Pi-hole in Docker container on Purple/Gold - do requests come from Firewalla or per-client?

Comments

5 comments

  • Undercover Nerd

    I set up Pihole on a Firewalla Purple following the official instructions, and every request looks like it's coming from the Docker network created during setup. It's annoying; still trying to figure it out.

  • Mason

    TL;DR - yes, you can configure things such that pihole will get requests directly from client devices, but doing so means disabling a nontrivial amount of firewalla features that work specifically because DNS is going through the firewalla's IP. All you have to do is

    1. make sure the client ends up with your pihole's IP address as its DNS server (you can double-check individual clients' network configurations to confirm)
    2. Disable DNS Booster for the clients that you want to communicate directly with the pihole instead of being 'proxied' through firewalla. (this is what prevents some handy firewalla features from working)


    Details:
    With DNS Booster off, the firewalla treats DNS traffic like most other traffic, and will apply firewall rules, then (if allowed) route it along to the intended target (your pihole), which will see the client device as the source and behave like one would expect.

    With DNS Booster on, firewalla is intently watching for any traffic coming in for routing to port 53 (the DNS port), and instead redirects that traffic to the firewalla itself. The inner workings of firewalla contain their own caching DNS server, and this is where some functionality is applied.
    For example, part of firewalla's AdBlock feature functions very similarly to pihole, where it has a blocklist of domain names it'll refuse to resolve DNS for.
    Once the firewalla has performed any DNS-based logic on the DNS traffic coming in, if it decides it's OK to resolve the DNS request, it'll again behave very similarly to the pihole:

    1. firewalla checks to see if it already has cached the appropriate answer to the DNS query it intercepted. If so, it responds to your client with the answer without having to go looking anywhere else.
    2. If firewalla doesn't have the answer cached, the firewalla will ask the original DNS server your client was targeting for the answer (this is a new request, whose source is the firewalla, and the target is your pihole). The pihole will do its own thing, then answer your firewalla.
    3. The firewalla will cache what it got from the pihole, and then separately respond back to the original client device.


  • Daniel S

    Mason, thanks for the answer.  That's the information I was looking for.  Pihole has DNS caching built in as well, so it sounds like I probably wouldn't lose much (if anything) by turning off DNS Booster, at least until Firewalla supports the same detailed per-client customization and tuning of DNS and CNAME that my Pihole setup uses, assuming it ever does support it.  Thanks for the detailed write-up!

  • Mason

    No problem! Something else I remembered that was important for my own use case: when DNS Booster is on for a client, then firewalla's interception of DNS traffic also includes devices that are hard coded to external DNS servers.

    A particularly useful case is my Chromecast and my local-only Jellyfin media server. Chromecast hard codes Google DNS servers, so it completely ignores your home DHCP handing out the pihole address.
    My Jellyfin server has a valid SSL certificate (from Let's Encrypt), but is not exposed outside my network, and there are no DNS entries for it for Google's DNS servers to resolve. Instead, my PiHole has a local DNS entry to point to the server's internal IP.

    Since the Chromecast by default goes straight to Google, it can't find my Jellyfin server when I try to cast to it.

    However, if DNS Booster is turned on for the Chromecast, then my FWG intercepts the DNS traffic intended for Google, and tries to find a local cache before forwarding to the LAN's configured DNS (my PiHole), and I can successfully cast my Jellyfin media!

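A toy model of the two DNS Booster behaviours Mason describes (the three interception steps in the earlier reply and the hard-coded Chromecast case here), added as an illustration rather than anything from the thread or from Firewalla itself. The IP addresses, hostnames and class names are constructed assumptions, and the forwarding target follows the Chromecast anecdote (the LAN's configured DNS, not the server the client addressed).

```python
from dataclasses import dataclass, field

# Constructed addresses (assumptions, not taken from the thread).
FIREWALLA_IP, PIHOLE_IP, GOOGLE_DNS = "192.168.1.1", "192.168.1.10", "8.8.8.8"
LAPTOP, CHROMECAST = "192.168.1.50", "192.168.1.60"

@dataclass
class DnsServer:
    """A resolver (pihole or Google) that logs the source IP of each query."""
    ip: str
    records: dict
    query_log: list = field(default_factory=list)

    def resolve(self, src_ip, name):
        self.query_log.append((src_ip, name))
        return self.records.get(name)      # None stands in for NXDOMAIN

@dataclass
class Firewalla:
    """Routes port-53 traffic; with booster=True it intercepts and caches."""
    ip: str
    servers: dict                          # ip -> DnsServer on the network
    booster: bool
    lan_dns: str = PIHOLE_IP               # DNS handed out by DHCP
    cache: dict = field(default_factory=dict)

    def client_query(self, client_ip, target_dns, name):
        if not self.booster:
            # Plain routing: the target resolver sees the client as source.
            return self.servers[target_dns].resolve(client_ip, name)
        if name in self.cache:             # 1. answer from the firewalla's cache
            return self.cache[name]
        # 2. New request whose source is the firewalla, sent to the LAN's
        #    configured DNS regardless of which server the client addressed.
        answer = self.servers[self.lan_dns].resolve(self.ip, name)
        if answer is not None:
            self.cache[name] = answer       # 3. cache, then reply to the client
        return answer

def run_scenario(booster):
    """Return (pihole log, Google log, Chromecast's answer for jellyfin.lan)."""
    pihole = DnsServer(PIHOLE_IP, {"jellyfin.lan": "192.168.1.20",
                                   "example.com": "203.0.113.5"})
    google = DnsServer(GOOGLE_DNS, {"example.com": "203.0.113.5"})
    fw = Firewalla(FIREWALLA_IP, {PIHOLE_IP: pihole, GOOGLE_DNS: google}, booster)
    fw.client_query(LAPTOP, PIHOLE_IP, "example.com")
    fw.client_query(LAPTOP, PIHOLE_IP, "example.com")   # repeat of the same query
    cast = fw.client_query(CHROMECAST, GOOGLE_DNS, "jellyfin.lan")
    return pihole.query_log, google.query_log, cast
```

With Booster on, the pihole's log shows only the firewalla's IP and the repeated query never reaches it; with Booster off, the pihole sees each client's real IP but the Chromecast's query goes to Google and fails.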
  • Alak

    Turning off DNS Booster also breaks the resolution of local device names using search domain on your LAN.  For example you will no longer be able to use things like roku.lan, tivo.lan, yamaha.receiver.lan instead of the IP addresses of your LAN devices.  Using these hostnames requires DNS Booster to be enabled so that DNS requests are intercepted by Firewalla and those names get resolved.

