
Configuring Split Horizon DNS with Pi-Hole and Tailscale

https://www.bentasker.co.uk/posts/blog/general/configuring-pihole-to-serve-different-records-to-different-clients.html
46•gm678•4h ago

Comments

leipert•2h ago
> Chromecasts ignore local DNS... grrr

Can’t you force traffic to 8.8.8.8 / 8.8.4.4 (especially port 53) to hit your PiHole instead?

joombaga•2h ago
I think you can just block Google's servers and it'll use the DHCP-configured DNS server.

temp0826•1h ago
Iptables can be used to dump any traffic destined for port 53 to a DNS server of your choosing, but I don't know if something like that exists in consumer routers. (Blocking a baked-in DoH client is a lot more complicated...)

Melatonic•1h ago
Yeah it would depend on your equipment - but basically if stuff pins an IP instead of doing DNS you would have to block the IPs of all the common resolvers (or at least the ones it will try)

VTimofeenko•32m ago
Why not forbid going outside on port 53 and (optionally) redirect to the local DNS servers:

(nftables syntax)

ip saddr != @lan_dns ip daddr != @lan_dns udp dport 53 counter dnat ip to numgen inc mod 2 map { 0 : 192.168.1.1, 1 : 192.168.1.2 } comment "Force all DNS traffic to go through local DNS servers"

watersb•1h ago
My older Kindle Fire HD 10 flips over to DNS over HTTPS if it can't see Google on port 53.

I've tried to add a couple of rules in iptables on my Ubiquiti Dream Machine (UDM), but the out-of-box configuration on the UDM is pages and pages of iptables rules. I can modify that config via a shell interface (a shell script with four iptables command lines), but it doesn't play with the web-based GUI, and I have yet to figure out how the UDM handles such traffic.

Yes, I've simply blocked all traffic for 8.8.8.8 and 8.8.4.4, via the UDM GUI, the rules are there. The Kindle still shows me ads.

It may be possible to delete the entries for Google DNS on the Kindle via adb commands during boot, but I haven't gotten that far.

Someday I will get around to setting up a homelab network enough to learn iptables etc. without blacking out my home network. As any network outage brings immediate screams from the house, I have to treat the firewall configuration as critical infrastructure: brittle. Don't touch.

ectospheno•1h ago
Hagezi and others provide reasonable DoH block lists.

api•9m ago
On my LAN I send all DNS traffic to pi.hole with iptables. Won’t help if they DoH tunnel it though.
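
As an added example (not from the linked post or from any commenter), here is a POSIX shell script that emits an nftables ruleset covering what this sub-thread describes: the DNAT of outbound port 53 to the local resolver that VTimofeenko's rule does, plus a reject rule for the well-known public DoH/DoT endpoints that the Hagezi-style lists target. It redirects plain DNS rather than dropping it because, as reported above for the Kindle, some devices fall back to DNS over HTTPS once 8.8.8.8:53 stops answering; with DNAT the client still gets a reply that appears to come from 8.8.8.8. The interface name, Pi-hole address and resolver list are assumed placeholders, and the table name dns_steer and the conntrack mark 0x53 are invented for the example.

```shell
#!/bin/sh
# Added example, not code from the linked post or from any commenter.
# Emits an nftables ruleset that (1) DNATs every LAN client's plain DNS
# (udp/tcp 53) to the Pi-hole, so devices with a hardcoded 8.8.8.8 still
# get an answer instead of failing over to DoH, and (2) rejects DoH/DoT to
# a set of well-known public resolvers.
#
# Assumed placeholders (override via environment):
#   LAN_IF  - router interface facing the LAN
#   PIHOLE  - Pi-hole's LAN address (the one DHCP already hands out)
#   DOH_IPS - public resolver addresses to refuse on tcp 443/853
LAN_IF="${LAN_IF:-br0}"
PIHOLE="${PIHOLE:-192.168.1.53}"
DOH_IPS="${DOH_IPS:-8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 9.9.9.9}"

# Join arguments as "a, b, c" for an nft set literal.
nft_set_elems() {
    sep=""
    for ip in "$@"; do
        printf '%s%s' "$sep" "$ip"
        sep=", "
    done
}

# Print the ruleset; pipe it into `nft -f -` or save it under /etc/nftables.d/.
build_dns_ruleset() {
    cat <<EOF
table inet dns_steer {
    set doh_resolvers {
        type ipv4_addr
        elements = { $(nft_set_elems $DOH_IPS) }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Plain DNS not already aimed at the Pi-hole is rewritten to it.
        # The conntrack mark lets postrouting identify exactly these flows.
        iifname "$LAN_IF" ip daddr != $PIHOLE udp dport 53 counter ct mark set 0x53 dnat ip to $PIHOLE
        iifname "$LAN_IF" ip daddr != $PIHOLE tcp dport 53 counter ct mark set 0x53 dnat ip to $PIHOLE
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hairpin case: Pi-hole on the same segment as the client. Without
        # this the Pi-hole answers the client directly from its own address,
        # the client expected 8.8.8.8, and the reply is discarded.
        oifname "$LAN_IF" ct mark 0x53 masquerade
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # Known DoH (443) / DoT (853) endpoints. This only covers fixed,
        # well-known resolvers; DoH to an arbitrary host on 443 looks like
        # ordinary HTTPS and needs a blocklist, not a port rule.
        iifname "$LAN_IF" ip daddr @doh_resolvers tcp dport { 443, 853 } counter reject with tcp reset
    }
}
EOF
}

if [ "${1:-}" = "--print" ]; then
    build_dns_ruleset
fi
```

Two things worth knowing before applying it with `nft -f`: the masquerade only fires for the redirected flows, but those flows will show up in the Pi-hole query log with the router's address rather than the client's, and the ruleset is IPv4 only, so a client that also carries an IPv6 resolver address (Google's 2001:4860:4860::8888, for instance) bypasses it unless equivalent ip6 rules are added.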
dolmen•1h ago
The post says:

> Side note: for those wondering, Tailscale is Canadian and can't see the content of connections (although if you're worried about this it's also possible to self-host using Headscale).

However, this is no longer the case. From Tailscale's Terms of Service "Schedule A", "New customer accounts on or after September 3, 2024" are bound to "Tailscale US Inc., a Delaware corporation".