Re: Nextcloud, Pi-hole and the default page

Posted: Tue Sep 10, 2019 1:19 am
by krtpowa
MichaIng wrote: Tue Aug 13, 2019 2:16 pm
@krtpowa @anubis
We're about to implement a solution to block the Pi-hole blocking page by default for non-local access:
This makes sense since no one would ever share one's local Pi-hole DNS to the public www, although it would be cool to have a public DNS with Pi-hole integrated :P. And without having something blocked by this Pi-hole instance, the blocking page has no meaning, thus denying access totally makes sense to prevent any possible information leak.

The question is now if we should do the same for the admin page:
- Block it by default for remote access? Or keep it possible to monitor/administer your Pi-hole instance from remote networks as well?
- Give a choice during install process? The Pi-hole installer anyway asks a lot of questions, so one more does not hurt much?

The block is implemented in a way that all client IPs have access that match the address ranges that are reserved for local networks. This means also VPN clients and otherwise directly connected local networks have access, which is important of course.

We are thinking of allowing this for local IPv6 networks as well, but I doubt that anyone has an IPv6-only local network, meaning having only IPv6 addresses assigned and using them to connect to devices within the local network?
Otherwise it is not too hard to add those Link Local Unicast and Unique Local Unicast address ranges to the pattern, after all. There is just still the possibility to access individual local devices via external IPv6 prefix+internal address, so the device will receive the external prefix as well as remote IP, thus block access. Not sure if there is any reasonable way to check this, but there is really no point in accessing local devices by their external IPv6 address from within the local network anyway...

Thank you for making this improvement, especially when it facilitates the user.
I would put the question in the installer, or the web server (Nginx, Apache etc., or when you install Pi-hole)

Very good work

By the way, a DNS server with Pi-hole would not be bad, because sometimes I use VPN to avoid advertising on my mobile, but OpenVPN consumes a lot of battery. A DNS would be a good idea, but I don't know if this is a danger to the security of the equipment (DNS server / RPi / other computers with DietPi)
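
The address-range check described in the quoted post, as an added example that is not part of the thread and not Pi-hole or DietPi code. The range list and the `is_local_client` helper are assumptions (the posts name only the categories of ranges); the `2001:db8::` address stands in for a local device reached via its external IPv6 prefix, which the check denies as the post describes.

```python
import ipaddress

# Assumed list: RFC 1918 private ranges, loopback, plus the IPv6
# Link Local Unicast (fe80::/10) and Unique Local Unicast (fc00::/7) ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7",
)]

def is_local_client(remote_addr: str) -> bool:
    """Return True if the client address falls in a local-network range."""
    try:
        # Strip an IPv6 zone id such as fe80::1%eth0 before parsing.
        ip = ipaddress.ip_address(remote_addr.split("%", 1)[0])
    except ValueError:
        return False  # unparsable remote address: deny
    # Dual-stack listeners can report IPv4 clients as ::ffff:a.b.c.d;
    # unwrap so the IPv4 ranges still match.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in LOCAL_NETS)

# Constructed sample clients (not taken from any real log).
SAMPLES = [
    "192.168.1.20",                    # LAN client
    "10.8.0.6",                        # VPN client in a private range
    "::ffff:192.168.1.20",             # LAN client seen through a dual-stack socket
    "fe80::1c2d:3eff:fe4f:5a6b%eth0",  # IPv6 link-local with zone id
    "fd12:3456:789a::10",              # IPv6 unique local address
    "2001:db8:1:2::10",                # global prefix + internal address: denied
    "203.0.113.7",                     # remote IPv4 client: denied
]

if __name__ == "__main__":
    for addr in SAMPLES:
        print(f"{addr:34} {'allow' if is_local_client(addr) else 'deny'}")
```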

Posted: Tue Sep 17, 2019 10:15 am
by MichaIng
Thanks for your kind feedback. Yep, about the admin panel, it is now asked during install. The Pi-hole installer requires much manual input anyway, one more question does not hurt much :D.

Some use unbound as local DNS resolver to be used by Pi-hole then. So unbound e.g. listens to 5353 and Pi-hole uses it as upstream DNS.