Gold Router Mode: External Pi-hole and DNS services
Hi all,
I'm loving my new Gold! Very happy I got one. I want to use a pi-hole on an external device but I do not want to hinder Firewalla's DNS features, especially the network names that it can assign – "my-pc.lan" for example. I'm mainly concerned about those network names.
I don't care much about seeing per device stats on the pi-hole.
Case A:
If I use pi-hole on an external device as the DNS server for each of my network devices, will that hinder any network names assigned by the Gold?
Case B (assuming Case A above does hinder the network names):
I read some posts that suggested the creation of a LAN Segment and giving the pihole a static ip under that LAN. Then one can use that address as the DNS server for other LANs. Could I forgo the creation of a new LAN (and usage of a physical port just for this LAN) and simply use the pi-hole's static IP as the DNS server for any of my Segments?
Further, if I set the pi-hole's address as the DNS server for a given Segment, it will push that configuration to my downstream devices using DHCP, meaning that I have to go to each device and set the Gold's address as the DNS server in order to keep the Gold's DNS based features. Otherwise, my devices will send all DNS requests to pi-hole directly and break Gold's DNS features, right?
Thanks in advance for the help and my apologies for my lack of knowledge here.
-
Case (A) should not be an issue; the Gold (and Red/Blue) layers DNS together. Queries always go to the Gold (ad block + LAN name + cached DNS), then go to your official DNS provider.
" https://help.firewalla.com/hc/en-us/articles/360051284214-Firewalla-Gold-FAQ-and-Known-Issues
Gold with Pi-hole not resolving some of the DNS entries?
If client DNS is set to pihole's IP address
Since client and pihole are in the same network, the DNS traffic is directly sent to the pihole and will not go through layer 3 (IP layer) of Gold. Therefore, DNS interception on Gold will not take effect and DNS-based features will not work.
If client DNS is set to Gold's LAN IP
DNS traffic from the client will first be sent to Gold. All kinds of DNS-based features will work and if DNS cache is not hit on Gold, it will be further forwarded to pi-hole in the local network for resolution.
Here is an alternative way to make domain block work with pihole in the network:
- Create another local network segment on Gold
- Move the pihole to the newly created network
- Change the DNS server in the old network's DHCP options to the new IP address of pihole
This way, all DNS traffic from other devices to pihole will go through Gold and DNS-based features will work properly.
"
-
-
Thanks for the quick reply! That page you linked to is what I had in mind.
Follow-up:
A: Say Segment 1 has pi-hole's address as DNS server in DHCP settings. Pi-hole is on Segment 2.
This means that my client will get pi-hole's address when it gets network information from DHCP. Under this setup, all DNS traffic from Segment 1 goes through Gold because it needs to make it to Segment 2. I expect all features to work correctly here, right?
B: Now say Segment 1 has pi-hole's address as DNS server. Pi-hole is on Segment 1.
(Avoiding the usage of a Gold port just for pi-hole)
This means that Gold's DNS-based features won't work because traffic is sent directly to pi-hole. My question is, if I go and manually enter Gold's IP address as my client's DNS server, will the Gold then receive AND forward DNS requests back into the pi-hole under Segment 1?
C: Set up pi-hole up-stream from Gold.
Can Gold forward requests to an upstream DNS server? Assuming there's no rules blocking this. To me, this seems like the simplest way to go since I'm ensuring all DNS traffic will definitely go through Gold.
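The FAQ quoted above and the three follow-up cases (A: Pi-hole on another segment, B: Pi-hole on the client's own segment, C: client pointed at the Gold) all come down to one question: does the client's DNS packet cross the Gold's layer-3 path, or does it stay on the local segment? The small script below is an added illustration, not Firewalla's or Pi-hole's code; the addresses, segment layout and function names are constructed assumptions. It classifies a client's resolver setting by plain subnet membership, which is exactly the distinction the FAQ draws.

```python
import ipaddress

# Constructed example addresses (assumptions, not taken from the thread):
# the Gold's LAN IP on two segments, and a Pi-hole placed on each.
GOLD_SEG1 = "192.168.1.1"
GOLD_SEG2 = "192.168.2.1"
PIHOLE_SEG1 = "192.168.1.53"
PIHOLE_SEG2 = "192.168.2.53"


def dns_path(client_ip, client_prefixlen, gateway_ip, dns_ip):
    """Classify how a client's DNS query reaches its resolver.

    "gateway" - the client sends the query to the Gold's own LAN IP, so the
                Gold answers (or forwards) it and every DNS-based feature sees it.
    "routed"  - the resolver is on another subnet, so the client hands the
                packet to its default gateway (the Gold); it traverses the
                Gold's IP layer and DNS interception applies.
    "direct"  - the resolver shares the client's subnet, so the packet goes
                straight to it at layer 2 and the Gold never sees it.
    """
    client_net = ipaddress.ip_network(f"{client_ip}/{client_prefixlen}", strict=False)
    dns = ipaddress.ip_address(dns_ip)
    gw = ipaddress.ip_address(gateway_ip)
    if dns == gw:
        return "gateway"
    if dns in client_net:
        return "direct"
    return "routed"


def features_work(path):
    """Gold's DNS-based features (LAN names, ad block) only see the query
    when the packet reaches the Gold, i.e. the 'gateway' or 'routed' paths."""
    return path in ("gateway", "routed")


# The scenarios from the thread, expressed as (client, prefixlen, gateway, dns).
# The client is a constructed host on Segment 1 in every case.
CASES = {
    "A: DHCP hands out Pi-hole on Segment 2": ("192.168.1.20", 24, GOLD_SEG1, PIHOLE_SEG2),
    "B: DHCP hands out Pi-hole on Segment 1": ("192.168.1.20", 24, GOLD_SEG1, PIHOLE_SEG1),
    "B (manual fix): client set to Gold's IP": ("192.168.1.20", 24, GOLD_SEG1, GOLD_SEG1),
    "C: Pi-hole upstream, client uses Gold": ("192.168.1.20", 24, GOLD_SEG1, GOLD_SEG1),
}


def evaluate_cases():
    """Return {case name: path} for every scenario in CASES."""
    return {name: dns_path(*args) for name, args in CASES.items()}


if __name__ == "__main__":
    for name, path in evaluate_cases().items():
        status = "work" if features_work(path) else "are bypassed"
        print(f"{name}: {path:8s} -> Gold DNS features {status}")
```

The check is deliberately client-side only: for case C it says nothing about what the Gold does upstream, which is the separate point raised below about the Gold choosing its own upstream when DoH or filtering is on. To audit a real segment, feed it the DHCP-advertised DNS server (option 6) and router (option 3) for that segment; any "direct" result means that segment's clients are resolving around the Gold.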
-
To throw a wrench in all this....if you have DoH or any of the DNS-based filtering turned on (adblock, family protect, etc), it appears that the FWG intercepts and sends DNS requests to its own DNS upstream server, and this can't be changed (this is per @Firewalla's comment in a different thread we were discussing this, so I hope I'm not misunderstanding-- https://help.firewalla.com/hc/en-us/articles/360051625034/comments/360005369034).
I think we really need option C, where we can define an upstream DNS server.
-
Thanks for the comment @Hans Hong.
I’m gonna give option C a shot. I think this will come down to the hardware setup people have. I need to use a modem/router device from my ISP in order to authenticate, so I have a router upstream from the Gold that can hand out addresses to the Gold and the pihole. This makes it so that my WAN connection is static IP and I can enter the address of my preferred DNS server. Hope it works out!
I suspect not everyone has this setup though.