Pi-hole's DHCP service should announce different DNS to clients

Please follow the template below; it will help us to help you!

Expected Behaviour:

Pi-hole's DHCP service must announce a different DNS server to clients.

Actual Behaviour:

Pi-hole's DHCP service announces Pi-hole's own IP as the DNS server to clients.

Debug Token:

llnlt32ffs

This is not the expected behavior. The expected behavior is that Pi-Hole provides itself as DHCP to clients, so they will route DNS through Pi-Hole.

There is a method to use an alternate DNS for individual clients, but this is not the default Pi-Hole behavior.

To do this, Pi-Hole must be the DHCP server. These threads provide guidance.

Will this work?
Creating the file /etc/dnsmasq.d/05-custom.conf:

# DNS (option 6): dnsmasq takes multiple values separated by commas, not spaces
dhcp-option=6,10.0.0.1,10.0.0.2
# NTP server (option 42)
dhcp-option=42,10.0.0.1
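As an added example (not from the thread or the Pi-hole project), a small Python linter for dhcp-option lines like the fragment above: it checks that multiple values are comma-separated as dnsmasq expects, and whether DHCP clients would still end up with Pi-hole itself as their resolver (option 6 missing, or set to 0.0.0.0, which dnsmasq expands to its own address). The sample fragment is a constructed copy of the one posted, and the option-name table is limited to the two options used here.

```python
import ipaddress

# Constructed sample modelled on the fragment posted above. The DNS line
# separates its two servers with a space; dnsmasq wants a comma there.
SAMPLE_CONF = """\
# DNS
dhcp-option=6,10.0.0.1 10.0.0.2
# NTP Server
dhcp-option=42,10.0.0.1
"""
FIXED_CONF = SAMPLE_CONF.replace("10.0.0.1 10.0.0.2", "10.0.0.1,10.0.0.2")
# Symbolic names dnsmasq accepts for the two option codes used here.
OPTION_NAMES = {"dns-server": 6, "ntp-server": 42}

def lint_dhcp_options(text):
    """Parse every dhcp-option line; return ({code: [values]}, [errors])."""
    options, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("dhcp-option="):
            continue
        fields = [f.strip() for f in line[len("dhcp-option="):].split(",")]
        while fields and fields[0].startswith("tag:"):  # optional tag:<name> selectors
            fields.pop(0)
        opt = fields[0] if fields else ""
        if opt.startswith("option:"):
            code = OPTION_NAMES.get(opt[len("option:"):])
        else:
            code = int(opt) if opt.isdigit() else None
        if code is None:
            errors.append(f"line {lineno}: unknown option {opt!r}")
            continue
        values = fields[1:]
        for v in values:
            if " " in v:
                errors.append(f"line {lineno}: values must be comma-separated, got {v!r}")
            elif code in (6, 42):  # both options carry IPv4 address lists
                try:
                    ipaddress.IPv4Address(v)
                except ValueError:
                    errors.append(f"line {lineno}: {v!r} is not an IPv4 address")
        options[code] = values
    return options, errors

def clients_would_use_pihole(text):
    """True when clients still get Pi-hole as resolver: option 6 absent (dnsmasq
    then advertises its own address) or 0.0.0.0, which dnsmasq expands likewise."""
    servers = lint_dhcp_options(text)[0].get(6)
    return servers is None or "0.0.0.0" in servers
```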

What are you trying to achieve? Redirecting DNS and DHCP to another non-Pi-hole server negates the Pi-hole server. No need to install Pi-hole if that is the only goal?

Actually, this is true.
However, I have installed the identity management system "FreeIPA", which provides a DNS server.

In the config of FreeIPA I have defined a forwarder to Pi-hole.

As DHCP is running on Pi-hole too, I need to provide a DNS server other than Pi-hole to every DHCP client.

Are your IPA DNS servers hidden masters (auth only and only for your zone) or do they fully recurse? If they recurse and answer all queries for the clients you may find that just using Pi-hole as is and then point Pi-hole to use the IPA's BIND as the upstream works as well and gives you back the dashboard.

I'm not sure if I understand you correctly.
My current understanding of the setup is this:

  1. The client sends a DNS request to IPA.
  2. The server checks whether the request is for the local domain.
  3. If the request is for any other domain, IPA forwards it to Pi-hole.
  4. Pi-hole serves the request if no blacklist rule applies.

Where's my mistake / misunderstanding?

If this is the way you have it set up and it works, why do you need Pi-Hole to offer different DNS to clients? The only client that Pi-Hole would see in this setup is IPA. The remaining clients would have IPA for their DNS server.

Well, in this setup the DHCP server should provide the DNS IP of IPA to the clients.
However, I'm not sure if this is the best solution.
Do you have another recommendation?

Got it. I misunderstood the traffic flow and forgot that Pi-Hole is your DHCP server.

What happens when you use Pi-Hole as the primary DNS and have it use IPA as the upstream server (the reverse of how you have it now)?

The big question is how bind is configured. Is it only allowed to answer queries for your local domain and to not answer internet-accessible domains / pass non-local domains to bind's upstream? Or is it configured to answer all queries (local ones from its internal database/files, and recursively look up non-local domains)?

If bind only knows how to answer local domain queries then your current configuration is what you will have to do, but you will lose the dashboard as all queries to Pi-hole will come from only the bind server's IP address. If bind recurses then you can have it set as the upstream to Pi-hole. You gain back the dashboard and Pi-hole sees queries from the client IP address.


Well, you address exactly the questions that I was asking myself, too.
Based on the discussion in another thread regarding "cloudflared configuration" I have come to the conclusion that it makes sense to configure FreeIPA as the DNS upstream server.
In my understanding of FreeIPA this should be possible by using the "forward" feature. Hereby any request that cannot be served by the internal DNS, meaning any external domain, would be served by the forward IP address (representing a public DNS server).

What I don't know up to now is if FreeIPA's DNS is working as a recursive DNS server as pointed out by DanSchaper.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.