PiHole in our company network (400-500 hosts and growing)

I just wanted to share my experience with PiHole in our organisation, since we currently might be the biggest company employing a PiHole machine in its network (as far as I've come across).

I've been using the PiHole in my personal network for around 6 months and have always been very happy with the results. That's why I wanted to test it in our company environment to see if we could optimize our internet connection. Since I am the lowest of 3 IT guys, my co-workers were a little reluctant to try something "free and open-source" for a network our size, especially since we have a lot of resources at our disposal and pretty high tech material.

Our company currently has 24 different sites (5 sites with their own servers), all connected to our main site (our provider doesn't call it a VPN, but it's basically a VPN). Every site is connected to the internet through our Squid proxy, so it has a lot of traffic to work with. I especially thought it would be interesting to block all ads because we only have a pretty lousy internet connection (2Mbps down, 5Mbps up according to speedtest). So with that many clients connected, freeing up just 1% of traffic would be a nice accomplishment.

I started experimenting a couple of weeks ago, trying different kinds of setups, but the most successful was also the easiest to set up. It's currently running on a virtual machine on our VMware vSphere with minimal resources (1 core, 512 MB RAM and just a 6 GB HDD) running Ubuntu 16.04.3 LTS x64 Server. I've been monitoring resources and this seems to be more than enough for it to work (haven't seen memory usage surpass 40%). It gets around 140,000 DNS requests per 24 hours on average.

Besides installing the PiHole I did not have to change anything about the machine (of course give it a fixed IP address, preferably in the main DNS subnet). I've only edited the hosts file so it knows which server is making the request (not necessary, but easier to read for a human). Of course I'm not using the built-in DHCP client since our network might be a little overkill for the little fella (and we already have multiple DHCP servers running, so don't fix what isn't broken!).
The only thing I did change was whitelist some Google pages, because if people can't click the first links Google suggests, they think something is broken...

After install I just set the PiHole as the sole forwarder in the main DNS servers, and then also changed the off-site DNS servers to point to the PiHole. Since all servers already use our main DNS servers as their DNS servers, this means 95% of DNS queries will come from our 2 main DNS servers.
This could be seen as a disadvantage because you can't trace the exact source of the request (should you see something strange), but from a privacy point of view I'm not against this. In the first 5 minutes of the PiHole running I noticed a couple of "meaty" websites, which I just decided to blacklist. But the PiHole is not really meant to do this kind of blocking on a large scale.

After around a week in use, I'm happy to say the PiHole is working perfectly. I've had exactly 0 complaints (also 0 compliments, but hey, that's not why we're in IT) and only 1 person (of around 2000 employees) noticed the PiHole blocking ads (he got the PiHole blocked page because one of our suppliers was using a tracker link in their mail). So the impact was minimal, but the internet works more smoothly. Buffering videos on YouTube and large pictures was sometimes problematic when everyone was on their break, but this has improved since the PiHole has been in use.

Just to sum up for every IT guy or gal wanting to try the PiHole in their business network... Just go for it. Just make sure the PiHole can update its lists before you set it up in the DNS server (so you're sure it has an internet connection), then change your DNS servers' forwarder to the PiHole, and you'll be surprised how easily you get accustomed to 99% ad-free internet. It uses minimal resources and, as far as I can tell, requires little to no maintenance.


Might I suggest you download all your lists locally, then change them to load locally, e.g. off the PiHole web server. (You may already do that.)

I run ~4 000 000 on a Raspberry Pi 3 B and there are large delays when whitelisting, blacklisting and updating.
Memory usage: 37.3 % of 1 G

Here is the post on what I have done; you are welcome to try them. The reason the second list is split is that the manual upload size to GitHub over my connection is limited to about 8-9 MB per file.
https://discourse.pi-hole.net/t/i-concatenated-every-blocklist-i-could-find/5184

:sunglasses:

I'm not really a fan of doing this blocking locally on computers. Like I said, we have been using a Squid proxy to block certain wildcard words, but after so many years a lot of people knew how to disable the proxy. If we start blocking things via local lists (hosts file), some people will still figure out how to get around this.

In a couple of months our firewall will get an upgrade and chances are we will start using OpenDNS for content filtering. Probably not the most waterproof system, but still requires less maintenance and not that easy to get around for the users.

If you are looking to get the functionality of monitoring individual devices in the Pi-hole UI, and still maintain your Active Directory DNS Lookups, there is a functional solution!

Just point all your DNS to the Pi-hole, and use the Pi-hole to forward the AD Domain.

@deathbybandaid

You mean setting all clients with the PiHole as DNS? So this is essentially a fix for the non-FQDN searches within a network.

I tried a couple of fixes when I started testing the setup, but non-FQDN was really unreliable... I was looking at a lot of DNS requests to the external DNS servers for local domain names, resulting in time-outs. This might be a fix for that, but I have since given up on doing so, and in our case it does not benefit that much. It's not really our intention to start logging users' behaviour, so our solution is a little bit more elegant with regard to privacy at work.
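As an added example (not from any poster in this thread), here is a small script that reads Pi-hole's dnsmasq-style query log and shows the two effects discussed above: how query volume concentrates on a few forwarding DNS servers (so the true client can't be traced), and how single-label (non-FQDN) names get forwarded to the external upstream. The log lines, client addresses and upstream address are constructed; the line format is assumed to match dnsmasq's `query[A] name from ip` / `forwarded name to ip` logging.

```python
import re
from collections import Counter

# Constructed sample in the style of dnsmasq's query log (/var/log/pihole.log).
# Addresses and names are made up; 10.0.0.10 and 10.0.0.11 play the role of
# internal DNS servers that forward everything to the Pi-hole.
SAMPLE_LOG = """\
Jan 10 09:00:01 dnsmasq[1234]: query[A] www.example.com from 10.0.0.10
Jan 10 09:00:01 dnsmasq[1234]: forwarded www.example.com to 1.1.1.1
Jan 10 09:00:02 dnsmasq[1234]: query[A] fileserver01 from 10.0.0.10
Jan 10 09:00:02 dnsmasq[1234]: forwarded fileserver01 to 1.1.1.1
Jan 10 09:00:03 dnsmasq[1234]: query[A] ads.tracker.example from 10.0.0.11
Jan 10 09:00:03 dnsmasq[1234]: /etc/pihole/gravity.list ads.tracker.example is 0.0.0.0
Jan 10 09:00:04 dnsmasq[1234]: query[AAAA] printer-2 from 10.0.0.11
Jan 10 09:00:04 dnsmasq[1234]: forwarded printer-2 to 1.1.1.1
Jan 10 09:00:05 dnsmasq[1234]: query[A] www.example.com from 10.0.0.10
Jan 10 09:00:05 dnsmasq[1234]: cached www.example.com is 93.184.216.34
Jan 10 09:00:06 dnsmasq[1234]: query[A] intranet.corp.example from 10.0.0.12
Jan 10 09:00:06 dnsmasq[1234]: forwarded intranet.corp.example to 1.1.1.1
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
FORWARD_RE = re.compile(r"forwarded (\S+) to (\S+)")


def analyse(log_text):
    """Return (queries per client, single-label names forwarded upstream)."""
    per_client = Counter()
    leaked = Counter()
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            per_client[q.group(3)] += 1  # group(3) is the querying client
            continue
        f = FORWARD_RE.search(line)
        # A name without a dot is a non-FQDN lookup that should have been
        # answered internally; forwarding it leaks internal host names upstream.
        if f and "." not in f.group(1):
            leaked[f.group(1)] += 1
    return per_client, leaked


def share_of_top_clients(per_client, n=2):
    """Fraction of all queries coming from the n busiest sources."""
    total = sum(per_client.values())
    top = sum(count for _, count in per_client.most_common(n))
    return top / total if total else 0.0
```

Run it against a real pihole.log to see whether your internal DNS servers dominate the client column and whether any bare host names are reaching the upstream resolver.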

Correct, it's just an option, and something I use in my homelab.

For home it probably is ideal if you don't use it as a DHCP server, but in a company I would suggest against it. I think logging users (or at least clients) individually might not really be allowed in some countries/organisations or need to be included in the contracts of employees (I don't know much about all these specifics, but have heard discussions like this).

I'm happy with the PiHole as is, if we need to start logging DNS origins we'll probably do this on our internal DNS servers since they have a lot more resources to work with.

Still, thanks for the advice!

I agree. We deployed two Pi-holes (for fallback, high availability) in our company network with roughly 200 clients over one year ago and everything is still running smoothly. Since the very first day, logging has been disabled altogether, so there is also nothing to be synchronized concerning statistics etc.

We use one of them as DHCP server and there is another Pi configured as DHCP-only server that is on standby in the cabinet for the unlikely case that the DHCP server dies and needs to be replaced while I'm traveling, etc.