[HN Gopher] Configuring Split Horizon DNS with Pi-Hole and Tails...
       ___________________________________________________________________
        
       Configuring Split Horizon DNS with Pi-Hole and Tailscale
        
       Author : gm678
       Score  : 57 points
       Date   : 2025-07-09 17:08 UTC (5 hours ago)
        
 (HTM) web link (www.bentasker.co.uk)
 (TXT) w3m dump (www.bentasker.co.uk)
        
       | leipert wrote:
       | > Chromecasts ignore local DNS... grrr
       | 
       | Can't you force traffic to 8.8.8.8 / 8.8.4.4 (especially port 53)
       | to hit your PiHole instead?
        
         | joombaga wrote:
         | I think you can just block Google's servers and it'll use the
         | DHCP-configured DNS server.
        
         | temp0826 wrote:
         | Iptables can be used to dump any traffic destined for port 53
         | to a dns server of your choosing, but I don't know if something
          | like that exists in consumer routers. (Blocking a baked-in DoH
          | client is a lot more complicated...)
        
           | Melatonic wrote:
            | Yeah, it would depend on your equipment - but basically if
            | stuff pins an IP instead of doing DNS you would have to
            | block the IPs of all the common resolvers (or at least the
            | ones it will try)
        
             | VTimofeenko wrote:
             | Why not forbid going outside on port 53 and (optionally)
             | redirect to the local DNS servers:
             | 
             | (nftables syntax)
             | 
             | ip saddr != @lan_dns ip daddr != @lan_dns udp dport 53
             | counter dnat ip to numgen inc mod 2 map { 0 : 192.168.1.1,
             | 1 : 192.168.1.2 } comment "Force all DNS traffic to go
             | through local DNS servers"
        
         | watersb wrote:
         | My older Kindle Fire HD 10 flips over to DNS over HTTPS if it
         | can't see Google on port 53.
         | 
          | I've tried to add a couple of rules in iptables on my Ubiquiti
          | Dream Machine (UDM), but the out-of-box configuration on the
          | UDM is pages and pages of iptables rules. I can modify that
          | config via a shell interface (a shell script with four iptables
          | command lines), but it doesn't play with the web-based GUI, and
          | I have yet to figure out how the UDM handles such traffic.
         | 
         | Yes, I've simply blocked all traffic for 8.8.8.8 and 8.8.4.4,
         | via the UDM GUI, the rules are there. The Kindle still shows me
         | ads.
         | 
         | It may be possible to delete the entries for Google DNS on the
         | Kindle via adb commands during boot, but I haven't gotten that
         | far.
         | 
          | Someday I will get around to setting up a homelab network
          | enough to learn iptables etc. without blacking out my home
          | network. As any network outage brings immediate screams from the
          | house, I have to treat the firewall configuration as critical
          | infrastructure: brittle. Don't touch.
        
           | ectospheno wrote:
           | Hagezi and others provide reasonable DoH block lists.
        
         | api wrote:
         | On my LAN I send all DNS traffic to pi.hole with iptables.
         | Won't help if they DoH tunnel it though.
        
         | gerdesj wrote:
          | It's a tricky one. Traditional DNS runs over port 53/udp and
          | fails over to 53/tcp for large queries/results. That's easy to
          | deal with on a packet filter firewall.
         | 
         | Then in the name of ... something, something, security ... DNS
         | over http(s) was invented. Now you can balkanize DNS by
         | requiring certain SSL certificates be involved. To my knowledge
         | this hasn't been abused large scale yet but it could.
         | 
         | Let's go easy on the tinfoil and simply redirect outbound
         | traffic to 53/udp and tcp to a PiHole or other DNS server under
         | your control.
         | 
         | If you insist on the tin foil, you will probably need to look
         | into a MitM proxy such as Squid - look into "bump" and "spice".
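The redirect-everything-on-53 advice in this subthread (VTimofeenko's nftables DNAT rule, gerdesj's point that both udp/53 and tcp/53 need catching, and the DoH-blocking replies) as one complete, loadable ruleset. This is an added example, not code from the article or from any commenter: the LAN interface "br0", the 192.168.1.x addresses and the table name dns_enforce are assumptions, and the doh_resolvers set starts empty and is meant to be filled from a block list.

```shell
#!/bin/sh
# Force plain DNS from the LAN to the local resolvers and refuse known DoH/DoT
# endpoints with nftables. Added example, not the article's or a commenter's
# code; interface name, addresses and table name are assumptions.

# gen_ruleset LAN_IF "RESOLVER1, RESOLVER2" TARGET
#   Prints a complete nft ruleset. Queries from LAN hosts (other than the
#   resolvers themselves) to any DNS server outside @lan_dns are rewritten
#   to TARGET; DoT and DoH to listed resolver addresses are refused.
gen_ruleset() {
    lan_if=$1; lan_dns=$2; target=$3
    cat <<EOF
# Recreate the table from scratch so a reload never leaves stale rules behind.
table ip dns_enforce {}
delete table ip dns_enforce
table ip dns_enforce {
    set lan_dns {
        type ipv4_addr
        elements = { $lan_dns }
    }
    set doh_resolvers {
        type ipv4_addr
        flags interval
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # udp and tcp both: DNS falls back to tcp/53 for large answers.
        iifname "$lan_if" ip saddr != @lan_dns ip daddr != @lan_dns meta l4proto { udp, tcp } th dport 53 counter dnat to $target
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hairpin fix: client and $target sit on the same segment, so without
        # this the reply would come straight from $target and be dropped by a
        # client that expects it from the address it actually queried.
        iifname "$lan_if" oifname "$lan_if" ct status dnat counter masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # DoT is always tcp/853; DoH shares 443, so it is blocked per address.
        iifname "$lan_if" tcp dport 853 counter reject with tcp reset
        iifname "$lan_if" ip daddr @doh_resolvers tcp dport 443 counter reject with tcp reset
        iifname "$lan_if" ip daddr @doh_resolvers udp dport 443 counter drop
    }
}
EOF
}

# apply_ruleset: load the generated ruleset in one atomic transaction (needs root).
apply_ruleset() {
    gen_ruleset "$@" | nft -f -
}

# Usage: sh dns-enforce.sh show  br0 "192.168.1.2, 192.168.1.3" 192.168.1.2
#        sh dns-enforce.sh apply br0 "192.168.1.2, 192.168.1.3" 192.168.1.2
case "${1:-}" in
    show)  shift; gen_ruleset "$@" ;;
    apply) shift; apply_ruleset "$@" ;;
esac
```

Run `gen_ruleset ... | nft -c -f -` first to syntax-check without loading. Two consequences worth knowing before deploying: the masquerade in postrouting makes every redirected query arrive at the Pi-hole from the router's address, so per-client statistics are lost for exactly the clients that were bypassing it; and because the reload deletes the table, the doh_resolvers set must be repopulated afterwards. The ruleset is IPv4 only; if the LAN routes IPv6, an equivalent `ip6` table is needed or clients will simply use a public resolver's IPv6 address.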
        
       | dolmen wrote:
       | The post says:
       | 
       | > Side note: for those wondering, Tailscale is Canadian and can't
       | see the content of connections (although if you're worried about
       | this it's also possible to self-host using Headscale).
       | 
        | However, this is no longer the case. From Tailscale's Terms of
        | Service, "Schedule A": "New customer accounts on or after
        | September 3, 2024" are bound to "Tailscale US Inc., a Delaware
        | corporation".
        
         | doctorpangloss wrote:
         | It can't see the contents of connections but it records all the
         | metadata. You know a lot about what the contents are going to
         | be based on the ports. The default configuration of Tailscale
         | will also collect all your DNS requests.
         | 
         | https://github.com/tailscale/tailscale/issues/16165
        
       | elashri wrote:
       | I do force all plain DNS on port 53 to my local dns (Adguard home
       | + unbound on a gl-inet router). And I block common DoH addresses.
       | There are many lists on Github. I collect them using github
       | action to have one big list of their IP and addresses and block
       | them.
       | 
        | This is not a bulletproof solution in case there is a semi-known
        | custom DoH an application uses. But it is the best that I can do
        | without enterprise network gear and a more complex setup than I
        | would like to maintain.
        
         | baby_souffle wrote:
         | Would you be willing to share the list sources you use?
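The list-merging step elashri describes (several upstream DoH/DoT block lists in different formats, collected in CI into one list of names and one of addresses), as an added example that is not elashri's actual workflow. The list contents in demo() are constructed samples, not real upstream data, and the nftables table and set names "ip dns_enforce doh_resolvers" are an assumption about the firewall ruleset the output feeds.

```shell
#!/bin/sh
# Merge DoH/DoT resolver block lists of mixed formats into one domain list and
# one IP list, then render the IPs as an atomic nftables set refresh.
# Added example, not elashri's GitHub Action; sample data below is constructed.

# normalize_list: read one list on stdin, emit "domain <name>" or "ip <addr>"
# per line. Understands hosts-file entries (0.0.0.0 / 127.0.0.1 / :: host),
# AdGuard-style "||host^" rules, bare hostnames, IPv4 addresses and CIDRs.
# Comments (# or !), CRLF endings and surrounding whitespace are stripped;
# anything else (IPv6, regex rules, "@@" exception rules) is ignored.
normalize_list() {
    awk '
        { sub(/\r$/, ""); sub(/[#!].*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        NF >= 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::") {
            print "domain", tolower($2); next }
        /^\|\|/ { s = $0; sub(/^\|\|/, "", s); sub(/[$^].*$/, "", s)
                  print "domain", tolower(s); next }
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { print "ip", $1; next }
        /^[A-Za-z0-9.-]+$/ { print "domain", tolower($1); next }
    '
}

# emit_nft_set IPFILE: print a flush + add pair for `nft -f`. Both run in one
# transaction, so the set is never empty in between. Assumes the set was
# declared with "flags interval" so CIDR entries are accepted.
emit_nft_set() {
    echo "flush set ip dns_enforce doh_resolvers"
    if [ -s "$1" ]; then
        printf 'add element ip dns_enforce doh_resolvers { %s }\n' \
            "$(paste -sd, "$1" | sed 's/,/, /g')"
    fi
}

# merge_lists FILE...: normalize every source, dedupe, and write
# doh_domains.txt, doh_ips.txt and doh_resolvers.nft into $OUT (default: .).
merge_lists() {
    out="${OUT:-.}"
    for f in "$@"; do normalize_list < "$f"; done | sort -u > "$out/.merged"
    awk '$1 == "domain" { print $2 }' "$out/.merged" > "$out/doh_domains.txt"
    awk '$1 == "ip"     { print $2 }' "$out/.merged" > "$out/doh_ips.txt"
    rm -f "$out/.merged"
    emit_nft_set "$out/doh_ips.txt" > "$out/doh_resolvers.nft"
}

# demo: two constructed sample lists (not real upstream data), merged into a
# temp directory whose path is printed.
demo() {
    d=$(mktemp -d)
    cat > "$d/hosts-style.txt" <<'EOF'
# hosts-format list (constructed sample)
0.0.0.0 dns.google
0.0.0.0 DNS.GOOGLE   # duplicate differing only in case
127.0.0.1 cloudflare-dns.com
EOF
    cat > "$d/adguard-and-ips.txt" <<'EOF'
! AdGuard-format list with an IP section (constructed sample)
||dns.google^
||one.one.one.one^$important
8.8.8.8
8.8.4.4    # Google
1.1.1.1/32
EOF
    OUT="$d"
    merge_lists "$d/hosts-style.txt" "$d/adguard-and-ips.txt"
    echo "$d"
}

# Usage: sh doh-merge.sh demo
#        OUT=lists sh doh-merge.sh src/*.txt    (e.g. a CI step after fetching)
case "${1:-}" in
    demo) demo ;;
    "")   ;;
    *)    merge_lists "$@" ;;
esac
```

The domain list is what goes into the resolver (Pi-hole or AdGuard Home) so that a client asking the local resolver for a DoH hostname gets nothing back; the .nft file is for the firewall, for clients that carry resolver addresses baked in and never ask. Loading the IP file with `nft -f doh_resolvers.nft` replaces the set contents in one step, which matters because a flush followed by a separate add would briefly leave every DoH endpoint reachable.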
        
       ___________________________________________________________________
       (page generated 2025-07-09 23:00 UTC)