NethServer Proxy Option "Use Other DNS"

@giacomo

Hi All !

One Option in OPNsense under Squid Proxy would be a good addition to NethServer, easy for the devs to implement and: makes sense!

Situation:

You’re using NethServer as a Proxy, but have a separate PI-Hole as DNS.
I let my client machines use PI-Hole, but not my Linux Servers.
And that includes NethServer.

That means that anyone using NethServer as a Proxy effectively bypasses the PI-Hole, and gets Ads shown… Not what is intended.

The solution?
Something like this:

OPNsense has the Option to let just the Proxy use different DNS (Like my PI-Hole at home).
This means, even users using the Proxy get PI-Hole cleaned websites displayed…

It works!

And, as said, would be easy to implement…

Any Feedback?

My 2 cents
Andy

1 Like

Hi Andy, that’s my use case.

DNS within the Nethserver Cockpit: 1.1.1.1, 8.8.8.8
DNS provided by DHCP for all clients: 192.168.3.3 (pihole)
DNS within my other servers: statically defined 1.1.1.1, 8.8.8.8
Pihole Configuration:

@capote

Hi Marko

That’s what I had too, before the PI-Hole I was using the NethServer as Proxy (Squid).
I noticed as soon as a PC/Mac used the Proxy, Ads were displayed, when using the PI-Hole (alone) not. If they didn’t use the Proxy, the PI-Hole worked fine.

Then I noticed that nice feature in OPNsense, and I thought it would be nice if I could get NethServer to do that, too…

At the moment it’s working using OPNsense + PI-Hole, where OPNsense is the Proxy, but also main DNS and DHCP.

This site is good for a quick testing of PI-Hole & Proxy: https://weather.com/ (On top is a banner Ad, not shown when PI-Hole is used…) :slight_smile:

I’d like to be able to use this for some friends who only use Nethserver, without OPNsense. The PI-Holes are in almost all cases running as LXC in Proxmox, only one friend actually uses a Raspberry PI as PI-Hole…

My 2 cents
Andy

And configuring Pi-Hole as a DNS forwarder for NethServer? As only DNS forwarder, I mean…

@pike

Problem is, some clients' marketing departments WANT the Ads, a bit of a dilemma…

I need sometimes both…

Hi Andy, I’m using Nethserver as Proxy (transparent SSL) and PiHole. No ads at weather.com

You can define groups inside of Pihole without related blocklists.

@capote
I thought transparent proxy doesn’t work with SSL?

And… doesn’t transparent proxy require running on the firewall?
This is not possible in most use cases for me.
At least that’s what reading this implies:
https://docs.nethserver.org/en/v7/web_proxy.html

We are already using such an option: the value is enforced if DNS blacklisting is installed.
It will not be easy to integrate it with a custom value :thinking:

@davide_marini what do you think?

1 Like

From a GUI perspective:
if DNS Blacklisting is installed there should be a combobox (DNS Blacklisting, custom DNS)
if DNS Blacklisting is not installed, the same combobox with the DNS Blacklisting not choosable.

2 Likes

Hi Andy, it seems to me that the proxy works fine with SSL.

The proxy can be enabled only on green and blue zones. Supported modes are:

  • Manual: all clients must be configured manually
  • Authenticated: users must enter a user name and password in order to navigate
  • Transparent: all clients are automatically forced to use the proxy for HTTP connections
  • Transparent SSL: all clients are automatically forced to use the proxy for HTTP and HTTPS connections

And… doesn’t transparent proxy require running on the firewall?

I have not yet tried to run it without firewall.

There always is a firewall on NethServer, even if not explicitly configured. I mean, without using NethServer as main firewall / gateway…

The Proxy as such does work.