Using Pi-hole for external DNS only

Hi all, I'm sorry if this has already been asked. I searched a bit for an answer, but was not able to find one.

Is it possible to use my router (running OpenWrt) as my DHCP server and DNS server for local DNS, while passing external DNS queries to my Pi-hole?

Thanks,
Aaron

Pi-hole can resolve local IPs that are mapped in /etc/hosts on the Pi. Would this suffice?

I'm hoping I can have it not resolve them, and *only* handle external addresses. Is that possible?

If your router can handle this, then the router can resolve what it needs to locally and forward the rest to Pi-hole.

Are you trying to set up a publicly accessible DNS server?

I would never open a Pi-hole to the www, as you could quickly run into query overload. Instead you can install a VPN server, like WireGuard, to which external clients can connect and use the Pi's VPN IP as the DNS server for them. Then the router can be configured to use any public DNS server for local clients.

EDIT: Ah I think I understand now, you mean you want Pi-hole as local DNS server, but only for public hostnames while local network hostnames should be resolved by the router?
Hmm, a client can only use one DNS server, falling back to an alternative only if that one is not reachable, AFAIK. So yeah, either the router needs to be configured as suggested or the clients' hosts files need to contain/overwrite the related local hostnames.

Not sure if Pi-hole can be configured to use a certain DNS nameserver for a certain hostname pattern? Would actually be nice. So e.g. *.local queries are sent to the router IP as "upstream" DNS while everything else is sent to another public DNS nameserver?

If I understand correctly, you are aiming for filtering public DNS queries while wanting to preserve your existing local hostname resolution.

Pi-hole does support this, and there would be two ways to address it.

a) configure Pi-hole as your router's upstream DNS server

Without Pi-hole, most routers will accept DNS queries from local clients, provide local hostnames as known, and forward any remaining DNS requests to its upstream DNS servers as provided by your ISP.

By replacing your router's upstream DNS servers with Pi-hole (and Pi-hole only), your router and clients behave just the same as before, while Pi-hole is providing its filtering capabilities.

In this scenario, since only your router is asking Pi-hole for DNS resolution, Pi-hole will see all DNS traffic as originating from your router (apart from its own queries). You do not have the ability to attribute DNS queries to a certain device in Pi-hole's statistics.

b) distribute Pi-hole as local DNS server via your router's DHCP with respective configuration options

When successfully distributing Pi-hole this way, your clients will ask Pi-hole (instead of your router) for DNS resolution. Since Pi-hole is oblivious of local hostnames as assigned by your router, it will either come back with an empty answer straight away, or it will forward those queries to its upstream servers, which also would not know any of your private names.

There are two ways to overcome this:
b.1) use your router as Pi-hole's solitary upstream DNS server
If you do this, you also need to uncheck Never forward reverse lookups for private IP ranges on Pi-hole's Settings | DNS panel.
Depending on how your router handles names, you may also uncheck Never forward non-FQDNs.
b.2) enable Conditional Forwarding

In both cases, you must not configure your router to use Pi-hole as upstream DNS - that would close a DNS loop, likely incapacitating DNS.

In this scenario, Pi-hole's statistics will show individual clients (as distinguished by a DNS request's IP address) with their respective local names.


Yeah Bucking_Horn that's exactly what I'm hoping to do (filter public DNS while preserving existing local hostname resolution.)

I think I was originally using (b.1): I had set my router (running dnsmasq) to use dhcp-option=6,<pi-hole-ip>, and then made my router the solitary upstream DNS server for pi-hole. But, that led to some confusing and unpredictable local hostname resolution behavior. I didn't uncheck Never forward reverse lookups for private IP ranges, though. Maybe that caused the confusing behavior?

What is Conditional Forwarding and how does it work? That sounds intriguing/promising.

Leaving that option checked would result in Pi-hole only showing IPs, as it wouldn't query your router for reverse lookups (as in What's the name for this IP address?).

Now, there are a few things that may cause irritations.

Quite likely, your router will append names by its local domain (or search suffix), so names will be longer than expected, e.g. a device labeled my-laptop will be shown as my-laptop.lan or similar.

Also, there may be multiple names associated with an IP address, and there is currently no way to influence which of these names will be picked up by Pi-hole, e.g. an Android phone may show up as androidgxhhe23hsn.lan despite you labeling it as my-smartphone in your router.

And as IPv6 addresses are calculated by a device autonomously (rather than centrally assigned by DHCP as with IPv4), neither Pi-hole nor your router may know their names, and your ISP may or may not have assigned a rather generic name for a device's global IPv6 address, often resembling an IP address prefixed or suffixed by an indication of your ISP's name.
If you have IPv6 enabled for your network, this may result in IPv6 addresses showing up in Pi-hole either directly or with those generic names.

But none of these possible irritations would cease if you switch to Conditional Forwarding.

By enabling Conditional Forwarding, you instruct Pi-hole to forward queries for local hostnames (as identified by your local domain name) and reverse lookups for local IP addresses (as derived from the target's IP) to a target DNS server at a specific IP address, commonly your router, while all other queries would be filtered and passed to Pi-hole's upstream DNS servers.

In effect, it is equivalent to using your router as Pi-hole's upstream, but would be preferred e.g. if you'd wish to use specific value adding local DNS services (e.g. unbound) as Pi-hole's upstream while still obtaining local names from another source.

You'll find Conditional Forwarding at the bottom of Pi-hole's Settings | DNS panel.
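As an added illustration (not Bucking_Horn's code and not Pi-hole's own implementation), the following Python models how Conditional Forwarding picks a destination for each query: names under the local domain and reverse lookups inside the configured CIDR go to the router, reverse lookups for other private ranges are answered locally while "Never forward reverse lookups for private IP ranges" stays checked, bare names are answered locally while "Never forward non-FQDNs" stays checked, and everything else goes to the regular upstream. The domain, CIDR, router and upstream values are constructed, and the handling of CIDRs that are not octet-aligned (split into several reverse zones) is my generalization.

```python
import ipaddress
# Constructed settings mirroring Pi-hole's Conditional Forwarding fields
LOCAL_DOMAIN = "lan"              # router's local domain / search suffix
LOCAL_CIDR = "192.168.1.0/24"     # local network covered by the router
ROUTER_IP = "192.168.1.1"         # conditional forwarding target
UPSTREAM = "1.1.1.1"              # Pi-hole's regular upstream (placeholder)
PRIVATE_V4 = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
def reverse_zones(cidr):
    """in-addr.arpa zone(s) covering a CIDR (what a dnsmasq rev-server line implies)."""
    net = ipaddress.ip_network(cidr, strict=False)
    octets = -(-net.prefixlen // 8)          # round prefix up to whole octets
    zones = []
    for sub in net.subnets(new_prefix=octets * 8):
        labels = str(sub.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones

def ptr_to_ip(name):
    """'1.1.168.192.in-addr.arpa' -> IPv4Address('192.168.1.1'), else None."""
    labels = name.split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(labels[:4])))
    except ValueError:
        return None

def route_query(qname, qtype, domain=LOCAL_DOMAIN, cidr=LOCAL_CIDR,
                router=ROUTER_IP, upstream=UPSTREAM,
                never_forward_private_ptr=True, never_forward_non_fqdn=True):
    """Where Pi-hole sends a query: router, upstream, or None (answered locally)."""
    name = qname.rstrip(".").lower()
    in_zone = lambda zone: name == zone or name.endswith("." + zone)
    if qtype == "PTR":
        if any(in_zone(z) for z in reverse_zones(cidr)):
            return router                    # reverse lookup inside the local CIDR
        ip = ptr_to_ip(name)
        if never_forward_private_ptr and ip and any(ip in n for n in PRIVATE_V4):
            return None                      # "Never forward reverse lookups ..." applies
        return upstream
    if in_zone(domain):
        return router                        # local hostname such as my-laptop.lan
    if never_forward_non_fqdn and "." not in name:
        return None                          # bare name: "Never forward non-FQDNs" applies
    return upstream

def dnsmasq_lines(domain=LOCAL_DOMAIN, cidr=LOCAL_CIDR, router=ROUTER_IP):
    """The two dnsmasq directives Conditional Forwarding corresponds to."""
    return [f"server=/{domain}/{router}", f"rev-server={cidr},{router}"]
```

Run route_query("my-laptop.lan", "A") against route_query("1.2.168.192.in-addr.arpa", "PTR") to see why a reverse lookup for an IP outside the configured CIDR never reaches the router.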

Nice! This sounds like exactly what I want. I’ll experiment with conditional forwarding. Just had a couple of follow-up questions:

By enabling Conditional Forwarding, you instruct Pi-hole to forward queries for local hostnames (as identified by your local domain name) and reverse lookups for local IP addresses (as derived from the target's IP) to a target DNS server at a specific IP address, commonly your router, while all other queries would be filtered and passed to Pi-hole's upstream DNS servers.

  1. So I would still advertise my Pi-hole as the DNS server via DHCP Option 6, but conditionally forward local traffic to my router?

  2. And would I choose another upstream for the Pi-hole, like Cloudflare? Or would I continue to set my router as the solitary upstream for Pi-hole?

  3. With conditional forwarding, how does the Pi-hole know which addresses are local?

See b) in my previous answer.

See b) in my previous answer, specifically

See my previous answer, specifically

Thanks for your help!

Does this

include

Because I use conditional forward but still see the appended suffix.
