Setting up Pi-hole

I've often been asked why I have two Piholes. My answer is always the same in that it's for redundancy, in case one breaks. That doesn't take into account stupidity which is what happened a day or say ago.

I had two piholes, pihole-buster1 and pihole-buster2, the former running on a P4 and the latter on a Zero. I swapped the Zero for a Zero2 and it was just a case of moving the SD card over and it worked perfectly. I didn't expect that to work when going from a 4 to a Zero2W and I was right.

Rebuilding was easy enough, I called the new one pihole-bullseye1 and got it all set up nicely. I have various scripts running that copy files from 1 to 2 and if I need to make any changes on 1, they get replicated to 2 overnight.

Where I made a mistake was by mistyping a - for an = in /etc/dnsmasq.d/02-pihole-dhcp.conf. I didn't restart the service after editing the file on pihole-bullseye1 so it didn't show up as a problem. At 01:00 in the morning, the file was replicated over to pihole-buster2 and the FTL service restarted. Because of the typo, the services I restart failed to restart leaving it effectively down.

You see where it all went a bit rubbish and then where I recovered it the next morning.
byFwniv.jpeg

The new one did a splendid job though and everything continued working. This was a proper trial by fire, you can see I only got it online a few hours before.
YDsVQM2.jpeg

"So @Feek, how do you have two Piholes working together?" I hear you ask.

It's pretty straightforward although it sounds confusing as I type it.

My Piholes run DHCP as well as DNS so they're each configured slightly differently.

From the dashboard, go to Settings / DHCP

On the first Pihole, I have the DHCP server enabled and the range of IP addresses is set from 192.168.1.20 to 192.168.1.59
On the second Pihole, I also have the DHCP server enabled and the range of IP addresses is set from 192.168.1.60 to 192.168.1.100

That gives me a total of 80 available DHCP addresses in the pool. I have the lease time set to just 6 hours on both so there are always plenty of available leases.

The next thing I do is to edit /etc/dnsmasq.d/02-pihole-dhcp.conf and add an extra line.

The two Piholes are on 192.168.1.11 and 192.168.1.12

On the first Pihole, I add
dhcp-option=6,192.168.1.11,192.168.1.12

On the second Pihole, I add
dhcp-option=6,192.168.1.12,192.168.1.11

(then restart FTL/dns or just reboot the Pi)

That means that any device which DHCPs from the first Pihole will be given the first Pihole as a primary DNS address and the second Pihole as a secondary DNS address. And vice versa, the second Pihole gives itself as primary and the other one as secondary.

If either of the Piholes goes down, the other one will be used as a secondary DNS server and everything will continue working.

In all the years I've been running two Piholes, this incident above is the first time I've ever had a failure and that was entirely down to user error. They really are such fantastically reliable things. Having said that, even knowing how reliable they are, I still wouldn't be comfortable with just one.
 
Why use DHCP on the piholes instead of the router?

I have one instance of pi hole (with unbound as a recursive resolver) running on my main home server and I keep DHCP on the router as I have some networks that don’t use the pi hole (e.g. guest network). I also allow the router to get DNS servers from upstream (ISP) then set all my DHCP servers for VLANs where I want blocking to give out pi-hole as primary and then fallback to the router for secondary server. Technically that means some clients can escape the pi hole if they use secondary dns server by default, but I’m mostly using it to block ads and in practice I never see any that should be blocked - it works well. Also, if pi-hole goes down or the server goes down for some reason and the router is still up, I can continue to get DNS resolution.

I considered using my rpi to be a secondary system but this works fairly well and I’m not worried if sometimes traffic escapes it.

Just another approach I guess, I can see why you’d want to capture all traffic. I stopped doing that after the pi sd card died and it took me a while to get all clients back up once I realised.
 
Feek said:
Because then the dashboard shows IP addresses, not client names and I couldn't get Conditional forwarding to do what it's supposed to.

I take a backup of the SD card automatically once a week onto the NAS so if the card fails, I can get it back up and running very quickly.
Click to expand...
Mines been running on a sd card for like 5 years without a issue....

Basically just get a decent sd card. They last ages
 
Backups are never important until you need them. Just because it's run well for 5 years doesn't mean you should negate backing it up.
 
Got a bit of one here I'm not sure if anybody can help with.

All my kids devices on our my Guest network run on my Google Nest Router.

I've got a Pi setup with Pi-Hole, running on ethernet and that Pi is shared with the guest network.

Adding a manual DNS to my kids phone and tablet shows no internet connection - any ideas?

Not possible to do network wide DNS for numerous reasons, so I need it to be device specific.
 
jrwagh333 said:
Got a bit of one here I'm not sure if anybody can help with.

All my kids devices on our my Guest network run on my Google Nest Router.

I've got a Pi setup with Pi-Hole, running on ethernet and that Pi is shared with the guest network.

Adding a manual DNS to my kids phone and tablet shows no internet connection - any ideas?

Not possible to do network wide DNS for numerous reasons, so I need it to be device specific.
Click to expand...

By default PiHole will only do DNS queries for hosts on the same subnet as the PiHole machine. So if your PiHole machine is on your LAN and it's not working from the guest network and you're 100% sure that you've allowed the traffic in your router then that's probably the problem.

Open the web interface and go to Settings - DNS. Under interface settings untick the option to allow only local requests.
 
Feek said:
Useful tip.

From the dashboard, select adlists.
Add https://dbl.oisd.nl

I've turned off the default block lists and only use that one.
Click to expand...
I know I put you onto OISD a while back, Feek, but try the newer Hagezi blocklist in its place. Gerd (the guy who maintains the repo) has done an amazing job collating an 'all in one' block list (incorporating OISD amongst others) but based primarily on 1Hosts. He takes out all dead domains, and has his own massive custom white and black list to allow sites to continue working while cutting out all the crud.

Hagezi's lists are more aggressive than OISD (i.e. blocks more bad stuff) but the FP rate is basically zero by now. Payment gateways, online shopping, social media, warez, anything like that all works fine. I find it blocks up to twice as much as OISD, and I was happy to work with Gerd over the end of last year to tweak it, limit FPs for nerdy folks (VPS and server stuff etc), and add some extra tracking protection.

You can use it as your sole list no probs, and it has the entirety of OISD in there (as well as 1Hosts Pro, uBlock Origin's lists, Easylist, AdGuard DNS filter etc) so you're not losing out. It also blocks native device tracking (Samsung, Apple, Microsoft, Alexa/Amazon, etc) and badware. Try it for 24h and let me know what you think?

ABP format (FTL >5.22, AGH etc)
Hosts format (FTL <5.22)
 
Feek said:
@Rainmaker
I’ll take a look, thanks. That first link of yours has fewer entries than the OISD list though so how can it contain it and have more?

So many options though.

github.com

GitHub - hagezi/dns-blocklists: DNS-Blocklists: For a better internet - keep the internet clean!

DNS-Blocklists: For a better internet - keep the internet clean! - hagezi/dns-blocklists
github.com github.com
Click to expand...
Hagezi's list is compressed and uses ABP format where possible. The Pro++ list containing OISD and others actually currently blocks 1,396,175 domains compressed down to just over half a million list entries (you can see it in the table and by checking the Sources page). The OISD list by comparison has closer to 250,000 entries. Make sure you're comparing like to like (ABP to ABP format or hosts to hosts format). I just checked and the OISD ABP format list currently has 298,069 lines and Hagezi's has 526,412 lines. That's not a perfect way to count but it's definitely about double the size!

The Sources page on Hagezi's repo gives you a list of all included lists and what percentage were used/removed/dead.There's also a matrix on his repo showing which lists include what (so the Pro++ already contains everything in preceding lists plus TIF plus personal etc), so you don't need to add extra lists, you'd just be duplicating. I recommend Pro++ as it's balanced and doesn't block things you wouldn't like it to.

e: Clarity.
 
Last edited:
I’m really confused now.

I have two piholes. On the first one, I’ve got the oisd list. Currently it shows 862,560 blocked domains on the dashboard. On the second one, I switched over to the ABP format file you’ve posted and it shows 526,402 domains on the dashboard.

/edit - ahh, the second list you’ve posted shows 1,396,175 on the dashboard. I shall give it a go for a few days, thank you :)

(Yes, I am running FTL 5.22)
 
Feek said:
I’m really confused now.

I have two piholes. On the first one, I’ve got the oisd list. Currently it shows 862,560 blocked domains on the dashboard. On the second one, I switched over to the ABP format file you’ve posted and it shows 526,402 domains on the dashboard.

/edit - ahh, the second list you’ve posted shows 1,396,175 on the dashboard. I shall give it a go for a few days, thank you :)

(Yes, I am running FTL 5.22)
Click to expand...

The 'smaller' Hagezi list I posted (ABP format) is superior. It lists less domains but blocks more, because of how ABP format works. For example, to block bad stuff on imaginary domain.com a hosts file (the 1,396,175 domains format list) would need to be written like this:

Code: 
0.0.0.0 tracker.domain.com
0.0.0.0 tracker.3p.domain.com
0.0.0.0 pixel.domain.com
0.0.0.0 metrics.domain.com
0.0.0.0 metrics-ingest.domain.com
0.0.0.0 sentry.domain.com
...etc

On the other hand, ABP format lists would do all that with just:

Code: 
||domain.com

Despite having (in this case) one single entry, the ABP format list blocks every domain associated with domain.com - even if there's a million of them. The hosts format list has many more lines (is more bloated) but can only block the exact subdomains on the list. So, hosts files are bigger (and look 'more impressive' if you don't know how they work), are slower, less finessed and take up more CPU and RAM - despite being worse. If the 'smaller' ABP format Hagezi Pro++ list (my first link) works for your PiHole install, use it. :)
 
Last edited:
@Rainmaker Well nothing amiss noticed today, I ended up using next level down from the one you suggested, the 'Multi PRO' list simply because the next level up says it may introduce some false positives.

Multi PRO - Extended protection (Recommended)​

Big broom - Cleans the Internet and protects your privacy! Blocks Ads, Affiliate, Tracking, Metrics, Telemetry, Phishing, Malware, Scam, Fake, Coins and other "Crap".

Using this link for the actual list, the ABP format version.
 
You must log in or register to reply here.
Back
Top Bottom