Pi-hole on a business network

(Or a home network.)

ENV: Pi-hole 5 on a CentOS 7 LXC container on Proxmox VE 6
Skipping the original home of Pi-hole (the Raspberry Pi) and going straight to desktop-series processors on Proxmox for reduced latency and better performance when querying the Pi-hole database log. I wouldn't expect any performance difference for everyday resolver operations between a latest-gen RPi and a desktop/server.

Usage

This is a recommendation guide for IT professionals looking to add monitoring and control over DNS at the network level. It involves introducing pihole as a first-level resolver between your client systems and your existing network/DNS infrastructure, to provide detailed logging, statistics and domain blocking control.

Client Systems
    <->
pihole
    <->
Existing DNS with DHCP entries, local domain entries and domain overrides/forwarders
    <->
Public DNS resolution services (1.1.1.1, 8.8.8.8, <your preference here>)

By introducing pihole at that layer you see all client activity and retain the ability to have DHCP names resolved.
At this stage I cannot recommend the pihole DHCP service, especially if you already trust your existing service (in my case the ISC DHCP Server 4 on pfSense). This method also lets you bring the new DNS server online, and roll back, simply by changing the DNS server list handed out by the existing DHCP service.

This setup heavily recommends enabling DNSSEC support and using DNS over TLS for public name resolution. Make sure your upstream service supports both, and that your public resolution service supports DNS over TLS.
In pfSense you'll need to be using the DNS Resolver (unbound), not the DNS Forwarder (dnsmasq), to get DNSSEC and DNS over TLS.

Setup

Spin up a recent CentOS 7 LXC container.
Set pihole as your second-priority server, starting just behind your firewall. Enable start at boot.
yum upgrade (yum's equivalent of apt's dist-upgrade; yum has no dist-upgrade command)
Install/enable openssh-server, wget, git
ln -sf /usr/share/zoneinfo/<Region>/<City> /etc/localtime

At your own risk, download and run the install script.
# wget -O basic-install.sh https://install.pi-hole.net
# <Check script>
# sudo bash basic-install.sh

Alternatively, install via the GitHub method described here.

Go to http://<host-ip>/admin/ and log in with the password printed in the install log,
or reset it with “pihole -a -p” in your console.

“pihole -up” is used to update the service, refresh the pulled domain lists and restart.

Config

cd /etc/pihole

#! pihole-FTL.conf
RATE_LIMIT=10000/30
BLOCK_ICLOUD_PR=false
MAXDBDAYS=28
PRIVACYLEVEL=0
RESOLVE_IPV6=no

The options above are not exposed in the web interface.
RATE_LIMIT: raise the per-client rate limit to 10,000 queries per 30-second period; the default of 1000 per 60 seconds breaks some applications.
BLOCK_ICLOUD_PR=false: stop blocking iCloud Private Relay so iOS devices can use the new mail relay and auto-VPN features.
MAXDBDAYS=28: keep 28 days of query history to reduce database size.
PRIVACYLEVEL=0: log all details on all requests.
RESOLVE_IPV6=no: don't try to resolve IPv6 addresses to hostnames; leave it off unless you're actively using IPv6.
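The settings above are usually pasted into pihole-FTL.conf by hand. The script below is an added example, not part of the original post or of Pi-hole itself: it sets each key idempotently (replacing an existing line rather than appending a duplicate, since a stray second copy of a key is an easy way to end up running with a value you did not intend), reads a value back, and applies the post's settings. It assumes the Pi-hole 5 paths (/etc/pihole/pihole-FTL.conf) and the `pihole restartdns` command; FTL_CONF can be pointed at a scratch file for a dry run.

```shell
#!/bin/sh
# Added example: idempotent editing of pihole-FTL.conf.
# Assumes Pi-hole 5 layout; override FTL_CONF to test against a scratch file.

FTL_CONF="${FTL_CONF:-/etc/pihole/pihole-FTL.conf}"

# set_ftl_option KEY VALUE
# Replaces an existing KEY=... line in place, or appends one if absent,
# so running this twice never leaves two copies of the same key.
set_ftl_option() {
    key="$1"
    value="$2"
    [ -f "$FTL_CONF" ] || : > "$FTL_CONF"
    if grep -q "^${key}=" "$FTL_CONF"; then
        # Anchored on the key name so a value that merely contains the
        # key text elsewhere in the file is not touched.
        sed -i "s|^${key}=.*|${key}=${value}|" "$FTL_CONF"
    else
        printf '%s=%s\n' "$key" "$value" >> "$FTL_CONF"
    fi
}

# get_ftl_option KEY -> prints the current value (empty if unset).
# FTL takes the last occurrence, so tail -n 1 mirrors what it would read.
get_ftl_option() {
    grep "^$1=" "$FTL_CONF" | tail -n 1 | cut -d= -f2-
}

# apply_post_settings: the values discussed in the post.
apply_post_settings() {
    set_ftl_option RATE_LIMIT 10000/30
    set_ftl_option BLOCK_ICLOUD_PR false
    set_ftl_option MAXDBDAYS 28
    set_ftl_option PRIVACYLEVEL 0
    set_ftl_option RESOLVE_IPV6 no
}

# Only write the real file and restart FTL when explicitly asked:
#   sudo sh ftl-conf.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_post_settings
    pihole restartdns
fi
```

Run it once with FTL_CONF pointed at a temporary file to see exactly what it would write before touching the live config.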

In the web interface, Settings (left side) > DNS:
Untick all upstream servers. Add a custom one pointing at your pfSense.
Tick: Never forward non-FQDN A and AAAA queries; Never forward reverse lookups for private IP ranges; and Use DNSSEC

DHCP Tab: Disable All

In pfSense make sure unbound is only using DNS over TLS to your preferred public resolver.
Make sure DNSSEC is on to validate results from signed zones.

Optionally add some additional lists under Group Management > Adlists.
I've added https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt and https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt to block some known crypto-mining domains and hostile or tracking services. Assign them to the default client group.

Test

Bounce some queries off your new server using dig or delv.

Check DNSSEC validity
dig +dnssec blog.mqbx.nl @<piholeip>
delv blog.mqbx.nl @<piholeip>
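Eyeballing dig output is error-prone, and a "clean" NOERROR answer alone does not prove validation is happening. The script below is an added example, not from the original post, that makes the dig check above mechanical: it parses dig's header for the status and the `ad` (authenticated data) flag, and in live mode also queries dnssec-failed.org, a public test zone whose signature is deliberately broken, which a validating resolver must answer with SERVFAIL. The sample dig headers embedded in the script are constructed, not captured from a real server, so the parsing helpers can be exercised offline; `check_resolver` assumes dig is installed.

```shell
#!/bin/sh
# Added example: verify a resolver is really validating DNSSEC.
# Two signals: a signed zone must come back with the ad flag, and a zone
# with a broken signature must come back SERVFAIL rather than resolving.

# has_ad_flag: true if dig's flags line (on stdin) contains "ad".
has_ad_flag() {
    grep -E '^;; flags:.* ad[ ;]' >/dev/null
}

# rcode: prints the status from dig's header line (NOERROR, SERVFAIL, ...).
rcode() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'
}

# classify_dig_output: reads dig output on stdin and prints one of
#   validated    NOERROR with ad set
#   unvalidated  NOERROR without ad: answer unsigned or not checked
#   servfail     resolver refused to return the answer
#   other:<RCODE>
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | rcode)
    case "$status" in
        NOERROR)
            if printf '%s\n' "$out" | has_ad_flag; then
                echo validated
            else
                echo unvalidated
            fi ;;
        SERVFAIL) echo servfail ;;
        *) echo "other:${status:-none}" ;;
    esac
}

# check_resolver PIHOLE_IP: live check. Exit status 0 only if both the
# signed zone validates and the broken zone is refused.
check_resolver() {
    server="$1"
    good=$(dig +dnssec blog.mqbx.nl @"$server" | classify_dig_output)
    bad=$(dig +dnssec dnssec-failed.org @"$server" | classify_dig_output)
    echo "signed zone:  $good (want validated)"
    echo "broken zone:  $bad (want servfail)"
    [ "$good" = validated ] && [ "$bad" = servfail ]
}

# Constructed sample headers (not real captures) for offline use.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Usage: sh dnssec-check.sh <piholeip>
if [ -n "${1:-}" ]; then
    check_resolver "$1"
fi
```

If the signed zone comes back "unvalidated", the answer arrived but nothing in the chain checked it: confirm Use DNSSEC is ticked in pihole and DNSSEC is enabled in unbound on pfSense. If the broken zone resolves, something upstream is forwarding without validating.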

Check the pfSense config to ensure all upstream requests go out over port 853 (DNS over TLS).

Manually configure one client to use pihole for resolution.

Pi-hole's web interface should start showing log entries straight away.

Use the Tools > Tail pihole.log tool to see live queries.
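The same log can be summarised from the console, which is handy for spotting which client is hitting blocked domains before the web dashboard has much history. The script below is an added example, not from the original post, that reads pihole.log lines (dnsmasq's query-log format) on stdin and reports per-client query and blocked counts plus the most-blocked domains. Blocked lines in that log carry the domain but not the client, so the script attributes each one to the client that most recently queried that domain. The embedded log lines are constructed samples, not captured traffic; the Pi-hole 5 log path /var/log/pihole.log is assumed.

```shell
#!/bin/sh
# Added example: per-client summary of pihole.log.
# Live use:    tail -f /var/log/pihole.log | summarise_clients
# Sample use:  printf '%s\n' "$SAMPLE_LOG" | summarise_clients

# summarise_clients: prints "<client> <queries> <blocked>" per client.
summarise_clients() {
    awk '
    / query\[[A-Z]+\] / {
        # "... query[A] <domain> from <client>"
        domain = $6; client = $8
        queries[client]++
        last_client[domain] = client
        next
    }
    / (gravity blocked|exactly blacklisted|regex blacklisted) / {
        # "... gravity blocked <domain> is 0.0.0.0": no client on this line,
        # so charge it to whoever asked for the domain last.
        domain = $7
        c = last_client[domain]
        if (c != "") blocked[c]++
        next
    }
    END {
        for (c in queries)
            printf "%s %d %d\n", c, queries[c], blocked[c] + 0
    }' | sort
}

# top_blocked_domains: "<count> <domain>", most blocked first.
top_blocked_domains() {
    awk '/ (gravity blocked|exactly blacklisted|regex blacklisted) / { n[$7]++ }
         END { for (d in n) printf "%d %s\n", n[d], d }' | sort -rn
}

# flag_clients MIN_BLOCKED: clients with at least MIN_BLOCKED blocked queries,
# a quick way to find a box that is unusually noisy on blocked lists.
flag_clients() {
    summarise_clients | awk -v min="$1" '$3 >= min'
}

# Constructed sample log (not a real capture), in dnsmasq query-log format.
SAMPLE_LOG='Jun 10 09:00:01 dnsmasq[812]: query[A] www.example.com from 192.168.1.20
Jun 10 09:00:01 dnsmasq[812]: forwarded www.example.com to 192.168.1.1
Jun 10 09:00:01 dnsmasq[812]: reply www.example.com is 93.184.216.34
Jun 10 09:00:02 dnsmasq[812]: query[A] ads.tracker.test from 192.168.1.20
Jun 10 09:00:02 dnsmasq[812]: gravity blocked ads.tracker.test is 0.0.0.0
Jun 10 09:00:03 dnsmasq[812]: query[AAAA] www.example.com from 192.168.1.21
Jun 10 09:00:03 dnsmasq[812]: cached www.example.com is NODATA-IPv6
Jun 10 09:00:04 dnsmasq[812]: query[A] miner.pool.test from 192.168.1.21
Jun 10 09:00:04 dnsmasq[812]: gravity blocked miner.pool.test is 0.0.0.0
Jun 10 09:00:05 dnsmasq[812]: query[A] ads.tracker.test from 192.168.1.21
Jun 10 09:00:05 dnsmasq[812]: regex blacklisted ads.tracker.test is 0.0.0.0
Jun 10 09:00:06 dnsmasq[812]: query[A] cdn.example.net from 192.168.1.21
Jun 10 09:00:06 dnsmasq[812]: forwarded cdn.example.net to 192.168.1.1
Jun 10 09:00:06 dnsmasq[812]: reply cdn.example.net is 198.51.100.7'
```

On a busy network the last-client attribution is only approximate when two clients query the same domain within the same instant; for exact per-client attribution use the FTL database (Tools > Query Log) rather than the text log.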

Ensure that local domain queries still resolve. Also check a DHCP client name.

Cutover

Change the DNS server specified in the DHCP config.
Let clients cut over automatically, or trigger a DHCP refresh on clients manually.

Block DNS queries to all destinations except pihole to enforce that all clients use pihole.

Marvel

At the large amount of potentially useless data.
