Unifi Network Pi-hole configuration

Expected Behaviour:
I am trying to set up a Pi-Hole network wide. I tried following a YouTube video regarding this. Initially, I was able to follow to the point where, over ethernet, I set up the DNS server to the Pi-Hole (IP: 192.168.1.243). I was able to obtain an IP via the Pi-Hole, locally. I tested blacklisting sites and it worked.

Then, as instructed, I removed the local DNS server address that pointed to the Pi-Hole. Changed the name server in the Unifi settings for each of the LAN networks to point to the Pi-Hole address.

No device on any of the VLANs or the wired networks obtain an IP address from the Pi-Hole. Testing blacklisting doesn't yield any changes.

I reverted the Unifi settings back to normal and re-attempted setting up the DNS server locally, and now even that isn't working.

- RP4 hardware
- UniFi USG4Pro

Debug Token:

iwbyq1j97p

Thank you!

Are you trying to set Pihole as DNS server for your clients, or as DHCP server handing out IPs to the clients?

In case of DNS Server: After you have set pihole's IP as DNS server to be distributed by DHCP, you have to dis/reconnect each device once from the network to pick up the new settings.

@t0207

For each Corporate VLAN network, just enter the local IP address of the Pi-hole. In my case, I run redundant Pi-holes on my native LAN. For each of the VLANs whose hosts I want to use the Pi-holes for DNS servicing, I have the following set up:

You may also need to add FW rules, as required, to allow or deny access to the Pi-holes.

I am completely new to this.

I believe I am trying to use the pi-hole as a dns server. I am looking to achieve whole home ad blocking.

I have fixed the pi-hole at 192.168.1.243

I tried to change the DNS name server to this IP address. It doesn’t do anything. I disconnected my phone and reconnected to the network. I then tried to block a site via the pi-hole and it didn’t block anything. Same with a laptop reconnected to the network.

Is it possible my current firewall settings are not allowing the pi-hole access to do its job?

Ideally, I would like to have it work on a small vlan before trying to open it up across multiple vlans.

@t0207 The Pi-hole is not a DNS server, per se. Instead it is a DNS Proxy or Relay that first filters DNS requests, and then, submits the non-filtered requests to recursive DNS servers (of your choosing) over the Internet.

With UniFi HW, you only need to enter the local IP address of your Pi-hole in the Network settings in the UniFi Controller. It appears that your Pi-hole is located on the native LAN with the IP address that you provided in your post.

To keep this simple, you should test your Pi-hole with a host on that same native LAN to verify that it works. Have you done this already?

If I manually change the DNS settings for my laptop connected by ethernet to the native network (LAN) 192.168.1.xx, it originally worked. After I reverted this to the original settings (192.168.1.1, my USG4), I could not reproduce the Pi-hole working when I tried to manually change it again.

I reset my computer etc and it is now set to 192.168.1.1 for DNS on my laptop. I have it connected to the native network.

For my next step, should I change the DNS name server in the settings of UniFi to 192.168.1.243 (Pi-Hole IP Address) for the native network?

For reference, the clients connected to this network are my laptop, the Cloud KeyGen 2 Plus, the Pi-Hole, 6 UniFi cameras, the USG, 4 APs, and 3 UniFi switches.

Should I disable my firewall for now?

Thanks for your help.

@t0207
Is this laptop configured as a DHCP client, or are you assigning it a static local IP address? If the latter, reconfigure it as a DHCP client so that it will get its IP address from the DHCP service on your USG4.

Now, in the UniFi Controller, assign the IP address of your Pi-hole as the DNS server for the native Corporate LAN network. Only assign the Pi-hole. Remove any additional DNS servers you may have added to this network.

Restart the laptop or refresh its DHCP settings. Does it now show the Pi-hole as its DNS server? If they are both on the same network, it should.

Yes, I have it as DHCP. I changed the name server and the laptop now shows the router as the USG (192.168.1.1) and the Pi-Hole (192.168.1.243) as the DNS server. It appears to be blocking ads on the laptop. However, if I blacklist a site on the pi-hole admin console, it does not block the domain if I try to access it. It used to when I manually set the DNS server for the laptop previously. Is it not supposed to be able to do this?

If you access a domain on a client and block it afterwards in pihole, the client might still be able to resolve the domain for a certain amount of time because it uses its own cache before querying pihole again.

I tried using an incognito browser and also a separate browser, and it still was able to access the sites.

@t0207
Unfortunately, I do not have access to your debug results.

So, let's double-check that your Pi-hole is working.

First, using Terminal (macOS) or the Command Prompt (Windows), enter the following command: nslookup pi.hole

Then test for a known blocked domain: nslookup flurry.com

If both of these were successful, your Pi-hole is working.
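The two nslookup checks above (and the earlier question of whether the laptop now shows the Pi-hole as its DNS server after a DHCP refresh) can be turned into a small script. The following is an added example, not code from this thread or from the Pi-hole project. It assumes the Pi-hole is still at 192.168.1.243 as stated in the thread, and the sample outputs it classifies are constructed to match the formats nslookup prints on macOS.

```shell
#!/bin/sh
# Added example, not part of the original thread: classify nslookup output to
# answer two questions: is the client actually talking to the Pi-hole, and did
# the Pi-hole block the domain?
# Assumption: the Pi-hole still sits at 192.168.1.243 as in the thread.
PIHOLE_IP=192.168.1.243

# classify_nslookup reads nslookup output on stdin and prints one word:
#   not-pihole        the "Server:" line names another resolver (e.g. the USG),
#                     so DHCP did not hand the Pi-hole out as DNS server
#   nxdomain          no answer; from the Pi-hole this can also mean "blocked"
#                     when the Pi-hole is configured for BLOCKINGMODE=NXDOMAIN
#   pihole-reachable  pi.hole resolved to the Pi-hole's own address
#   blocked           the answer is 0.0.0.0, the Pi-hole's default block reply
#   allowed           a real upstream address came back, nothing was blocked
classify_nslookup() {
    out=$(cat)
    server=$(printf '%s\n' "$out" | awk '/^Server:/ { print $2; exit }')
    if [ "$server" != "$PIHOLE_IP" ]; then
        echo not-pihole
        return 0
    fi
    if printf '%s\n' "$out" | grep -q 'NXDOMAIN'; then
        echo nxdomain
        return 0
    fi
    # The first "Address:" line is the server itself; answers follow "Name:".
    name=$(printf '%s\n' "$out" | awk '/^Name:/ { print $2; exit }')
    answers=$(printf '%s\n' "$out" | awk '/^Name:/ { seen = 1; next } seen && /^Address:/ { print $2 }')
    if [ -z "$answers" ]; then
        echo nxdomain
    elif [ "$name" = pi.hole ] && [ "$answers" = "$PIHOLE_IP" ]; then
        echo pihole-reachable
    elif [ "$answers" = 0.0.0.0 ]; then
        echo blocked
    else
        echo allowed
    fi
}

# Live use: "check_dns flurry.com" asks whatever resolver the OS got from DHCP;
# "check_dns flurry.com $PIHOLE_IP" bypasses DHCP and asks the Pi-hole directly.
check_dns() {
    nslookup "$1" $2 2>&1 | classify_nslookup
}

# Constructed samples (not captured from a real network) in macOS nslookup format.
sample_pihole() {
cat <<'EOF'
Server: 192.168.1.243
Address: 192.168.1.243#53

Name: pi.hole
Address: 192.168.1.243
EOF
}

sample_allowed() {
cat <<'EOF'
Server: 192.168.1.243
Address: 192.168.1.243#53

Non-authoritative answer:
Name: flurry.com
Address: 212.82.100.153
Name: flurry.com
Address: 74.6.136.153
Name: flurry.com
Address: 98.136.103.26
EOF
}

sample_blocked() {
cat <<'EOF'
Server: 192.168.1.243
Address: 192.168.1.243#53

Name: flurry.com
Address: 0.0.0.0
EOF
}

sample_wrong_server() {
cat <<'EOF'
Server: 192.168.1.1
Address: 192.168.1.1#53
** server can't find pi.hole: NXDOMAIN
EOF
}

for s in sample_pihole sample_allowed sample_blocked sample_wrong_server; do
    printf '%-20s %s\n' "$s" "$($s | classify_nslookup)"
done
```

Run it on a client as-is to see the four classifications, then call `check_dns flurry.com` on each VLAN: `not-pihole` means the DHCP-supplied resolver is still the USG, `allowed` means the Pi-hole answered but did not block (for example because blocking is disabled), and `blocked` is the result you want.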

MacBook-Pro:~ ***$ nslookup pi.hole
Server: 192.168.1.243
Address: 192.168.1.243#53

Name: pi.hole
Address: 192.168.1.243

MacBook-Pro:~ ***$ nslookup flurry.com
Server: 192.168.1.243
Address: 192.168.1.243#53

Non-authoritative answer:
Name: flurry.com
Address: 212.82.100.153
Name: flurry.com
Address: 74.6.136.153
Name: flurry.com
Address: 98.136.103.26

Does the above mean it is working?

@t0207
The first result verified that your laptop can find and use the Pi-hole. However, the second result shows that the site was not blocked.

The Moderators will need to assist you as they have access to the debug file that you provided them.

Please post a fresh debug token. The original has expired.

https://tricorder.pi-hole.net/68znlyb42u

thank you

Are you able to assist with the token I provided? Thank you

Pi-hole is not blocking because you have it disabled:

BLOCKING_ENABLED=false

That sounds like an easy fix. Is it somewhere on the admin page, or done via SSH?

I tried SSH and typed the command pihole enable.

Blocking has an “i” in the box

It can also be done on the admin page.

I was able to get it to block flurry.com on testing. It returned 0.0.0.0. This was connected by ethernet to the native network.

I then set the name server to 192.168.1.243 for another VLAN which I use for my personal devices and connect by wifi.

I restarted my computer. It does not look like the VLAN network is communicating with the pihole.
I tried nslookup pi.hole and it returns:

MacBook-Pro:~ ***$ nslookup pi.hole
Server: 192.168.1.1
Address: 192.168.1.1#53
** server can't find pi.hole: NXDOMAIN

I have turned off all firewall rules in case this was the issue, but it's the same.

Of note, I am able to ping pi-hole (192.168.1.243) from the laptop connected to wifi via private vlan (192.168.10.12) and I am able to ping the computer via ssh connected to the pi-hole.

Lastly, if I set the name server as the pi-hole for the VLAN and connect via ethernet to this vlan, it does state that the DNS server is the pi-hole. However, there is no internet connectivity. I cannot ping the pi-hole.