Hi all, just added a Pi-hole to my topology. It's sitting between some domain-joined PCs and a Windows Server (specified as the sole upstream server in Pi-hole settings). Almost everything seems to be working well, but PCs on the VLAN going through the Pi-hole before the server (which I will call the Pi-holed VLAN) show as "private network" under the Network and Internet settings on the PC, whereas those on the VLAN going directly to the server and skipping the Pi-hole show as being in a domain. All PCs on the Pi-holed VLAN have the Pi-hole listed as their sole DNS server, for the time being.
I tried unchecking "Never forward non-FQDNs" and "Never forward reverse lookups for private IP ranges" in the Pi-hole settings but that appears to have had no effect.
Not such a huge deal, but it would be preferable, for the purpose of applying firewall settings through GPO, to have the correct network profile displayed. Would a reverse lookup zone in Windows Server accomplish this? Thanks in advance for any help you can offer.
Edit: I'm not intending to make any assumptions about your level of knowledge for AD forests, just wanting to make sure we're all talking the same language.
Assume away, because as I discovered my inexperience led me to make a silly mistake.
For once, my problems were not caused by DNS. Instead, it was an issue with the other ports required to authenticate to the domain, namely:
RPC endpoint mapper: port 135 TCP
LDAP: port 389 TCP, UDP
LDAP over SSL: port 636 TCP
Global catalog LDAP: port 3268 TCP
Global catalog LDAP over SSL: port 3269 TCP
Kerberos: port 88 TCP, UDP
SMB over IP (Microsoft-DS): port 445 TCP
I at least had the foresight to allow port 53 from the Pi-hole VLAN to the server, but in the process of isolating the server from the workstation VLAN, I neglected to open the rest of these. It was more ports than I wanted to open between these subnets, but I discovered they can be routed over IPsec. So my users will have to authenticate to the VPN prior to being able to access shared domain resources. If not using a VPN, my solution would have been to allow communication on these ports directly between server and workstation, or else to set up a static route for them.
Everything is working great now, and my next step will be to add my router's IP as an alternate lookup in Pi-hole in case there is some problem with the domain controller.
Thanks for your excellent software, and for being prepared to support it!
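The check a practitioner would want before opening ports one at a time is a script that tells the DNS problem apart from the firewall problem. The following PowerShell is an added example for this thread, not code from the original poster or from the Pi-hole project. It assumes a domain-joined workstation on the Pi-holed VLAN, that `$env:USERDNSDOMAIN` holds the AD DNS name, and that the DC is reachable by the name returned in its SRV record; `$DC` can be given explicitly if the locator fails. It resolves the DC through the `_ldap._tcp.dc._msdcs` SRV record (the lookup Pi-hole must forward), probes the TCP ports from the post above, then runs the domain-level checks and prints the profile NLA assigned.

```powershell
# Added example (not from the original thread). Run from a domain-joined
# workstation on the Pi-holed VLAN, as a local administrator.
# Assumptions: $Domain is the AD DNS name; $DC, if left empty, is taken from
# the SRV record the DC locator uses.
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [string]$DC = ''
)

# 1. DNS side. The DC locator finds a domain controller through this SRV record.
#    If Pi-hole (or the DC behind it) cannot answer it, the PC never reaches the
#    domain profile regardless of the firewall.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
if (-not $DC) {
    $DC = ($srv | Where-Object Type -eq 'SRV' | Select-Object -First 1).NameTarget
}
"DC located via SRV: $DC"

# 2. TCP ports listed in the post. Test-NetConnection probes TCP only; the UDP
#    side of 53/88/389 is exercised indirectly by step 3.
$ports = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (Microsoft-DS)'
    636  = 'LDAP over SSL'
    3268 = 'Global catalog LDAP'
    3269 = 'Global catalog LDAP over SSL'
}
$blocked = @()
foreach ($p in $ports.Keys) {
    $r = Test-NetConnection -ComputerName $DC -Port $p -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
    '{0,5}/tcp {1,-28} {2}' -f $p, $ports[$p], $state
    if (-not $r.TcpTestSucceeded) { $blocked += $p }
}

# 3. Domain-level checks. A healthy secure channel and a DC returned by the
#    locator mean Kerberos and RPC (including their UDP and dynamic-port paths)
#    actually worked end to end, not just that a TCP handshake completed.
"Secure channel to $Domain OK: " + (Test-ComputerSecureChannel)
nltest /dsgetdc:$Domain | Select-String 'DC:|Flags'

# 4. The symptom from the post: the profile NLA assigned to each interface.
#    A working setup shows NetworkCategory = DomainAuthenticated.
Get-NetConnectionProfile | Select-Object InterfaceAlias, Name, NetworkCategory

if ($blocked) {
    "Blocked TCP ports toward ${DC}: $($blocked -join ', '). Open these on the " +
    "inter-VLAN firewall (or carry them over the IPsec tunnel) and re-run."
}
```

Two caveats when reading the output. Port 135 is only the endpoint mapper; the RPC services it maps to listen on dynamic ports (49152-65535 by default on Server 2008 and later), so a firewall that passes only the listed ports can still fail step 3 while every row in step 2 reads "open". And NLA re-evaluates the profile only on a network change, so after opening ports, disconnect and reconnect the NIC (or restart the NlaSvc service) before trusting the NetworkCategory shown in step 4.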