this post was submitted on 26 Jul 2023
5 points (100.0% liked)

Selfhosted

40266 readers
535 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hello, friends.

So I've had my Pi-Hole setup for awhile now and it's great. I'd like to get Wireguard working with it, too, so I could browse the internet without loads of ads and trackers on the go.

However, small issue. All DNS traffic is forcibly routed to my ISP. If you need some details, I made this post on the Pi-Hole userspace.

I'm in America and my ISP is Spectrum. I was wondering if there's a way I could convince technical support to allow me to use a recursive DNS for privacy/security (more-so the second of the two) purposes, or if it is even possible to convince them to do this. I don't know if there's a specific number I should contact, email I should email to, or if I just have to endure the nightmare of getting passed around by customer service one Saturday. Any recommendations would be great.

An interesting note for anyone who's ISP is Spectrum, their DNS service, at least for me, uses OpenDNS with dnsmasq-2.57. That version of dnsmasq is over 10 years old. You see if this is the case for you with

dig CHAOS TXT version.bind @192.33.4.12 +short
dig CHAOS TXT version.bind @198.97.190.53 +short

Or something similar if those IP addresses are different for you. You can see that running those commands were a part of the steps I was asked to take in that Pi-Hole userspace post.

EDIT 1:

For those interested, here's some Github gist I found that shows how to use unbound + stubby for have a recursive DNS + DNS-over-HTTPS. There's also this from the DNS Privacy Project.

EDIT 2:

I seems that initial answer from the Pi-Hole forums was correct. There's probably something that was set in the firmware for the Netgear router that prevents me from setting up my own DNS servers. However, I notice on the router there's a "router mode" option that's on, which I can probably turn off, plug in my Pi to the Netgear device and have the Pi act as my router, thus letting me be able to use it as my DNS server as well. That or just suck it up and buy only a modem, not a router + modem combo.

top 17 comments
sorted by: hot top controversial new old
[–] xinaked@lemmy.world 2 points 1 year ago

or just use nextdns

[–] duffkiligan@lemmy.world 1 points 1 year ago (2 children)

I have spectrum and they don’t forcibly route anything for me.

You must have either their modem maybe? Or you have the DNS helper setting where if you mistype a url it redirects you.

Either way there is a way to disable it because it doesn’t happen for me and hasn’t in the many years I’ve had them across the country.

[–] AlecStewart1st@lemmy.world 0 points 1 year ago (1 children)

Hmmm then it's something with the modem I have then. I can't set the DNS address. It's some cheap Netgear modem. If I go to Advanced -> Setup -> Internet Setup and click Use These DNS Servers and put in the address for the Pi-Hole, it prevents me from doing so.

[–] duffkiligan@lemmy.world 0 points 1 year ago* (last edited 1 year ago) (1 children)

I think you mean router, since you would most likely not set DNS on a modem (unless it’s a combo) — but yes I would look into getting something better that you have more control over.

Edit: gotta love new Lemmy clients that spam comment replies 🤦‍♂️

[–] AlecStewart1st@lemmy.world 0 points 1 year ago (1 children)

It's a combo. Most are these days, I believe, but I know Spectrum is weird and will give you a router AND modem if you just buy it through them. What device would you recommend? I don't want to buy one just to find out I can't set the Pi-Hole as the DNS server on a new one.

[–] RoyalEngineering@lemmy.world 0 points 1 year ago (1 children)

I would recommend putting that modem in Bridge mode and getting something like a TP-Link Omada device. I’ve had them for a while and have been really happy.

[–] AlecStewart1st@lemmy.world 1 points 1 year ago* (last edited 1 year ago)

Seems like I could potentially get around my issue by taking the device out of this "router mode" setting I found and connecting my Pi to it via Ethernet cable and have the Pi be the router for my network.

EDIT: Actually, scratch that. I don't think a Pi would be powerful enough to act as a router. Well, off to by a modem (not a combo) it is!

[–] Compactor9679@lemm.ee -1 points 1 year ago (1 children)

How has been your experience with spectrum? Thinking about switching ISPs.

[–] duffkiligan@lemmy.world 1 points 1 year ago

They are better than Comcast but that’s a low bar.

Overall I get Gig speeds for $80/m which isn’t terrible and no data cap. My previous house AT&T fiber was the same cost but better. I don’t have a choice where I live now so it’s Spectrum or DSL

[–] SneakyThunder@sh.itjust.works 1 points 1 year ago

You might try flashing OpenWRT firmware if your router is supported. It allows changing DNS

[–] topnomi@kbin.social 0 points 1 year ago (1 children)

I've never heard of spectrum doing this. I think it's an issue with your router. The steps you mentioned sound right, but I'm not seeing what you're seeing. I usually try to look at the advanced mode, which might have more info.

You could contact Netgear tech support, or consult their manual. Have you made sure you're on the latest firmware?

[–] AlecStewart1st@lemmy.world 0 points 1 year ago (1 children)

I tried to set the Pi-Hole as the DNS via the instructions here, and the exact settings for the Netgear router is under Advanced -> Setup -> Internet Setup. Everytime I've set this, no hostnames can be resolved. I followed the Pi-Hole instructions to a tee, so I don't know if I'd be missing something. Currently, the Pi-Hole acts as the DHCP server.

Have you made sure you’re on the latest firmware?

I don't even know how I would do this on this Netgear router. I see nothing in the settings to check for firmware updates, and I don't recall seeing anything in the manual. I guess I'd have to call their tech support.

[–] topnomi@kbin.social 1 points 1 year ago

Ok, I see the problem. Your router needs an external DNS server for it's internet setup.

You need to set DHCP to give your pihole server as the DNS to the computers INSIDE your network. It's impossible for your router to use your LAN DNS server on the WAN port.

[–] redcalcium@lemmy.institute 0 points 1 year ago* (last edited 1 year ago) (1 children)

Oh, your ISP is very shitty, just like mine! Mine even do deep packet inspection! My solution is by using several upstream DNS servers that listen on alternate ports (so the requests are not intercepted by my ISP), and using TLS and QUIC (can't intercept it because it's encrypted). Can't use DoH though because my ISP somehow can make it timeouts most of the time.

My Adguard upstream DNS settings (Adguard is configured to try all of them at once and use the one that respond first):

tls://1.1.1.1

tls://1.0.0.1

tls://8.8.8.8

tls://8.8.4.4

tcp://9.9.9.9:9953

udp://9.9.9.9:9953

quic://unfiltered.adguard-dns.com

[–] YonatanAvhar@programming.dev 0 points 1 year ago (1 children)

Why do ISPs put in the extra effort to make their service shittier? What benefit do they gain from forcing more load to their DNS servers?

[–] redcalcium@lemmy.institute 0 points 1 year ago

My country has a national block list that must be followed by all ISP. Last year, they even went an extra mile to enforce the DNS hijacking at internet backbone level, so if any ISP neglect to do it, it'll still get enforced by the national internet backbone.

My ISP is fully embracing this system, to the point of performing deep packet inspection to enforce the national block list. Any blocked domain will return an IP address containing a web page full of ads (basically saying that the domain is blocked, here are some ads instead)I guess it's profitable for them to do this. They also blocked Netflix using this system for years until Netflix caved in and partner with the ISP to sell subscription (yay for no net neutrality I guess).

[–] housepanther@lemmy.goblackcat.com 0 points 1 year ago* (last edited 1 year ago)

You would have to implement DNS over TLS. To do this, it's probably easiest to use Unbound and a service like Cloudflare or OpenDNS upstream. Spectrum probably hopes to harvest your DNS traffic and monetize it or maybe they're doing some preemptive sanitizing of your requests to prevent you from going to a bad site. Regardless, I am anti DNS highjacking. It's wrong on many points.

load more comments
view more: next ›