Pihole and multiple vlan

Hello, I am struggling with Pi-hole (or DNS in general) and VLANs.

Which is the “best” and “easy to maintain” path to follow?

  • a Pi-hole VM bound to every VLAN + “interface settings” set to “allow only local requests”
  • one single Pi-hole VM with /etc/network/interfaces set to all VLANs, like shown in the linked video at 16:20
  • one single Pi-hole VM + “interface settings” set to “permit all origins” + firewall rules to allow the subnets to connect to pihole.address:53/udp
  • one single Pi-hole set directly as DNS on pfSense
  • use pfBlocker and forget the Pi-hole VM :slight_smile:
  • other?

I use Pi-hole because it can handle CNAMEs; I am not sure if pfSense can do it.

In this video, he suggests (around min 16:20) using the second option in the poll above.
I have tried it and it works, but Pi-hole takes a long time to start and I am not sure it is the “safest way”, since if the VM where the DNS is gets compromised it has access to every other VLAN, right?

I did not watch that video but I keep things simple and use pfblocker for some things but mostly rely on Ublock Origin to make my browsing experience better. Ublock Origin also makes controlling things easier for sites that are not working due to things being blocked as I can just turn them off in the browser.

Thanks, I’ve never used pfBlocker, so I don’t know if it does the same job as Pi-hole. But… if I remember correctly, in one of your videos you did a comparison. Do you know if it is still valid? Or has something changed on both sides in the meantime?

Anyway, regarding DNS, do you know if it is possible to set CNAMEs in pfSense? If so I will move the DNS back onto it.

Yes, you can create CNAMEs in the pfSense DNS.

Thanks :+1:, do you remember in which section?

Under the host override section. If you click on an entry, scroll down and you’ll see a section to add additional names for this host.


You can use many of the same feeds for Pi-hole and pfBlocker. As noted, uBlock Origin also makes controlling things easier for sites that are not working due to things being blocked, as I can just turn them off in the browser instead of having to go into logs and figure out what site was blocked. Also, it’s been a while since I used Pi-hole, but I do remember it having a much nicer interface for reporting compared to pfBlocker.

As for DNS in pfsense, additional hostnames are not the same as a CNAME.

  • Additional Hostnames provide a direct mapping between a hostname and an IP address, allowing for multiple hostnames to share the same IP.
  • CNAMEs create an indirect mapping by pointing one hostname to another, enabling various use cases like aliasing, load balancing, and failover.
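The difference between the two mapping styles is easiest to see by resolving against a small zone. The following is an added illustration, not pfSense or Pi-hole code: it keeps a constructed zone (documentation addresses from 192.0.2.0/24 and the `home.arpa` domain) in a dictionary, chases CNAME chains the way a resolver does, and shows that changing the target's IP updates aliases but not additional-hostname copies. The loop guard handles the case where two CNAMEs point at each other.

```python
"""Toy resolver contrasting "additional hostnames" (direct A records) with
CNAME aliases. Added example; the zone below is constructed for illustration."""
from typing import Dict, Optional, Tuple

# Constructed zone. "A" entries map a name straight to an IP (the pfSense
# host-override / additional-hostname model). "CNAME" entries point at
# another name and have no IP of their own.
ZONE: Dict[str, Tuple[str, str]] = {
    "nas.home.arpa": ("A", "192.0.2.10"),
    "files.home.arpa": ("A", "192.0.2.10"),          # additional hostname: a copy of the IP
    "backup.home.arpa": ("CNAME", "nas.home.arpa"),  # alias: follows nas.home.arpa
    "loop-a.home.arpa": ("CNAME", "loop-b.home.arpa"),
    "loop-b.home.arpa": ("CNAME", "loop-a.home.arpa"),
}

MAX_CHAIN = 8  # cap on CNAME hops, as real resolvers impose


def resolve(name: str, zone: Dict[str, Tuple[str, str]] = ZONE) -> Optional[str]:
    """Follow CNAME records until an A record is reached.

    Returns the IP string, or None when the name is unknown, the chain
    loops, or it exceeds MAX_CHAIN hops."""
    seen = set()
    for _ in range(MAX_CHAIN):
        if name in seen:
            return None  # CNAME loop
        seen.add(name)
        record = zone.get(name)
        if record is None:
            return None  # NXDOMAIN in this toy zone
        rtype, value = record
        if rtype == "A":
            return value
        name = value  # CNAME: keep chasing


def move_host(zone: Dict[str, Tuple[str, str]], target: str, new_ip: str) -> None:
    """Re-point one A record. Aliases (CNAME) follow automatically;
    additional-hostname copies keep the old address until edited by hand."""
    zone[target] = ("A", new_ip)


if __name__ == "__main__":
    zone = dict(ZONE)
    print("before:", resolve("backup.home.arpa", zone), resolve("files.home.arpa", zone))
    move_host(zone, "nas.home.arpa", "192.0.2.20")
    print("after: ", resolve("backup.home.arpa", zone), resolve("files.home.arpa", zone))
    print("loop:  ", resolve("loop-a.home.arpa", zone))
```

Running it shows `backup.home.arpa` moving with the NAS while `files.home.arpa` stays on the old address, which is the practical reason the post draws the distinction: with additional hostnames every copy has to be updated separately.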

pfBlocker-NG is very heavy on the pfSense CPU. It depends how lightweight you want it; it might just be a VM? I wouldn’t necessarily go that route.

I also wouldn’t put the Pi-hole with interfaces in all VLANs, as it is quite risky.

Personally I’d put the Pi-hole in a service zone and point all local machines to use it there for DNS. You don’t need it to have an interface in each VLAN for this to work. You’d only need that if you wanted it to do DHCP for you.

Alternatively you could use the pfSense as the DNS server for all VLANs and make the Pi-hole the upstream DNS for the pfSense. Personally I’d not do that. The less local ports you open on the firewall the better.

The advantage of having central DNS blacklisting like Pi-hole is that it works for all sorts of blacklists, not only as an adblocker, and it is a single point of maintenance for all the machines in your network.

For the notebook that you move out of your home network, you really want something in your browser like uMatrix if you won’t always be connected to your home network via VPN.

I used to run PiHole [PH], but then switched to AdGuard Home [AGH] quite a while back. I switched because I was curious about the differences, and discovered they’re quite minimal tbh. Close enough that I just never switched back. I won’t go into it here as there are many other forums that cover this.

Regardless, I run my AGH/PH DNS via Option #3 (I also run two of them, because why not?). But this setup is very simple to maintain. If you’re using DHCP, you can easily define your AGH/PH hosts as your DNS/nameserver targets, and voilà! If you do static setups, it’s really no more or less work to enter the AGH/PH IPs than your ‘default’ DNS endpoints.

*Note that from here, I’m referring to AdGuard Home [AGH] specifically, as it’s what I’m running currently and my memories of PiHole [PH] (while a good product) are just too many years past to be considered accurate.

I would not necessarily recommend using AGH/PH downstream from your router/FW/DNS server, unless you have other services running that just don’t mix. In the context of domain blocking, which is what AGH/PH do, troubleshooting DNS resolution when it’s downstream of the router can be difficult, as the AGH/PH will log the router’s IP as the source for ALL queries, not the ‘problem’ client.

In AGH specifically, it’s easy enough to route local DNS and PTR queries to your router (or a specific local DNS). This way you get per-client logging, which can be very useful. In fact, it’s easy to create custom settings for specific domains to be handled by specific DNS providers even (conditional forwarding, essentially). I know this is doable in PH as well, but last time I checked, it wasn’t as ‘out-of-box’ (like I said, my PH experience is years out of date).

The main reason I mention this as my ‘vote’ is that it really is super easy to manage and it works well. Nothing more.
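The conditional forwarding described in the post above, and the earlier suggestion of one Pi-hole in a service zone answering every VLAN without an interface in each, both come down to a handful of forwarder lines. The following is an added example, not Pi-hole or AdGuard Home code: it generates dnsmasq directives (`server=/domain/ip` for the local domain and `rev-server=subnet,ip` for each VLAN's reverse zone) so that the resolver hands only local-name and PTR lookups to the router and keeps everything else on its normal upstream. It assumes the resolver reads dnsmasq drop-in syntax (as Pi-hole's FTL does from its drop-in directory) and that the router's address on the service VLAN is the right forwarding target; the domain, subnets and addresses in the usage block are constructed. Overlapping subnets and subnets with host bits set are rejected, since both produce silently wrong reverse zones.

```python
"""Emit dnsmasq conditional-forwarding lines for a resolver that serves
several VLANs from one service zone. Added example; assumes dnsmasq drop-in
syntax and uses constructed subnets and addresses."""
import ipaddress
from typing import Iterable, List


def forwarding_lines(local_domain: str, router_ip: str,
                     vlan_subnets: Iterable[str]) -> List[str]:
    """Return the dnsmasq directives that send the local domain and every
    listed VLAN's reverse zone to the router and nothing else.

    Raises ValueError on a malformed address, a subnet with host bits set,
    or two subnets that overlap (each would yield a conflicting rev-server)."""
    router = ipaddress.ip_address(router_ip)           # ValueError if malformed
    nets = [ipaddress.ip_network(s, strict=True) for s in vlan_subnets]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping VLAN subnets: {a} and {b}")
    domain = local_domain.strip(".")
    if not domain:
        raise ValueError("local domain must not be empty")
    # Forward names under the local domain to the router.
    lines = [f"server=/{domain}/{router}"]
    # Forward PTR lookups for each VLAN to the router so client IPs in the
    # query log can be turned back into hostnames.
    for net in nets:
        lines.append(f"rev-server={net.with_prefixlen},{router}")
    return lines


def render(lines: List[str]) -> str:
    """Join directives into the text of one drop-in config file."""
    header = "# generated: conditional forwarding for local names and PTR\n"
    return header + "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed layout: resolver lives in the 192.168.10.0/24 service VLAN,
    # router is 192.168.10.1 there, clients sit in two further VLANs.
    cfg = forwarding_lines(
        "home.arpa",
        "192.168.10.1",
        ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"],
    )
    print(render(cfg), end="")
```

Only the local domain and the listed reverse zones ever reach the router; external lookups still go to whatever upstream the resolver is configured with, so nothing else crosses the VLAN boundary for this to work.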