annoniempjuh would you mind sharing what your block rules look like?

@ratoloko the issue might be that you are specifying the source ports, I believe those are randomized during local routing and then changed properly for the destination. Make all source ports * (any) and only specify 53 for the destination.

Additionally, if you are blocking outside DNS, shouldn't you also port forward to the Pi-Hole so it can resolve? What happens when the block works successfully? How will the TV resolve DNS?

December 05, 2021, 04:23:44 PM #6 Last Edit: December 05, 2021, 04:26:41 PM by annoniempjuh
Quote from: baz on December 04, 2021, 11:31:26 PM
Quote from: annoniempjuh
I don't use DoT and DoH, so I created 2 rules in the WAN firewall rules that block 853 and 5053

@annoniempjuh would you mind sharing what your block rules look like?

Just this:

For port 5053 it's the same rule config.
DoH is blocked with Zenarmor (Sensei).
It is possible to block known DoH servers on port 443, but I found out that sometimes it also blocks legitimate traffic...

Unless it has changed recently, Zenarmor just blocks DOH requests based on destination IP address so not much different than using an OPNsense alias for DNS server lists.

Quote from: baz on December 04, 2021, 11:39:58 PM
@ratoloko the issue might be that you are specifying the source ports, I believe those are randomized during local routing and then changed properly for the destination. Make all source ports * (any) and only specify 53 for the destination.

Additionally, if you are blocking outside DNS, shouldn't you also port forward to the Pi-Hole so it can resolve? What happens when the block works successfully? How will the TV resolve DNS?

Regarding the TV and ports, my goal is to block it from contacting Google DNS directly, but as I mentioned to Greelan, I believe I have been looking at everything the wrong way and everything is working as expected.
His/Her rules are cleaner than the ones I was using, and they use * instead of 53, so we are good.

Netflix is the smart TV app making those calls, and those calls are being processed by Pi-Hole; I could see that by checking its log.
Regarding Sensei, I use it in passive mode just to see what is going on; I have no rules, I have no kids to worry about, etc.

Regarding DoT and DoH, it is easy to block DoT, but you cannot block DoH (443).
Also, I am not sure what could happen if you fully block them; the rules I am using only allow Pi-Hole to access them, so it is easy to create exceptions, etc.
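As an added illustration (not any poster's rules, and not OPNsense's own syntax) of baz's source-port point and of the Pi-Hole exception mentioned in the last reply: a small Python model of first-match rule evaluation, with assumed addresses 192.168.10.2 for Pi-Hole and 192.168.10.50 for the TV, showing that a redirect rule pinned to source port 53 never matches a client query sent from an ephemeral port.

```python
# Toy first-match evaluation of the DNS-redirect rule set discussed above.
# Addresses, rules and packets are constructed for illustration; they are
# not OPNsense syntax and not any poster's real configuration.
from dataclasses import dataclass
from typing import Optional

PIHOLE = "192.168.10.2"  # assumed Pi-Hole address on its own VLAN


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                    # "pass", "block" or "redirect"
    dport: Optional[int] = None    # None = any destination port
    sport: Optional[int] = None    # None = any source port (the GUI's "*")
    src: Optional[str] = None      # None = any source address
    target: Optional[str] = None   # where a redirect sends the packet

    def matches(self, p: Packet) -> bool:
        return ((self.dport is None or p.dport == self.dport)
                and (self.sport is None or p.sport == self.sport)
                and (self.src is None or p.src == self.src))


def evaluate(rules, p: Packet) -> str:
    """First matching rule wins; nothing matching is passed (assumed default)."""
    for r in rules:
        if r.matches(p):
            return f"redirect->{r.target}" if r.action == "redirect" else r.action
    return "pass"


# The rule set the thread converges on: let Pi-Hole itself reach upstream
# resolvers, send every other port-53 query to Pi-Hole, block plain DoT (853).
GOOD_RULES = [Rule("pass", src=PIHOLE),
              Rule("redirect", dport=53, target=PIHOLE),
              Rule("block", dport=853)]
# The mistake baz points out: source port pinned to 53 as well.
BAD_RULES = [Rule("redirect", dport=53, sport=53, target=PIHOLE)]

# Constructed sample traffic: clients use an ephemeral source port, not 53.
TV_QUERY = Packet("192.168.10.50", 51234, "8.8.8.8", 53)
PIHOLE_UPSTREAM = Packet(PIHOLE, 40001, "8.8.8.8", 53)
TV_DOT = Packet("192.168.10.50", 51235, "1.1.1.1", 853)
```

With GOOD_RULES the TV's query is redirected to Pi-Hole, Pi-Hole's own upstream query passes, and the DoT attempt is blocked; with BAD_RULES the TV's query slips through untouched because its source port is not 53.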