I recently got Circle and Pi-Hole playing nicely together, and I wanted to document the gotchas here in case it could help anyone else.
Background
Circle is parental control software that works at the network level. It's available in a standalone device (that uses ARP poisoning...), and is also included as a feature on some Netgear routers. In a nutshell, it allows you to assign devices to users, and to set individual restrictions for each of those users. The restrictions are enforced by DNS.
https://meetcircle.com/netgear
Network Layout
My network is a bit complicated, with 3 routers between my LAN and the internet:
LAN <---> Netgear R7000 <---> Ubiquiti ER-X <---> ISP Modem <---> Internet
(with Circle) |
|
Pi-Hole
The DNS setup is also a bit complicated and looks like this:
LAN <---> Circle <---> Pi-Hole <---> Cloudflare / Quad 9
First Issue - The IP Conflict that Wasn't
With the Netgear in router mode and Circle enabled, it sets itself as the DNS server for downstream (LAN) devices. It also forces you to set its WAN IP address and its upstream DNS servers via DHCP rather than manually.
When I tried to set the Netgear's upstream DNS server to a LAN address via DHCP, the Netgear software concluded that my LAN address space must be in conflict with my ISP's WAN address space, and automatically flipped the LAN address space over to 10.0.0.0/0.
To get around this, I moved the Pi-Hole server to the WAN side of the Netgear. In my case this is the LAN side of the Ubiquti EdgeRouter X, but it could just as easily be my ISP's modem.
Second Issue - Pi-Hole Blocking Mode
The Circle software did not respond well to the Pi-Hole's default blocking mode. From the client perspective a blocked query would hang, with the browser displaying Resolving host...
but never getting anywhere.
This appeared to be resolved by switching the Pi-Hole's blocking mode to NODATA
as described at Blocking mode - Pi-hole documentation.
However, some errors persisted, and appeared to be associated with specific TLDs, e.g. .ca, .org. This was resolved by disabling DNSSEC on the Pi-Hole. This setting is located in the GUI at Settings --> DNS --> Advanced DNS settings --> Use DNSSEC.
Conclusion
That's it! Everything seems to running smoothly now, so we'll see how it goes. Hopefully this post can help folks in a similar situation.