I have an existing bind9 dns server running that is properly configured for forward and reverse zones (for local domain). I also have my dhcp server sending clients the proper configuration options for dns.
My setup works like this:
dhcp -> clients -> bind -> dnscrypt -> dns server
I would like to to do the following:
dhcp -> clients -> bind -> pihole -> dnscrypt - > dns server
basically, I want pihole to come after my local dns server, so as to only invoke pihole for domains that are not resolvable by my local dns zones.
I am trying to start dnsmasq, but it want's to start on port 53, which is obviously already taken. What is the proper bind configuration to forward to pihole, and how do i get dnsmasq to start on a different port (like 5353).
edit /etc/dnsmasq.conf, uncomment the port setting, set to whatever port you want.
I used : 5353
edit /etc/dnsmasq.d/01-pihole.conf
server=127.0.0.1#54 ( basically, forward all requests to dnscrypt listener that's already configured).
edit /etc/pihole/setupVars.conf
comment out all PIHOLE_DNS entries
edit /etc/bind/named.conf.options (change your forwarder from the default of 127.0.0.1 port 54 (if you were using dnscrypt), to pihole which is now listening on dnsmasq port 5353
forwarders {
127.0.0.1 port 5353;
};
restart all services. voila.
Basic flow diagram is like this:
local client -> local dns server instance bind running on 53 --> pihole running on 5353 --> dnscrypt on port 54 --> final dns server
I would not do it this way as your pi-statistics all be missing a lot of data from dns requests handled locally. I'd put pi-hole first in the chain and local dns afterwards for this reason.
Thank You Komrad, although a bit late in replying, you are indeed correct. Although the configuration works as previously described, my statistics are off, since all the queries appear to be coming from a single host.
Easiest to install bind9 (DNS) first, but you don't have to except the default dns port will be in use. If not just shut down the pihole-FTL services. Set up bind9 and verify local domains. In my case I have a point to point vpn that I have to resolve internal (private) domains on. I followed a standard forwarding name server setup for bind for slave zones. I also set my master servers to allow transfer to slaves. Important so the zones transfer.
As Lcstyle says above:
Go ahead and install - pihole-FTL will run - but be in conflict for the port until you change the settings.
"edit /etc/dnsmasq.conf, uncomment the port setting, set to whatever port you want.
I used : 5353" #Me too - worked fine.
Modify:
edit /etc/dnsmasq.d/01-pihole.conf
server=192.68.1.2#54 #the actual ip of the pi first
server=127.0.0.1#54 #basically, forward all requests to dnscrypt listener that’s already configured
"edit /etc/pihole/setupVars.conf
comment out all PIHOLE_DNS entries" # yes worked fine
Modify to add both the 127 local and whatever the ip is of your pi.
/etc/bind/named.conf.options
forwarders {
192.168.1.2 port 5353;
127.0.0.1 port 5353;
};
There really should be a way in the config to ask if you are using bind9 as a local DNS server. Its quite common to setup forwarders etc and would be very common in a small or even large office.
Seems to work ok so far but will test 24 hours before I move more of my clients over on my Ubiquiti AP / Security gateway / POE switch. Please feel free to comment if I am missing anything obvious.
I do see multiple clients query data in the interface. When I tried it as written above all queries came from the localhost.
netstat -tulpn shows:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:4711 0.0.0.0:* LISTEN 3061/pihole-FTL
tcp 0 0 0.0.0.0:5353 0.0.0.0:* LISTEN 3061/pihole-FTL
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1846/lighttpd
tcp 0 0 192.168.1.2:53 0.0.0.0:* LISTEN 2869/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2869/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2869/named