RunningMan:
Not the work computer pushing everything down a VPN tunnel to work (including DNS) is it?
Good idea, but no. VPNs have to be manually enabled, I didn't need them today.
fearandloathing: Maybe look at Tailscale or Cloudflare zero trust to access internal resources. This is how I access my internal resources on cgnat.
Good idea, but I think I'll just leave IPv6 enabled and ssh into the server.
I do use CloudFlare zero trust for other things, but don't want the hassle of Tailscale.
I don't know what you are doing, but as expected, I only have 3 blocked red entries for biggear.com: one A record, one AAAA record and one https request (nodata). However, I have implemented my pi-hole in a completely different way.
Tinkerisk:
I don't know what you are doing, but as expected, I only have 3 blocked red entries for biggear.com: one A record, one AAAA record and one https request. However, I have implemented my pi-hole in a completely different way.
Yeah, something odd is going on with the managed work PC. Home PC works fine, it works the same as yours, three blocked records if I browse to it or two if I nslookup.
timmmay:
Tinkerisk:
I don't know what you are doing, but as expected, I only have 3 blocked red entries for biggear.com: one A record, one AAAA record and one https request. However, I have implemented my pi-hole in a completely different way.
Yeah, something odd is going on with the managed work PC. Home PC works fine, it works the same as yours, three blocked records if I browse to it or two if I nslookup.
I suspect your work PC has got some VPN you don't know about or some other weird settings you can't see / have no control over.
I have learnt to live with ads on my work PC as I'm also not allowed to install browser extensions.
Good luck!
boland:
I suspect your work PC has got some VPN you don't know about or some other weird settings you can't see / have no control over.
I have learnt to live with ads on my work PC as I'm also not allowed to install browser extensions.
Good luck!
Yeah, could be. They're new, which made me notice them and wonder what's up. Thanks :)
As @boland states I suspect your work PC has something on it that's overriding your DNS settings from PiHole. Could be Cloudflare Warp. Also could be your work PC has hard coded DNS servers like Google's or Cloudflare - so worth checking for that (though you might not be able to change it).
Some browsers also have DNS over HTTPS clients embedded and enabled by default now.
Have a look at https://nextdns.io as it may be better suited for you over a self hosted solution. That is what I personally use these days despite having the infrastructure to run PiHole etc. NextDNS also supports IPv6 etc totally fine and works incredibly well with the Fritz!Box.
Michael Murphy | https://murfy.nz
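An added diagnostic for the bypass nzkc and michaelmurfy describe above (hard-coded resolvers, a VPN, Cloudflare Warp), not code from the thread: it asks the Pi-hole directly over UDP/53 for a name the Pi-hole blocks and compares that with what the OS resolver returns. A "bypass" verdict means something on the host answers DNS without going through the Pi-hole. Pi-hole address 192.0.2.10 and the 203.0.113.x addresses are constructed placeholders; browser DNS-over-HTTPS is not exercised by this check because it never touches the OS resolver.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query (stdlib only): 12-byte header, one question, RD set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def parse_a_records(resp):
    """Return (rcode, [IPv4 answers]) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    def skip_name(o):  # handles plain labels and compression pointers
        while True:
            length = resp[o]
            if length == 0:
                return o + 1
            if length & 0xC0 == 0xC0:
                return o + 2
            o += length + 1
    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4          # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return flags & 0x0F, ips

def query_server(name, server, timeout=2.0):
    """Ask one specific resolver (e.g. the Pi-hole) directly, not via the OS."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recv(4096))

def classify(pihole_answer, system_ips):
    """'bypass': Pi-hole blocks the name (NXDOMAIN, 0.0.0.0 or no data) but the OS resolver still returns a real address."""
    rcode, pihole_ips = pihole_answer
    blocked = rcode == 3 or all(ip == "0.0.0.0" for ip in pihole_ips)
    real = [ip for ip in system_ips if ip != "0.0.0.0"]
    if blocked and real:
        return "bypass"
    return "blocked" if blocked else "inconclusive"
```

On the host under test, run `classify(query_server("biggear.com", "192.0.2.10"), socket.gethostbyname_ex("biggear.com")[2])` with the real Pi-hole address substituted; the OS-resolver side uses whatever path the work PC actually uses, which is the point of the comparison.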
nzkc:
As @boland states I suspect your work PC has something on it that's overriding your DNS settings from PiHole. Could be Cloudflare Warp. Also could be your work PC has hard coded DNS servers like Google's or Cloudflare - so worth checking for that (though you might not be able to change it).
Yeah, I'll check to see. Though you'd think that it would show up in the ipconfig. There's a bit of corporate stuff in the task bar, I'll have a look.
At this point it's just out of interest, and to learn about what's going on.
michaelmurfy:
Some browsers also have DNS over HTTPS clients embedded and enabled by default now.
Have a look at https://nextdns.io as it may be better suited for you over a self hosted solution. That is what I personally use these days despite having the infrastructure to run PiHole etc. NextDNS also supports IPv6 etc totally fine and works incredibly well with the Fritz!Box.
Yeah, I disabled DNS over HTTPS in the browsers, at least as best I can. Chrome flags and Firefox settings.
You mentioned NextDNS before, I use it for my phone. For home I like having the extra features of Pi Hole / dnsmasq. For example, I have Nginx running to serve a few public websites behind cloudflared, and I have a cname overriding the public DNS, so within the network browsers go straight to the local web server rather than via the internet. I also have Nginx running as a reverse proxy for Home Assistant, Pi Hole, AppDaemon, things like that. Just a bit of a fun project to move everything to docker, I'll put it up on github at some point because it took quite a while to get it all working properly together.
You can actually do rewrites in NextDNS if you've only got a few things. What I've done historically is enable NextDNS using DNS over TLS on the Fritz!box and disabled outbound port 53 in a Fritz!box firewall rule (presuming you're still using a Fritz!box).
Alternatively have a local DNS server so you can still do local cnames and just use NextDNS as your upstream web server. If you set this up using DNS over HTTPS behind the scenes then you can block all outbound DNS on your router forcing use of your local DNS servers.
Michael Murphy | https://murfy.nz
michaelmurfy:
You can actually do rewrites in NextDNS if you've only got a few things. What I've done historically is enable NextDNS using DNS over TLS on the Fritz!box and disabled outbound port 53 in a Fritz!box firewall rule (presuming you're still using a Fritz!box).
Alternatively have a local DNS server so you can still do local cnames and just use NextDNS as your upstream web server. If you set this up using DNS over HTTPS behind the scenes then you can block all outbound DNS on your router forcing use of your local DNS servers.
Yeah, only a few CNAMEs, and using a Fritzbox. I don't think there's enough advantages for me to do NextDNS right now, though it would be a good solution if I was starting from scratch. Pi Hole is set up and mostly working and integrated with the other things, it's just a bit weird with the work computer.
I like NextDNS for my phone as it works when I'm on mobile as well, and as a bonus that's on the free tier.
Looking at my work laptop again, it's not showing an IPv6 DHCP server. My wife's work laptop isn't either, but both are allocated IPv6 addresses. Both are using the PiHole IP for DHCP, DNS for IPv4. Both have DHCPv6 IAID and DHCPv6 Client DUID. Search tells me "The DUID identifies the client system (rather than just an interface, as in DHCPv4), and the IAID identifies the interface on that system." Not sure what the implication of that is, seems like it should have IPv6 DHCP servers.
My wife's personal W10 laptop (HP Probook same as the work one) also doesn't get an IPv6 DHCP server. The only computer that does is my Windows 10 computer.
Not really sure where to go from here with this, so I'll probably ignore it for now.
The PiHole is configured to give out IPv4 addresses for 2 hours, which is showing as it should on my wife's work laptop. Oddly, my work laptop seems to have a DHCP lease time of 10 hours 17 minutes 31 seconds. Another oddity.
Hey Timmay, any reason you don't just let the Fritz sort DHCP and leave the piHole to just DNS?
What are the pros for the piHole to do DHCP as well?