Beginner Basics • Re: Pihole - NAT firewall Rule not redirected static DNS

This doesn't make sense, since you have a hairpin dst-nat NAT rule for all outgoing DNS traffic from LAN to Pi-hole, unless Chrome is performing a DoH request to Google DNS when it is set manually, and that bypasses the router NAT rules. Did you try with other browsers? Since dig is unable to connect due to the NAT rules when Pi-hole is down (assuming that is performed from a host which is not in the excluded address list), I suspect it is a DoH request from Chrome that is used for resolving.

See: https://support.google.com/chrome/a/thr ... ps-setting
Chrome will have a small (i.e. non-exhaustive) table to map non-DoH DNS servers to their equivalent DoH DNS servers. Note: this table is not finalized yet.
If it is implemented as stated (I'm not using Chrome), Chrome checks if the set DNS is in the DoH server list and uses it over DoH for resolving. I'm pretty sure that Google DNS is in that mapping list, and that bypasses hairpin NAT for DNS.

To avoid such bypasses (someone can also run a DNS server locally which is using a DoH/DoQ/DoT upstream DNS and set the local IP as DNS server for the interface in the OS), you can maintain an address list of some DoH/DoQ/DoT servers and block tcp/udp port 443 (tcp - DoH, udp - DoQ) and tcp/udp 853 (DoT) connections from LAN to that address list in the router firewall. Some servers can be found at: https://dnsprivacy.org/public_resolvers/ but others also exist... You can't block all of it (like when a DoH/DoQ server is running on some VPS which is not in the address list on the router), since HTTPS/QUIC is used for the web and applications; the exception is DoT, where you can block all DoT connections from LAN.

Statistics: Posted by optio — Mon Feb 19, 2024 5:46 pm
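The filter rules described in the reply above, written out as RouterOS CLI commands. This is an added example, not configuration from optio's post or from MikroTik. It assumes the default interface list name LAN, an address list name dns-encrypted chosen here, and uses the two Google Public DNS addresses as example entries; the list has to be extended from the resolver list linked above. Dropped connections are logged so bypass attempts show up in the router log.

```routeros
# Address list of known DoH/DoQ/DoT resolvers (example entries only;
# extend from https://dnsprivacy.org/public_resolvers/ and others).
/ip firewall address-list
add list=dns-encrypted address=8.8.8.8 comment="Google Public DNS (example entry)"
add list=dns-encrypted address=8.8.4.4 comment="Google Public DNS (example entry)"

# Forward-chain drops. These must sit above the accept rules in the
# forward chain, so insert them at the top with place-before=0.
/ip firewall filter
# DoH (tcp/443) and DoQ (udp/443) towards listed resolvers only:
# 443 cannot be blocked globally because it carries normal web traffic.
add chain=forward action=drop protocol=tcp dst-port=443 \
    dst-address-list=dns-encrypted in-interface-list=LAN \
    log=yes log-prefix="doh-bypass" comment="Drop DoH to known resolvers" \
    place-before=0
add chain=forward action=drop protocol=udp dst-port=443 \
    dst-address-list=dns-encrypted in-interface-list=LAN \
    log=yes log-prefix="doq-bypass" comment="Drop DoQ to known resolvers" \
    place-before=0
# DoT (853) has no other common use, so block it from LAN to any destination.
add chain=forward action=drop protocol=tcp dst-port=853 in-interface-list=LAN \
    log=yes log-prefix="dot-bypass" comment="Drop all DoT from LAN" \
    place-before=0
add chain=forward action=drop protocol=udp dst-port=853 in-interface-list=LAN \
    log=yes log-prefix="dot-bypass" comment="Drop all DoT from LAN" \
    place-before=0
```

The Pi-hole host itself should be excluded (for example via src-address-list=...) if it uses a DoH/DoT upstream, otherwise the rules above cut off its own resolution. Check rule order afterwards with /ip firewall filter print, and watch /log print where topics~"firewall" for the doh-bypass, doq-bypass and dot-bypass prefixes to see which LAN hosts are trying to go around the Pi-hole redirect.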