
I know just enough to make a mess of things, so need some help trying to figure out what's going on here.

 

I'm running pfSense on a dedicated box serving as my network's DHCP server and DNS resolver (via unbound within pfSense). I have no other DNS server addresses configured, so all clients should be using the gateway as the DNS server. Looking at the network configs for various clients (both wired and wireless), this appears to be the case as they are all reporting 192.168.1.1 as the DNS server, which is the gateway address.

 

I'm also running pfblockerng (PiHole alternative) for ad blocking, which appears to be working for all clients except one. When I say working, I mean I've verified that ads are being blocked on sites where I know they are present, along with using dnsleaktest.com to verify that only MY IP shows up as the DNS server found, which is what's expected when pfSense is doing the resolving internally (I think... it's consistent so I'll run with it - point of comparison below). I've also tried to manually ping some domains that are in the block lists and they correctly return the dummy IP address those requests are directed to via pfblockerng.

 

The client not working as expected is my phone, which is a OnePlus 6T running Android 10. BUT, it's only not working using the Chrome browser. In Chrome it serves up ads previously blocked and dnsleaktest.com shows multiple Google DNS servers being pinged. Switching to Firefox resolves this and everything is blocked as expected. I can verify this behavior via the pfSense logs as well. Under the network settings there's a secondary DNS server, 8.8.8.8 (Google's), listed alongside my gateway DNS server even though this isn't configured by my network anywhere (per my above). Some searching shows this as behavior added to either Android or OnePlus somewhere in a past update.

 

It appears that for some reason Chrome is preferring to use this secondary DNS server instead of the default. If I manually set the IP and DNS on my phone, rather than automatically get that from the DHCP server it functions as expected and all content is blocked correctly in Chrome.

 

So, following THIS PFSENSE guide I tried to redirect client DNS requests to force them all to use the gateway's DNS resolver, but for some reason Chrome on Android is getting around it. Here's the resulting firewall NAT.

 

[screenshot: the resulting NAT port forward rule]

 

...and corresponding rule added on the LAN interface.

 

[screenshot: the corresponding LAN firewall rule]

 

There are some DNS requests from other devices on the network that I can see are being redirected to 127.0.0.1:53, which leads me to believe that the fundamental process is working. Except for Chrome on Android.

 

Since setting my phone to a static IP and DNS mapping works, I know I have ONE solution to the problem. It's still driving me crazy though as to WHY Chrome on Android is seemingly bypassing the pfSense DNS resolvers (and by extension the ad blocking of pfblockerng) even with the NAT port forwarding in place that's supposed to force it ALL to go through the pfSense unbound resolver.

 

What am I missing here?

 

tl;dr - Chrome on Android seems to be using its own Google DNS server. I've attempted to set up pfSense to redirect ALL DNS queries to its internal resolver, but it doesn't appear to be doing what I expect. I have a workaround, but am trying to learn what I've configured incorrectly.

Be sure to QUOTE or TAG me in your reply so I see it!

 

CPU Ryzen 7 5800X3D GPU EVGA 3080 Ti FTW3 Ultra MOBO Asus ROG Strix B550-F Gaming RAM Crucial Ballistix 3600 MHz CL16 32 GB PSU Corsair RM1000x COOLING Noctua NH-D15

https://linustechtips.com/topic/1282996-pfsense-dns-help-needed/


3 minutes ago, zhnu said:

I actually came across and read both of those links when trying to figure out what's going on.

 

The first one simply outlines forcing a particular DNS on Android by disabling DHCP and using static mapping. I know how to do that and I know it works.

 

The second one was a bit more convoluted since it's referring to PiHole specifically and wasn't clear what router they were using to point to the PiHole DNS. From what I can tell, pfSense doesn't hand out alternative DNS servers when using itself as the resolver. It only does so when in DNS Forwarder mode, but that breaks the functionality of pfblockerng and therefore ad blocking, which is the whole point.

 

My primary question is still WHY the NAT and firewall rules set up to redirect all DNS requests to the gateway itself to resolve are bypassed by Chrome on Android.



2 minutes ago, zhnu said:

Because your smartphone is using 8.8.8.8 <- Google's DNS (ignoring the one you provided via DHCP) in the wifi settings for the DNS resolver. You can simply change it in the wifi connection settings on the Android, or, yes, more convoluted, remap the 8.8.8.8 to your internal DNS resolver.

On my phone, under the settings for the wifi I'm connected to, the primary DNS is my gateway at 192.168.1.1 (handed out via DHCP) and there's a secondary listed as 8.8.8.8 (Google). The secondary is added by either Google or OnePlus, NOT my network.

 

The ONLY thing using the secondary DNS server is the Chrome browser. All other traffic generated from my phone uses the primary DNS (and therefore gets routed through my ad blocker as desired). This is the key part of my issue.

 

I'm trying to understand why the DNS reroute I've configured isn't working as expected, thereby still allowing Chrome to get address resolution from Google DNS servers.



10 hours ago, zhnu said:

https://forum.netgate.com/topic/138313/redirect-dns-to-8-8-8-8-for-specific-source-ips

It's ignoring your DNS server because Google products force it to use their own DNS servers; Chromecast does the same, if I'm not mistaken. The two options are either block Google DNS or redirect it:
8.8.8.8
8.8.4.4
2001:4860:4860::8888
2001:4860:4860::8844

They already have DNS redirection for ALL DNS SERVERS using the port forward on the router.

Of course Chrome might be using DNS over HTTPS now, which is why it bypasses it.
 

ASUS B650E-F GAMING WIFI + R7 7800X3D + 2x Corsair Vengeance 32GB DDR5-6000 CL30-36-36-76  + ASUS RTX 4090 TUF Gaming OC

Router:  Intel N100 (pfSense) Backup: GL.iNet GL-X3000/ Spitz AX Switches: Netgear MS510TXUP, MS510TXPP, GS110EMX
WiFi6: Zyxel NWA210AX (1.7Gbit peak at 160Mhz) WiFi5: Ubiquiti NanoHD OpenWRT (~500Mbit at 80Mhz)
ISPs: Zen Full Fibre 900 (~930Mbit down, 115Mbit up) + Three 5G (~1200Mbit down, 115Mbit up, variable)
Upgrading Laptop/Desktop CNVIo WiFi 5 cards to PCIe WiFi6e/7


On 12/18/2020 at 11:20 PM, zhnu said:

https://forum.netgate.com/topic/138313/redirect-dns-to-8-8-8-8-for-specific-source-ips

It's ignoring your DNS server because Google products force it to use their own DNS servers; Chromecast does the same, if I'm not mistaken. The two options are either block Google DNS or redirect it:
8.8.8.8
8.8.4.4
2001:4860:4860::8888
2001:4860:4860::8844

That article gave me the idea to have my DHCP server hand out 192.168.1.1 as both DNS 1 and DNS 2. The general setting part of pfSense doesn't let you duplicate, but DHCP does.

 

By doing that it seems to have prevented my phone from auto-assigning the Google DNS server as a secondary. Now only my pfSense box shows up and the pfblockerng behavior in Chrome works as desired.

On 12/19/2020 at 9:53 AM, Alex Atkin UK said:

They already have DNS redirection for ALL DNS SERVERS using the port forward on the router.

Of course Chrome might be using DNS over HTTPS now, which is why it bypasses it.
 

That's a great point about DNS over HTTPS. I have no idea how that works, but certainly could be why the redirect I set up didn't work (since it was only for port 53 which doesn't cover DNS over HTTPS).

 

I'll look into that a bit more, but have a more elegant work-around for now.


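The port-53 redirect from the first post and the DNS-over-HTTPS explanation in the last reply, modelled together as an added example. This is not code from the thread or from pfSense: it emulates the NAT rule's matching logic on constructed sample flows and flags the one that the rule can never catch. The names Flow, apply_dns_redirect, classify and bypassing_clients are this example's own; the resolver addresses are the ones listed in the thread, and the sample client addresses are made up.

```python
# Added example (not from this thread or from pfSense): models the pfSense
# "redirect all DNS to the resolver" NAT rule from the first post and shows
# why a DNS-over-HTTPS client slips past it. All flows below are constructed
# sample data; the helper names (Flow, apply_dns_redirect, classify,
# bypassing_clients) are this example's own.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")          # the poster's LAN
UNBOUND = (ip_address("127.0.0.1"), 53)      # where the NAT rule sends DNS

# Public resolver addresses named in the thread. Their DoH service is reached
# over TCP/443 at the same addresses, which a port-53 rule never sees.
GOOGLE_DNS = {
    ip_address("8.8.8.8"), ip_address("8.8.4.4"),
    ip_address("2001:4860:4860::8888"), ip_address("2001:4860:4860::8844"),
}


@dataclass(frozen=True)
class Flow:
    src: str      # client address
    dst: str      # original destination address
    proto: str    # "udp" or "tcp"
    dport: int    # original destination port


def apply_dns_redirect(flow: Flow):
    """Emulate: rdr on LAN proto {tcp,udp} from LAN:network to any port 53
    -> 127.0.0.1 port 53.  Returns the (ip, port) the packet is delivered to.
    Only destination port 53 is rewritten; everything else passes untouched."""
    if ip_address(flow.src) in LAN and flow.proto in ("udp", "tcp") and flow.dport == 53:
        return UNBOUND
    return (ip_address(flow.dst), flow.dport)


def classify(flow: Flow) -> str:
    """Defender's view of one flow: caught by the redirect, a probable DoH
    bypass (TLS to a known public resolver), or unrelated traffic."""
    if apply_dns_redirect(flow) == UNBOUND:
        return "redirected-to-unbound"
    if flow.proto == "tcp" and flow.dport == 443 and ip_address(flow.dst) in GOOGLE_DNS:
        return "likely-doh-bypass"
    return "not-dns"


def bypassing_clients(flows):
    """Client addresses that reached a public resolver over 443 despite the rule."""
    return sorted({f.src for f in flows if classify(f) == "likely-doh-bypass"})


# Constructed sample traffic: a laptop using plain DNS (redirected even when it
# asks 8.8.8.8 directly), a phone whose browser speaks DoH to 8.8.8.8, and
# ordinary HTTPS traffic that has nothing to do with DNS.
SAMPLE_FLOWS = [
    Flow("192.168.1.50", "8.8.8.8", "udp", 53),          # laptop, plain DNS to Google
    Flow("192.168.1.50", "192.168.1.1", "udp", 53),      # laptop, plain DNS to gateway
    Flow("192.168.1.77", "8.8.8.8", "tcp", 443),         # phone browser, DoH to Google's resolver
    Flow("192.168.1.77", "192.168.1.1", "udp", 53),      # phone, other apps use the gateway
    Flow("192.168.1.50", "93.184.216.34", "tcp", 443),   # laptop, ordinary HTTPS (made-up target)
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src:>14} -> {f.dst}:{f.dport}/{f.proto:<3}  {classify(f)}")
    print("clients bypassing the resolver:", bypassing_clients(SAMPLE_FLOWS))
```

Run as-is, the model reproduces what the thread observed: every port-53 query from the LAN lands on unbound no matter which server the client asked, including the laptop's query aimed straight at 8.8.8.8, while the phone browser's TLS session to 8.8.8.8:443 is untouched and is the only flow that resolves names outside pfSense. That is the gap between "redirect all DNS" and "redirect port 53", and it is why only a rule that covers 443 to those resolver addresses (the block option zhnu mentioned), or the DHCP change in the final post that stops the phone from picking up 8.8.8.8 at all, actually closes it.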
