Pi-hole integration with Windows Active Directory

I am new to Pi-Hole, and Linux, and have great hope for Pi-Hole on my home network.

Problem Statement
I am having multiple issues. One is the setup of Pi-Hole within an Active Directory environment. I currently have all desktops set up to have two DNS entries, the first points to the physical AD server, and the second points to the VM backup DC. The AD DNS servers have a forwarder record set up that points to the Pi-hole server. Name resolution seems to work as expected. I am seeing two issues. 1) I am still seeing ads. 2) Pi-Hole seems to be registering all DNS queries/lookups to the AD DNS Servers instead of the clients that actually made the requests.

Home Network Details
My home network consists of a Hyper-V server, which is running several Windows Server 2016 VMs plus a headless Ubuntu 20.04 VM with Pi-hole. I also have 2 Active Directory domain controllers that all networked computers are a member of, as well as the other Windows Server 2016 VMs. The DCs consist of one physical, separate server as the primary and a VM that acts as a backup domain controller. Before installing Pi-hole all workstations were issued IP addresses from my gateway DHCP server. The DNS that was issued consisted of AD Primary, AD Secondary, then two Google DNS servers (8.8.8.8 and 8.8.4.4). The AD DNS servers had forwarders set up to the root hints.
Everything worked well.

What I have changed since installing Pi-hole:
After Pi-hole, my DHCP server (not using Pi-hole's) issues DNS servers of ONLY the two DCs, and the DC DNS servers have a single forwarder to the Pi-hole server and the use of root hint servers is disabled. So DNS resolution should go to the DC DNS server; if it can't resolve it, it should forward to Pi-hole. Name resolution seems to work except for the problems I explained above. Pi-hole has Google set up as the upstream DNS servers, and since I am not using Pi-hole DNS I have set the "Use Conditional Forwarder" option in Pi-hole and specified my gateway and AD domain name. Other than the creation of some groups all other settings are default.

My Actual Questions

  1. Is this the proper configuration for my environment?
  2. Why is Pi-Hole not registering the actual clients when requests are forwarded? Should it?
  3. Why am I still seeing ads? My expectations are that all ads should go away, is that wrong?

Any thoughts or suggestions would be greatly appreciated.

Thank you!

The answer to this lies in the eye of the beholder.

There is no single best configuration for setting up Pi-hole. I'd deem any working configuration as proper, and Pi-hole can be set up to filter your DNS requests in a variety of ways.

Depending on your circumstances and personal preferences, you may decide on a set of configuration options another user wouldn't want to use, or couldn't use due to some external restrictions (like a router that allows only upstream DNS configuration).

We can try to highlight benefits and disadvantages of the options that most likely matter to you.
You may also refer to Pi-hole's online documentation. Specifically, one of the most basic choices is how you introduce Pi-hole into your network.

No, not the way you've configured it.
As I understand it, you are forwarding DNS requests from your AD DNS servers to Pi-hole, hence all DNS requests reaching Pi-hole will originate from those servers (this also means that Conditional Forwarding wouldn't help here).

In order to associate DNS queries to individual clients, you'd have to change the DNS forwarding chain in your network, e.g. by configuring your clients to use Pi-hole as DNS, and have Pi-hole forward requests to your AD DNS servers.

Note that client-based filtering (as introduced with Pi-hole 5.0) is only possible for clients as identified by Pi-hole via a DNS request's origin IP address.

Pi-hole's filtering works at the DNS level. It can either block resolution of a domain name (e.g. ads.content.com) or return its associated IP addresses (e.g. for www.content.com).
Any unwanted content that is delivered via the same domain as the content you want to access (e.g. www.content.com/ads/picture.jpg) cannot be blocked by Pi-hole, unless you are willing to also block that content altogether (i.e. block www.content.com).

Note that while Pi-hole provides the mechanism for blocking, it's ultimately still your decision what to block.
The default blocklists that you can opt to use during installation will provide an adequate level of filtering.
In case you find that your favourite sites are still showing ads, you can match Pi-hole to your individual browsing behaviour, by adding whole blocklists, a regex to block several domains matching a pattern, or a specific domain (How do I determine what domain an ad is coming from? will help you identify candidates for the latter).
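The two points made in the answer above (which source address Pi-hole records depending on where it sits in the forwarding chain, and why a filter that only sees query names cannot block a path on an otherwise wanted domain) can be shown with a small model. The code below is an added example, not Pi-hole's or Windows DNS Server's code and not part of the original thread; the addresses, the AD domain name `corp.example`, the blocklist entries and the upstream answer are constructed for the illustration. It replays the poster's original chain (clients → DC → Pi-hole) and the alternative the answer suggests (clients → Pi-hole → AD DNS for the AD domain only) and reports which client addresses Pi-hole's log ends up containing.

```python
"""Model of the two DNS forwarding chains discussed in the thread.

Constructed addresses (assumptions for this example, not from the thread):
  192.168.1.10              AD domain controller / DNS, authoritative for corp.example
  192.168.1.20              Pi-hole
  192.168.1.50, .51         workstations
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

AD_IP, PIHOLE_IP = "192.168.1.10", "192.168.1.20"
CLIENTS = ["192.168.1.50", "192.168.1.51"]
AD_ZONE = "corp.example"


@dataclass
class LogEntry:
    client: str   # source IP of the packet as Pi-hole sees it
    domain: str
    status: str   # "blocked", "conditional" (sent to AD DNS) or "forwarded" (upstream)


class PiHole:
    """Domain-level filter: it sees only (source IP, query name), never a URL path."""

    def __init__(self, exact, regex, ad_dns=None):
        self.exact = set(exact)
        self.regex = [re.compile(r) for r in regex]
        self.ad_dns = ad_dns      # conditional-forwarding target for the AD domain
        self.log = []

    def decide(self, domain):
        if domain in self.exact or any(r.search(domain) for r in self.regex):
            return "blocked"
        if self.ad_dns is not None and (domain == AD_ZONE or domain.endswith("." + AD_ZONE)):
            return "conditional"
        return "forwarded"

    def query(self, src_ip, domain):
        status = self.decide(domain)
        self.log.append(LogEntry(src_ip, domain, status))
        if status == "conditional":
            return self.ad_dns.query(PIHOLE_IP, domain)
        return "0.0.0.0" if status == "blocked" else "203.0.113.7"  # constructed upstream answer

    def clients_seen(self):
        return sorted({e.client for e in self.log})


class AdDns:
    """Authoritative for AD_ZONE; everything else goes to its forwarder, if one is set."""

    def __init__(self, ip, forwarder=None):
        self.ip = ip
        self.forwarder = forwarder

    def query(self, src_ip, domain):
        if domain == AD_ZONE or domain.endswith("." + AD_ZONE):
            return AD_IP                     # constructed: answered from its own zone
        if self.forwarder is None:
            return "SERVFAIL"
        # The forwarded packet carries the DC's own address as source, not the client's.
        return self.forwarder.query(self.ip, domain)


BLOCKLIST = ["ads.content.com"]                # constructed blocklist entry
REGEX = [r"(^|\.)doubleclick\.net$"]           # constructed regex entry
QUERIES = ["ads.content.com", "www.content.com", "stats.doubleclick.net", "dc1.corp.example"]


def chain_dc_first():
    """Clients -> DC -> Pi-hole -> upstream (the poster's original setup)."""
    pihole = PiHole(BLOCKLIST, REGEX)
    dc = AdDns(AD_IP, forwarder=pihole)
    for client in CLIENTS:
        for q in QUERIES:
            dc.query(client, q)
    return pihole


def chain_pihole_first():
    """Clients -> Pi-hole -> (AD DNS for corp.example | upstream for everything else)."""
    dc = AdDns(AD_IP)                          # no forwarder: avoids a loop back to Pi-hole
    pihole = PiHole(BLOCKLIST, REGEX, ad_dns=dc)
    for client in CLIENTS:
        for q in QUERIES:
            pihole.query(client, q)
    return pihole


def dns_name_for_url(url):
    """What a resolver is actually asked: only the host part of a URL, never the path."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    print("DC first, clients in Pi-hole's log:", chain_dc_first().clients_seen())
    print("Pi-hole first, clients in Pi-hole's log:", chain_pihole_first().clients_seen())
    print("DNS sees:", dns_name_for_url("https://www.content.com/ads/picture.jpg"))
```

In the DC-first chain the only client address Pi-hole ever logs is the DC's, which is also why conditional forwarding cannot recover the real client: it can only map that one address to the DC's hostname. In the Pi-hole-first chain every workstation appears under its own address, and only `corp.example` names are handed to the AD DNS. The last line makes the filtering limit concrete: a request for `www.content.com/ads/picture.jpg` reaches Pi-hole as a query for `www.content.com`, so it can only be blocked together with the whole host.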

Thank you for your reply. Gives me a few things to think about.
As of now, I have changed my configuration a bit. I have completely disabled forwarding on my AD DNS Servers. I have changed the IP DNS servers assigned by DHCP to include my two AD DNS servers first and then Pi-hole. This has resolved the issue of the clients not showing in Pi-Hole. I will let it run for a while to determine what else I may be seeing and determine if it is sufficient.

Again, thank you.