Pi-Hole Docker Plus OPNSense + Zimbra Collaboration Server

Operating system: Ubuntu 20.04.5 Server
Hardware: Intel Xeon

We have tried to implement pi-hole a few times but ran into issues historically. Came back to it after about 3 years and started again.

We have a high-performance NAS server running Ubuntu 20.04.5 and docker with a lot of spare headroom so we used that as the Docker host.

We installed the latest image just over a week ago. It ran up fine and we started the configuration.

We have been running OPNSense for many years. It was providing DNS and DHCP services for the LAN.

Initially, we implemented pi-hole and turned on DNS and DHCP, recreated the static leases etc. and pointed OPNSense at Pi-Hole in general settings. We disabled OPNSense DHCP and turned off dnsmasq. So the only DHCP/DNS service on the LAN was from pi-hole and OPNSense was using pi-hole as its upstream server. Pi-Hole was using 1.1.1.1 and 8.8.8.8 as its upstream servers.

We had some challenges getting PXE booting working but eventually pieced an answer together from various posts here and on the dnsmasq site.

It seemed to work fine and websites etc. seemed noticeably snappier. However, our Zimbra server could not get any dns service and was timing out.

After many many hours of googling and searching we gave up. It didn't really make sense. We set the masterdnsiP in zimbra pointing at pi-hole and soft and hard reboots but alas we could not get it to work. It was as if somewhere the IP of the OPNSense server was still in there somewhere.

If we put 1.1.1.1 and 8.8.8.8 in the OPNSense general settings and started OPNSense dnsmasq it would burst into life and all was well. So in that case DHCP clients would get pi-hole as the DNS and others would get OPNSense and Zimbra would be using OPNSense.

So we then did the config as set out in the blog on OPNSense and Pi-Hole and then the extra config needed to enable unbound using 5335 which is in various posts but the part 2 article looks like it never got written.

That way to the Zimbra server it looks like OPNSense is the primary DNS server and all is well. However, it is slow! Noticeably slow at the browser compared to when we were using pi-hole directly and bypassing OPNSense for DHCP and DNS.

I appreciate we just made the DNS cycle more complex as now it's Client>OPNSense>Pi-Hole>[Unbound]>Upstream

Instead of client>pi-Hole>upstream

But it really seems sluggish as a service.

Any suggestions to tweak the config of OPNSense or PI-Hole would be appreciated as it is doing a great job and seems to be blocking around 7% of the traffic we don't want.

Cheers
Tony

This reads more like a historical account of past endeavours to introduce Pi-hole.

In order to help you, we'd need a current description of your issue, including a debug token as suggested by our template.

In the meantime, what's the output of the following commands when run from your offending Zimbra server?

nslookup pi.hole
nslookup flurry.com

Firstly thanks for responding.

Yes, you are correct it was a heuristic process to get it running.

The first one returns the pi-hole host address from the local 127.0.0.1 server; the second returns 0.0.0.0 from the local 127.0.0.1 server.

It is working generally and seems sluggish although I am still working through how to read the various logs and understand them.

The zimbra server is taking the longest route. Zimbra>OPNSense Dnsmasq>Pi-Hole>OPNSense Unbound [local or upstream]>zimbra

Rather than what we had hoped zimbra>pi-hole>[local/upstream]>zimbra

Ideally, we wanted to run pi-hole as the DNS and DHCP server for the lan and turn off OPNSense DNS/DHCP etc.

Cheers
Tony

Yes, I am aware of this and referenced it in my note. This is Part 1; Part 2 never happened and I managed to piece the rest together from other forum posts. If all you do is follow part 1 then you will not get it working correctly, as without unbound there are issues.

Cheers
Tony

That 127.0.0.1 server would mean that your Zimbra server is not using Pi-hole for DNS, but a local DNS resolver instead.
The replies are as expected and would suggest that the local DNS resolver is forwarding DNS requests to your Pi-hole directly, or somewhere in its upstream resolution chain.

But you seem to describe DNS as working?
I still fail to see what your issue is about.

Zimbra is running on Ubuntu Server. As you know, it uses a local stub resolver that forwards queries. So yes, it is answering and getting its answers from, we are assuming, the following chain.

Zimbra>OPNSense dnsmasq>Pi-Hole>OPNSense Unbound>

Not sure what is returning the actual answer. Is it Unbound directly to Zimbra or back through the chain?

The issue is DNS is sluggish. Noticeable wait on browsing sites etc.

We have it configured as per the blog and post guides on here.

OPNSense dnsmasq is configured, DHCP issues OPNSense dnsmasq as the server, General settings points to Pi-Hole and that points to OPNSense Unbound on 5335.

Did we config it wrong?

Cheers
Tony
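
An added example, not part of the original thread: a Python script that sends the same A query to each resolver in the chain described above and times the reply, so the hop that adds the delay can be identified. The addresses in `HOPS` are placeholders, and it is assumed that each hop accepts UDP queries from the machine running the script.

```python
import socket
import struct
import time

# Placeholder addresses (RFC 5737 range); substitute your own. Labels follow the thread.
HOPS = [
    ("OPNSense dnsmasq", "192.0.2.1", 53),
    ("Pi-hole", "192.0.2.2", 53),
    ("OPNSense Unbound", "192.0.2.1", 5335),
]
QUERY_ID = 0x1234

def build_query(name):
    """Encode a recursive A/IN question for `name` in RFC 1035 wire format."""
    header = struct.pack(">HHHHHH", QUERY_ID, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def time_hop(host, port, name, timeout=3.0):
    """Return (milliseconds, rcode, answer_count) for one UDP query, or None on failure."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        try:
            sock.sendto(build_query(name), (host, port))
            reply, _ = sock.recvfrom(4096)
        except OSError:  # timeout, refused port, unreachable host
            return None
        elapsed_ms = (time.perf_counter() - start) * 1000
    if len(reply) < 12:
        return None
    reply_id, flags, _qd, ancount = struct.unpack(">HHHH", reply[:8])
    if reply_id != QUERY_ID or not flags & 0x8000:  # must be a response to our query
        return None
    return elapsed_ms, flags & 0x000F, ancount

def measure(hops, name, repeats=2):
    """Time every hop `repeats` times; the first run is usually uncached, later ones cached."""
    report = {}
    for label, host, port in hops:
        runs = [time_hop(host, port, name, timeout=3.0) for _ in range(repeats)]
        report[label] = [None if r is None else round(r[0], 1) for r in runs]
    return report

if __name__ == "__main__":
    for label, timings in measure(HOPS, "example.com").items():
        print(f"{label:18} {timings} ms")
```

A hop whose first timing is high but whose second is low is slow only on cache misses; a hop that reports `None` did not answer within the timeout.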
