Now I search for a way to redirect any(!) DNS request to my Pi-hole. Yes, any. DNS, DNSSEC, DoH, whatever exists.
Proto | Source | Port | Destination | Port | Gateway | Schedule | Description
IPv4 TCP/UDP | * | * | 10.13.12.2 | 53 (DNS) | * | * | Redirect DNS to this Firewall
IPv6 TCP/UDP | * | * | fd00:10:13:12::acab | 53 (DNS) | * | * | Redirect v6 DNS to this Firewall
IPv4+6 TCP | ! This Firewall | * | ! LAN address | 853 | * | * | Reject hardcoded DoT-DNS access
IPv4+6 TCP | ! This Firewall | * | DNSServer_merged | 443 (HTTPS) | * | * | Reject hardcoded DoH-DNS access
chrome.cloudflare-dns.com
mozilla.cloudflare-dns.com
doh.opendns.com
doh.dns.sb
185.222.222.222
185.184.222.222
2a09::
2a09::1
2a07:a8c0::89:ec71
2a07:a8c1::89:ec71
dns.nextdns.io
You need to c+p every line separately.
Hey, I'm using Pi-hole with over 50 million domains to block nearly everything in my home network, what a "normal user" would call "the Internet". Any Microsoft service, any Amazon service, any Google service, any Alphabet service, any Facebook service, any TikTok service, Alibaba, Tencent, Spotify, Netflix, PayPal, Reddit, and so on; simply everything which isn't open source or is a known personal data hoarder. Every guest who visits me knows this and knows they must use their own mobile data plan if they want to use these services.

But today I found out that this doesn't always work. A guest showed me his new Samsung phone and after a few minutes of fiddling he surprisingly asked me when I stopped blocking Facebook/WhatsApp. I said I never did.

After an hour of research and experiments, I/we found out that Facebook/WhatsApp is indeed blocked if visited by a browser, but it seems that the Facebook/WhatsApp clients got an update with hardcoded DNS in it, which I can't block because it seems to use DoH (DNS over HTTPS). Sure, I could export the Pi-hole blocklists to IPs and block all ~50 million IP addresses with OPNsense firewall rules. But this is massive work which would take me hundreds of years maybe (or is there a function in OPNsense where I can import a txt file with IPs which then get blocked?).

Now I search for a way to redirect any(!) DNS request to my Pi-hole. Yes, any. DNS, DNSSEC, DoH, whatever exists. Or maybe you experts know a better way to accomplish what I want.

Thank you for your help.
You are kidding me. Your links alone are so long I can't read them all in the lifetime I have left.
If you have a choice, maybe take a look at AdGuard Home for ad blocking. AdGuard Home has the option to block services like Facebook with one click.
Only the custom servers need to be added one by one; the provided lists are added by URL. There is one alias for every URL and one alias for the custom servers. All those aliases are merged in the "final" alias, which is used in the FW rules:
I do this more simply, thusly:

1) Outbound NAT rules to redirect port 53 TCP/UDP to Pi-hole (log to locate devices trying to bypass your DNS and remove them from your network).
2) Outbound NAT rules to redirect port 853 TCP/UDP to Pi-hole (log to locate devices trying to bypass your DNS and remove them from your network).
3) Zenarmor tick rule to block DNS over TLS (Zenarmor has a logging interface automatically).
4) Zenarmor tick rule to block DNS over HTTPS.
5) LAN rule to block 8853 UDP out (don't bother logging; any Chrome browser will trigger the log).
6) LAN rule to block 443 UDP out (don't bother logging; any Chrome browser will trigger the log).
7) LAN AllowList alias to allow out CDN networks if required.
8) LAN BlockList alias to block outbound IPs on lists (LOG THIS RULE SO YOU CAN SEE WHEN IPs ARE BLOCKED):
https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt
https://raw.githubusercontent.com/pallebone/TheGreatWall/master/TheGreatWall_ipv4
https://raw.githubusercontent.com/oneoffdallas/dohservers/master/iplist.txt
https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOHipv4.txt
https://raw.githubusercontent.com/cbuijs/accomplist/master/doh/plain.black.ip4cidr.list

List of manual IPs I have found:
Manually added DoH IPs: 1.1.1.1, 1.0.0.1, 1.1.1.2, 1.0.0.2, 1.1.1.3, 1.0.0.3, 104.17.64.4, 104.17.65.4, 203.107.1.4, 193.161.193.99
Manually added DoH ranges: 101.36.166.0/24, 203.107.1.0/24

Note: the AllowList I have had to open so far contains these port/IP combinations:
Allow out port 443: 151.101.66.133, 151.101.2.133, 151.101.130.133, 172.67.75.103, 104.26.2.13, 185.199.108.153, 185.199.109.153, 185.199.110.153, 185.199.111.153, 104.26.3.13, 151.101.194.133, 216.239.34.21, 44.235.246.155, 151.101.65.195, 104.26.4.174, 172.67.70.80, 104.21.39.13, 172.67.170.203, 151.139.128.10, 104.26.5.174, 151.101.1.195, 141.193.213.21, 172.67.212.2, 104.21.85.239, 44.236.72.93, 104.16.132.229, 141.193.213.20, 217.64.148.8, 104.21.68.104, 96.126.123.244, 45.33.20.235, 44.236.48.31, 216.239.36.21, 216.239.38.21, 104.19.155.92, 104.21.15.239, 167.172.139.120, 216.239.32.21, 90.155.62.13, 90.155.62.14, 95.216.25.250, 162.159.138.85, 162.159.137.85, 172.224.62.11, 172.224.63.11, 172.224.63.19, 23.227.38.65
Allow out port 123: 69.1.1.251, 129.250.35.250, 129.250.35.251, 162.248.241.94, 194.36.144.87, 95.216.24.230, 45.76.113.31, 94.16.114.254
Allow out port 80: 151.101.66.133, 151.101.194.133, 151.101.2.133, 151.101.130.133, 141.193.213.20, 172.67.70.80, 104.26.4.174, 184.168.131.241, 17.253.85.204, 162.159.138.85, 162.159.137.85

With this combination I have not been able to find a way to bypass the block unless an IP is added to the allowlist (required if you want to access a site that is on a CDN).

I occasionally update this page with new IPs or lists I find (the DoH stuff is near the end): https://github.com/pallebone/PersonalPiholeListsPAllebone
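Both the "one alias per URL, merged into a final alias" approach above and the BlockList-of-lists approach in this post come down to the same job: pull several blocklist files and manually collected entries together, deduplicate them, and end up with one clean set of networks that the firewall rule can match against. The script below is an added example, not code from anyone in this thread or from OPNsense, Pi-hole or Zenarmor. It assumes blocklist files in the one-IP-or-CIDR-per-line style of the lists linked above (with `#` comments), uses constructed sample contents instead of downloading the real lists, collapses overlapping entries with Python's standard `ipaddress` module, renders the one-entry-per-line text an alias import expects, and offers a lookup so you can check whether a destination you see in the firewall log falls inside the merged block set.

```python
import ipaddress
from typing import Iterable

# Constructed sample of a DoH IP blocklist file: one IPv4 address or CIDR per
# line, with comment and blank lines and one junk entry. This is NOT a copy of
# any of the lists linked in the thread.
SAMPLE_LIST_A = """\
# DoH resolvers (constructed sample)
1.1.1.1
1.0.0.1
104.17.64.4
203.107.1.4   # inline comment after an entry

not-an-ip
"""

# Second constructed sample; overlaps the first and adds a CIDR and an IPv6 host.
SAMPLE_LIST_B = """\
1.1.1.1
1.1.1.2
1.0.0.2
101.36.166.0/24
203.107.1.0/24
2a07:a8c0::89:ec71
"""

# Manually collected entries in the comma-separated form used in the post.
MANUAL_IPS = "1.1.1.3,1.0.0.3,193.161.193.99"
MANUAL_RANGES = "101.36.166.0/24,203.107.1.0/24"


def parse_entries(text: str):
    """Yield ip_network objects from blocklist-style text.

    Accepts one address or CIDR per line or per comma-separated field, strips
    '#' comments and blank lines, and skips entries that do not parse instead
    of aborting the whole import (a real import should log the skipped ones).
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        for field in line.split(","):
            field = field.strip()
            if not field:
                continue
            try:
                # strict=False tolerates CIDRs with host bits set (e.g. 10.0.0.5/24).
                yield ipaddress.ip_network(field, strict=False)
            except ValueError:
                continue


def merge_alias(sources: Iterable[str]):
    """Merge several blocklist texts into deduplicated, collapsed networks.

    Returns (ipv4_networks, ipv6_networks). Single hosts are /32 or /128
    networks, so any host already covered by a CIDR disappears when collapsed.
    IPv4 and IPv6 are kept apart because collapse_addresses refuses mixed input.
    """
    v4, v6 = [], []
    for text in sources:
        for net in parse_entries(text):
            (v4 if net.version == 4 else v6).append(net)
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)))


def is_blocked(ip: str, networks) -> bool:
    """True if the address falls inside any network of the merged set."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


def render_alias(networks) -> str:
    """One entry per line, the form a network alias import expects."""
    return "\n".join(str(net) for net in networks)


if __name__ == "__main__":
    v4, v6 = merge_alias([SAMPLE_LIST_A, SAMPLE_LIST_B, MANUAL_IPS, MANUAL_RANGES])
    print(render_alias(v4))
    print(render_alias(v6))
    for probe in ("1.1.1.1", "203.107.1.77", "8.8.8.8"):
        print(probe, "blocked" if is_blocked(probe, v4) else "allowed")
```

Feeding the real list URLs in is just a matter of fetching each file's text and passing it to `merge_alias`; the collapsing step is what keeps the final alias small, because a single CIDR from one list swallows dozens of individual hosts from another. The lookup is the check worth having before opening an allowlist entry for a CDN address: if the address is only blocked because one list happens to contain it, you know which side of the rule set to adjust.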
OK, after hours of fiddling I'm now frustrated and need a break. After I found out that Zenarmor works, but sadly not 100%