Configuring Split Horizon DNS with Pi-Hole and Tailscale

(bentasker.co.uk)

69 points by gm6788 hours ago

4 comments

  • elashri3 hours ago
    I do force all plain DNS on port 53 to my local dns (Adguard home + unbound on a gl-inet router). And I block common DoH addresses. There are many lists on Github. I collect them using github action to have one big list of their IP and addresses and block them.<p>This is not a bullet proof solution in case there is a semi known custom DoH an application use. But it is the best that I can do without Enterprise network gear and more complex setup that I would like to maintain.
    • baby_souffle2 hours ago
      Would you be willing to share the list sources you use?
      • metadat1 hour ago
        And perhaps automate pushing to a gist or repository?
      • bozhark2 hours ago
        Seconded
    • TacticalCoder56 minutes ago
      [dead]
  • dolmen4 hours ago
    The post says:<p>&gt; Side note: for those wondering, Tailscale is Canadian and can&#x27;t see the content of connections (although if you&#x27;re worried about this it&#x27;s also possible to self-host using Headscale).<p>However this is no longer the case. From Tailscale&#x27;s Terms of service &quot;Schedule A&quot;, &quot;New customer accounts on or after September 3, 2024&quot; are bound to &quot;Tailscale US Inc., a Delaware corporation&quot;
    • doctorpangloss2 hours ago
      It can’t see the contents of connections but it records all the metadata. You know a lot about what the contents are going to be based on the ports. The default configuration of Tailscale will also collect all your DNS requests.<p><a href="https:&#x2F;&#x2F;github.com&#x2F;tailscale&#x2F;tailscale&#x2F;issues&#x2F;16165">https:&#x2F;&#x2F;github.com&#x2F;tailscale&#x2F;tailscale&#x2F;issues&#x2F;16165</a>
  • leipert6 hours ago
    &gt; Chromecasts ignore local DNS... grrr<p>Can’t you force traffic to 8.8.8.8 &#x2F; 8.8.4.4 (especially port 53) to hit your PiHole instead?
    • gerdesj3 hours ago
      Its a trick one. Traditional DNS runs over port 53&#x2F;udp and fails over to 53&#x2F;tcp for large queries&#x2F;results. That&#x27;s easy to deal with on a packet filter firewall.<p>Then in the name of ... something, something, security ... DNS over http(s) was invented. Now you can balkanize DNS by requiring certain SSL certificates be involved. To my knowledge this hasn&#x27;t been abused large scale yet but it could.<p>Let&#x27;s go easy on the tinfoil and simply redirect outbound traffic to 53&#x2F;udp and tcp to a PiHole or other DNS server under your control.<p>If you insist on the tin foil, you will probably need to look into a MitM proxy such as Squid - look into &quot;bump&quot; and &quot;spice&quot;.
    • watersb5 hours ago
      My older Kindle Fire HD 10 flips over to DNS over HTTPS if it can&#x27;t see Google on port 53.<p>I&#x27;ve tried to add a couple of rules in iptables on my Ubiquiti Dream Machine (UDM), but the out-of-box configuration on the UDM is pages and pages to iptables rules. I can modify that config via a shell interface (a shell script with four iptables command lines), but it doesn&#x27;t play with the web based GUI, and I have yet to figure out how the UDM handles such traffic.<p>Yes, I&#x27;ve simply blocked all traffic for 8.8.8.8 and 8.8.4.4, via the UDM GUI, the rules are there. The Kindle still shows me ads.<p>It may be possible to delete the entries for Google DNS on the Kindle via adb commands during boot, but I haven&#x27;t gotten that far.<p>Someday I will get around to setting up a homelab network enough to learn iptables etc without blacking out my home network. As any network outage bring immediate screams from the house, I have to treat the firewall configuration as critical infrastructure: brittle. Don&#x27;t touch.
      • OptionOfT1 hour ago
        With the UDM you can do DNS masquarade to redirect traffic destined for 8.8.8.8:53 to your local pihole &#x2F; AdGuard instance.
      • ectospheno4 hours ago
        Hagezi and others provide reasonable DoH block lists.
    • temp08265 hours ago
      Iptables can be used to dump any traffic destined for port 53 to a dns server of your choosing, but I don&#x27;t know if something like that exists in consumer routers. (Blocking a baked in doh client is a lot more complicated...)
      • Melatonic4 hours ago
        Yeah it would depend on your equipment - but basically if stuff pins and IP instead of doing DNS you would have to block the IP&#x27;s of all the common resolvers (or at least the ones it will try)
        • VTimofeenko4 hours ago
          Why not forbid going outside on port 53 and (optionally) redirect to the local DNS servers:<p>(nftables syntax)<p>ip saddr != @lan_dns ip daddr != @lan_dns udp dport 53 counter dnat ip to numgen inc mod 2 map { 0 : 192.168.1.1, 1 : 192.168.1.2 } comment &quot;Force all DNS traffic to go through local DNS servers&quot;
    • joombaga5 hours ago
      I think you can just block Google&#x27;s servers and it&#x27;ll use the DHCP-configured DNS server.
    • api3 hours ago
      On my LAN I send all DNS traffic to pi.hole with iptables. Won’t help if they DoH tunnel it though.
  • snvzz1 hour ago
    I use headscale and took the high road: Tailscale IPs all the time.<p>Why trust the wires at all. Just run all traffic through VPN, even if it&#x27;s in the same LAN.<p>This way, I know all traffic is encrypted. I don&#x27;t have to worry about SMB or the like being plaintext.