Posted: 2/23/2024 8:12:23 AM EDT
[Last Edit: farfromhome]
PI hole was not working correctly so I reinstalled it last night. That killed my touch phone. I had to restart my UDM Pro and my enterprise switch. Every UI device is working now but I had to disable pihole.

Even after allowing:

static.ui.com
trace.svc.ui.com
etc

UI was saying it could not reach UI.com. Dugh, fuck their tracking.

My pi hole is set up as a recursive DNS server using unbound.

How can I set up my pi hole to work with UI?

I searched...
Link Posted: 2/23/2024 10:13:18 AM EDT
[#1]
Originally Posted By farfromhome:
PI hole was not working correctly so I reinstalled it last night. That killed my touch phone. I had to restart my UDM Pro and my enterprise switch. Every UI device is working now but I had to disable pihole.

Even after allowing:

static.ui.com
trace.svc.ui.com
etc

UI was saying it could not reach UI.com. Dugh, fuck their tracking.

My pi hole is set up as a recursive DNS server using unbound.

How can I set up my pi hole to work with UI?

I searched...

Search more man.  In fact, in the thread you made yesterday, a valid suggestion was provided and you obviously ignored or didn’t try what was in that link.


Options:

1.  Set your router WAN interface DNS to your ISPs, 9.9.9. Or 1.1.2.2.  Set your DHCP DNS to your pihole address
2.  Allow all the traffic for [\*].ui.com (which you have),  but your root.hints in Unbound must not have the right IP or have NIL for those FQDNs.   Update your root hints and restart pihole.
With this said, you need to think of others here as you’re using this as your personal (unpaid) IT support and it’s not really what it is here for.
Link Posted: 2/23/2024 10:47:11 AM EDT
[#2]
Someone of your intellect and knowledge level would benefit from a simplified setup of a normal router/wifi AP and a COTS NAS like synology.
Link Posted: 2/23/2024 11:03:35 AM EDT
[Last Edit: ske714] [#3]
Just look in your pi hole log for the specific blocked traffic and white-list it.  It's very easy.  Everything in my house uses the pi hole, including lots of Unifi.

Also, my unifi doesn't track anything.  It checks for updates, and that's all.  Just opt out of their improvement program, or whatever it is.
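As an added example (not code from this thread or from Pi-hole), the log-reading step ske714 describes as a small Python script: it scans constructed Pi-hole/dnsmasq log lines for blocked queries, records which client asked, and emits `pihole -w` whitelist commands only for names under ui.com, leaving unrelated blocked domains alone. The "gravity blocked" line format, host names and addresses are assumptions for the sample, not taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of Pi-hole's dnsmasq-style log (/var/log/pihole/pihole.log);
# PIDs, timestamps and addresses are made up for this example.
SAMPLE_LOG = """\
Feb 23 08:12:23 dnsmasq[812]: query[A] static.ui.com from 192.168.1.1
Feb 23 08:12:23 dnsmasq[812]: gravity blocked static.ui.com is 0.0.0.0
Feb 23 08:12:24 dnsmasq[812]: query[A] ping.ui.com from 192.168.1.1
Feb 23 08:12:24 dnsmasq[812]: forwarded ping.ui.com to 127.0.0.1#5335
Feb 23 08:12:25 dnsmasq[812]: query[A] trace.svc.ui.com from 192.168.1.1
Feb 23 08:12:25 dnsmasq[812]: gravity blocked trace.svc.ui.com is 0.0.0.0
Feb 23 08:12:26 dnsmasq[812]: query[A] ads.example.net from 192.168.1.50
Feb 23 08:12:26 dnsmasq[812]: gravity blocked ads.example.net is 0.0.0.0
Feb 23 08:12:27 dnsmasq[812]: query[A] static.ui.com from 192.168.1.1
Feb 23 08:12:27 dnsmasq[812]: gravity blocked static.ui.com is 0.0.0.0
"""

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)$")
# Assumed block reasons as Pi-hole v5 logs them; extend if your log shows others.
BLOCK_RE = re.compile(r"(?:gravity blocked|regex blacklisted|exactly blacklisted) (\S+) is ")


def blocked_by_domain(log_text):
    """Map each blocked name to its hit count and the clients that asked for it."""
    last_client = {}  # most recent requester of each name, to attribute the block line
    blocked = defaultdict(lambda: {"count": 0, "clients": set()})
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            last_client[q.group(1)] = q.group(2)
            continue
        b = BLOCK_RE.search(line)
        if b:
            name = b.group(1)
            blocked[name]["count"] += 1
            blocked[name]["clients"].add(last_client.get(name, "unknown"))
    return dict(blocked)


def whitelist_commands(blocked, zones=("ui.com",)):
    """Emit `pihole -w` commands only for blocked names inside the chosen zones,
    so an unrelated ad domain blocked in the same log stays blocked."""
    return [f"pihole -w {n}" for n in sorted(blocked)
            if any(n == z or n.endswith("." + z) for z in zones)]


if __name__ == "__main__":
    hits = blocked_by_domain(SAMPLE_LOG)
    for name, info in sorted(hits.items()):
        print(f"{name}: blocked {info['count']}x for {', '.join(sorted(info['clients']))}")
    print("\n".join(whitelist_commands(hits)))
```

Run it against the real log instead of SAMPLE_LOG, and review the printed commands before running them; ping.ui.com never appears because it was forwarded, not blocked.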

Link Posted: 2/23/2024 11:31:30 AM EDT
[Last Edit: Jakezor] [#4]
You set your internal network devices to use pihole DNS via DHCP settings in Unifi Network.
(attachment: screenshot)

192.168.1.1 is my UDMPro (yeah I'm lazy and took defaults), 1.3 is the IP of my Pihole, the UDMPro is handing out DHCP and telling all clients to use the Pihole for DNS.  Note you have to do this for ALL networks you have created in Settings.  I have Default for wired, and Wireless for wireless.  If you have more you have to modify those as well.

You let the UDMPro use your ISP for its WAN side outbound system DNS calls.  <- pretty sure that is what spammed your Pihole.  If you learned what it's doing, it's checking that you have internet.
(attachment: screenshot)

Otherwise set the Pihole to not care about lookups to unifi:
(attachment: screenshot)

One can block all but the pihole from outbound DNS.  But I am wary about showing you how to do this, you can very much shoot yourself in the foot.
It will also only get basic things as DNS over HTTPS is possible and very hard to stop for non-enterprises.

Hold on getting some screenshots.
Link Posted: 2/23/2024 11:34:55 AM EDT
[#5]
Originally Posted By Jakezor:
You set your internal network devices to use pihole DNS via DHCP settings in Unifi Network.

If you want you block all but the pihole from outbound DNS.

You let the UDMPro use your ISP for its WAN side outbound system DNS calls.  <- pretty sure that is what spammed your Pihole.

Otherwise set the Pihole to not care about lookups to unifi:


Hold on getting some screenshots.
Never use your ISP's DNS.  There are WAY better options, I don't care who they are.
Link Posted: 2/23/2024 11:43:48 AM EDT
[Last Edit: Jakezor] [#6]
Originally Posted By ske714:


Never use your ISP's DNS.  There are WAY better options, I don't care who they are.
Yeah I know, and mine is set to Cloudflare, but this is just getting him to a workable state instead of a jumbled clusterfuck of a house of cards.
Also, UDMPro is just going to use those DNS calls to go to UI.com and such for updates.  All other traffic should be using the Pihole, and if Pihole is set to use Unbound...  Shouldn't leak.
Link Posted: 2/23/2024 11:47:19 AM EDT
[#7]
Originally Posted By LatentUser:



Search more man.  In fact, in the thread you made yesterday, a valid suggestion was provided and you obviously ignored or didn't try what was in that link.


Options:

1.  Set your router WAN interface DNS to your ISPs, 9.9.9. Or 1.1.2.2.  Set your DHCP DNS to your pihole address
2.  Allow all the traffic for [\*].ui.com (which you have),  but your root.hints in Unbound must not have the right IP or have NIL for those FQDNs.   Update your root hints and restart pihole.

I'm running a Dream Machine Pro and have had a pihole for years.   Never had any issues w/ it.   This sounds like a good start if you're having issues.
Link Posted: 2/23/2024 11:48:30 AM EDT
[#8]
Originally Posted By ske714:


Never use your ISP's DNS.  There are WAY better options, I don't care who they are.
I'll second never use the ISP's DNS.  It will bite you on the butt later.  I normally use 8.8.8.8 and 4.2.2.1 if someone doesn't have other preferences.
Link Posted: 2/23/2024 11:52:29 AM EDT
[#9]
Originally Posted By Jakezor:


Yeah I know, and mine is set to Cloudflare, but this is just getting him to a workable state instead of a jumbled clusterfuck of a house of cards.
Also, UDMPro is just going to use those DNS calls to go to UI.com and such for updates.  All other traffic should be using the Pihole, and if Pihole is set to use Unbound...  Shouldn't leak.
True.  I wonder why unifi is in an adlist, in the first place.  I can't think of a reason why you would want them blocked.
Link Posted: 2/23/2024 11:59:16 AM EDT
[#10]
Originally Posted By ske714:


True.  I wonder why unifi is in an adlist, in the first place.  I can't think of a reason why you would want them blocked.
trace.svc.ui.com is telemetry data and ping.ui.com is for internet connectivity checks.  I guess one could be paranoid about the first and be heavy handed with some blocks so you stop your router from thinking it's connected to the internet.

Internal stuff like APs and Cameras check for unifi by name or IP depending on what you have set up, so they can report into the management system they're connected to.  That's why I have them not shown in the top10 lists in Pihole.  Funny thing is wouldn't a privacy advocate not want logs to be kept?
Link Posted: 2/23/2024 12:31:51 PM EDT
[#11]
Originally Posted By Jakezor:


trace.svc.ui.com is telemetry data and ping.ui.com is for internet connectivity checks.  I guess one could be paranoid about the first and be heavy handed with some blocks so you stop your router from thinking it's connected to the internet.

Internal stuff like APs and Cameras check for unifi by name or IP depending on what you have set up, so they can report into the management system they're connected to.  That's why I have them not shown in the top10 lists in Pihole.  Funny thing is wouldn't a privacy advocate not want logs to be kept?
I see no trace.svc.ui.com, but my unifi management is self-hosted, and I have an EdgeRouter, rather than unifi.  I do see the pings, and static.ui.com, though.  Any idea what that is?
Link Posted: 2/23/2024 12:41:45 PM EDT
[Last Edit: Jakezor] [#12]
Originally Posted By ske714:


I see no trace.svc.ui.com, but my unifi management is self-hosted, and I have an EdgeRouter, rather than unifi.  I do see the pings, and static.ui.com, though.  Any idea what that is?
Just on the name I'd guess static.ui.com is for web assets that are changed or updated frequently and they don't want to release updates to integrate them into the local software.

Yup, open DevTools in your browser before you login to your Unifi setup, you can see what's being loaded from there, icons/gfx for stuff.  I see a Comcast icon, an AP icon, the Youtube icon.  All stuff that is fairly dynamic and would need near daily update downloads if it was to be all local.  I bet your stuff would still work if you block it, but you'd just be missing some icons.
Link Posted: 2/23/2024 12:53:14 PM EDT
[#13]
Originally Posted By Jakezor:


Just on the name I'd guess static.ui.com is for web assets that are changed or updated frequently and they don't want to release updates to integrate them into the local software.

Yup, open DevTools in your browser before you login to your Unifi setup, you can see what's being loaded from there, icons/gfx for stuff.  I see a Comcast icon, an AP icon, the Youtube icon.  All stuff that is fairly dynamic and would need near daily update downloads if it was to be all local.  I bet your stuff would still work if you block it, but you'd just be missing some icons.
Ah, gotcha.  I have icons for all my clients in the management.  That could be it, or part of it.
Link Posted: 2/27/2024 10:33:02 PM EDT
[#14]
I give up.

I know I am a loser.

Sorry for all of the questions.
Link Posted: 2/27/2024 11:46:07 PM EDT
[#15]
Sorry man I think you're just trying to do too much at the same time.  Sure thought you had Talk going though.
Link Posted: 2/28/2024 10:48:36 AM EDT
[#16]
OP request