network security

Note-to-self: redirect DNS bypass over your DNS blackhole server

When you have smart devices at home, like smart TVs, you might notice that they are bypassing your internal DNS server, by using public internet DNS (like Google DNS).

And if you use a DNS black hole server like PI-Hole, to protect your network against adware, malware, phishing this is not a healthy situation, as these smart devices bypass your security.


Originally, I tried to implement the solution proposed and documented by Scott Helme.

But I ended up with DNS lockdown (and killing my entire internet connection, due to blockage of DNS.)

The solution documented by “Fiction becomes Fact” on this page, did the trick.

Apparently, since the 2018 version, some configuration items like the folder locations have changed…

Important: carefully verify the site folder location mentioned in the posts, to upload the config file. It has changed in newer Ubiquity versions. (Currently : unifi/unifi/data/sites/default/)

Older articles might point to wrong folders (I suppose it has recently changed with new versions of Ubiquiti…)

Just a few more important attention points:

  • in the newer version (dd oct 2022) of the Ubiquity interface, it looks like the topology does not support upload of maps anymore… so you can’t auto-create the site folder… (to be confirmed). You need to create the folders manually. And set the owner/group permission of the folders and config file yourself.
  • explicitly verify the owner settings of the newly created folders too

You can of course, apply this approach to other security solutions.

In essence:

  • all DNS traffic through your firewall must come from your (PiHole) DNS server
  • DNS traffic from any other device is redirected to the DNS server
  • DNS server logs and manages and filters (blocks/allow) the DNS requests