  1. #1
    Newbie
    Join Date
    Dec 2020
    Posts
    9

    Is there an official guide on how to implement PIHole as THE DNS solution

    I have a pihole set up as a recursive DNS server on my network. I want to make sure I have all the settings in Untangle set correctly so it uses the PIHole instead of (or in addition to) the adblocker app.

    Currently I have:
    Config/Network/Internal DHCP DNS override set to the PIHole ip.
    Config/Network/ByPass Rules - bypass dns sessions is enabled.
    Config/Network/DNS Server with 3 static DNS IPs: 1-pihole ip, 2-8.8.8.8, 3-9.9.9.9.

    Is there anything else? If this is all there is to set, is there any point to enabling the Ad blocker app?

    Thanks,
    Robert

  2. #2
    Untangler
    Join Date
    May 2008
    Posts
    365


    I don't point Untangle to my pi-hole. It seemed to cause a DNS loop.

  3. #3
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,033


    Why would there be an official "Untangle" guide to implementing PiHole on a network?

    Untangle's stated objective is to make things as easy as possible; implementing a 3rd party DNS filtration system is the opposite of easy.

    But, back to sanity checking your configuration, that third item on the list makes no sense and isn't doing what you think it's doing, just delete them.

    Using DHCP DNS override is how you configure clients on your network to use another DNS server, so yeah that's how you do that. Pihole does the rest on its own, but your use of that generic bypass rule means any client on your network can simply ignore DHCP and use whatever DNS it wants. So while this configuration works, it has no access control built into it.

    Of course the default Untangle DNS configuration lacks that as well, so it's not really a problem, just something to be aware of should you care. If not, onward.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Master Untangler TirsoJRP
    Join Date
    Oct 2010
    Posts
    459


    Recently enabled PiHole for a site using Untangle Free.

    1 - Since they use AD, that server is handling internal DNS and pihole as forwarder. I don't care about individual host reporting, for now.

    2 - After #1 is working, proceed to block all DNS except for PiHole.

    A far more aggressive setting is to use port forward to force all DNS requests passing through your firewall to PiHole. Haven't played too much with it and I'm not sure if it is possible with Untangle.

    Quote Originally Posted by frosterrj:
    Config/Network/Internal DHCP DNS override set to the PIHole ip.
    Config/Network/ByPass Rules - bypass dns sessions is enabled.
    Config/Network/DNS Server with 3 static DNS IPs: 1-pihole ip, 2-8.8.8.8, 3-9.9.9.9.
    Robert
    1 - Correct
    2 - Wrong, any device can use external DNS and Untangle will simply ignore it. That includes malware that ignores the host dns settings.
    3 - Just as sky-knight said, delete that.
    Last edited by TirsoJRP; 02-03-2021 at 07:30 AM.

  5. #5
    Untanglit DobermanTech
    Join Date
    Jul 2019
    Location
    TX
    Posts
    15


    Setting up Pihole is fairly easy, but there are nuances depending on what exactly you want to do. As TirsoJRP and sky-knight indicated, you have the easy part done: Config—>Network—>Internal DHCP DNS override set to the internal Pihole IP.

    Important to note for the following - I do not use Google DNS:

    Now the fun part…just because you say to use it, doesn’t mean everything will. For example, Roku and most FireTV devices are hard coded to use 8.8.8.8 and they do not respect your above configuration.

    So the next logical step is to set up a firewall rule to not allow that:
    Destination Port is 53
    Destination Address is NOT <enter IP Addresses you have Pihole pointing to so they don’t get blocked>
    Action Type: Block

    Done….well, hang on….now the Roku and other devices are freaking out and trying to ping 8.8.8.8 many many times throughout the day. Maybe you care, maybe you don’t…but for me that crap is filling my Firewall block report and I don’t want to look at it anymore.

    Next step, at least for me, was to see if I could send those hard-coded requests to Pihole anyway.

    Config—>Network—>Port Forward Rules:
    Protocol is TCP or UDP
    Destination Port is 53
    Source Interface is Internal
    Destination Address is 8.8.8.8,8.8.4.4,208.67.220.220 (Note: these are the only hard-coded DNS IPs I currently have an issue with)
    New Destination: <internal Pihole IP>
    New Port: 53

    Now, IF you want to see these redirects in the Reports—>Network—>Port Forwarded Sessions…you’ll need to turn on “Log Bypassed Sessions” in the Advanced tab. After a lot of searching on these forums I discovered that internal to internal traffic like this is considered bypassed, so you have to explicitly log it to ensure it’s working. Leave logging on, leave logging off…totally up to you.

    Again, this Pihole setup is working well for me right now…but it depends on what all you’re trying to accomplish.

  6. #6
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,033


    You skipped a step...

    You can't specify a firewall app rule for bypassed traffic. And due to the nature of the way Untangle works against how DNS works, I find it most effective to adjust the bypass rule so that it's source IP limited, then simply have a firewall app rule that blocks everything destined for a WAN interface, over TCP or UDP, and destined to port 53.

    There's no need for an exemption in the firewall rule because bypassed traffic won't be processed by the firewall app.

    Now you can use filter rules instead of firewall rules, as all traffic including bypassed traffic is subject to them. But that needs to be clear here, because we have two firewalls in Untangle. And again those are the Firewall App, and IPTables as configured via Filter Rules.
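    As an added illustration (not code from anyone in this thread), the two rules DobermanTech lays out in #5 modelled in Python over constructed session records: the port forward rewrites traffic to a hard-coded public resolver so it lands on the Pi-hole, the firewall rule blocks port 53 to anything else, and a small check lists which internal hosts ignore the DHCP-advertised resolver (the access-control gap sky-knight and TirsoJRP point out). Assumed values, not from the thread: the Pi-hole at 192.168.1.2, its upstream 9.9.9.9, and that the port forward rewrites the destination before the firewall rule is evaluated.

```python
from collections import defaultdict

# Constructed addresses standing in for the poster's network (assumptions, not from the thread).
PIHOLE_IP = "192.168.1.2"
PIHOLE_UPSTREAMS = {"9.9.9.9"}     # what the Pi-hole forwards to; post #5's firewall rule exempts these
HARDCODED_DNS = {"8.8.8.8", "8.8.4.4", "208.67.220.220"}  # resolvers post #5 redirects

def parse_session(line):
    """Parse one constructed session record: 'iface src_ip dst_ip dst_port proto'."""
    iface, src, dst, port, proto = line.split()
    return {"iface": iface, "src": src, "dst": dst, "port": int(port), "proto": proto.upper()}

def apply_port_forward(s):
    """Port-forward rule from post #5: internal DNS to a hard-coded resolver is rewritten to the Pi-hole."""
    if (s["iface"] == "Internal" and s["proto"] in ("TCP", "UDP")
            and s["port"] == 53 and s["dst"] in HARDCODED_DNS):
        return dict(s, dst=PIHOLE_IP, port=53)
    return s

def firewall_blocks(s):
    """Firewall rule from post #5: port 53 to anything but the exempted resolvers is blocked."""
    return s["port"] == 53 and s["dst"] not in PIHOLE_UPSTREAMS | {PIHOLE_IP}

def disposition(line):
    """Assumes the port forward rewrites the destination before the firewall rule is evaluated."""
    original = parse_session(line)
    s = apply_port_forward(original)
    if firewall_blocks(s):
        return "BLOCK"
    return "REDIRECT" if s["dst"] != original["dst"] else "ALLOW"

def hardcoded_clients(lines):
    """Defender view: internal hosts that ignore the DHCP-advertised resolver, and where they go."""
    seen = defaultdict(set)
    for line in lines:
        s = parse_session(line)
        if s["iface"] == "Internal" and s["port"] == 53 and PIHOLE_IP not in (s["src"], s["dst"]):
            seen[s["src"]].add(s["dst"])
    return dict(seen)

# Constructed sample records (not real logs): a Roku-style box, a well-behaved laptop, the Pi-hole itself.
SAMPLE = ["Internal 192.168.1.50 8.8.8.8 53 UDP", "Internal 192.168.1.50 1.1.1.1 53 UDP",
          "Internal 192.168.1.20 192.168.1.2 53 UDP", "Internal 192.168.1.2 9.9.9.9 53 UDP",
          "Internal 192.168.1.20 8.8.8.8 443 TCP"]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{line:45} -> {disposition(line)}")
    print("hosts bypassing the Pi-hole:", hardcoded_clients(SAMPLE))
```

The second record shows why the redirect list alone is not enough: a resolver not on the port-forward list is only caught by the firewall rule, which is why #6 stresses that the rule must actually see the traffic (not be bypassed).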

  7. #7
    Newbie
    Join Date
    Jan 2020
    Location
    NorCal
    Posts
    3


    Interesting discussion - however I'm curious about this option:
    Config/Network/Internal DHCP DNS
    Is that an option after v15?
    here's what I see: Screenshot_2021-03-08 Untangle - red.png

  8. #8
    Untangler
    Join Date
    May 2008
    Posts
    365


    What is the screen shot showing?

  9. #9
    Newbie
    Join Date
    Jan 2020
    Location
    NorCal
    Posts
    3


    I'll type in what it's showing, in a row (in case you are on a phone or something):
    Interface
    Hostname
    Services
    Port Forward Rules
    NAT Rules
    Bypass Rules
    Filter Rules
    Routes
    DNS Server
    DHCP Server
    Advanced
    Troubleshooting

    [EDIT]
    What it's not showing is the item folks were writing about.

  10. #10
    Untanglit DobermanTech
    Join Date
    Jul 2019
    Location
    TX
    Posts
    15


    On the Interface Tab, click the edit pencil icon for your Internal LAN port...that will open a modal and you’ll see the DHCP Configuration tab.
