New - Want to add Pi-Hole along with my current Bind9 DNS

Hi,

I'm new here and fairly new to DNS as well. I want to add Pi-hole alongside my current DNS (Bind9).

I was thinking of adding the Pi-hole first (front line) for all DNS so that the statistics are monitored/graphed properly, and then have it forward/recurse to the Bind9, which then forwards out.

Essentially like this:

client -> pi-hole -> bind9 -> internet.

I know I need to ultimately change the Bind9 port from 53 to, say, 54 before I can proceed to install/use Pi-hole, but I'm not sure of the exact steps/commands.

Further, I have 3 DNS servers (Bind 9.10; Debian 9). One is the master (which also has the DHCP), and the other two are slaves/caching/recursive. I'd like to ultimately install Pi-hole on the two slave/caching/recursive servers.

Starting with only one of the slaves first, when I tried to change the listen-on port to 54 and restarted, it seemed to work okay; however, it was then not getting any notify/update messages. I thought this portion would be using port 953, but I guess not.

Which commands/files need to be updated on the slave(s) and/or master to allow notify/updates and zone transfers while having the two slaves ultimately on port 54, to free up 53 for Pi-hole?

Once successful, afterwards I'll likely need help to set up/install Pi-hole and have it be able to forward to the Bind9 slaves as well :frowning:

If I'm still up for a challenge after that, perhaps dnscrypt after Bind: client -> pi-hole -> bind9 -> dnscrypt -> internet

Any help and advice would be great!

Regards,

Jamar666
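As an added example (not from the original post or from the Pi-hole project), here is the pair of named.conf fragments that the question above is asking for. NOTIFY messages and zone transfers (AXFR/IXFR) are ordinary DNS traffic on the server's listening port; port 953 is only rndc's control channel, so changing nothing there is expected. Moving the slave's `listen-on` to 54 is only half the job: by default the master derives its NOTIFY targets from the zone's NS records and sends to port 53, which is exactly the port Pi-hole's FTL will own on the slave, so the master must be told explicitly to notify port 54. The zone name `corp.example`, the file paths and the 192.0.2.x addresses are placeholders for this example.

```conf
// ---- master (192.0.2.1, stays on port 53; placeholder addresses) ----
options {
    directory "/var/cache/bind";
    listen-on port 53 { any; };
    // Outbound NOTIFY and transfer traffic leaves from here; nothing
    // on the master needs to move, only where it sends NOTIFY.
};

zone "corp.example" {
    type master;
    file "/etc/bind/db.corp.example";
    // Notify only the addresses listed in also-notify. The NS-record
    // derived list would target port 53, where Pi-hole sits on the slaves.
    notify explicit;
    also-notify { 192.0.2.2 port 54; 192.0.2.3 port 54; };
    allow-transfer { 192.0.2.2; 192.0.2.3; };
};

// ---- slave (192.0.2.2, BIND moved to port 54 so Pi-hole can take 53) ----
options {
    directory "/var/cache/bind";
    listen-on port 54 { any; };
    listen-on-v6 port 54 { any; };
    // The slaves are also the caching/recursive resolvers; keep recursion
    // limited to the LAN so the moved port does not become an open resolver.
    recursion yes;
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };
};

zone "corp.example" {
    type slave;
    file "/var/cache/bind/db.corp.example";
    // The master is still on 53; "port 53" is the default, shown for clarity.
    // Refresh queries and AXFR/IXFR go from this slave to that address.
    masters { 192.0.2.1 port 53; };
};
```

After editing, run `named-checkconf` on both hosts and restart named. On the slave, `ss -ulnp | grep ':54'` should show named on 54 and nothing on 53 yet; `dig @192.0.2.2 -p 54 SOA corp.example +short` confirms it answers there. To test the notify path without waiting for a change, run `rndc notify corp.example` on the master and watch the slave's log for the "received notify for zone" line, or force a pull with `rndc retransfer corp.example` on the slave. DHCP dynamic updates are sent only to the master and are not affected by the slaves' port change.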

I have several DNS servers on the internal network. The lab servers forward to the production servers. The production servers forward to a single pihole instance. The pihole instance then forwards to one other server, which runs bind9 and some rpz zones for additional malware/c&c blocking. I would think you want one pihole instance and have a similar forwarding topology....

Cheers!

I'd agree except I think having two pi-holes for redundancy is a good thing. It even helps during the system updates when DNS is off line for a while. Just peek at your cron files to make sure the installer picked different update times and tweak if necessary.

Of course, if you can't stand a maintenance window..... but I can rebuild the entire install in under 10 mins. My environment is not that sensitive (with maintenance scheduled at appropriate times).

Cheers!

10 minutes is a lifetime if the spouse is looking over your shoulder and mentioning how important whatever she was doing was and how I need to make an SD card reload faster.

Getting kicked out of bed to "go fix something" because she can't see her tennis scores in the middle of the night when the update process kicks off isn't great either.

A second Pi was a very good investment! If I was supporting more than family here I wouldn't have considered not putting up two or three in the first place. If I'd read more initially I'd probably have just done two to start with to keep things happy here.


I can temporarily change the forwarding used by the LAN client DNS servers if those 10 minutes occur at an inconvenient time. I can also edit the cron job to run at a time convenient for everyone, we aren't a 24/7 shop. I run pihole as a VM in production, a full recovery takes about 4 minutes :slight_smile:

Cheers.

Regardless of how many Pi-holes one may choose to have, how could I ultimately change the port my Bind is running on (not just query) so that on the same server I can install Pi-hole while still maintaining zone transfers/updates/notify from my master Bind server?

See page 169.

Changing bind's port is in named.conf, or potentially other configuration files, depending on your distribution. I would recommend you run pihole on a separate box/instance, otherwise you are going to have problems when your slaves try to update and reach dnsmasq instead of bind.
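As an added example (not from this thread or from the Pi-hole project), this is the Pi-hole side of a co-located setup once BIND has been moved to port 54 on the same host. Pi-hole's FTL (a dnsmasq fork) binds to 53, and its upstream entries accept a non-default port with the `ip#port` syntax. The addresses, the `corp.example` zone and the 192.0.2.0/24 LAN are placeholders.

```conf
# /etc/pihole/setupVars.conf (read by the installer and by "pihole -r")
# Upstream 1 is the BIND slave on this same box, now listening on 54.
PIHOLE_DNS_1=127.0.0.1#54
# Upstream 2 is the other BIND slave, also moved to 54 (placeholder address).
PIHOLE_DNS_2=192.0.2.3#54

# /etc/dnsmasq.d/02-local-zones.conf (dnsmasq syntax; Pi-hole leaves this
# file alone on update). Keeps the internal zone and its reverse lookups on
# BIND, so names registered by DHCP still resolve through Pi-hole.
server=/corp.example/127.0.0.1#54
rev-server=192.0.2.0/24,127.0.0.1#54
```

Two checks tell the layers apart on the slave: `dig @127.0.0.1 -p 53 www.corp.example` goes through Pi-hole and should appear in its query log, while `dig @127.0.0.1 -p 54 www.corp.example` hits BIND directly and should not. The caveat the reply above raises still holds: anything that reaches the slave on port 53 because it was not told about 54 (a NOTIFY derived from NS records, a client or monitor configured by hostname) lands on FTL rather than BIND, so the master's also-notify entries must carry the port, and FTL's log is the first place to look when a transfer stops arriving.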
