Pi‐Hole - zbrewer/homelab GitHub Wiki

I use Pi-hole as my ad-blocking DNS server with Unbound DNS (running on OPNsense) as my upstream DNS server.

Installation

A normal, unprivileged container based on Debian or Ubuntu Server can be created and updated on Proxmox for the Pi-hole installation. It should be placed on the Servers VLAN, and the firewall should be configured to allow access to the Pi-hole server's IP address over TCP and UDP port 53 from all client IP address ranges/networks.

Next, the installation instructions here can be followed to complete the installation using the install script.

Configuration

The Pi-hole management console can be accessed at https://<pi-hole_ip_address>/admin.

Upstream DNS Configuration

The upstream DNS server used by Pi-hole is set on the Settings > DNS page of the web UI. When running Pi-hole in front of Unbound, set this to the address of the Unbound DNS server. The Use Conditional Forwarding option on the same page can also be enabled, specifying the gateway (router) IP address and the local network address space (such as 10.0.0.0/8), so that Pi-hole can resolve local client hostnames by forwarding those lookups to the router.

Cross-Subnet Support

By default, Pi-hole only responds to queries from the same subnet. To allow queries from all subnets, go to Settings > DNS in the Pi-hole admin console and, under Interface settings, select either Respond only on interface eth0 or Permit all origins. Both of these answer queries arriving from other subnets, so the firewall rule from the Installation section is what limits which networks can actually reach port 53 on the Pi-hole.

Router/Client Setup

In order to use Pi-hole as the DNS resolver for client devices, they must be configured to use the Pi-hole as their DNS server. This can be done by specifying the Pi-hole's IP address on each client device in the network settings or by specifying it as the DNS server in the DHCP configuration on the DHCP server. DHCP clients will need to disconnect and reconnect to the network to pick up the changes.

Adlists

The default adlist works fine but there are a few I prefer to enable instead (and disable the default):

The main addresses to add for these are given below:

https://big.oisd.nl/
https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt

Remember to run Tools > Update Gravity after adding the adlists so the new domains are pulled into the block list.

Client Groups

Client groups can be configured so that different adlists are applied to different clients.

First, add some groups, with whatever names you want, under the Groups tab. Then, go back to the Adlists page to assign each adlist to the groups it should apply to. Finally, go to the Clients tab and add clients to the groups they should be in. A client can be specified as a single IP address or as a subnet in CIDR notation. MAC addresses can only be used if the Pi-hole is also acting as the DHCP server.

Whitelist

In order to allow basic shopping on Google search, a few domains should be added to the whitelist on the Domains page. Specifically:

ad.doubleclick.net
adservice.google.com
googleadservices.com
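To make the Adlists, Client Groups and Whitelist sections above concrete, the following script is an added example (not from this wiki and not Pi-hole's own code) that models how Pi-hole arrives at a block decision: it parses adlists in both hosts format and bare-domain format, assigns lists to groups and clients to groups (by IP or CIDR, as on the Clients tab), and applies an exact-match whitelist. The list contents, group names and client subnets are constructed for the example; it models exact matching only and ignores regex and ABP-style entries.

```python
"""Model of how Pi-hole decides whether to block a domain for a client: the union of the
adlists assigned to the client's groups, minus the exact-match whitelist.
Added example; not Pi-hole's own code. The sample adlist contents below are constructed."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Hostnames that hosts-format lists carry but which are not ad domains.
_HOSTS_NOISE = {"localhost", "localhost.localdomain", "local", "broadcasthost",
                "ip6-localhost", "ip6-loopback"}


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_adlist(text: str) -> Set[str]:
    """Extract domains from an adlist in hosts format ('0.0.0.0 dom ...') or bare-domain format."""
    domains: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        if not line:
            continue
        tokens = line.split()
        if _is_ip(tokens[0]):
            tokens = tokens[1:]                       # hosts format: every later token is a hostname
        for tok in tokens:
            dom = tok.lower().rstrip(".")
            if dom and dom not in _HOSTS_NOISE:
                domains.add(dom)
    return domains


class Gravity:
    """Exact-match block decisions, grouped the way the Pi-hole UI groups adlists and clients."""

    def __init__(self) -> None:
        self.adlists: Dict[str, Tuple[Set[str], Set[str]]] = {}   # name -> (groups, domains)
        self.whitelist: Set[str] = set()
        self.clients = []                                          # (ip_network, groups)

    def add_adlist(self, name: str, text: str, groups: List[str]) -> None:
        self.adlists[name] = (set(groups), parse_adlist(text))

    def add_client(self, cidr: str, groups: List[str]) -> None:
        """A client entry is a single IP or a CIDR subnet, as on the Clients tab."""
        self.clients.append((ipaddress.ip_network(cidr, strict=False), set(groups)))

    def groups_for(self, client_ip: str) -> Set[str]:
        ip = ipaddress.ip_address(client_ip)
        groups: Set[str] = set()
        for net, g in self.clients:
            if ip in net:
                groups |= g
        return groups or {"Default"}         # unlisted clients fall back to the Default group

    def is_blocked(self, client_ip: str, domain: str) -> bool:
        dom = domain.lower().rstrip(".")
        if dom in self.whitelist:            # whitelist is exact: it does not cover subdomains
            return False
        groups = self.groups_for(client_ip)
        return any(dom in domains for list_groups, domains in self.adlists.values()
                   if list_groups & groups)


# Constructed sample lists (the real lists on this page are far larger).
GENERAL_LIST = """\
# hosts-format entries
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comment
127.0.0.1 localhost
# bare-domain entries
googleadservices.com
www.googleadservices.com
"""
STRICT_LIST = """\
games.example.com
video.example.com
"""


def build_sample() -> Gravity:
    g = Gravity()
    g.add_adlist("general", GENERAL_LIST, ["Default"])
    g.add_adlist("strict", STRICT_LIST, ["Kids"])           # hypothetical group name
    g.add_client("10.20.0.0/24", ["Default", "Kids"])       # whole subnet in both groups
    g.whitelist.add("googleadservices.com")                 # from the Whitelist section above
    return g


if __name__ == "__main__":
    g = build_sample()
    for client, dom in [("10.10.0.5", "ads.example.net"), ("10.10.0.5", "games.example.com"),
                        ("10.20.0.7", "games.example.com"), ("10.20.0.7", "googleadservices.com"),
                        ("10.20.0.7", "www.googleadservices.com")]:
        print(client, dom, "blocked" if g.is_blocked(client, dom) else "allowed")
```

The last two cases in the usage loop show why whitelisting only googleadservices.com still leaves www.googleadservices.com blocked: both gravity and the whitelist match the exact name, so the www variant needs its own whitelist entry if a list contains it.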

Forcing Pi-hole Use (for IoT Devices)

Some (typically IoT) devices have hard-coded DNS servers. In order to force these to use the Pi-hole, a NAT port-forward rule can be created in OPNsense that redirects their DNS traffic to the Pi-hole.

Under Firewall > NAT > Port Forward, add an entry with the following settings:

Interface: the IoT VLAN interface (or whichever interface the rule should apply to)
Protocol: TCP/UDP
Source address/ports: *
Destination: IoT net (or the appropriate network), with Destination/Invert enabled so the rule matches DNS traffic addressed anywhere outside that network (i.e. the hard-coded external servers)
Destination port: 53
Redirect target IP: the Pi-hole's IP address
Redirect target port: DNS (53)

Save the rule and apply. OPNsense will also automatically create the necessary firewall rule. Because the rule matches port 53 only, it catches plain DNS; devices that use DNS over HTTPS or DNS over TLS are not redirected by it.
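A way to verify both the Cross-Subnet Support setting and the port-53 redirect above, as an added example (not from this wiki, not Pi-hole or OPNsense code): the script builds a raw UDP DNS query, sends it to whatever resolver address you name, and classifies the reply. Run from a host on another VLAN against the Pi-hole's IP it confirms cross-subnet answers; run from an IoT-VLAN host against an external resolver IP for a domain that is on your adlists, a "blocked" verdict (Pi-hole's default NULL blocking mode answers 0.0.0.0) shows the redirect delivered the query to Pi-hole. The build_response helper and the domain names used in the usage comments are constructed for offline checking.

```python
"""DNS probe for checking that Pi-hole answers from another subnet and that the
OPNsense port-53 redirect takes effect. Added example; not Pi-hole or OPNsense code."""
import random
import socket
import struct
from typing import List, Optional, Tuple


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a minimal DNS query: one question, recursion desired, A record by default."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a domain name, honouring compression pointers."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_a_records(data: bytes, expected_txid: Optional[int] = None) -> Tuple[int, List[str]]:
    """Return (rcode, [IPv4 answers]) from a DNS response; reject mismatched transaction ids."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4      # skip QTYPE and QCLASS
    addrs: List[str] = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return flags & 0x000F, addrs


def classify(rcode: int, addrs: List[str]) -> str:
    """Interpret an answer: Pi-hole's default (NULL) blocking mode answers 0.0.0.0 for blocked names."""
    if rcode == 3:
        return "nxdomain"
    if rcode != 0:
        return "error rcode=%d" % rcode
    if addrs and all(a == "0.0.0.0" for a in addrs):
        return "blocked"
    return "resolved" if addrs else "empty"


def build_response(txid: int, name: str, addrs: List[str], rcode: int = 0) -> bytes:
    """Constructed sample response (for offline checks): echoes the question, answers with A records."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    question = build_query(name, txid=txid)[12:]
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a) for a in addrs
    )
    return header + question + answers


def probe(server: str, name: str, timeout: float = 2.0) -> Optional[str]:
    """Send one UDP query to `server` and classify the reply; None means no answer within timeout."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid=txid), (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return classify(*parse_a_records(data, txid))


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <resolver-ip> <domain>
    # e.g. python probe.py <pi-hole_ip_address> ads.example.net   (from another VLAN)
    #      python probe.py <external-resolver-ip> ads.example.net (from the IoT VLAN)
    server, name = sys.argv[1], sys.argv[2]
    print(server, name, probe(server, name))
```

A None result from the other-VLAN run points at either the Interface setting still being on its default or the port 53 firewall rule being missing; a "resolved" result from the IoT-VLAN run for a domain you know is on an adlist means the external resolver answered directly and the NAT rule did not match.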

Monitoring

Monitoring Pi-hole with InfluxDB and Grafana can be accomplished with the avojak/pihole-influxdb-monitor GitHub project. This is a simple Docker container that reads statistics from one or more Pi-hole instances and publishes them to InfluxDB. It also includes a Grafana dashboard configuration. Instructions are given in the README of that project, but I'm running this as its own Docker Compose stack configured directly in Portainer for simplicity.