Upstream DNS question

Hi - I have a pihole server that serves my whole network, but I also have a separate locked-down VLAN for retro computing. On that VLAN I have a second pihole that handles local DNS for the hostnames of all the retro computers on the network.

The firewall is set up so anything on my internal network can connect INTO the retro VLAN, but the retro VLAN cannot connect to my internal network.

I have the retro PiHole instance set as an upstream DNS server on the internal one, hoping I could use that to look up local hosts on the retro VLAN from the internal, without having to duplicate the entries - but it doesn't seem to try to query the upstream for queries that it doesn't find.

This is the upstream config on the internal:

And this is the difference when I query a host on the internal vs the VLAN instance:

Is there a way to tell pihole to check the upstream server any time a host isn't found?

I think you have 2 options:

  • Set up Conditional Forwarding from the Main Pi-Hole to the Retro Pi-Hole
  • Enable Forwarding Local Domain Extensions to the Upstream Retro DNS Server

But...

IMHO the best is to have just 1 Pi-Hole with some VLAN Interfaces on it and bind only FTLDNS to all of them while keeping the WebGUI only on the Main eth0 Interface :slight_smile:

I have been doing that for years and it works very well :+1: :+1:

Ah perfect - I think conditional forwarding is perfect for what I need.
Yea I fully recognize the right way to do it would be to have one instance serving both VLANs - but with things like IRIX and SunOS and HP/UX machines from the 90s-00s, I'm just not gonna take any risk of them being able to touch ANYTHING on my real network :wink:

Whatever you want, but it has become super easy to setup Pi-Hole with VLAN Interfaces since Pi-Hole v6 because it binds DNS to ALL Interfaces by default and then you only need to bind the WebGUI to the Main Interface if you don't want all VLANs to be able to access it :sunglasses: :grimacing: :+1: :+1:

Noticing you used pismo.local in your sample lookups, you should be aware that the .local TLD is reserved for mDNS protocol usage and should not be mixed with plain DNS.

An mDNS-aware host may register its name with any other mDNS-capable host on the same link as somehostname.local, allowing you to ping or ssh using that name (while DNS lookups for that name would fail).

mDNS only ever allows resolution among mDNS-aware hosts, i.e. it does not work on or for a host without mDNS software.


Adding to that:

  • The officially assigned TLD for a LAN network is .internal (see the Wikipedia article on .internal)
  • My suggestion however is to use .lan like Pi-Hole does by default because it looks less silly :slight_smile:
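An added example, not code from this thread or from the Pi-hole project, that models the two points made above: what Conditional Forwarding from the main Pi-hole to the retro Pi-hole actually does (it is dnsmasq's `server=/domain/ip` and `rev-server=subnet,ip` directives, so forward lookups under the retro domain and reverse lookups for the retro subnet go to the retro resolver), and why a `.local` name never reaches a unicast upstream at all. The addresses 192.168.50.2 and 192.168.50.0/24, the domain retro.lan, the public upstream 9.9.9.9 and the hostnames are constructed assumptions; the routing function imitates dnsmasq's longest-suffix precedence but is a model, not dnsmasq itself.

```python
"""Added example (not code from this thread or from Pi-hole): models how
Pi-hole's Conditional Forwarding routes a query, and why .local names are
excluded. Every address, subnet and name below is a constructed assumption."""
import ipaddress

# Constructed topology: the main Pi-hole on the internal LAN forwards queries
# for the retro VLAN's domain to the Pi-hole living on that VLAN. The firewall
# lets the internal LAN talk INTO the retro VLAN, so this direction works.
RETRO_DNS = "192.168.50.2"        # assumption: retro VLAN Pi-hole
RETRO_SUBNET = "192.168.50.0/24"  # assumption: retro VLAN address range
RETRO_DOMAIN = "retro.lan"        # assumption: domain the retro Pi-hole answers for
PUBLIC_UPSTREAM = "9.9.9.9"       # assumption: the usual public resolver
MDNS_GROUP = "224.0.0.251:5353"   # mDNS multicast address and port (RFC 6762)


def reverse_zone(cidr: str) -> str:
    """in-addr.arpa zone covering an IPv4 network. This model only handles
    octet-aligned prefixes (/8, /16, /24), which is the common home case."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen % 8:
        raise ValueError("this model only handles /8, /16 and /24 subnets")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_name(ip: str) -> str:
    """Name that a reverse (PTR) lookup of an IPv4 address actually queries."""
    return ipaddress.ip_address(ip).reverse_pointer


def conditional_forwarding_lines(domain: str, cidr: str, server: str) -> list:
    """dnsmasq directives equivalent to Pi-hole's Conditional Forwarding setting:
    send names under `domain` and reverse lookups inside `cidr` to `server`."""
    return [f"server=/{domain}/{server}", f"rev-server={cidr},{server}"]


def forwarding_map(domain: str, cidr: str, server: str) -> dict:
    """Zone -> upstream table that those two directives produce."""
    return {domain: server, reverse_zone(cidr): server}


def route_query(qname: str, fmap: dict, default_upstream: str) -> tuple:
    """Decide where a query goes: mDNS for anything under .local, otherwise the
    upstream of the longest matching zone suffix (dnsmasq's server=/zone/ip
    precedence), falling back to the default upstream for everything else."""
    name = qname.rstrip(".").lower()
    if name == "local" or name.endswith(".local"):
        return ("mdns", MDNS_GROUP)
    best_zone, best_server = None, default_upstream
    for zone, server in fmap.items():
        if name == zone or name.endswith("." + zone):
            if best_zone is None or len(zone) > len(best_zone):
                best_zone, best_server = zone, server
    return ("forward", best_server)


if __name__ == "__main__":
    for line in conditional_forwarding_lines(RETRO_DOMAIN, RETRO_SUBNET, RETRO_DNS):
        print(line)
    fmap = forwarding_map(RETRO_DOMAIN, RETRO_SUBNET, RETRO_DNS)
    for q in ("pismo.retro.lan", ptr_name("192.168.50.7"), "example.com", "pismo.local"):
        print(f"{q:32} -> {route_query(q, fmap, PUBLIC_UPSTREAM)}")
```

Running it prints the two dnsmasq lines and then shows that a name under retro.lan and a PTR lookup for a retro address go to 192.168.50.2, an ordinary public name goes to the default upstream, and pismo.local is handed to mDNS, which is why a plain DNS lookup for it fails no matter how forwarding is configured.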
