Bind9 + Pi-hole

Hello, I like to use Pi-hole. I already have bind9 + isc-dhcp with rndc. If possible, I might install Pi-hole in KVM and then just replace the forwarder IP in bind with the IP of the Pi-hole in KVM. Is this a possible way?
Thank you.

You could have bind pointing to Pi-hole. Or have isc hand out the KVM IP and set Pi-hole to point to bind as its upstream.

Hello,
First of all thank you for reply to my question.
My environment:
I have a Linux router firewall as my main router for the internet and hosts. Here I have Bind + isc-dhcp connected together via RNDC. I can ping the DHCP clients by name because they are propagated to bind. Bind itself works as resolver and forwarder for the internal networks.
My idea is to set up a new KVM virtual machine with Pi-hole and tell bind to send the requests to Pi-hole.
In the bind config like this:

forwarders {
        172.30.18.1;
        1.1.1.1;
};

And change it to the Pi-hole IP. The Pi-hole itself then forwards requests to the internet.
Is it possible?
Thank you.

That may cause bind to split its queries between 172.30.18.1 and 1.1.1.1, which would mean some of the traffic would not be blocked.

That means you absolutely did not understand. Still, thanks :slight_smile:

Keep the command below running and you will know for sure:

sudo tcpdump -n -i any 'port 53 and (dst 172.30.18.1 or dst 1.1.1.1)'

The tcpdump binary is in the tcpdump package that can be installed via apt:

pi@ph5b:~ $ man tcpdump
[..]
DESCRIPTION
       Tcpdump prints out a description of the contents of packets on a network interface that match the Boolean expression; the description is preceded by a time stamp, printed, by default, as hours, minutes, seconds, and fractions of a second since midnight. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. It can also be run with the -V flag, which causes it to read a list of saved packet files. In all cases, only packets that match expression will be processed by tcpdump.

This is the GW of my ISP. I have not started yet. I am just asking if it is a possible way to do it by setting the DNS forwarder in my bind to the KVM virtual machine where Pi-hole runs.

What @DanSchaper is trying to explain is that the order in which you configure DNS forwarders, like 172.30.18.1 first and 1.1.1.1 second, is of less importance.
bind9 will eventually query all DNS servers configured.
Not equally though, because bind9, like almost all DNS resolvers, deploys some sort of best-forwarder logic, similar to what pihole-FTL does:

Improve detection algorithm for determining the "best" forward destination

The DNS forward destination determination algorithm in FTLDNS is modified to be much less restrictive than the original algorithm in dnsmasq. We keep using the fastest responding server now for 1000 queries or 10 minutes (whichever happens earlier) instead of 50 queries or 10 seconds (default values in dnsmasq). We keep the exceptions, i.e., we try all possible forward destinations if SERVFAIL or REFUSED is received or if a timeout occurs. Overall, this change has proven to greatly reduce the number of actually performed queries in typical Pi-hole environments. It may even be understood as being preferential in terms of privacy (as we send queries much less often to all servers). This has been implemented in commit d1c163e.

https://docs.pi-hole.net/ftldns/dns-resolver/?h=best+forw#improve-detection-algorithm-for-determining-the-best-forward-destination

My clients mostly consist of Linux, Apple, Microsoft and Android devices.
And I run two Pi-hole nodes/servers for my LAN with all the clients configured to use both.
Below are queries received on node one over a 24 hour period:

pi@ph5a:~ $ nc localhost 4711 <<< '>stats >quit'
[..]
dns_queries_today 6659
unique_clients 8

And below the ones received on node two:

pi@ph5b:~ $ nc localhost 4711 <<< '>stats >quit'
[..]
dns_queries_today 1867
unique_clients 5

So thinking that all queries will go to 172.30.18.1 first, and only when this one fails will the other server, 1.1.1.1, be queried, is wrong.
Both will receive queries from bind9, and if one is blocking and the other is not, you get inconsistent blocking of ads etc.

If you keep that command of mine running for a while, you will see.

2 Likes
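The tcpdump one-liner above shows the split as it happens, but to put a number on it you have to tally where bind's upstream queries actually went. The script below is an added example, not code from this thread or from the Pi-hole project: it parses tcpdump's default text output for port-53 traffic, counts queries per upstream destination, and reports how many "leaked" to anything other than the one upstream that is supposed to be the Pi-hole. The sample capture lines are constructed for the example, and the source address 172.30.18.10 is an assumed address for the bind host; with only the Pi-hole listed under `forwarders` (and `forward only;` so bind never recurses on its own), the leaked count should be 0.

```shell
#!/bin/sh
# Added example: measure where bind really sends its upstream DNS queries.
# Feed it tcpdump text such as produced by
#   sudo tcpdump -n -l -c 200 -i any 'port 53 and (dst 172.30.18.1 or dst 1.1.1.1)'
# (-l line-buffers, -c stops after 200 packets so the report is printed).

# Constructed sample lines, shaped like tcpdump's default DNS summary output.
# 172.30.18.10 is an assumed address for the bind host (not from the thread).
SAMPLE_CAPTURE='12:00:01.000001 IP 172.30.18.10.41234 > 172.30.18.1.53: 12345+ A? ads.example.com. (33)
12:00:01.000500 IP 172.30.18.10.41235 > 1.1.1.1.53: 12346+ A? tracker.example.net. (37)
12:00:02.000001 IP 172.30.18.10.41236 > 172.30.18.1.53: 12347+ AAAA? www.example.org. (33)
12:00:02.000700 IP 172.30.18.10.41237 > 1.1.1.1.53: 12348+ A? cdn.example.com. (33)
12:00:03.000001 IP 172.30.18.10.41238 > 172.30.18.1.53: 12349+ A? mail.example.com. (34)'

# Number of queries sent to one upstream IP on port 53.
# $1 = upstream IP, stdin = tcpdump text. Prints the count.
count_queries_to() {
    awk -v ip="$1" '$2 == "IP" && $5 == (ip ".53:") { n++ } END { print n+0 }'
}

# Number of queries that reached any port-53 destination other than $1.
# $1 = the only allowed upstream (the Pi-hole), stdin = tcpdump text.
leaked_queries() {
    awk -v ok="$1" '
        $2 == "IP" && $5 ~ /\.53:$/ {
            dst = $5
            sub(/\.53:$/, "", dst)      # "172.30.18.1.53:" -> "172.30.18.1"
            if (dst != ok) n++
        }
        END { print n+0 }'
}

# Human-readable per-destination tally, one line per upstream.
upstream_report() {
    awk '
        $2 == "IP" && $5 ~ /\.53:$/ {
            dst = $5
            sub(/\.53:$/, "", dst)
            seen[dst]++
        }
        END { for (dst in seen) printf "%-16s %d queries\n", dst, seen[dst] }' | sort
}

# Demo on the constructed capture: 3 queries to the Pi-hole, 2 leaked to 1.1.1.1.
printf '%s\n' "$SAMPLE_CAPTURE" | upstream_report
printf 'leaked past 172.30.18.1: %s\n' \
    "$(printf '%s\n' "$SAMPLE_CAPTURE" | leaked_queries 172.30.18.1)"
```

To run it against live traffic, replace the `SAMPLE_CAPTURE` pipe with the tcpdump command from the comment; any non-zero leaked count means some client queries bypass the Pi-hole's blocklists, which is exactly the inconsistent blocking described above.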

Hello, thank you for pointing me in the right direction. I will prepare a virtual machine with Pi-hole and add the IP address of the Pi-hole to my Bind forwarders.