Assigning DNS4ME to pihole only for specific clients



My pihole is set up on my local network as 192.168.178.11 (same as NAS) and it is a static address.

My router is 192.168.178.1 and has the default ISP DNS.

Clients on my LAN are assigned addresses in this range by the ISP router.

However, I have a smart TV that I want to have DNS4ME DNS for UK television. It is a Samsung QN90B and I can only edit 1 DNS address.

In pihole I have set the two DNS4ME addresses as custom 1&2 Upstream DNS Servers and then I have manually set the DNS on my TV to 192.168.178.11.


iPlayer and ITVX already work (indicating that the smart DNS is being used) but Channel 4 and My5 don't. I'm in The Netherlands.

Anyway, I wanted to confirm if my setup is the correct way. I don't want DNS4ME as the global DNS, just when I manually select it for devices like a smart TV for geo unblock.

Right now I am using the 7 Day trial of DNS4ME to see if it is any good. I also have Unlocator, but that can suddenly stop working.

I prefer to have pihole as a choice for geo unblocking, because if I use the smart DNS globally, services I'm subscribed to like Disney and HBO Max stop working (using Unlocator).


The way things are set up now, anything pointing to your Pi Hole for DNS will be using DNS4ME, from what you have said.

Given that iPlayer and ITVX now work outside the UK, I suspect everything is set up as intended.

Perhaps Channel 4 / My 5 have cached DNS lookups, or you have previously triggered a flag to say you are not in the UK? Removing / reinstalling those apps might allow them to work, presuming they can just be tricked with a DNS server and nothing more.

If you don't want all devices on the Pi Hole to use DNS4ME, then if your router supports it you could simply create Static DHCP Mappings for certain devices such as the smart TV. On these Static DHCP Mappings DNS4ME would be the DNS server defined for that particular device. Those devices with static mappings would use DNS4ME directly by default (or whichever DNS service you specified), everything else would then use the router's default DNS server.


On 15/08/2023 at 12:58, InsaneNutter said:

If you don't want all devices on the Pi Hole to use DNS4ME, then if your router supports it you could simply create Static DHCP Mappings for certain devices such as the smart TV. On these Static DHCP Mappings DNS4ME would be the DNS server defined for that particular device. Those devices with static mappings would use DNS4ME directly by default (or whichever DNS service you specified), everything else would then use the router's default DNS server.

This is the bit I don't understand.

In my ISP router I have several static DHCP addresses set up.

In pihole I could set a block of 192.168.178.200 > 255 and enable the DHCP there, and set a static DHCP reserve for the TV, but what I don't get is if there are two DHCP servers assigning addresses, how do I ensure it is always the pihole assigning to the TV? Couldn't my ISP router assign any 192.168.178.x address under .200 to the TV too if it was quicker?


It's possible to run two DHCP servers on the same network if they are configured to work with each other, however I'm not actually sure you could with your ISP router and Pi Hole or what you would actually gain at home doing this.

Keep it simple and create all your Static DHCP Mappings on the ISP router.

For example if we imagine below is the Static DHCP Mapping for your Smart TV on your ISP router, you will see we can specify the DNS servers DHCP hands out to this device only.

Set these as the DNS4ME IP address and only 192.168.178.22 (The Smart TV for example) will get the DNS4ME DNS servers when obtaining an IP address via DHCP.

image.png

All other devices on the network will use the ISP's DNS servers (or the defaults you have specified).


I like that idea, but my ISP router only allows me to reserve the IP, nothing more.

DNS is also all or nothing.

It's just one client out of all my devices too, so I don't want to overcomplicate it.

Edit: I also want to direct the smart TV to the pihole for the adblock/telemetry lists, so it serves two purposes. Geo unblocking and reducing the amount of "chatter" the TV is doing with external servers (even when in standby).

image.png

That's one day, and one device using https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts and https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt adlists


Can you go into network settings on the Smart TV and manually change the DNS server to the IP address of the Pi Hole?

That would give you the end result you want: the Pi Hole is blocking content as desired on the TV, and in addition you are also using DNS4ME on the TV via the Pi Hole.

Everything else on the network is working as normal via your ISP's DNS server.


On 15/08/2023 at 17:22, InsaneNutter said:

Can you go into network settings on the Smart TV and manually change the DNS server to the IP address of the Pi Hole?

That would give you the end result you want: the Pi Hole is blocking content as desired on the TV, and in addition you are also using DNS4ME on the TV via the Pi Hole.

Everything else on the network is working as normal via your ISP's DNS server.

Yeah that's what I've done, although I can only edit 1 DNS address (a trick Smart TVs use to lock secondary to their own address).


I think realistically to do exactly what you want you'd need a more advanced router / firewall. You have no guarantees the Smart TV will not ignore the DNS server addresses handed out via DHCP and continue to use its own preferred DNS servers instead.

If you were to use pfSense as your router / firewall you could force the TV to use the local Pi Hole DNS server even if it does this: Redirecting Client DNS Requests - so the only way that TV is making DNS requests is through a DNS server you control such as your Pi Hole.

Certainly worth considering if you want more control over your network and plan to add more IOT / Smart devices in the future.


Is it possible to route all UDP requests over port 53 from a specific client back to the pihole?

Apparently this would stop the TV using a fallback to public DNS servers, which is the whole reason it is only possible to edit 1 DNS address in the TV.


On 15/08/2023 at 22:49, Steven P. said:

Is it possible to route all UDP requests over port 53 from a specific client back to the pihole?

Apparently this would stop the TV using a fallback to public DNS servers, which is the whole reason it is only possible to edit 1 DNS address in the TV.

If your ISP router supports this you can; I suspect it probably doesn't unfortunately, as most ISP routers usually do not support more advanced features like that. However, if it does support such functionality it would be called DNS Redirect or something to that effect.

This blog by Scott Helme explains what you essentially want to achieve with Pi Hole pretty well: https://scotthelme.co.uk/catching-naughty-devices-on-my-home-network/ - he is doing that with Ubiquiti networking equipment, however you can do that with other router / firewall solutions also, such as pfSense or OPNsense.

I like pfSense personally as the documentation is great, the web UI is pretty logical and you can install it yourself on some pretty low powered hardware. On pfSense for example you achieve what you want by first Blocking External Client DNS Queries, then by Redirecting Client DNS Requests to the Pi Hole. Essentially the end result would be the only device you'd allow external DNS queries from would be the Pi Hole. "Naughty devices" like the Smart TV on your network would be tricked into using Pi Hole as described on Scott's blog, even if they are using hardcoded DNS servers.

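Added example, not part of any post in this thread: a small Python check for the policy described above (only the Pi Hole may send DNS queries to outside resolvers), run over a router or firewall connection log to show which clients are bypassing it. The log format, the sample lines and the function names are constructed for illustration; the Pi Hole address and LAN range are the ones given in the thread.

```python
import ipaddress

# From the thread: Pi-hole on 192.168.178.11, LAN is 192.168.178.x
PIHOLE = ipaddress.ip_address("192.168.178.11")
LAN = ipaddress.ip_network("192.168.178.0/24")
DNS_PORTS = {53: "DNS", 853: "DNS-over-TLS"}  # DNS-over-HTTPS (443) is not visible here

# Constructed sample log, hypothetical format: "<src> <dst> <proto> <dport>"
# External addresses are from documentation ranges, not real resolvers.
SAMPLE_LOG = """\
192.168.178.32 192.168.178.11 udp 53
192.168.178.32 198.51.100.53 udp 53
192.168.178.32 198.51.100.54 tcp 853
192.168.178.11 203.0.113.53 udp 53
192.168.178.40 192.168.178.1 udp 53
192.168.178.32 198.51.100.7 tcp 443
garbage line
"""

def classify(src, dst, proto, dport):
    """Return None for non-DNS flows, else 'internal', 'upstream' or 'bypass'."""
    if dport not in DNS_PORTS or proto not in ("udp", "tcp"):
        return None
    if dst in LAN:
        return "internal"   # query to the Pi-hole or the router's own resolver
    if src == PIHOLE:
        return "upstream"   # the one host allowed to reach outside resolvers
    return "bypass"         # client talking to an external resolver directly

def find_bypasses(log_text):
    """Map each LAN client to the set of (resolver, service) it reached directly."""
    offenders = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue        # skip malformed lines
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        dport = int(parts[3])
        if src in LAN and classify(src, dst, parts[2].lower(), dport) == "bypass":
            offenders.setdefault(str(src), set()).add((str(dst), DNS_PORTS[dport]))
    return offenders

if __name__ == "__main__":
    for client, resolvers in sorted(find_bypasses(SAMPLE_LOG).items()):
        print(client, sorted(resolvers))
```

An empty result after a redirect rule is in place means no client reached an outside resolver on ports 53 or 853 during the logged period.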

I think I've decided what to do.

  • Completely disable Samsung Tizen smarthub (only use Chromecast with Google TV in HDMI)
  • Disconnect from network / disable Wi-Fi
  • Set my backup Google account to UK
  • Add backup Google account to Chromecast with Google TV
  • Switch to backup account to download UK apps in Playstore
  • Switch back to my own profile to use

In the Chromecast I can edit both DNS addresses.


Looks like a good plan to avoid any major home network changes and leak as little data as possible.

My setup is somewhat similar to the above. I have LibreELEC installed on an old Mini PC that is connected to the TV via HDMI for running Kodi, which is how I watch the vast majority of content.

Kodi integrates great with my Plex library for any content I've ripped myself, viewing family photos and so on. Kodi also has plugins for the iPlayer, YouTube and even Netflix, so pretty much covers all my streaming media needs. I do also have Tvheadend integrated with Kodi to record / watch OTA TV, however to be honest it's pretty rare I watch live TV or even record anything these days.

In addition I also have an older Chromecast for playing back any other media with DRM. I did used to use that for Netflix, however Kodi has had a working Netflix plugin for a couple of years now, which I find a lot more convenient. So the Chromecast only occasionally gets used to cast Disney+ or Prime Video from my phone, although I don't actively subscribe to either at the moment.


image.png

Does this look right to bounce all port 53 requests from a specific client back to the NAS with pihole on it?

.32 is the smart TV, .11 is the NAS with pihole on it.
