Pi-hole sends client requests to internal domain, e.g. local.example.com, to a specific DNS server managing all internal domains.
Actual Behaviour:
unknown
Basically I'm referring to this documentation of "Pi-hole as All-Around DNS Solution" that explains the setup and benefits of using a recursive DNS server.
In my assumption the communication chain would look like this:
Client -> asking internal domain -> Pi-hole -> Internal DNS (FreeIPA with bind)
Client -> asking external domain -> Pi-hole -> unbound (recursive DNS) -> query to DNS root servers
Would this be possible?
If not, how could it be realized with existing DNS server (FreeIPA with bind)?
Thanks.
Actually I was thinking that this could be the relevant configuration.
However, I can only maintain one local domain name.
If I have another local domain name, e.g. dmz.example.com, can I maintain this manually in a configuration file?
And with regards to FreeIPA's DNS service, would this mean that I must not maintain a forwarding DNS there?
I first used conditional forwarding in Pi-Hole to resolve and authenticate a local domain through a bind9 DNS server. Now I try it with "Unbound" and "local-zone: ... static", extending the pihole unbound guide.
It works well with IPv4. The Unbound syntax is slightly different than in the bind9 zone - must learn. My problem right now is IPv6 (I'm a noob with it). I do not know what IPv6 address I have to enter there (for example, my PC has 6 of them). For now I have entered the ULA, which my Fritz Box generates.
-- extending the pihole unbound guide with private zone and ipv6 entries: /etc/unbound/unbound.conf.d/private-network.conf --
local-data: "test.lan. IN SOA pihole.test.lan. 1 3600 1200 604800 10800"
local-data: "test.lan. IN NS pihole.test.lan."
local-data: "w1.test.lan. IN A 192.168.19.63"
local-data: "w1.test.lan. IN AAAA fd00::1f6"
local-data: "w1.test.lan. IN AAAA fd00::89cf:fbf2:e86f:bd86"
local-data: "pihole.test.lan. IN A 192.168.19.112"
local-data: "pihole.test.lan. IN AAAA fd00::4ed6:f59a:481b:ffef"
local-data: "gate.test.lan. IN A 192.168.19.221"
local-data: "gate.test.lan. IN AAAA fd00::cece:1eff:feaf:5eb2"
local-data: "fritz.box. IN CNAME gate.test.lan."
Hm... I'm not sure if I should take the discussion about unbound configuration off-topic.
Anyway, for now I'll address my first question here:
Do I need to make an entry local-data: "<FQHN>. IN A <IP address>" for every single client in local network?
If yes, this would cause a lot of manual work.
And I'm wondering if this data is already available in a local DNS, in my case FreeIPA running bind.
Or do you effectively replace local DNS (=bind) with extending unbound configuration?
Before the Pi-hole:
I had my own Bind9 server for internal and external DNS including DNSSEC. It only took the path via the DNS root servers. No Google DNS, etc. I have 2 local domains and need full DNS capabilities for my services (XMPP ...). And yes, it was a lot of manual work, but check out all the community questions about Pi-Hole and how to get / insert information about local domains. Manually customize and extend hosts, local.list, resolv.conf, dnsmasq.conf ...
I am new to Unbound. There could be an easier way, e.g. an "automatic DNS client registration" in Unbound.
Yes. With Pihole v4 and the Guide Unbound solution, I still do not have full DNS capabilities. With a newer unbound version (dnscrypt included, auth) and adding zones I should be able to fully replace BIND9. Why should I maintain a Bind9 next to the Pi-Hole construct and Unbound?
Yes I know, but then I need my own (old) BIND9 back. But I want dnscrypt and so on. Unbound with zones and auth seems to be a better solution (with pi-hole) for me.
Dnsmasq has the ability to direct DNS queries for certain domains to specific upstream nameservers. This feature was added for use with VPNs but it is fully general. The scenario is this: you have a standard internet connection via an ISP, and dnsmasq is configured to forward queries to the ISP's nameservers, then you make a VPN connection into your company's network, giving access to hosts inside the company firewall. You have access, but since many of the internal hosts aren't visible on the public internet, your company doesn't publish them to the public DNS and you can't get their IP address from the ISP nameservers. The solution is to use the company's nameserver for private domains within the company, and dnsmasq allows this. Assuming that internal company machines are all in the domain internal.myco.com and the company's nameserver is at 192.168.10.1 then the option server=/internal.myco.com/192.168.10.1 will direct all queries in the internal domain to the correct nameserver. You can specify more than one domain in each server option. If there is more than one nameserver just include as many server options as is needed to specify them all.
Well, I'm not sure if IPA's bind will perform recursive DNS for external requests.
Therefore I configured this additional dnsmasq config in Pi-hole:
root@pc5-raspi:~# more /etc/dnsmasq.d/09-custom.conf
#dhcp-option=6,192.168.1.1
#dhcp-option=42,192.168.100.252
server=/localdomain.com/192.168.100.252
server=/localdomain.com/192.168.100.253
server=/100.168.192.in-addr.arpa/192.168.100.252
server=/100.168.192.in-addr.arpa/192.168.100.253
There are two IPAs running: master (192.168.100.252) & replica (192.168.100.253)
And there's no DNS Forward defined in IPA's DNS to respond to requests for external domains.
This means any request to a local domain goes: Client -> Pi-hole -> IPA
Any request to external Domain goes: Client -> Pi-hole -> unbound
Would the configuration in /etc/dnsmasq.d/09-custom.conf work as expected?
And does this setup make sense presuming IPA's bind is configured for internal domain name resolution only?
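As an added illustration (not from the thread or from Pi-hole itself), here is a small Python model of the routing decision dnsmasq makes for the 09-custom.conf posted above: which server=/domain/ entry a query name matches, including the reverse zone, and what falls through to the default upstream. The default upstream 127.0.0.1#5335 is assumed from the Pi-hole unbound guide; the post does not state it.

```python
import ipaddress

# Constructed copy of the /etc/dnsmasq.d/09-custom.conf shown in the post above.
CONF = """\
#dhcp-option=6,192.168.1.1
#dhcp-option=42,192.168.100.252
server=/localdomain.com/192.168.100.252
server=/localdomain.com/192.168.100.253
server=/100.168.192.in-addr.arpa/192.168.100.252
server=/100.168.192.in-addr.arpa/192.168.100.253
"""

# Assumed default upstream (not stated in the post): unbound on 127.0.0.1#5335,
# the listener the Pi-hole unbound guide configures.
DEFAULT_UPSTREAM = ["127.0.0.1#5335"]

def parse_server_lines(conf):
    """Build {domain: [upstream, ...]} from every server=/dom1/dom2/.../upstream line.
    Commented-out lines (such as the dhcp-option ones) are skipped."""
    table = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line.startswith("server=/"):
            continue
        _, *domains, upstream = line[len("server="):].split("/")
        for dom in domains:
            table.setdefault(dom.lower().rstrip("."), []).append(upstream)
    return table

def route(qname, conf=CONF, default=DEFAULT_UPSTREAM):
    """Return (matched_domain, upstreams): dnsmasq picks the longest server=/domain/
    suffix matching on a label boundary; everything else goes to the default upstream."""
    table = parse_server_lines(conf)
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate, table[candidate]
    return None, list(default)

def reverse_name(ip):
    """PTR owner name for an address, e.g. 192.168.100.5 -> 5.100.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

if __name__ == "__main__":
    for q in ("ct117.localdomain.com", "notlocaldomain.com", "pi-hole.net",
              reverse_name("192.168.100.252"), reverse_name("192.168.1.1")):
        print(f"{q:40} -> {route(q)}")
```

Note that only 192.168.100.0/24 reverse lookups reach the IPA servers; PTR queries for other private ranges fall through to unbound like any external name.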
If bind is set to authoritative for the localdomain.com zone, and to not recurse then from just reading the configuration it appears as that should work as you would like it to.
I do not have the setup or the resources to actually run that configuration to see the results, but I don't see any glaring errors or omissions with it.
root@pc5-raspi:~# more /etc/dnsmasq.d/09-custom.conf
#dhcp-option=6,192.168.1.1
#dhcp-option=42,192.168.100.252
server=/example.com/192.168.100.252
server=/example.com/192.168.100.253
server=/100.168.192.in-addr.arpa/192.168.100.252
server=/100.168.192.in-addr.arpa/192.168.100.253
I'm facing the following error:
a web service with FQDN cloud.example.com is not accessible from the local network; there are no issues accessing this web service from outside.
The server hosting this web service has FQHN ct117-nextcloud.local.example.com.