I just found PiHole yesterday and in less than 24 hours of use, I’m quite impressed - I’ve been using uBlock Origin and Ghostery, which have worked well for the most part, but they are detectable - since putting PiHole in, uBlock and Ghostery haven’t had much to do, and one site in particular that nags you about having an ad blocker no longer does.
On to my question.
I have a Windows domain that has both domain-joined clients as well as non domain-joined clients (Android phones, tablets, Linux-based RPis and such). Right now I have it set up so that all of my clients look to my DCs for DNS, and those in turn are pointed at the PiHoles (I have two networks connected via VPN with a DC and PiHole at each location). This is working great, with one exception - obviously, PiHole only sees the requests as coming from the DCs, so I have no view on which clients are doing what.
Windows domains are touchy about DNS - I did read a thread when I searched where a person had set their clients to use both their DC and a PiHole (presumably with the PiHole going right out to a public DNS server) for DNS. This is bad and should never be done, and it can cause weirdness that would have you pulling your hair out trying to figure out if you've never seen it before. Windows domain members should ALWAYS be using Windows DCs for DNS. Before I actually try it and potentially cause issues, I wanted to see if anyone has done it this way first: Is there any reason I couldn't point all clients, the DCs included, at the local PiHole, and then have the PiHole set to only forward to the DCs' DNS servers, with the DCs' DNS servers making the final hop out to public DNS for final resolution? In theory, this should work without issue, making sure that the DCs are the last stop before going to public servers and have the chance to resolve anything they can, while preserving proper domain DNS function.
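The chain proposed above (client -> PiHole -> DC -> public resolver), as an added example that is not from the original post: the DC-side forwarder setting plus the checks a domain-joined client can run through the PiHole before the change is rolled out. Every address, the AD domain name and the blocked test name are placeholders I am assuming; on the PiHole side it assumes the upstream DNS servers are set to the DC addresses only (PiHole v5 stores these as PIHOLE_DNS_1/PIHOLE_DNS_2 in /etc/pihole/setupVars.conf).

```powershell
# Placeholder values - replace with your own.
$Domain   = 'corp.example'                 # AD DNS domain name (placeholder)
$PiHoleIP = '10.0.1.20'                    # local PiHole (placeholder)
$Upstream = @('9.9.9.9', '149.112.112.112')  # public resolvers the DCs forward to (placeholder)

# --- On each DC (DnsServer module). The DCs stay authoritative for the AD zones and
# are the last hop before public DNS, so only they get forwarders; the PiHole must
# NOT be listed here, or you recreate the client -> PiHole -> DC -> PiHole loop.
Import-Module DnsServer
Set-DnsServerForwarder -IPAddress $Upstream -UseRootHint $false
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint

# --- On a domain-joined client pointed at the PiHole: verify the whole chain.
function Test-ResolverChain {
    param([string]$Server, [string]$AdDomain, [string]$BlockedName)
    $results = [ordered]@{}
    # 1. AD-internal SRV records must resolve THROUGH the PiHole. If this fails, the
    #    PiHole is not forwarding to the DCs and domain logons/GPO will break.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV `
                           -Server $Server -ErrorAction SilentlyContinue
    $results['AD_SRV_via_pihole'] = [bool]($srv | Where-Object Type -eq 'SRV')
    # 2. A name on the PiHole blacklist should come back as 0.0.0.0
    #    (PiHole v5 default NULL blocking mode; adjust if you use another mode).
    $blk = Resolve-DnsName -Name $BlockedName -Type A -Server $Server -ErrorAction SilentlyContinue
    $results['Blocked_returns_null'] = [bool]($blk | Where-Object { $_.IPAddress -eq '0.0.0.0' })
    # 3. A public name resolves, proving the PiHole -> DC -> upstream hop works end to end.
    $pub = Resolve-DnsName -Name 'example.com' -Type A -Server $Server -ErrorAction SilentlyContinue
    $results['Public_via_chain'] = [bool]($pub | Where-Object Type -eq 'A')
    return $results
}
# 'ads.example.net' is a placeholder for a name you have added to the PiHole blacklist.
Test-ResolverChain -Server $PiHoleIP -AdDomain $Domain -BlockedName 'ads.example.net'
```

Once clients query the PiHole directly, its query log shows their IPs; enabling PiHole's conditional forwarding (reverse lookups for your LAN range sent to a DC) makes that log show the AD hostnames instead.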