[samvimes]

Devices -> Pi-Hole -> Unbound -> DnsCrypt

Some additional details:

- Outbound internet access over port 53 is blocked for everything on the network, other than the Pi-Hole/Unbound server

- IpTables rule in place to force all outbound traffic over port 53 to go thru the Pi-Hole. This prevents devices from circumventing the Pi-Hole filtering by hard-coding public DNS servers

- Cronjob that polls http://public-dns.info/nameservers-all.txt regularly, and updates an IpTables rule to block all outbound internet traffic over any port/protocol to servers in that list. This is my attempt to block things that try to circumvent DNS filtering by doing DNS over HTTPS

- Unbound makes it possible to bypass DnsCrypt for specific zones, as needed. It also is configured to prefetch records before expiration, which generally eliminates the latency introduced by DnsCrypt

---

This is overkill, but I tried to address privacy concerns as well as ad-blocking with this setup, and it's also been fun to tinker with

[atmosx]

The assumption here is that you “control” the router which runs Linux (iptables) and my guess is dnscrypt and inbound. What kind of HW are you using?

[samvimes]

- ubiquiti edge router x from ~2019.. there's a bash script on the box for updating the blocklist, the rest of the configuration can be done in the GUI

- pihole and unbound are running in a VM on an old intel NUC with an i5 and 18GB of RAM. The NUC is running Proxmox, and is connected to the edgerouter over ethernet

- Separately, there's a ubiquiti WAP and a standalone modem, but there's nothing special about their configuration

[WirelessGigabit]

Sad that in 2023 Ubiquiti's Unifi line does not support IP tables redirect of *:53 to 192.168.x.x for DNS.

[tmottabr]

Their older stuff did not really supported it as well..

you could do it, but just because the USG software was a fork of Vyatta that had a way for doing it and Ubiquiti never put the effort to block it..

So while there was a way of doing it, it was never really officially supported..

But this is why when it came time to upgrade my USG3 i choose to migrate to Opnsense (pfsense fork) instead of upgrading to the latest Ubiquiti router.

[WirelessGigabit]

Which device are you running? And how are you doing WiFi?

[tmottabr]

US-8-150W, US-16-150W and US-FLEX-Mini for switches

UAP-AC-Lite for APs.

Dell PowerEdge R420 with proxmox hosting Opnsense as router, AdGuard Home for DNS, Unifi Controller hosted on Ubuntu and Home Assistant.

[midasuni]

Do you log what attempts to talk on 53 (that you redirect) with hardcoded dns entries?

[samvimes]

Yes, the re-writes are done on a ubiquiti edge router. The re-write rules count the number of hits, as well as basic connection details like src port/addess, dst port/address, protocol. The biggest offender is the roku, which tries to use 8.8.8.8

edit: to be honest though, I don't look at the logs often to see what else gets caught, or why