Setting up Pi-hole

Whatever you want it to be.
Ok cheers, it seemed like it was asking for one that had already been set.

In your router just set the upstream DNS to be your Pi-hole's internal IP address instead of the default, and in your Pi-hole ensure DHCP is turned off and set its upstream DNS to Google, your ISP's DNS or whatever you prefer. Job done, and your router is doing the DHCP.
No can do on the SH3.

I have to manually set the DNS for each device.
 
I want my router to still do DHCP so I am going to use the conditional forwarding setting in the PiHole interface.

Conditional forwarding has nothing to do with DHCP; it's a DNS setting that tells Pi-hole to forward DNS requests for a given domain name to a specified DNS server.


So why not disable DHCP on the SH and let the Pi-hole do it? No need to statically set DNS servers on each device then.
 
Yeah I know, it's used to pull down the names of the connected devices rather than just seeing the IP?

I had weird issues when I let the Pi do DHCP, and it's used as a test bed really for random stuff so I am always formatting it etc.
 
Ah, so you want to use conditional forwarding to pick up the reverse DNS entries for your home subnet. It's been a while since I used an SH, but I'm sure mine didn't register PTR records.
Yeah, it's not a huge deal, I just thought I would enable it if it's there.

I will be switching to a Ubiquiti setup soon anyway so SH3 will be out of the way to be fair.
 
Get that SuperHub into modem mode and let the Pi do the hard work. You will however need a router between the Pi and the SH. I detest the SH3, right lump of junk from the start!
 
Yeah definitely, I have an EdgeRouter already but I need to pick up an AP for wireless. Once I have that I will be doing it the proper way, with the EdgeRouter just dishing out the Pi-hole as DNS.
 
Anyone else experiencing a really low block rate on their Pi-hole at the moment? It's gone from a good 30-40% blocked to only 7-10%.


These are the lists I use; does anyone have some better ones?
 
Mine is even worse but I do know why:


The reason mine looks quite so bad is that I've got conditional forwarding for PTR records on my home subnet set up, so there's a *HUGE* amount of queries being sent to my Unifi USG, something in the region of 1.2m of those 1.3m queries. I need to see if I can exclude those lookups from the statistics.

For now though I'll disable the conditional forwarding and see what sort of blocking percentage I end up with.
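An added example, not code from this thread: the post above notes that conditional forwarding for the home subnet floods the statistics with PTR lookups forwarded to the router. The script below parses dnsmasq-style query log lines (constructed sample, in the format dnsmasq's `log-queries` writes to `/var/log/pihole.log`) and computes the block rate twice, once as Pi-hole would count it and once with PTR lookups for the home subnet excluded. The wording of the "blocked" line varies between Pi-hole versions, so the `BLOCKED_RE` pattern is an assumption to adjust for your install.

```python
"""Block-rate calculation from dnsmasq/Pi-hole query log lines, with the
option to ignore reverse (PTR) lookups for a given home subnet."""
import ipaddress
import re

# Constructed sample in dnsmasq's log-queries format (not a real capture).
# PTR lookups for 192.168.1.0/24 are forwarded to the router 192.168.1.1
# by conditional forwarding; they are never blocked and skew the ratio.
SAMPLE_LOG = """\
Jan 13 20:01:01 dnsmasq[812]: query[A] www.example.com from 192.168.1.20
Jan 13 20:01:01 dnsmasq[812]: forwarded www.example.com to 1.1.1.1
Jan 13 20:01:01 dnsmasq[812]: reply www.example.com is 93.184.216.34
Jan 13 20:01:02 dnsmasq[812]: query[A] ads.tracker-example.net from 192.168.1.20
Jan 13 20:01:02 dnsmasq[812]: gravity blocked ads.tracker-example.net is 0.0.0.0
Jan 13 20:01:03 dnsmasq[812]: query[AAAA] www.example.com from 192.168.1.21
Jan 13 20:01:03 dnsmasq[812]: cached www.example.com is 2606:2800:220:1:248:1893:25c8:1946
Jan 13 20:01:04 dnsmasq[812]: query[A] metrics.tracker-example.net from 192.168.1.21
Jan 13 20:01:04 dnsmasq[812]: gravity blocked metrics.tracker-example.net is 0.0.0.0
Jan 13 20:01:05 dnsmasq[812]: query[PTR] 20.1.168.192.in-addr.arpa from 192.168.1.10
Jan 13 20:01:05 dnsmasq[812]: forwarded 20.1.168.192.in-addr.arpa to 192.168.1.1
Jan 13 20:01:05 dnsmasq[812]: query[PTR] 21.1.168.192.in-addr.arpa from 192.168.1.10
Jan 13 20:01:05 dnsmasq[812]: forwarded 21.1.168.192.in-addr.arpa to 192.168.1.1
Jan 13 20:01:06 dnsmasq[812]: query[PTR] 10.1.168.192.in-addr.arpa from 192.168.1.10
Jan 13 20:01:06 dnsmasq[812]: forwarded 10.1.168.192.in-addr.arpa to 192.168.1.1
Jan 13 20:01:06 dnsmasq[812]: query[PTR] 1.1.168.192.in-addr.arpa from 192.168.1.10
Jan 13 20:01:06 dnsmasq[812]: forwarded 1.1.168.192.in-addr.arpa to 192.168.1.1
Jan 13 20:01:07 dnsmasq[812]: query[PTR] 8.8.8.8.in-addr.arpa from 192.168.1.20
Jan 13 20:01:07 dnsmasq[812]: forwarded 8.8.8.8.in-addr.arpa to 1.1.1.1
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
# Assumption: covers the gravity/blacklist wording of several Pi-hole
# versions; check your own log and extend the pattern if needed.
BLOCKED_RE = re.compile(
    r"(?:gravity blocked|blacklisted|/etc/pihole/(?:gravity|black)\.list) (\S+) is "
)


def parse_queries(log_text):
    """Return one dict per query line; blocked=True when a later line
    reports that domain as blocked."""
    queries = []
    pending = {}  # domain -> most recent query record for that domain
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            rec = {"qtype": m.group(1), "name": m.group(2).lower(),
                   "client": m.group(3), "blocked": False}
            queries.append(rec)
            pending[rec["name"]] = rec
            continue
        b = BLOCKED_RE.search(line)
        if b and b.group(1).lower() in pending:
            pending[b.group(1).lower()]["blocked"] = True
    return queries


def ptr_to_ip(name):
    """'20.1.168.192.in-addr.arpa' -> IPv4Address('192.168.1.20');
    None if the name is not an IPv4 reverse-lookup name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    except ipaddress.AddressValueError:
        return None


def block_rate(queries, exclude_ptr_subnet=None):
    """Return (total, blocked, percent). When exclude_ptr_subnet is given,
    PTR lookups for hosts inside that subnet are left out of the count."""
    net = ipaddress.ip_network(exclude_ptr_subnet) if exclude_ptr_subnet else None
    kept = []
    for q in queries:
        if net is not None and q["qtype"] == "PTR":
            ip = ptr_to_ip(q["name"])
            if ip is not None and ip in net:
                continue
        kept.append(q)
    total = len(kept)
    blocked = sum(1 for q in kept if q["blocked"])
    pct = round(100.0 * blocked / total, 1) if total else 0.0
    return total, blocked, pct


if __name__ == "__main__":
    qs = parse_queries(SAMPLE_LOG)
    print("as counted:   %d queries, %d blocked, %.1f%%" % block_rate(qs))
    print("without PTR:  %d queries, %d blocked, %.1f%%"
          % block_rate(qs, exclude_ptr_subnet="192.168.1.0/24"))
```

Point it at a real log with `parse_queries(open("/var/log/pihole.log").read())`; the home-subnet PTR lookups are the ones conditional forwarding sends to the router, so excluding them gives the figure the dashboard would show with that option off.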
 
EDIT: I actually may have cracked this, as a VM just automatically connected using DHCP. So please don't yet read this huge post and start helping troubleshoot (i.e. wasting your time). I'll update either with more info or else a working guide once I've sussed it out.

Pi-Hole works great, but it's designed primarily to be a standalone server on an existing LAN. For example, if it gets an IP of 192.168.1.76 from your router it will then listen for requests on the same NIC from that over-arching LAN (192.168.1.0/24), in order to serve the other LAN clients with DNS and DHCP as required. I need it to work backwards to that, and have it installed on my x86 router to provide DNS and DHCP.

In other words, contrary to its usual MO it needs to take its upstream WAN connection for DNS resolving only (this will be plugged into my VM SH3), and listen for/serve clients on the machine's other physical interfaces. I've gotten it mostly working, but a more experienced eye would be helpful atm, if anyone can chip in?

I currently have a Dell Optiplex 7010 (i7 3700, 8GB RAM, Intel Pro 1000VT quad port server NIC) running Arch Linux with dnscrypt-proxy, dhcpd4 and Shorewall acting as our router and firewall. It runs three physical interfaces - WAN, LAN and DMZ (servers, CCTV and IoT). For obvious reasons, my Shorewall policy denies traffic going from DMZ > LAN, although LAN clients can still access the servers in the DMZ. The box itself is connected to an external WireGuard VPN provider, and shares this connection to the clients on the LAN interface only. Servers/devices on DMZ go out through the clearnet Virgin connection. Because of the convoluted setup, I didn't use wg-quick for this; I wrote some custom wg-up and wg-down shell scripts and a systemd unit to regulate the routing tables and ip link connections.

As I said above, I want to (ideally) replace this Arch install with something else so I can just use ufw and wg-quick to simplify things. OS doesn't matter but it'd be easier if it was Debian, Ubuntu or similar. I will keep the same subnet setup (WAN, LAN, DMZ) and already have a functional config for this using netplan (Ubuntu) or iface configs (Debian). Importantly though, and hence posting here, I want to replace dnscrypt-proxy and dhcpd4 with Pi-Hole on the router. In other words, replace multiple standalone tools (DNS over HTTPS, DHCP, blocking) with the one tool - Pi-Hole. This is somewhat anathema to its usual setup, in that it will have to ignore the WAN connection (the one it usually serves dhcp to/from as part of a wider LAN). I need to have it instead listen/act on the two LAN interfaces.

I have read the Arch Wiki, Pi-Hole docs etc and gotten this partially working in a VM. With Ubuntu server installed and netplan configured (ens33, ens34 and ens35 being WAN, LAN and DMZ respectively - the latter two being accomplished in the VM with LAN segments) I installed Pi-Hole using the usual install script. I set it to use Cloudflare upstream for now (normally I'd also install cloudflared and use DoH, but wanted to keep this simple to minimise variables). I made two new config files in /etc/dnsmasq.d/ as suggested by the Pi-Hole docs, and set them to listen on ens34 and ens35 respectively, to serve DHCP and DNS requests:

Code:
## This is /etc/dnsmasq.d/lan.conf and I also have ./dmz.conf with the interface name and DHCP range changed accordingly.

# Only listen on the router's LAN NIC.  Doing so opens up tcp/udp port 53 to
# localhost and udp port 67 to world:
interface=ens34

# dnsmasq will open tcp/udp port 53 and udp port 67 to world to help with
# dynamic interfaces (assigning dynamic ips). Dnsmasq will discard world
# requests to them, but the paranoid might like to close them and let the
# kernel handle them:
bind-interfaces

# Optionally set a domain name
#domain=example.com

# Set default gateway
dhcp-option=3,0.0.0.0

# Set DNS servers to announce
dhcp-option=6,0.0.0.0

# If your dnsmasq server is also doing the routing for your network,
# you can use option 121 to push a static route out.
# x.x.x.x is the destination LAN, yy is the CIDR notation (usually /24),
# and z.z.z.z is the host which will do the routing.
dhcp-option=121,10.10.10.0/24,10.10.10.1

# Dynamic range of IPs to make available to LAN PC and the lease time.
# Ideally set the lease time to 5m only at first to test everything works okay before you set long-lasting records.
dhcp-range=10.10.10.11,10.10.10.254,12h

# If you’d like to have dnsmasq assign static IPs to some clients, bind the LAN computers
# NIC MAC addresses:
#dhcp-host=aa:bb:cc:dd:ee:ff,192.168.111.50

I have enabled IP4 forwarding in UFW, and set the default policy to allow for testing so it doesn't add confounding variables while I get things working.

After rebooting the machine, I fired up some other client VMs (i.e. NICs set to use LAN segments pointing to the Pi-Hole router). DHCP just times out, and so no internet connection is established. If I manually set the network in those clients (eg assign a static IP of 10.10.10.20/24, dns 10.10.10.1, gateway 10.10.10.1) then the internet works perfectly. I can then access pi.hole/admin and when browsing random sites all ads are blocked.

So Pi-Hole is working but it seems either there's a conflict with dnsmasq in Pi-Hole thanks to my having static conf files *and* having 'enable DHCP' ticked in the Dashboard's settings, or something else along those lines. There's no actual dnsmasq service on the machine, as Pi-Hole handles it itself, so my config options are more limited. Can anyone see where I might have gone wrong, or offer any solutions? Last step after getting DHCP working is to enable WireGuard for LAN (not DMZ), but that's easier. TIA for any suggestions.
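An added example, not the poster's own code: the post above suspects a clash between the hand-written `lan.conf`/`dmz.conf` fragments and the DHCP configuration the dashboard writes when "enable DHCP" is ticked. The script below reads a set of `/etc/dnsmasq.d/` fragments (constructed samples modelled on the thread's files; the `02-pihole-dhcp.conf` name and contents are an assumption about what Pi-hole's dashboard writes) and reports the things a router-hosted Pi-hole should never have: an `interface=` naming the WAN NIC, `interface=` without `bind-interfaces` (which, as the fragment's own comments say, leaves dnsmasq bound to the wildcard address), and two `dhcp-range` pools that overlap on one subnet. `dnsmasq --test` remains the authoritative syntax check; this only catches the semantic conflicts dnsmasq itself will happily accept.

```python
"""Audit dnsmasq configuration fragments for a Pi-hole running on a router:
WAN bindings, missing bind-interfaces and overlapping DHCP pools."""
import glob
import ipaddress
import os

# Constructed sample fragments (assumptions for this example), modelled on the
# thread's lan.conf / dmz.conf plus a dashboard-generated DHCP file.
SAMPLE_FRAGMENTS = {
    "lan.conf": """\
interface=ens34
bind-interfaces
dhcp-option=3,0.0.0.0
dhcp-option=6,0.0.0.0
dhcp-range=10.10.10.11,10.10.10.254,12h
""",
    "dmz.conf": """\
interface=ens35
bind-interfaces
dhcp-option=3,0.0.0.0
dhcp-option=6,0.0.0.0
dhcp-range=10.10.20.11,10.10.20.254,12h
""",
    # Assumed to be what the dashboard writes with "enable DHCP" ticked and a
    # 10.10.10.50-200 range entered: a second pool on the LAN subnet.
    "02-pihole-dhcp.conf": """\
dhcp-authoritative
dhcp-range=10.10.10.50,10.10.10.200,24h
dhcp-option=option:router,10.10.10.1
""",
}


def parse_fragment(text):
    """Yield (key, value) per non-comment line; bare keywords give value None."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        yield key.strip(), (value.strip() if sep else None)


def dhcp_range_bounds(value):
    """First two IPv4 addresses of a dhcp-range value as (start, end), or None.
    Handles the tag:... and netmask forms by skipping non-address fields."""
    addrs = []
    for part in value.split(","):
        try:
            addrs.append(ipaddress.IPv4Address(part.strip()))
        except ipaddress.AddressValueError:
            continue
        if len(addrs) == 2:
            return addrs[0], addrs[1]
    return None


def audit(fragments, wan_ifaces):
    """Return a list of human-readable findings for the given fragments
    (dict of file name -> contents) given the set of WAN interface names."""
    findings = []
    ranges = []            # (file, start, end)
    bound = {}             # interface -> files that bind it
    has_bind_interfaces = False
    for fname, text in fragments.items():
        for key, value in parse_fragment(text):
            if key == "interface" and value:
                if value in wan_ifaces:
                    findings.append(f"{fname}: interface={value} binds DNS/DHCP on the WAN NIC")
                bound.setdefault(value, []).append(fname)
            elif key == "bind-interfaces":
                has_bind_interfaces = True
            elif key == "dhcp-range" and value:
                bounds = dhcp_range_bounds(value)
                if bounds:
                    ranges.append((fname, bounds[0], bounds[1]))
    if bound and not has_bind_interfaces:
        findings.append("interface= used without bind-interfaces: dnsmasq still binds the wildcard address")
    for iface, files in bound.items():
        if len(files) > 1:
            findings.append(f"interface={iface} repeated in {', '.join(files)}")
    for i, (fa, sa, ea) in enumerate(ranges):
        for fb, sb, eb in ranges[i + 1:]:
            if sa <= eb and sb <= ea:  # closed intervals intersect
                lo, hi = max(sa, sb), min(ea, eb)
                findings.append(f"{fa} and {fb}: dhcp-range overlap {lo}-{hi}, two DHCP pools on one subnet")
    return findings


def load_fragments(directory="/etc/dnsmasq.d"):
    """Read every *.conf in the directory into the dict audit() expects."""
    out = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.conf"))):
        with open(path) as fh:
            out[os.path.basename(path)] = fh.read()
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE_FRAGMENTS, wan_ifaces={"ens33"}):
        print("-", finding)
```

Run it against the live directory with `audit(load_fragments(), {"ens33"})`; an overlap finding between a hand-written fragment and the dashboard's file means both dnsmasq pools answer DHCPDISCOVER on the same segment, which is exactly the sort of conflict to rule out before blaming the firewall.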
 
Rather than having to manually set DNS on each device, I thought I would set Pi-hole to be the DHCP server (with the gateway setting in Pi-hole set to the router and DHCP off on the router) so that any device that connected to my router would automatically be assigned an IP and also Pi-hole as the DNS. However, since doing this Pi-hole doesn't seem to be blocking anything.

Do I need to do anything on the Settings -> DNS page? My plusnet router doesn't allow you to change the DNS settings which is why I'm having to do it this way.
 
Could just be a case that your devices are still using a router DHCP lease (and consequently not the Pi-hole for DNS).

On a Windows PC you can use

Code:
ipconfig /renew
ipconfig /flushdns

to try and renew the DHCP lease and clear the existing DNS cache.
 
Got it sorted now, and I was being an idiot. I had my VPN browser extension connected, which was bypassing Pi-hole. Turned it off and all seems to be working as normal...
 
Has anyone had any joy with the delight that is Channel 4/4OD? It seems it doesn't like me blocking 2a7e9.v.fwmrm.net which is a custom blacklist entry I came across on reddit. Their ads are so controlling that if you click on another tab for instance the ad stops till you open the tab again. Some of the ones during the catch up can be a few minutes long each. I'm using the default block lists plus a few custom blacklist entries.
 
Anyone else have an issue with the latest Pi-hole update that makes lighttpd give you a 503 web error?

*Edit
Turns out the apt-get update && apt-get upgrade had borked the php install, so a quick purge and reinstall and it's all happy.
 