RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

Static DNS best practice with dedicated server

Thu May 14, 2020 2:10 am

Hi,

I have been playing around with PiHole on Raspberry Pi. It has been working pretty well as a network wide ad blocker and has certainly increased performance on mobile devices.

I am specifying the DNS server in the DHCP server/network/dns servers setting. I have not found a good way to specify static DNS entries on Pihole.

Would a good solution be to remove any servers from the IP/DNS server list, but specify any static IP under the static tab, then specify 2 DNS servers in the DHCP server - the first being the router, the 2nd pointing to the Pihole DNS server?

Would queries check the router DNS (including static entries), then look to Pihole for all else? Probably not terribly efficient. Is there a better way to do this - I am still getting the hang of DNS and Pihole.

Thanks in advance for any help.
 
RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

Re: Static DNS best practice with dedicated server

Thu May 14, 2020 4:58 am

LOL - 2 days ago Pihole V5 was released and ..... wait for it..... Local DNS records can now be added. Yay - it seems to be working. They have made a number of enhancements. You can read more about it here, if you are so inclined: https://pi-hole.net/2020/05/10/pi-hole- ... ge-content

I am still curious if someone would chime in about how the DNS servers would resolve one another.... and what the best practice is to integrate this with MikroTik DNS.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Static DNS best practice with dedicated server

Thu May 14, 2020 6:26 am

Think of all of a device's DNS servers as equal (all need to have the same info); the device can ask any of them at any time. It may not be strictly true, different systems may use different algorithms. But you can't rely on the first one always being asked first. And even if it were, it could be just a little slow and the system will ask another, and if that one happens to answer faster, you could get a "wrong" response. And because every record has a TTL (how long it's valid), as long as it doesn't expire, the system won't send the same query again. So you'll see random failures on different devices. The same record will work on one and not on another, and after a while it suddenly starts working again, and stops working somewhere else. It's real fun to debug something like that.
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Static DNS best practice with dedicated server

Thu May 14, 2020 6:59 am

Not sure if this is the proper way of handling DNS, but I left Cloudflare as DNS under DHCP-Server>Network and use NAT to redirect to my Pi-hole instance. My Pi-hole has the router set as its DNS so that I could use Static DNS, and the router has Cloudflare set for its DNS. I have some that I don't want going to the Pi-hole, so I use an address list to exempt them and a second set of NAT rules as a catch-all to redirect to the router so that static entries still work.
/ip firewall nat
add action=dst-nat chain=dstnat comment="DNS Redirect to PI-Hole" dst-port=53 protocol=udp src-address=!my.pi-hole.ip.add src-address-list=!DNS-Bypass to-addresses=my.pi-hole.ip.add to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=!my.pi-hole.ip.add src-address-list=!DNS-Bypass to-addresses=my.pi-hole.ip.add to-ports=53

add action=dst-nat chain=dstnat comment="DNS Redirect to Router" dst-port=53 protocol=udp src-address=!my.pi-hole.ip.add to-addresses=my.router.ip.add
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=!my.pi-hole.ip.add to-addresses=my.router.ip.add
To just redirect to your Pi-hole, use the first 2 rules and omit the src-address-list...
 
RackKing
Member
Topic Author
Posts: 380
Joined: Wed Oct 09, 2013 1:59 pm

Re: Static DNS best practice with dedicated server

Thu May 14, 2020 7:20 am

Not sure if this is the proper way of handling DNS, but I left Cloudflare as DNS under DHCP-Server>Network and use NAT to redirect to my Pi-hole instance. My Pi-hole has the router set as its DNS so that I could use Static DNS, and the router has Cloudflare set for its DNS. I have some that I don't want going to the Pi-hole, so I use an address list to exempt them and a second set of NAT rules as a catch-all to redirect to the router so that static entries still work.
/ip firewall nat
add action=dst-nat chain=dstnat comment="DNS Redirect to PI-Hole" dst-port=53 protocol=udp src-address=!my.pi-hole.ip.add src-address-list=!DNS-Bypass to-addresses=my.pi-hole.ip.add to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=!my.pi-hole.ip.add src-address-list=!DNS-Bypass to-addresses=my.pi-hole.ip.add to-ports=53

add action=dst-nat chain=dstnat comment="DNS Redirect to Router" dst-port=53 protocol=udp src-address=!my.pi-hole.ip.add to-addresses=my.router.ip.add
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=!my.pi-hole.ip.add to-addresses=my.router.ip.add
To just redirect to your Pi-hole, use the first 2 rules and omit the src-address-list...
Thanks - that is a pretty slick idea. Looks like you get the best of both worlds with this. I see the new Pihole has per-client and grouping blocking options now.... that adds a great deal of flexibility.

Did you add the router to one of the custom dns options? I have played around with the conditional forwarding?

I appreciate you sharing your solution - thank you.
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Static DNS best practice with dedicated server

Thu May 14, 2020 7:43 pm

It has its drawbacks as well! When forwarding, the Pi-hole only sees the Router as a client, so the per-client/group blocking won't work. Devices on my network only get 1.1.1.1 & 1.0.0.1, so if I were to disable both sets of NAT rules the devices would still have functioning DNS. I originally had set the Pi-Hole and a separate Mikrotik (CHR) device as the DNS for my devices, but discovered my folly when the server both instances were running on crashed and I had to go to each device in my network, which spans 3 houses and 4 outbuildings, to renew DHCP leases. This is why I settled on only using Cloudflare as client DNS and just forwarding. I may in the future give Pi-hole an address outside my LAN so that clients can connect directly again. I briefly attempted this, but ran into issues with unRAID and just haven't spent the time on it.

Yes, I added my Router as a Custom Server and disabled all others.
 
anav
Forum Guru
Posts: 19352
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Static DNS best practice with dedicated server

Fri May 15, 2020 3:58 pm

Great discussion, I tried pihole once but the system slowed down, and complaints from users, since I didn't know what I was doing, caused me to pull the plug on the idea.
In other words your discussion, as simple as it is, is still not basic enough for me. :-(
Flavour based on questions below.

What is the best approach to inserting PI hole as the DNS resolver and by that I mean the basic starting point is difficult.
1. Put PiHole on its own port?
2. Put PiHole on its own subnet?
3. Put PiHole on its own VLAN?

4. How to assign all my VLANs to use pihole, and should I??
5. How to set up DHCP servers wrt DNS
6. How to set up IP DNS
7. Do you redirect users (force to use pihole DNS source)?
8. Biggie - how to direct all DNS to pi hole BUT............ Pihole still has to get out the router to make the requests (how is this best accomplished)???
9. What happens if there is a pihole failure, what is the backup plan so my network doesn't completely fail.

Would most likely use either Cloudflare 1.1.1.1 or Quad9 9.9.9.9
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Static DNS best practice with dedicated server

Fri May 15, 2020 5:13 pm

@anav

1. Not sure what you mean!?!? (leave on tcp,udp :53)
2. I believe this would be best, so if there is an issue with it you can redirect to somewhere else. (see 9.)
3. This would be more personal preference. I only use vlan for my Guest network.
4. 192.168.254.1 is pi-Hole in this example:
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.254.1 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.254.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.254.1 gateway=192.168.2.1
5. See 4.?!?!
6. Not sure what you mean..
7. If you need to redirect use: (but it is best to configure clients to use directly (see 2.))
/ip firewall nat
add action=dst-nat chain=dstnat comment="DNS Redirect to PI-Hole" dst-port=53 protocol=udp src-address=!my.pi-hole.ip.add to-addresses=my.pi-hole.ip.add to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=!my.pi-hole.ip.add to-addresses=my.pi-hole.ip.add to-ports=53
8. See 7. (src-address=!my.pi.ip.add)
9. Use 2 pi-Holes or on failure redirect to Router:
/ip firewall nat
add action=dst-nat chain=dstnat comment="DNS Redirect to Router" dst-port=53 protocol=udp dst-address=my.pi-hole.ip.add to-addresses=my.router.ip.add
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp dst-address=my.pi-hole.ip.add to-addresses=my.router.ip.add
I am running pi-Hole as a Docker image on my unRAID server so I can not attest to the performance of using a pi-device.
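The "on failure redirect to Router" half of answer 9 can be automated so the swap does not need a human. The following is an added example, not 2frogs' or MikroTik's own config; it assumes the Pi-hole is 192.168.254.1 (as in answer 4) and the router is 192.168.0.1, and it keeps both rule sets installed but only one enabled at a time, so rule order does not matter.

```routeros
# Added example (constructed addresses): Pi-hole at 192.168.254.1, router at 192.168.0.1.
# Router resolver must answer LAN clients and hold the static entries the thread discusses.
/ip dns set servers=1.1.1.1,1.0.0.1 allow-remote-requests=yes
/ip dns static add name=nas.home.lan address=192.168.0.50 comment="example static entry"

/ip firewall nat
# Normal path: everything on port 53 goes to the Pi-hole; the src-address=! guard keeps
# the Pi-hole's own upstream queries from being looped back to itself.
add chain=dstnat action=dst-nat comment="DNS Redirect to PI-Hole" protocol=udp dst-port=53 src-address=!192.168.254.1 to-addresses=192.168.254.1 to-ports=53
add chain=dstnat action=dst-nat comment="DNS Redirect to PI-Hole" protocol=tcp dst-port=53 src-address=!192.168.254.1 to-addresses=192.168.254.1 to-ports=53
# Fallback path: identical match, but to the router; starts disabled.
add chain=dstnat action=dst-nat comment="DNS Redirect to Router" protocol=udp dst-port=53 src-address=!192.168.254.1 to-addresses=192.168.0.1 to-ports=53 disabled=yes
add chain=dstnat action=dst-nat comment="DNS Redirect to Router" protocol=tcp dst-port=53 src-address=!192.168.254.1 to-addresses=192.168.0.1 to-ports=53 disabled=yes

# Netwatch pings the Pi-hole every 30s and swaps the two rule sets on a state change,
# logging each transition so the failover is visible in /log.
/tool netwatch
add host=192.168.254.1 interval=30s timeout=2s comment="Pi-hole DNS failover" \
    down-script="/ip firewall nat set [find comment=\"DNS Redirect to PI-Hole\"] disabled=yes; /ip firewall nat set [find comment=\"DNS Redirect to Router\"] disabled=no; :log warning \"Pi-hole down: DNS redirect failed over to router\"" \
    up-script="/ip firewall nat set [find comment=\"DNS Redirect to Router\"] disabled=yes; /ip firewall nat set [find comment=\"DNS Redirect to PI-Hole\"] disabled=no; :log info \"Pi-hole up: DNS redirect restored\""
```

Netwatch only tests ICMP reachability, so a Pi-hole that still answers ping while its resolver has hung will not trigger the swap; verify a test failover with `/ip firewall nat print` and the log before relying on it.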
