Combining Pi-Hole with Windows Server DNS and OpenDNS

This is a (relatively) simple configuration question, so I hope I am asking it in the right place.

I have two Windows Server 2016 machines running the DNS role in my house, as primary and secondary DNS Zones (Luke @ 10.0.1.2 and Beau @ 10.0.1.3). Previously, both zones were using OpenDNS as forwarders for external queries.

To start off and establish a proof of concept, I set up Pi-Hole on a Raspberry Pi 3 and configured it to forward external queries to OpenDNS, then changed the Windows Servers to forward queries to the Pi-Hole (Roscoe @ 10.0.1.15), essentially placing the Pi Hole between my internal devices and OpenDNS to perform its sinkhole duties. It all worked great, except that the Pi Hole dashboard was only showing query information for two clients (Beau and Luke) instead of the actual client machines. I can live with that.

I REALLY want devices outside of the network to also use the Pi Hole and OpenDNS. Setting up my DNS as WAN-facing comes with the obvious security vulnerabilities, so I took a look at the docs on using OpenVPN and liked what I saw. The problem is that the howto doesn't consider use cases like mine where there are actual DNS servers on the local network that clients need access to when they are local.

I set up the OpenVPN server on the Raspberry Pi and tested using an Android device that was on mobile data. The content and ad filtering is still working, but it is using the office gateway and I only want DNS queries going over the VPN. I made the change suggested here and it broke internet access for the VPN clients. Maybe I missed something in the .ovpn file? Input appreciated there.

Also, when the VPN clients are local, they need to be able to use the Windows DNS servers for local hostname resolution, which the VPN config bypasses.

Instead of having Luke and Beau forward external queries to the Pi Hole (which then forwards them to OpenDNS), I was thinking I would change the DHCP server (Luke) to send clients the Pi Hole as the DNS server, have it forward queries to 10.0.1.2 and 10.0.1.3, and then have them forward queries to OpenDNS. That way I would have more accurate client information in the Pi Hole admin console and local devices would not be bypassing the Windows DNS servers, even if they are connected to the VPN.

Assuming the last paragraph above is a viable solution (I'd love to hear potential problems and alternative ideas if it is not), how do I need to configure my openvpn.conf and client.ovpn files?

TIA,

J

So I ran with my second-to-last paragraph above.

I went into Luke's DHCP server settings and told it to hand out 10.0.1.15 (Roscoe, the Pi Hole) for the DNS server. I set Roscoe (Pi-Hole) to use custom forwarders of 10.0.1.2 and 10.0.1.3 (Luke and Beau). I set the DNS servers on Luke and Beau to use OpenDNS forwarders of 208.67.220.220 and 208.67.222.222. The Pi-Hole dashboard began showing accurate per-client statistics, ad-blocking worked (pi-hole), smut-blocking worked (opendns), and DHCP clients can resolve both internal and external hostnames.

I edited /etc/openvpn/server.conf on the Pi Hole and added the lines:
push "route 10.0.1.0 255.255.255.0"
push "dhcp-option DNS 10.0.1.15"

commenting out
push "redirect-gateway def1 bypass-dhcp"

Used the openvpn-install shell script to generate an ovpn file, copied it to an android and imported it.

The android device can connect to the VPN while it is on mobile data, and all ad/smut blocking works as it should from outside my network while using the mobile carrier's gateway. Hooray!

BUT, I can't seem to resolve internal hostnames while connected to the VPN. For example, connecting to a web site via FQDN works fine, but connecting to a web server named Jesse fails. Connecting to Jesse's web UI by IP works. A quick glimpse at the Pi Hole's recent queries list shows:

2019-05-09 20:10:55 A jesse pcsupreme.vpn OK (cached) NODATA (0.4ms)

...even though the hostname Jesse can be resolved by LAN and WiFi devices, including the Android that I am testing with when it is on the wifi instead of the VPN.

ALSO, it can't connect to the VPN from inside the network. That's not especially important, as it does not need the VPN once it is on my wifi, but I intend to push this VPN config to several mobile devices via comodo MDM so that everyone has the ad/smut blocking working for them, at home or not, without user intervention. Connecting to the wifi AFTER connecting to the VPN just breaks network connectivity. I don't know if comodo will give me a way to disable the VPN when on our home network and reconnect it once another network is detected, but I'm trying to solve problems ahead of time instead of kicking them further down the road in hopes that another package will solve them.

For the VPN issues, @RamSet or others may be able to help (I do not deal with VPNs).

One downside of putting Pi-hole as the first DNS server is that you lose the redundancy of having two DNS servers available, but this was already lost when Pi-hole was added as the upstream for the other DNS servers. This can be resolved by having two Pi-holes, one for each Windows DNS servers.

Do you see two queries for jesse, one from the VPN client which returns NODATA, and another from local device which returns an IP address? Dnsmasq should resolve the address the same for both clients.
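The comparison Mcat12 asks for above (the same host queried by the VPN client and by a LAN client) can be done over the query log rather than by eye. The script below is an added example for this thread, not code from any post and not part of Pi-hole: it parses lines in the dashboard format J pasted and reports bare single-label names that got NODATA/NXDOMAIN while a qualified form of the same name got an IP. One explanation that fits that pattern, and which this example assumes rather than the thread establishing, is that LAN clients append a DNS search suffix they got from the Windows DHCP server while the VPN client sends the bare name `jesse`. The log lines except J's own are constructed; the zone suffix `corp.lan` and the LAN client `10.0.1.50` are hypothetical.

```python
"""Compare Pi-hole query-log lines for the same host asked bare and fully qualified.
Added example for the thread; not code from any post or from Pi-hole.
Log format is the dashboard's Query Log columns: time, type, domain, client, status, reply, duration."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<qtype>\S+)\s+(?P<domain>\S+)\s+"
    r"(?P<client>\S+)\s+(?P<status>.+?)\s+(?P<reply>\S+)\s+\((?P<ms>[\d.]+)ms\)$"
)

# Constructed sample. First line is the one J posted; the rest are made up for this
# example (hypothetical suffix corp.lan, hypothetical LAN client 10.0.1.50).
SAMPLE_LOG = """\
2019-05-09 20:10:55 A jesse pcsupreme.vpn OK (cached) NODATA (0.4ms)
2019-05-09 20:11:02 A jesse.corp.lan 10.0.1.50 OK (forwarded) IP (3.1ms)
2019-05-09 20:11:09 A speedtest.net pcsupreme.vpn OK (forwarded) IP (22.7ms)
2019-05-09 20:11:20 A luke.corp.lan pcsupreme.vpn OK (forwarded) IP (2.9ms)
"""


def parse_log(text):
    """Return one dict per well-formed line; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def group_by_stem(rows):
    """Map the first label of each queried name to its bare and qualified queries."""
    groups = defaultdict(lambda: {"bare": [], "qualified": []})
    for r in rows:
        stem, _, rest = r["domain"].partition(".")
        groups[stem.lower()]["qualified" if rest else "bare"].append(r)
    return groups


def suggest_search_suffix(rows):
    """(stem, suffix, clients) for every bare name that failed with NODATA/NXDOMAIN while
    stem.suffix resolved to an IP. Those clients are the ones asking without a search domain."""
    findings = []
    for stem, g in group_by_stem(rows).items():
        bare_fail = [r for r in g["bare"] if r["reply"] in ("NODATA", "NXDOMAIN")]
        good = [r for r in g["qualified"] if r["reply"] == "IP"]
        if bare_fail and good:
            suffix = good[0]["domain"].partition(".")[2]
            findings.append((stem, suffix, sorted({r["client"] for r in bare_fail})))
    return findings


def openvpn_push_domain(suffix):
    """server.conf line that hands a search suffix to VPN clients (OpenVPN's dhcp-option DOMAIN)."""
    return f'push "dhcp-option DOMAIN {suffix}"'


if __name__ == "__main__":
    for stem, suffix, clients in suggest_search_suffix(parse_log(SAMPLE_LOG)):
        print(f"{stem}: bare lookup failed for {clients}, but {stem}.{suffix} resolves")
        print("candidate server.conf line:", openvpn_push_domain(suffix))
```

Whether a VPN client actually applies a pushed DOMAIN depends on the client app, so the quicker manual check is the same comparison done with two lookups from the VPN client: the bare name and the name with the LAN zone suffix appended. If only the second one answers, the suffix is the missing piece, not the forwarding chain.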

For this you would have to configure the OpenVPN server to "answer" to the DNS requests but not forward the traffic.

As in, when connected to VPN, it will act as a DNS via VPN server. All traffic will go through whatever provider you are using (mobile network or off-site WiFi).

There are two options. You can set up only one instance of the OpenVPN server on the Raspberry Pi that will do both traffic routing AND DNS, or you can set up the server in such a way that it will only do DNS.

This is achievable also via the same server configuration (but only when traffic routing is used).
I don't know why you would use this in the loop though.

Not only are you adding an extra failure point in the link, but you are throwing the request through an additional (unneeded) step.

Picture this:

Remote client connects to VPN, DNS request goes to either Luke or Beau, which in the end query back to the same device that's hosting Pi-hole and OpenVPN, which in the end queries OpenDNS.

Instead one should use Pi-hole directly as the VPN server DNS resolver.

Having a hard time following the trail on this one.

OpenVPN by itself is a DHCP server. It acts as a DHCP server for the incoming (authorized) connections.

It serves (a customizable range, true) a different range of IPs to the connected clients, and via some iptables-fu, the packets get routed inside the network back and forth (if chosen so via the VPN configuration).

Now, for your scenario, in order to achieve what you want, you need to install the OpenVPN server and customize /etc/openvpn/server.conf and make sure these lines are there:

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.0.1.2"
push "dhcp-option DNS 10.0.1.3"

What this does is force the traffic via OpenVPN at the same time, (also) forcing the DNS server as Luke and Beau, onto the connected clients.

The only downside of this is that the traffic will pass through the VPN, and that will put you (and the speed) at the mercy of your upload speed on the Server side (from the ISP) as your connection will not go faster than the upload speed of your home connection (or wherever the VPN server is hosted).

If you want to have ONLY DNS via VPN, then, due to the configuration limitation on OpenVPN (being hosted on the Pi), you can't have OpenVPN with DNS only, using Luke and Beau on the RaspberryPi.
Unless, you install OpenVPN on Luke or Beau ...
Then you CAN use DNS only with Luke and Beau.

Same settings as above would apply in the server.conf, with the exception of the first line. That one can be commented out or deleted.

You don't need to change anything on the .ovpn side.

Thank you both so much for the input! Let me see if I can gather what I accomplished and what you both said in my head here and puke out a sensible solution.

@Mcat12: Beau is actually a Plex Media Server. The reason I added the DNS role and made it a secondary zone is that Luke is a VM. Any time Luke or the host machine was down (windows updates, hardware upgrades, firmware updates, etc.) the whole house would lose internet, even though the entire infrastructure was in place. No Luke->no DNS->No web, so I created the secondary zone in a physical server. Having the redundancy for the Pi Hole isn't as much of an issue because it isn't a VM. I do like the idea of using a second Pi Hole to maintain my redundancy though, and I have resources available on the Hyper-V server. Early on in this process, I tried setting up a Pi Hole VM using DietPi, but the Pi Hole installer never completed on it. If you can suggest a really lightweight distro to run it on, it would be no effort at all to set up a second Pi Hole and keep my redundancy. Lubuntu, maybe?

@RamSet: That leaves the question of the VPN. Which Pi Hole would host OpenVPN? How about neither? My firewall is a pfsense box, so setting up OpenVPN on there is no big chore. I actually did achieve VPN clients using their own gateway and only routing DNS through the VPN via the lines changed in my server.conf as described in my second post above. If you see an issue with doing it that way, let me know. Based on my paragraph above, I could set the Pi Holes to use Beau and Luke as forwarders and revise the server.conf "push DHCP option" to hand out the Pi Holes' addresses to VPN clients.

This seems like my best option to maintain my DNS redundancy while still having local and remote ad blocking/content filtering without making it more complicated than it already is. I'm being fussy about this because my family uses this network, but I also work from home and need maximum reliability/redundancy.

Feel free to poke holes in my plan or let me know of any issues that I'm not anticipating.

The raspberry Pi that runs Pi-hole would host the VPN also.

You do need VPN as this is the healthiest way to achieve Ad-Blocking from outside the home without exposing port 53 to the world.

Regardless where you setup the VPN server (Raspberry Pi or pfsense) in order to use the two internal DNS servers, you would have to route traffic through the VPN server.

If you want DNS only, you would install OpenVPN on one of the DNS servers.

That way the client will connect to the server on the DNS server, answer queries to DNS locally that actually are answered by Pi-hole that queries OpenDNS...

so it would be 10.8.0.2 (client) -> 10.8.0.1 (VPN server) -> 10.0.1.2 (if you install OpenVPN on Luke) -> 10.0.1.15 (Roscoe) -> OpenDNS and then alllllll the way back to 10.8.0.2

For posterity and the benefit of future Googlers, here's the final outcome:

The local DHCP server (in Luke) is set to hand out Luke (10.0.1.2) and Beau (10.0.1.3) as DNS to wired and wi-fi clients in the house. Luke is a VM. Beau is physical.

A customer of mine can't keep his employees out of trouble, so I sold him the Raspberry Pi 3 that was running Pi Hole on Raspbian. I installed Ubuntu Server 18.04.2 64-bit on a new Hyper-V VM (1 CPU core, 800MB of RAM, set up as Gen 2, with an 8GB vhd) and set the hostname to Roscoe, IP to 10.0.1.15. I created an identical setup on a puny old physical semi-NUC (Shuttle XS35V3, Intel Atom D525, 4GB DDR3, and a spinning HDD), so that I could maintain my virtual/physical redundancy, named it Vance and set the IP to 10.0.1.16. I set up Pi Hole on both of them.

Roscoe and Vance use OpenDNS as their forwarders, and I set Luke to use Roscoe as its forwarder, then set Beau to use Vance as its forwarder. I reset my DHCP clients, and life turned pretty. No ads, no smut. I'll probably also set my firewall to only allow outbound traffic on port 53 to go to OpenDNS so that if one of my sons gets clever, he can't manually change the DNS on a device trying to google "boobs" or something.

Then I turned to mobile devices. I created another VM for Ubuntu Server, set up exactly the same as Roscoe, set the IP to 10.0.1.20, forwarded UDP port 1194 to it in my Pfsense firewall, and installed OpenVPN. I added the lines

push "route 10.0.1.0 255.255.255.0"
push "dhcp-option DNS 10.0.1.2"
push "dhcp-option DNS 10.0.1.3"

to /etc/openvpn/server.conf, and removed the line

push "redirect-gateway def1 bypass-dhcp"

I installed OpenVPN connect on my Samsung Note 9, imported the .ovpn file, disconnected from the wifi, and connected the VPN. Voila! By visiting speedtest.net and overriding to the desktop site, I had no ads and the reported IP was Verizon's, not the Suddenlink circuit at my house. internetbadguys.com and a random pron site were also blocked with an OpenDNS message. I disconnected the VPN for a test, and I got a screen full of nasty thumbnails and speedtest.net was once again splattered with ads. Throughput on the speedtest was nearly identical with or without the VPN connected (less than 2% difference in upload and download speeds).

I've already signed up for Comodo's free MDM service, which includes the ability to push an OpenVPN configuration and force devices to stay connected to it so mobile devices are still filtered when on mobile data or connected to a different wifi.

If someone sees a hole in this setup that I am unaware of, please speak up. Otherwise, I think I have it licked! Thank you for the help!

J
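The two server.conf variants in this thread (RamSet's full-tunnel block with `redirect-gateway`, and the split-tunnel block J ended with: a pushed LAN route, Luke and Beau as DNS, `redirect-gateway` removed) differ in one invariant that is easy to get wrong when editing by hand: in split mode the pushed DNS servers must sit inside a pushed route, otherwise the client has an address for a resolver it cannot reach. The lint below is an added example written for this thread, not code from any post and not an OpenVPN tool. The `server 10.8.0.0 255.255.255.0` line is assumed (the thread's 10.8.0.x addresses imply a /24 like it), and the third config is a hypothetical mistake included to show what the check catches, not something anyone in the thread posted.

```python
"""Lint the push directives of an OpenVPN server.conf for the two modes discussed in
the thread. Added example; not from any post and not part of OpenVPN."""
import re
from ipaddress import ip_address, ip_network

PUSH_RE = re.compile(r'^push\s+["\'](?P<opt>[^"\']+)["\']$')
SERVER_RE = re.compile(r"^server\s+(?P<net>\S+)\s+(?P<mask>\S+)")

# RamSet's full-tunnel block from the thread ("server" line assumed).
FULL_TUNNEL = """
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.0.1.2"
push "dhcp-option DNS 10.0.1.3"
"""

# J's final split-tunnel block: LAN route plus Luke/Beau as DNS, redirect-gateway removed.
SPLIT_TUNNEL = """
server 10.8.0.0 255.255.255.0
push "route 10.0.1.0 255.255.255.0"
push "dhcp-option DNS 10.0.1.2"
push "dhcp-option DNS 10.0.1.3"
# push "redirect-gateway def1 bypass-dhcp"
"""

# Hypothetical mistake (not from the thread): redirect-gateway dropped, no LAN route pushed.
SPLIT_NO_ROUTE = """
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.0.1.15"
"""


def parse_conf(conf):
    """Return (vpn_subnet or None, list of pushed option strings); '#' and ';' lines are comments."""
    pushes, vpn_net = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if (m := PUSH_RE.match(line)):
            pushes.append(m["opt"].strip())
        elif (m := SERVER_RE.match(line)):
            vpn_net = ip_network(f"{m['net']}/{m['mask']}", strict=False)
    return vpn_net, pushes


def pushed_routes(pushes):
    """Networks from 'route <net> <mask>' pushes."""
    nets = []
    for opt in pushes:
        p = opt.split()
        if p[0] == "route" and len(p) >= 3:
            nets.append(ip_network(f"{p[1]}/{p[2]}", strict=False))
    return nets


def pushed_dns(pushes):
    """Resolver addresses from 'dhcp-option DNS <ip>' pushes."""
    out = []
    for opt in pushes:
        p = opt.split()
        if len(p) == 3 and p[0] == "dhcp-option" and p[1].upper() == "DNS":
            out.append(ip_address(p[2]))
    return out


def lint(conf):
    """Return (mode, problems); mode is 'full-tunnel' if redirect-gateway is pushed, else 'split-tunnel'."""
    vpn_net, pushes = parse_conf(conf)
    routes, dns = pushed_routes(pushes), pushed_dns(pushes)
    full = any(opt.split()[0] == "redirect-gateway" for opt in pushes)
    problems = []
    if not dns:
        problems.append('no "dhcp-option DNS" pushed: clients keep the carrier or hotspot resolver and bypass Pi-hole')
    if not full:
        # In split mode only pushed routes go through the tunnel, so the resolver must be inside one.
        for d in dns:
            if not any(d in n for n in routes):
                problems.append(f"DNS server {d} is not inside any pushed route; split-tunnel clients cannot reach it")
    if vpn_net is not None:
        for n in routes:
            if n.overlaps(vpn_net):
                problems.append(f"pushed route {n} overlaps the VPN subnet {vpn_net}")
    return ("full-tunnel" if full else "split-tunnel"), problems


if __name__ == "__main__":
    for name, conf in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL), ("split-no-route", SPLIT_NO_ROUTE)):
        mode, problems = lint(conf)
        print(f"{name}: {mode}: {problems or 'ok'}")
```

Two things the lint cannot see but that matter for the split setup: the pushed route sends all traffic for 10.0.1.0/24 over the tunnel, not only DNS, which is what lets a remote client reach Jesse's web UI but also means "DNS only" is really "LAN only"; and replies from Luke and Beau have to get back to 10.8.0.x, so the VPN host must either NAT client traffic onto the LAN or the LAN must route the VPN subnet back to it.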
