Just an update. It took me a while to figure out that all those queries for those two Brother printers do come from just one PC. I have hard-coded the printers' IP addresses in the host file, which cleans things up a little. All other Apple devices that AirPrint on both printers do not have this problem.
It works for both printers, one with IP, the other attached to the Raspberry.
However, the web GUI of Pi-hole is still not working, but since we can do pretty much everything from the command line, it is not that important.
Probably you have configured your router WAN/Internet DNS setting to point to Pi-hole.
So currently DNS queries go like so:
client --> router --> Pi-hole --> upstream configured DNS server(s)
What you want is to have the clients query Pi-hole directly, e.g.:
client --> Pi-hole --> upstream configured DNS server(s)
That way Pi-hole will log the client IP instead of the router IP, which will make searching the database or log files for who does what much easier.
Preferred is to have your router distribute the Pi-hole IP for DNS via DHCP.
Methods 1 or 2 in below FAQ:
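The difference between the two query paths described above is visible in Pi-hole's own log. As an added example (not part of the original post), this bash sketch counts queries per source address; both logs are constructed samples in dnsmasq's log format, and 192.168.1.1 is assumed to be the router.

```bash
#!/usr/bin/env bash
# Added example: who is Pi-hole attributing queries to?
# Both logs below are constructed samples in dnsmasq log format;
# 192.168.1.1 stands in for the router, 192.168.1.5x for LAN clients.

log_via_router() {   # client --> router --> Pi-hole
cat <<'EOF'
Mar  3 10:15:01 dnsmasq[7445]: query[A] example.com from 192.168.1.1
Mar  3 10:15:01 dnsmasq[7445]: forwarded example.com to 192.0.2.53
Mar  3 10:15:02 dnsmasq[7445]: query[AAAA] example.org from 192.168.1.1
Mar  3 10:15:03 dnsmasq[7445]: query[A] ads.example.net from 192.168.1.1
Mar  3 10:15:04 dnsmasq[7445]: query[PTR] 50.1.168.192.in-addr.arpa from 192.168.1.1
EOF
}

log_direct() {       # client --> Pi-hole
cat <<'EOF'
Mar  3 11:20:01 dnsmasq[7445]: query[A] example.com from 192.168.1.50
Mar  3 11:20:01 dnsmasq[7445]: reply example.com is 192.0.2.10
Mar  3 11:20:02 dnsmasq[7445]: query[A] ads.example.net from 192.168.1.50
Mar  3 11:20:03 dnsmasq[7445]: query[AAAA] example.org from 192.168.1.51
Mar  3 11:20:04 dnsmasq-dhcp[7445]: DHCPACK(eth0) 192.168.1.52 b8:27:eb:00:00:01 tablet
Mar  3 11:20:05 dnsmasq[7445]: query[A] example.com from 192.168.1.52
Mar  3 11:20:06 dnsmasq[7445]: query[A] example.org from 192.168.1.50
EOF
}

# stdin: log lines. stdout: "<count> <client>" per client, busiest first.
# Only "query[TYPE] <name> from <ip>" lines are counted.
client_counts() {
  awk 'NF >= 4 && $(NF-1) == "from" && $(NF-3) ~ /^query\[/ { n[$NF]++ }
       END { for (c in n) print n[c], c }' | sort -k1,1nr -k2,2
}

# stdin: log lines. stdout: "<top client> <percent> <verdict>".
# Verdict is "single-source" when one address asks at least $1 percent
# (default 90) of all queries, which is what a router in the path looks like.
attribution() {
  client_counts | awk -v t="${1:-90}" '
    { total += $1; if (NR == 1) { top = $2; topn = $1 } }
    END { if (!total) { print "none 0 no-queries"; exit }
          pct = int(topn * 100 / total)
          print top, pct, (pct >= t ? "single-source" : "per-client") }'
}

log_via_router | attribution
log_direct     | attribution
```

Against a live install the same functions can be fed from /var/log/pihole.log, the log file used elsewhere in this thread.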
You're absolutely right, who needs a web GUI
Most all can be done from good old trusted bash:
pi@ph5:~ $ pihole -h
Usage: pihole [options]
Example: 'pihole -w -h'
Add '-h' after specific commands for more information on usage
Whitelist/Blacklist Options:
-w, whitelist Whitelist domain(s)
-b, blacklist Blacklist domain(s)
--regex, regex Regex blacklist domains(s)
--white-regex Regex whitelist domains(s)
--wild, wildcard Wildcard blacklist domain(s)
--white-wild Wildcard whitelist domain(s)
Add '-h' for more info on whitelist/blacklist usage
Debugging Options:
-d, debug Start a debugging session
Add '-a' to enable automated debugging
-f, flush Flush the Pi-hole log
-r, reconfigure Reconfigure or Repair Pi-hole subsystems
-t, tail View the live output of the Pi-hole log
Options:
-a, admin Web interface options
Add '-h' for more info on Web Interface usage
-c, chronometer Calculates stats and displays to an LCD
Add '-h' for more info on chronometer usage
-g, updateGravity Update the list of ad-serving domains
-h, --help, help Show this help dialog
-l, logging Specify whether the Pi-hole log should be used
Add '-h' for more info on logging usage
-q, query Query the adlists for a specified domain
Add '-h' for more info on query usage
-up, updatePihole Update Pi-hole subsystems
Add '--check-only' to exit script before update is performed.
-v, version Show installed versions of Pi-hole, Web Interface & FTL
Add '-h' for more info on version usage
uninstall Uninstall Pi-hole from your system
status Display the running status of Pi-hole subsystems
enable Enable Pi-hole subsystems
disable Disable Pi-hole subsystems
Add '-h' for more info on disable usage
restartdns Full restart Pi-hole subsystems
Add 'reload' to update the lists and flush the cache without restarting the DNS server
Add 'reload-lists' to only update the lists WITHOUT flushing the cache or restarting the DNS server
checkout Switch Pi-hole subsystems to a different GitHub branch
Add '-h' for more info on checkout usage
arpflush Flush information stored in Pi-hole's network tables
pi@ph5:~ $ pihole -a -h
Usage: pihole -a [options]
Example: pihole -a -p password
Set options for the Admin Console
Options:
-p, password Set Admin Console password
-c, celsius Set Celsius as preferred temperature unit
-f, fahrenheit Set Fahrenheit as preferred temperature unit
-k, kelvin Set Kelvin as preferred temperature unit
-e, email Set an administrative contact address for the Block Page
-h, --help Show this help dialog
-i, interface Specify dnsmasq's interface listening behavior
-l, privacylevel Set privacy level (0 = lowest, 4 = highest)
My router Orbi does not allow dnsmasq setup. I won't be able to enable the DHCP 6 option on Orbi. There is a possibility to hack Orbi using telnet but it is a little too involved.
Based on my reading, I can still enable Pihole as DHCP and disable Orbi's DHCP. But I am afraid it is a little beyond what I can handle.
But there is a but.
If Pi-hole doesn't do DHCP, for example your router does that, Pi-hole won't be able to do reverse PTR lookups to figure out the hostnames that belong to device IPs on your LAN:
pi@ph5:~ $ host 10.0.0.220 localhost
Using domain server:
Name: localhost
Address: ::1#53
Aliases:
220.0.0.10.in-addr.arpa domain name pointer laptop.dehakkelaar.nl.
When a client negotiates a DHCP lease with the router, the client advertises its own hostname to the DHCP server:
And as most routers, or so-called smart routers, also run their own caching DNS service, PTR and A records get created/added automatically for devices that acquire IP details through DHCP.
So only the DHCP device knows of these hostnames.
For that, Pi-hole got the "Conditional Forwarding" option that can be configured via the web GUI:
pi@ph5:~ $ sudo netstat -nltup | grep 'Proto\|:67 '
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:67 0.0.0.0:* 7445/pihole-FTL
You can check the logs for client activity with the below:
grep dnsmasq-dhcp /var/log/pihole.log
Or tail the logs live:
tail -F /var/log/pihole.log | grep dnsmasq-dhcp
P.S. Activate the DHCP service on Pi-hole first, before disabling the one on the router!
This is because some routers re-initialize their interfaces when changing settings, causing the clients to briefly lose connection and prematurely try to acquire a DHCP lease while no DHCP service is active yet.
Also you'll have to renew DHCP leases on all the clients.
Usually disconnecting and reconnecting them does that.
I think I get what you are doing. From your setup, you probably do not even have a router in between. I really like it but I probably will not follow this route because if the Raspberry fails, the whole family will be totally blind.
I wish I could just set Orbi DNSMasq to option 6. I will keep digging a little more and see if I can get it done...
Thanks for your input. It has been fun learning from all of you.
For 1, I saw discussions about it before. I guess we just leave it alone.
For 2, it seems to be Amazon AWS related; should I blacklist it?
For 3, there seems to be a problem. It seems to be a self reverse referencing for 192.168.1.22. But I did not find a device with that IP on my network.
Any suggestions?
Also, about DHCP on the RPi, I might want to set it up and run it for a few weeks so that I understand what domains each device hits. Blacklist a few if I have to. And then turn it back to DHCP on Orbi. My concern is that if I am not at home, my family won't be able to just unplug/plug Orbi to fix some network problems (if DHCP is on the RPi). Is my understanding correct?
Yes, I made the change. I have a few legacy static IPs to take care of and then set up a strip of DHCP zone that has about 140 IPs controlled by the RPi now. It has been a few days. It is running stable. Thanks for helping to get this done, so that I can target each IP and see what is going on. This way, I found Orbi marked a Nintendo Switch as a MacBook, which had me worried about having a mysterious device connected to our network.
Also, I have a regex domain question. If I need to open up a different discussion, please let me know.
I am still working on blocking YouTube ads. I used a regex expression:
r[0-9]---sn-[a-z0-9]*.googlevideo.com$
Good news, it works. Bad news, it blocks everything. Since I do not have the GUI, can I just set the enable/disable column in the database manually? I want to ask because it can be messy if I manually change the database. Especially for this particular case, I might have to join a few tables.
I want to keep this regex in the tables so that I can turn it on when the kids are remote schooling, and turn it off when they are not in school.
Being able to quickly turn on/off is a feature; this should be advertised broadly as a plus for Pi-hole.
So, the id in the vw_regex_blacklist will be the same as the one in the aggregated domainlist, with group type =3, am I right? This way I will be able to quickly look up the id in the shorter regex table. With this enable/disable key, Pi-hole will instantly work as expected, am I right?
As I am digging a little more in this, I like pihole more and more. I am working on setting up an IKEv2 VPN server on the RPi. So that I can install an always on VPN for all kids' iOS devices, this way, they will have a consistent internet experience wherever/whenever, because I know that sooner rather than later, I will have to worry about this anyway.
For this purpose, I have a question: as the VPN server will be acting a little like a DHCP server, will this potentially conflict with the DHCP conf from Pi-hole? After the GUI conflict with Plex, I need to be careful and think about each step as I am slowly moving forward.
The earlier bare Raspi 1 and 2 models are not well suited for running a full-fledged VPN server.
This is because they don't have gigabit but 100mbit instead, thus all traffic, LAN and VPN, needs to share that 100mbit.
And the DNS + Pi-hole gravity runs + VPN encryption + DHCP + routing going on might be a bit heavy for the Pi 1's.
Check out the below official guide that also allows the option to only route DNS traffic through the VPN tunnel and let the regular traffic take the default route to the internet provided by the ISP router or phone operator:
I spent the weekend getting the IKEv2 VPN on the RPi 4. It has been running for 1 day. Now I have DNS + DHCP + VPN + Plex running, CPU temp is higher than before, 45 C vs 43 C. But it seems to be holding up fine.
I went with Strongswan IKEv2 setup because IKEv2 is well supported by iOS, my long time goal is to have all kids' devices hard wired with this VPN, always on. So that I would not worry about what internet kids have access to, and they can also watch their videos wherever they are. I am slowly moving towards that direction.
Also, Strongswan provided some extra packages, DHCP and FARP, which will make the remote clients act as if they are just connected to the local LAN. So it serves my purpose perfectly. There is no conflict with any other services that I am running on the RPi 4, as of yet....
The setup is okay, I made some stupid mistakes myself. After reading a lot of documents, I finally made my way out. If anyone wants to do the same, I would be happy to help. This seems to be a very helpful and friendly community and I learnt a lot from here.