Geekzone: technology news, blogs, forums
Topic # 240779 25-Sep-2018 18:27

After seeing it mentioned on another thread I've set up Pi Hole on a R.Pi 1b - one of the early ones. I like the idea of LAN wide ad blocking, plus I guess a cache is good too. Setting it up was easy - an hour while I was doing something else.

It's sitting attached to an old switch in my office, using an old USB power supply. Because I don't think it's very reliable where it is I'd like to configure it in a way that if it gets unplugged DNS still works on my network. If it works out well I'll get another switch for my network cupboard and a better power supply and put it in there, so it should be more reliable.

The Fritzbox only issues one DNS server with DHCP, so I need another way.

Standard Pi Hole Setup

I guess the standard setup would be for the router to give out the Pi Hole IP for DNS in DHCP. I tried it - worked well - until I unplugged the Pi.

My Pi Hole Setup - to Validate

I've set up the Fritz so that the first DNS server to use is the Pi Hole, and the second is the 2degrees secondary DNS server. The Pi Hole uses the 2degrees DNS, in case they have local media caches. I could easily use Google or CloudFlare, it's easy to switch later.

I figure this way DHCP tells clients to talk to the Fritzbox for DNS. When the Fritz gets a DNS request it first tries the Pi Hole, but if it doesn't get a reply it'll time out and go back to the 2degrees DNS.

Question

Is this a good / viable setup? Is there a better way to use the Pi Hole as primary DNS but have it fail over to ISP DNS if something goes wrong?

Fritzbox Setup (screenshot)

AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


  Reply # 2096377 25-Sep-2018 19:21

I found things were resolved on the secondary DNS all the time when I tried similar in the past, so it was pretty ineffective.





Richard rich.ms

  Reply # 2096398 25-Sep-2018 20:19

I don't think this will work the way that you're hoping. The Pi-Hole DNS IP needs to be issued by the DHCP server, not via the WAN connection itself.

  Reply # 2096401 25-Sep-2018 20:26

That's worth testing Rich.

First I checked that using that setup and DHCP it was all working as expected - yes it was.

I changed my PC network settings to directly address the Pi Hole for DNS, and the router for secondary. I unplugged the Pi, and DNS lookups took 5 seconds instead of being near instant. I then plugged the Pi back in, DNS time dropped to near instant, and the count started going up again. Windows recovers very quickly when a DNS server comes back up.

However, after I plugged the Pi Hole back in the router is still using the secondary DNS. I'll keep an eye on it to see if it recovers and starts using primary again.

So I think this is an ok configuration for now. Once I've been using the Pi Hole on my PC directly for a while and it seems reliable I'll maybe have DHCP give out the Pi Hole IP and everyone can use it.

@scetoaux - I think it is working how I expected. Are there any tests you can think of other than the ones I've done to validate?





defiant
  Reply # 2096404 25-Sep-2018 20:44

I use an EdgeRouter, but the concept is similar.

The pihole is configured as the primary DNS for all my DHCP scopes with the EdgeRouter as secondary just for my primary scope. I don't care if my guest and iot vlans can't do DNS lookups while the pihole is offline for maintenance, but for primary lan at least they can continue functioning by failing over to

The pihole is configured to use the EdgeRouter as its upstream DNS, and EdgeRouter uses ISP assigned DNS servers.

Or in simple form: client -> pihole -> edgerouter -> isp dns




  Reply # 2096408 25-Sep-2018 20:56

@nas sounds like you use the recommended method of DHCP handing out the Pi Hole IP directly, with a second DNS server on your main scope. The Fritzbox doesn't seem to be able to do that, it's one DNS server only. I'd hand out the Pi Hole IP using DHCP once I trust it - time will tell. For now I'll have my PC address it directly as I can easily switch if I need to, but if my wife had problems while I wasn't here she'd not be impressed.

Looking at the Pi Hole logs, most queries are answered in 5-7ms, but there are some at 50 or even 400 ms. I guess those IPs aren't in the 2degrees cache so they had to reach out to get them. Ireland IPs take up to 400ms, but it is a fair way away.





  Reply # 2096472 26-Sep-2018 00:32

If "it's not very redundant where it is", why not move it to be by your router? I've got my Pi plugged into the Fritzbox USB port to power it - I have the 7390 too. I didn't think it'd have enough power to power the Pi - but it's been fine. Saves on power sockets too!

With regards to 2nd DNS servers for DHCP clients you are correct in that:

  • Fritzbox only allows one (itself by default)
  • PiHole as a DHCP server also only notifies of itself

I've got the PiHole in my set up as the DHCP server too as I wanted to use my own domain name and not fritz.box.

Edit: I think you are with 2degrees too... If you make the PiHole your DHCP server ensure you tick the "Enable IPv6 support" option on your PiHole and disable the "announce DNSv6 server via router advertisement (RFC 5006)" option on your Fritzbox. As well as disabling the IPv6 DHCP server on your Fritzbox. Your PiHole still gets the IPv6 subnet and allocates out of that.


Mr Snotty

  Reply # 2096473 26-Sep-2018 00:46

I've got one running here however have a backup that spawns in Docker on my server if the primary (Raspberry Pi) goes offline for over a minute. I used to have it all running on my server (a HP Microserver) but found it can sometimes be unreliable when the server is under heavy load.

Other than that - I use the PiHole as the only DNS server.
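An added example of the kind of watchdog described in the post above. It is not michaelmurfy's setup or code: it probes the primary Pi-hole, starts a standby container once the primary has been unreachable for a grace period, and stops the standby again after the primary has answered a few probes in a row. The Pi-hole address 192.168.1.10, the container name pihole-standby, the 10 second probe interval and the 60 second grace period are all assumptions; the decision logic is kept apart from the network and Docker calls so it can be exercised without either.

```python
# Added example, not michaelmurfy's setup or code: a watchdog that probes the
# primary Pi-hole and starts a standby container once the primary has been
# unreachable for a grace period, then stops it again after the primary has
# answered a few probes in a row.  Address, container name and timings are
# assumptions; the decision logic is separated from I/O so it can be tested.
import socket
import subprocess
import time

PRIMARY = ("192.168.1.10", 53)   # assumed Pi-hole address
STANDBY = "pihole-standby"       # assumed name of a pre-built Docker container
INTERVAL = 10                    # seconds between probes
GRACE = 60                       # seconds down before the standby is started
RECOVER = 3                      # consecutive good probes before it is stopped


def tcp_probe(addr=PRIMARY, timeout=2.0) -> bool:
    """Liveness probe: can TCP/53 on the primary be opened?  Cheap, but it only
    proves the listener is up, not that it is answering queries."""
    try:
        with socket.create_connection(addr, timeout=timeout):
            return True
    except OSError:
        return False


def docker(verb: str, name: str = STANDBY) -> None:
    """Start or stop the standby container; `docker` must be on PATH."""
    subprocess.run(["docker", verb, name], check=False)


class Failover:
    """Counts consecutive failed and successful probes and decides when to
    start or stop the standby.  `act(verb)` is injectable for tests."""

    def __init__(self, grace=GRACE, interval=INTERVAL, recover=RECOVER, act=docker):
        self.threshold = max(1, grace // interval)  # probes that must fail first
        self.recover = recover
        self.act = act
        self.failures = 0
        self.successes = 0
        self.standby_running = False

    def observe(self, primary_ok: bool) -> str:
        """Feed one probe result; returns 'start', 'stop' or 'none'."""
        if primary_ok:
            self.failures = 0
            self.successes += 1
            if self.standby_running and self.successes >= self.recover:
                self.standby_running = False
                self.act("stop")
                return "stop"
            return "none"
        self.successes = 0
        self.failures += 1
        if not self.standby_running and self.failures >= self.threshold:
            self.standby_running = True
            self.act("start")
            return "start"
        return "none"


def run(probe=tcp_probe, interval=INTERVAL) -> None:
    """Probe forever; a short blip never reaches the threshold, so nothing flaps."""
    state = Failover(interval=interval)
    while True:
        action = state.observe(probe())
        if action != "none":
            print(time.strftime("%H:%M:%S"), "standby", action)
        time.sleep(interval)


if __name__ == "__main__":
    run()
```

Two caveats when running something like this. The standby only helps if it answers on an address the clients are already using: either the server it runs on is the secondary resolver the clients were given, or the container takes over the primary's IP; the post does not say which, so that part is left to the reader. And the TCP connect probe only shows the port is open; if you want the watchdog to react to a Pi-hole that is up but not resolving, replace `tcp_probe` with a function that sends a real query and checks for an answer.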







  Reply # 2096495 26-Sep-2018 07:02

nzkc:

If "it's not very redundant where it is", why not move it to be by your router? I've got my Pi plugged into the Fritzbox USB port to power it - I have the 7390 too. I didn't think it'd have enough power to power the Pi - but it's been fine. Saves on power sockets too!

With regards to 2nd DNS servers for DHCP clients you are correct in that:

  • Fritzbox only allows one (itself by default)
  • PiHole as a DHCP server also only notifies of itself

I've got the PiHole in my set up as the DHCP server too as I wanted to use my own domain name and not fritz.box.

Edit: I think you are with 2degrees too... If you make the PiHole your DHCP server ensure you tick the "Enable IPv6 support" option on your PiHole and disable the "announce DNSv6 server via router advertisement (RFC 5006)" option on your Fritzbox. As well as disabling the IPv6 DHCP server on your Fritzbox. Your PiHole still gets the IPv6 subnet and allocates out of that.

I will move it to beside the Fritz 7390, and use the Fritz USB as power, but I'm out of ports in that location right now. I'll go buy a 4 or 8 port switch this weekend, unless maybe @freitasm has one lying around he wants to sell? You're closer than the shops and probably better stocked! The advantage of using the Fritz USB is it's UPS protected.

I wouldn't use the PiHole to serve DHCP, I'll just announce it as the DNS server via DHCP. I don't turn IPv6 on on my router as I've found it caused some weird problems. I'll try it again perhaps.

michaelmurfy:

I've got one running here however have a backup that spawns in Docker on my server if the primary (Raspberry Pi) goes offline for over a minute. I used to have it all running on my server (a HP Microserver) but found it can sometimes be unreliable when the server is under heavy load.

Other than that - I use the PiHole as the only DNS server.

Interesting idea. I did consider running up a Linux VM on my PC, but it uses memory and it's not always on.





  Reply # 2096496 26-Sep-2018 07:06

Unless you're handling HTTPS on the pi hole it won't help that much. Most advertising has moved to https now. So you need either SSL decrypt or a proxy that handles HTTPS requests (and decrypts them).


  Reply # 2096497 26-Sep-2018 07:19

vulcannz:

Unless you're handling HTTPS on the pi hole it won't help that much. Most advertising has moved to https now. So you need either SSL decrypt or a proxy that handles HTTPS requests (and decrypts them).

It blocks based on host name which isn't obscured by ssl. Its Achilles heel is 1st party advertising.










  Reply # 2096503 26-Sep-2018 07:35

Ad block plugin can deal with first party ads. Fortunately there aren't a huge number of those.




BDFL - Memuneh
  Reply # 2096506 26-Sep-2018 07:40

The only switch I have here now is a HP managed switch. I have to keep it because it allows me to tag/untag VLAN ID. There are a lot of routers released in New Zealand that don't do this - hard to understand why companies release these here as they won't work on UFB without this feature.




  Reply # 2096540 26-Sep-2018 09:02

gbwelly:

vulcannz:

Unless you're handling HTTPS on the pi hole it won't help that much. Most advertising has moved to https now. So you need either SSL decrypt or a proxy that handles HTTPS requests (and decrypts them).

It blocks based on host name which isn't obscured by ssl. Its Achilles heel is 1st party advertising.

That is incorrect. SSL encrypts the entire session, including the URL and host name. All anything in between can see is the IP addresses and ports. It is possible to attempt a reverse DNS lookup on the IP, and try and have a peek at the cert on the host. But these are 50/50 - and when a CDN is involved it gets even harder.

I run SSL decrypt on my network at home, and sometimes I have to exclude work devices from that as I cannot install the resigning cert on them. They then fall back to take a guess with rdns/the cert name. You also need to be able to block advertising apps embedded in pages, web filtering alone doesn't cut it. In a typical week I will only block about 400 advertising URL hits, but around 3000-4000 advertising apps (like doubleclick) embedded in pages.


  Reply # 2096663 26-Sep-2018 10:40

vulcannz:

gbwelly:

It blocks based on host name which isn't obscured by ssl. Its Achilles heel is 1st party advertising.

That is incorrect. SSL encrypts the entire session, including the URL and host name.

Snipped for brevity.

gbwelly's statement is correct. Your statements are also correct. They are not mutually exclusive. The HTML contains the URLs of the advertising and your machine can read these as they have been decrypted at that point (otherwise how would it read, interpret and render the HTML?). PiHole works by blocking the DNS requests of these hosts.

Geekzone is running over SSL. Yet you can still view the page source. And if you do that you'll see URLs in there!


  Reply # 2096664 26-Sep-2018 10:40

vulcannz:

That is incorrect. SSL encrypts the entire session, including the URL and host name.

Hey Mark, I know that you know your stuff, but you have the wrong end of the stick on how the Pi-hole blocks adverts. It doesn't care about protocols, it's a DNS based blocker. To fetch an advert the client must resolve the name of the server hosting the advert. This is the point where the Pi-hole returns NXDOMAIN to the client.
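Two points in this thread can be shown with one piece of code: the opening post's question of what happens when the Pi-hole is the first of two resolvers and goes away, and gbwelly's explanation just above that the blocking happens at name resolution with an NXDOMAIN answer. The block below is an added example written for this page; it is not Pi-hole's code and not any poster's. It builds and parses raw DNS packets with the standard library only, implements the sinkhole decision (blocked name or subdomain of one gets NXDOMAIN, everything else is forwarded), and a `resolve` function that walks a list of servers in order with a timeout, which is what a client with a primary and a secondary DNS server does. The blocklist, host names and packets are constructed for the example, and `send` can be swapped for a fake so the whole thing runs offline.

```python
# Added example (not Pi-hole's code, nor any poster's): a minimal DNS sinkhole
# that answers NXDOMAIN for blocked names, and a client that walks a list of
# resolvers in order with a timeout, the way a primary/secondary DNS setup does.
# All names, addresses and packets used with it are constructed for the example.
import os
import socket
import struct
import time

NXDOMAIN = 3  # RCODE 3: the name does not exist


def encode_name(name: str) -> bytes:
    """Encode 'ads.example.net' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Decode labels at `off`, following 0xC0 compression pointers.
    Returns (lower-cased name, offset just past the name in the packet)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # pointer to a name earlier in the packet
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | pkt[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (off if end is None else end)


def build_query(name: str, qid: int, qtype: int = 1) -> bytes:
    """Recursive A-record query: header (RD=1, one question) + question."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def parse_response(resp: bytes, expected_id: int):
    """Return (rcode, [IPv4 strings]).  An ID that does not match the query is
    rejected: that is the client's only cheap defence against a stale or
    spoofed answer arriving on the socket."""
    qid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if qid != expected_id:
        raise ValueError("transaction ID mismatch")
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = decode_name(resp, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = decode_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips


def sinkhole(query: bytes, blocklist: set, forward) -> bytes:
    """The blocker's core: a blocked name (or any subdomain of one) gets an
    NXDOMAIN reply built from the query itself; anything else goes to
    `forward`, a callable that sends the raw query upstream and returns the reply."""
    qid = struct.unpack(">H", query[:2])[0]
    qname, _ = decode_name(query, 12)
    if qname in blocklist or any(qname.endswith("." + b) for b in blocklist):
        # flags 0x8183: QR=1, RD=1, RA=1, RCODE=3; question echoed, no answers
        return struct.pack(">HHHHHH", qid, 0x8183, 1, 0, 0, 0) + query[12:]
    return forward(query)


def resolve(name: str, servers, timeout: float = 2.0, send=None):
    """Query each server in turn until one answers, like a client configured
    with a primary and a secondary resolver.  Returns
    (server_that_answered, rcode, ips, seconds_elapsed).
    `send(server, packet)` may be injected; the default is one UDP exchange."""
    def udp(server, pkt):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(pkt, (server, 53))
            return s.recv(512)

    send = send or udp
    qid = int.from_bytes(os.urandom(2), "big")  # random ID, never sequential
    query = build_query(name, qid)
    started = time.monotonic()
    for server in servers:
        try:
            rcode, ips = parse_response(send(server, query), qid)
        except (OSError, ValueError):
            continue  # timeout, unreachable, or bad ID: try the next server
        return server, rcode, ips, time.monotonic() - started
    raise RuntimeError("no resolver answered for %s" % name)
```

From a LAN client, `resolve("ads.example.net", ["<pi-hole ip>", "<router ip>"])` shows which server answered and how long it took. With the Pi-hole first and reachable you get rcode 3 and no addresses; pull the Pi's plug and the same call returns whatever the second server says after the timeout has expired, which is both the multi-second stall the thread reports and the reason the reply earlier in the thread found names "resolved on the secondary DNS all the time": an ISP resolver as secondary does not know the blocklist. To serve clients for real, `sinkhole` would sit inside a UDP server loop bound to port 53 with `forward` doing the upstream exchange.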

 

 







