Pi-hole + Unbound with VLANs (Ubiquiti UniFi)

Captions
If you run Pi-hole plus Unbound within your home network and at the same time you configure VLANs, you may encounter issues when it comes to DNS domain name resolution. In this video let's talk about how we can resolve that. By the way, this video is not really related to Unbound, but because a while ago I posted a video about Pi-hole plus Unbound and I want to continue the discussion, that's why in the title of this video I have Unbound. In this video I'm going to use Ubiquiti UniFi network devices as an example. In my lab environment, within one machine I configured both Pi-hole and Unbound, and this machine is running within VLAN 1. In the lower part you can see I have three VLANs, just to demonstrate a typical VLAN setup: VLAN 1, which is default; VLAN 10, which is insecure, for IoT devices; and I also have an admin VLAN. You can see from the different colors of the arrows: the default VLAN can access IoT but not the admin VLAN; the admin VLAN can access both the other VLANs; but the IoT VLAN cannot access the default and admin VLANs. This type of requirement is typical within a home network. I'm going to discuss two different ways to achieve what we want, which is to use Pi-hole among multiple VLANs. First, change our firewall rules and configure Pi-hole so that Pi-hole at this IP address can serve multiple VLANs. The second approach: let's make Pi-hole provide the DNS service in every single VLAN individually, without changing any firewall rules.

This is the screen layout I'm going to use for this video: in the upper right I have the UniFi network controller and the Pi-hole machine, and in the lower part I have three Linux clients, each one residing in an individual VLAN. Let's check the current configurations. Let me go to the UniFi network controller, go to Settings, Network settings. You can see I have three networks defined: VLAN 1, 10 and 20. For each one of them, let me take admin as an example: of course the subnet is 20. If I scroll down to the DHCP service management, then I can find the DNS server configuration. At this moment I have not pointed it to Pi-hole yet; it's pointing to an external DNS server. For the other VLANs I have a similar configuration when it comes to DNS. If I check the current firewall rules, go to Security: you can see I follow the drop-all-first methodology. I have a drop inter-VLAN rule defined at the very beginning; I only allow the traffic which I want. If we check the diagram side by side, you can see all the red, disallowed directions are achieved by this drop-all rule, right? And then for each single green one I created a corresponding rule, for example allow admin to IoT, allow default to IoT.

Then move to the right; let's check Pi-hole. If I go to Settings, DNS, you can see it's not pointing to an external upstream DNS server; instead it's pointing to the local machine with this port number. This is for my Unbound server, and my Unbound server is pointing to external DNS servers. At this moment the Pi-hole machine is ready to be used as a DNS server, even though we haven't used it yet. Let's see at this moment what the situation is for the three VLANs. Move to the default VLAN first. In the diagram I also indicate the individual IP address for each Linux machine. So from the default VLAN, let me see whether I'm able to access admin: no, I cannot, correct. Move on to the IoT VLAN; let me see whether I'm able to access the default VLAN: no, I cannot, correct. And then from the admin VLAN, whether I'm able to access the default VLAN: yes, I'm able to do that. What about the IoT VLAN? OK, no problem, right? The firewall rules work. But let's see whether they are able to access the internet: ping abc.com. Yes, from the default VLAN, no problem; from the IoT VLAN, no problem; from the admin VLAN, no problem. So everything is as expected, because at this moment we are not using Pi-hole yet.

What if now we point the DNS server to Pi-hole? What will happen? Go to the UniFi network controller, Network settings. Let me start with the default VLAN: go to the DHCP service management, for DNS change it to my Pi-hole server's IP address, apply changes, then quickly do the same thing for the other VLANs. Before we start testing the DNS domain name resolving again, we need to refresh the DHCP configuration in each Linux client; otherwise the DNS server change won't be effective. So let me do it. OK, then from the default VLAN let me do the same thing: ping abc.com. OK, no problem. That's expected, because Pi-hole itself is also in the default VLAN, right? There's no reason why this doesn't work for the default VLAN. But what about the IoT VLAN? It just hangs there; that means the packets were dropped, there's no response from the DNS server. It failed. For the admin VLAN, the same thing happened. So only the default VLAN works. Let's check the diagram. The root causes for the IoT VLAN and the admin VLAN are not really the same. Let's talk about the admin VLAN first. Yes, from the firewall rules the admin VLAN is able to access the other two VLANs, right? Theoretically it should be able to access the Pi-hole server; why do we have a failure in the DNS name resolving? And the second thing is for the IoT VLAN: no matter whether the Pi-hole server works or not, from the IoT VLAN we simply cannot reach out to any machine in the default VLAN because of our firewall rule. So we need to resolve the firewall first; then we talk about the Pi-hole server.

Let's resolve the issues starting from the IoT VLAN. Let's work on the firewall rule first. So let me go to the IoT Linux; instead of pinging abc.com let me dig the domain name. It will hang there for a moment, then return an error: communication error to this IP address. What's this? This is the Pi-hole IP address we set in the UniFi network controller for this IoT VLAN. Because we have the firewall rule, this machine cannot reach out to the machine in the default VLAN. That makes sense. But how can we change the firewall rule to open up this access? It's very simple. So let me go to the firewall rules in the UDM Pro. I want to create a new entry: allow access to Pi-hole DNS. For protocol I only want to allow UDP, because that's what the DNS service will use. For the source type I already have an IP group defined previously; this is the RFC 1918 subnet, which means my local network including all my local VLANs. So I don't care which VLAN; as long as it's my local network I want it to be included in this firewall rule. And the port group, I don't care. Then about destination: for destination type I only want the access to be to the Pi-hole machine, so I already defined an IP group for Pi-hole. It's very simple; I don't want to waste your time here; I will directly select it. See here, Pi-hole: basically this means this one single .1.88 machine. And that's not enough, because I don't really want the other VLANs to access any other services of this Pi-hole server; I want to limit the access even more. For port group I only want to allow the DNS port. With this firewall rule I open up access to the Pi-hole machine, to the DNS service only. Add rule. Let me change the sequence for this new firewall rule; I will move it to the very top so that it will be processed first. OK, that's it; that's our simple firewall rule.

In the IoT Linux machine let me try to dig abc.com again. It seems it still doesn't work; yeah, you can see, timeout. Even though we already enabled the access to Pi-hole when it comes to the DNS service, we got the same error. That's strange. Let's try the same thing in the admin VLAN. According to the firewall rules, we allowed full access from this admin Linux machine to Pi-hole, right? So let me see whether it can get the IP address back. Let me do the same thing, dig abc.com. Too bad, we get the exact same error. That means it's not just because of firewall rules; there must be some more fundamental thing we are missing, right? What will that be? It is within the Pi-hole configuration. In Pi-hole go to Settings, go to DNS, scroll down; there's this very strange setting. You may not be able to understand what this means exactly, but this is our root cause for other VLANs being unable to access the Pi-hole DNS. By default Pi-hole only allows local requests; local means the same VLAN, so that means it only allows the one subnet to access its service. We have three possible options. I don't want to spend time explaining the exact differences; if you are interested you can go to the Pi-hole documentation and check the interfaces document. So for this video we simply enable this one: we allow Pi-hole to respond on this interface regardless of which VLAN the request is from; it will serve other VLANs as well. Once we make the change, save it; now it's active. Let's try the IoT Linux machine again. Let me do the same thing, dig abc.com. It immediately returns with the correct result. And for the admin VLAN, the same thing; yeah, same result. The problem is resolved.

Let me summarize. In this approach we did two different things. If you do have firewall rules which prevent your computers from accessing the VLAN in which the Pi-hole server resides, you need to create firewall rules to open up that access. But that's not enough; you need to further configure Pi-hole to allow it to serve other VLANs instead of just the local VLAN. Some people may not like it, because it requires that we open up access from other VLANs to this particular Pi-hole machine, to the DNS service. See these three green arrows; that's required to allow this approach to work. Some people may not like it; they don't like to mess with the firewall rules.

Before proceeding we need to revert the firewall rule changes: delete this additional firewall rule we added in the first approach. In the first approach we just talked about, because the Pi-hole server resides within this one subnet or VLAN, default, to allow machines in other VLANs to even be able to connect to Pi-hole we need to manipulate the firewall rules, right? Apparently the idea for the second approach is: why not provide DNS services in each single VLAN? Then we don't need to touch the firewall rules; we don't even need to touch the Pi-hole configuration. We simply need to work on the operating system's network configuration. Let's do that. We have three VLANs, three different subnets. The idea is, for each subnet, on this server for Pi-hole I have a distinct interface, so that Pi-hole can provide DNS resolving service on each subnet. This Pi-hole server you see here is a brand-new Pi-hole server; it's not the one we used in the first approach. So you can see from this icon it's managed by the Linux network manager, and if we go to the network setting we can see currently its IP address is 1.99; it's in the default VLAN; there are no other network interfaces. OK, so this is the default, current Pi-hole server network configuration. And if we go to the settings, remember in the first approach for DNS we changed the setting for the interface, but you can see here, for this default configuration for the brand-new Pi-hole, it has the default setting: allow only local requests. We don't want to touch this setting; we don't even want to touch any Pi-hole configuration.

It depends on the operating system you run your Pi-hole on; in my case I run it on Debian. So what I need to do is, on Debian, manually configure my network using the configuration file. Before the configuration I need to know my network interface name; depending on the hardware in your system the interface name may be different. To easily find it out, let me see what the current configuration is. OK, it tells me the interface name: ens192. In the Pi-hole server's Linux let me edit a network configuration file; it's under /etc/network and the file name is interfaces. By default the file is pretty simple. Let me add my new interfaces at the end. OK, this part is the one I just added. So basically what I want to say is: in the first section I want to add a new interface with this name, and it is a static IP address configuration, with this IP address. I chose an IP address which is different than the previous approach on purpose. And then the 24 indicates the subnet mask. For gateway, this is my UDM Pro's IP address for the default VLAN. Then the second section is for VLAN 10, for the IoT VLAN. This is the interface name, with a special naming convention: dot and then the VLAN ID. For IP address it is 10.98; the gateway is the corresponding UDM Pro's IP address. Similarly for VLAN 20. This is the configuration; so you can see, a pretty simple, straightforward network configuration, right? Write the file, then exit. To make it effective we either restart the network manager or I simply reboot the Linux machine.

While it's rebooting let me explain an additional thing. Because I'm running this Linux on an ESXi server, it's a Linux virtual machine; to enable the VLAN trunk I need to do some special configuration on the ESXi level. This is the port group used by my Linux virtual machine. If you check the setting you can see I set the VLAN ID to this number; this number indicates I want to enable VLAN trunking. If you happen to use ESXi you may want to do a similar thing, but if you run your Linux in a different way it's not relevant to you. OK, let me go back to the rebooted Pi-hole server. OK, the operating system has been rebooted. You can immediately notice one difference: this icon for network configuration is now showing a question mark. Why? Because the network controller for Linux cannot determine the IP configuration anymore, because we manually changed the configuration file, right? To validate the current effective one, let me simply run this command. Yes, we can see this interface for the default VLAN, this one for VLAN 10, this one for VLAN 20. From the operating system level we are good. Remember we haven't changed anything in Pi-hole, right? To finish the change we need to go to the UDM Pro to change the DHCP settings for each VLAN. To save time I already completed the change; let me quickly show you. For the default VLAN you can see this is the DNS server I configured; on the right side we have the same IP address. Then for VLAN 10 we have this DNS server; on the right side you can find the same information. For VLAN 20 we have a similar thing, right? I don't want to waste your time, so we are done with all the needed configurations.

Now let's validate it. Before we can even test anything, remember we just changed the DHCP settings in the UDM Pro, right? We haven't refreshed the client settings yet; we need to do that. Let me quickly do it. OK, now let me start with the default VLAN: dig x.com. OK, I quickly get the answer back, and this is from the newly configured DNS server. No problem, we are good. Of course, this is the default VLAN; we expect it to work, right? Now the moment of truth for the IoT VLAN, VLAN 10: dig x.com as well. OK, we got the answer back quickly; this time it's from this IP address. You can validate from Pi-hole as well; it's the one we configured for VLAN 10 on the operating system level. Good. Let's validate VLAN 20. OK, similar thing, from this Pi-hole server. So we are all good. As you can see, I really like the second approach, because it only involves configuration changes on the Linux operating system level, and we don't need to mess with the router firewall settings; we don't need to change the Pi-hole configuration. This is the end of the video. Thanks for watching.
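The second approach in the video hinges on one file, `/etc/network/interfaces` on the Debian Pi-hole host, with one 802.1Q sub-interface per VLAN. The script below is an added example, not the video's own configuration: it generates those ifupdown stanzas for the three VLANs described above, so you can review and dry-run them before touching the live file. The parent NIC name `ens192` is the one shown in the video; the `192.168.1.0/24`, `192.168.10.0/24` and `192.168.20.0/24` subnets, the host addresses and the gateway are constructed placeholders. Unlike the video, which puts a `gateway` line in every stanza, this example gives only the untagged interface a gateway: the host needs a single default route, and asking ifupdown to add a second one usually fails with an RTNETLINK "File exists" error.

```shell
#!/bin/sh
# Added example (not the video's configuration): build the ifupdown stanzas
# for a Pi-hole host that must have an address inside every VLAN, so that
# Pi-hole answers each VLAN locally and the router needs no inter-VLAN rule.
# Assumptions: parent NIC ens192 (from the video); subnets, host addresses
# and gateway below are constructed placeholders.

# vlan_stanza PARENT VLAN_ID ADDRESS/PREFIX [GATEWAY]
# VLAN_ID 0 means the untagged parent interface (the default VLAN).
vlan_stanza() {
  _parent=$1; _vid=$2; _addr=$3; _gw=$4
  if [ "$_vid" -eq 0 ]; then
    _if=$_parent
  else
    # Debian's VLAN support derives the 802.1Q tag from the "PARENT.ID" name
    _if="$_parent.$_vid"
  fi
  printf 'auto %s\n' "$_if"
  printf 'iface %s inet static\n' "$_if"
  printf '    address %s\n' "$_addr"
  if [ -n "$_gw" ]; then
    printf '    gateway %s\n' "$_gw"
  fi
  if [ "$_vid" -ne 0 ]; then
    # makes the dependency on the parent NIC explicit for ifupdown
    printf '    vlan-raw-device %s\n' "$_parent"
  fi
  printf '\n'
}

# pihole_interfaces: a complete interfaces file for the three VLANs in the
# video. Only the untagged interface carries a gateway: one default route
# is enough, and ifupdown cannot add a second one.
pihole_interfaces() {
  printf 'source /etc/network/interfaces.d/*\n\n'
  printf 'auto lo\niface lo inet loopback\n\n'
  vlan_stanza ens192 0  192.168.1.99/24 192.168.1.1   # default VLAN 1
  vlan_stanza ens192 10 192.168.10.98/24              # IoT VLAN 10
  vlan_stanza ens192 20 192.168.20.98/24              # admin VLAN 20
}

# static_iface_count CONFIG_TEXT: number of "iface ... inet static" stanzas,
# a quick sanity check that every VLAN got its own interface.
static_iface_count() {
  printf '%s\n' "$1" | grep -c '^iface .* inet static$'
}

# Usage: pihole_interfaces > pihole.interfaces
```

Write the output to a scratch file first and dry-run it with `ifup --no-act --interfaces=pihole.interfaces -a`, which prints the commands ifupdown would run without changing anything; only then copy it into `/etc/network/interfaces` and reboot or `ifup -a`. After the reboot, `ip -br addr` should list `ens192`, `ens192.10` and `ens192.20` each with its own address, which is the check the video performs before pointing each VLAN's DHCP scope at the matching Pi-hole address. The sub-interfaces rely on the kernel's 8021q module, which ifupdown's VLAN support loads (on older Debian releases that support came from the separate `vlan` package), and on the hypervisor or switch port carrying the VLANs as a trunk, as the ESXi port group does in the video.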
Info
Channel: 777 or 404
Views: 1,909
Id: if_O2ldBLUs
Length: 20min 55sec (1255 seconds)
Published: Sat Feb 17 2024