piHole with local bind9 and isc-dhcpd-server

I have an existing bind9 dns server running that is properly configured for forward and reverse zones (for local domain). I also have my dhcp server sending clients the proper configuration options for dns.

My setup works like this:

dhcp -> clients -> bind -> dnscrypt -> dns server

I would like to do the following:

dhcp -> clients -> bind -> pihole -> dnscrypt -> dns server

Basically, I want pihole to come after my local dns server, so as to only invoke pihole for domains that are not resolvable by my local dns zones.

I am trying to start dnsmasq, but it wants to start on port 53, which is obviously already taken. What is the proper bind configuration to forward to pihole, and how do I get dnsmasq to start on a different port (like 5353)?

1 Like

I got it working.

Basically, very simple.

edit /etc/dnsmasq.conf, uncomment the port setting, set to whatever port you want.
I used: 5353

edit /etc/dnsmasq.d/01-pihole.conf
server=127.0.0.1#54 (basically, forward all requests to the dnscrypt listener that’s already configured).

edit /etc/pihole/setupVars.conf
comment out all PIHOLE_DNS entries

edit /etc/bind/named.conf.options (change your forwarder from the default of 127.0.0.1 port 54, if you were using dnscrypt, to pihole, which is now listening on dnsmasq port 5353):

    forwarders {
        127.0.0.1 port 5353;
    };

Restart all services. Voilà.

Basic flow diagram is like this:

local client -> local dns server instance bind running on 53 --> pihole running on 5353 --> dnscrypt on port 54 --> final dns server

2 Likes

I would not do it this way as your pi-statistics will be missing a lot of data from dns requests handled locally. I’d put pi-hole first in the chain and local dns afterwards for this reason.

Thank You Komrad, although a bit late in replying, you are indeed correct. Although the configuration works as previously described, my statistics are off, since all the queries appear to be coming from a single host.

Hi,

Could you post detailed settings or step-by-step how to implement this?

local client -> pihole running on 53 --> local dns server instance bind running on 5353 --> dnscrypt on port 54 --> final dns server

I’ve been searching all over the internet for the last 5 days and I couldn’t find good and complete instructions on how to do this.

tks

To clarify:

Easiest to install bind9 (DNS) first, but you don’t have to, except the default DNS port will be in use. If not, just shut down the pihole-FTL services. Set up bind9 and verify local domains. In my case I have a point-to-point VPN that I have to resolve internal (private) domains on. I followed a standard forwarding name server setup for bind for slave zones. I also set my master servers to allow transfer to slaves. Important so the zones transfer.

As Lcstyle says above:

Go ahead and install - pihole-FTL will run - but be in conflict for the port until you change the settings.

“edit /etc/dnsmasq.conf, uncomment the port setting, set to whatever port you want.
I used : 5353” #Me too - worked fine.

Modify:
edit /etc/dnsmasq.d/01-pihole.conf
server=192.168.1.2#54 #the actual ip of the pi first
server=127.0.0.1#54 #basically, forward all requests to dnscrypt listener that’s already configured

“edit /etc/pihole/setupVars.conf
comment out all PIHOLE_DNS entries” # yes worked fine

Modify to add both the 127 local and whatever the ip is of your pi.
/etc/bind/named.conf.options

forwarders {
192.168.1.2 port 5353;
127.0.0.1 port 5353;
};

There really should be a way in the config to ask if you are using bind9 as a local DNS server. It’s quite common to set up forwarders etc. and would be very common in a small or even large office.

Seems to work ok so far but will test 24 hours before I move more of my clients over on my Ubiquiti AP / Security gateway / POE switch. Please feel free to comment if I am missing anything obvious.

I do see multiple clients query data in the interface. When I tried it as written above all queries came from the localhost.

netstat -tulpn shows:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:4711 0.0.0.0:* LISTEN 3061/pihole-FTL
tcp 0 0 0.0.0.0:5353 0.0.0.0:* LISTEN 3061/pihole-FTL
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1846/lighttpd
tcp 0 0 192.168.1.2:53 0.0.0.0:* LISTEN 2869/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2869/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2869/named
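
Added example, not part of the original posts: a shell function that audits `netstat -tulpn` output against the chain described in this thread. The port-to-daemon mapping (named on 53, pihole-FTL on 5353) is an assumption taken from the posts; `audit_listeners` and `SAMPLE` are illustrative names. WILDCARD marks a chain port bound to every interface, which means clients can query that daemon directly instead of going through the resolver in front of it.

```shell
#!/bin/sh
# audit_listeners [MAP]: read `netstat -tulpn` output on stdin, one finding per line.
# MAP is a space-separated list of port=program pairs (default is an assumption
# based on this thread). Findings:
#   OK        expected daemon owns the port
#   MISMATCH  another program owns a chain port
#   WILDCARD  chain port is bound to 0.0.0.0, :: or *
#   MISSING   no listener found for a chain port
audit_listeners() {
  awk -v expect="${1:-53=named 5353=pihole-FTL}" '
    function emit(tag, port, prog,   k) {
      k = tag " " port " " prog
      if (!(k in printed)) { printed[k] = 1; print k }   # report each finding once
    }
    BEGIN {
      n = split(expect, pairs, " ")
      for (i = 1; i <= n; i++) {
        split(pairs[i], kv, "="); order[i] = kv[1]; want[kv[1]] = kv[2]
      }
    }
    $1 ~ /^(tcp|udp)/ {
      port = $4; sub(/^.*:/, "", port)        # text after the last colon
      host = $4; sub(/:[^:]*$/, "", host)     # text before the last colon
      if (!(port in want)) next               # not part of the resolver chain
      prog = $NF; sub(/^[0-9]+\//, "", prog)  # "3061/pihole-FTL" -> "pihole-FTL"
      seen[port] = 1
      emit(prog == want[port] ? "OK" : "MISMATCH", port, prog)
      if (host == "0.0.0.0" || host == "::" || host == "*")
        emit("WILDCARD", port, prog)
    }
    END {
      for (i = 1; i <= n; i++)
        if (!(order[i] in seen)) print "MISSING " order[i] " " want[order[i]]
    }
  '
}

# Constructed sample: the listener lines quoted in the post above.
SAMPLE='tcp 0 0 127.0.0.1:4711 0.0.0.0:* LISTEN 3061/pihole-FTL
tcp 0 0 0.0.0.0:5353 0.0.0.0:* LISTEN 3061/pihole-FTL
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1846/lighttpd
tcp 0 0 192.168.1.2:53 0.0.0.0:* LISTEN 2869/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2869/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2869/named'

printf '%s\n' "$SAMPLE" | audit_listeners
```

On a live host, run `netstat -tulpn | audit_listeners` as root so the PID/Program name column is populated.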