
My PiHole setup (DHCP,DNS,DOH & DNS intercept)

mikeyw64

Came across PiHole after watching one of LTT's videos a while back and thought I would share my setup.

I'm using it for DNS & DHCP on my main home network (birdsnest) plus as a guest wifi, and I've also thrown DNS traffic capturing on port 53 into the mix.

For upstream DNS I'm using the optional DOH setup using Cloudflared.

DHCP is disabled on my ISP-facing router, and its internal DNS is also pointed back at PiHole.

Overview of my home network
[image: Mikes_Home_Network.png]

Post standard PiHole setup:


Guest Wifi Config

/etc/dhcpcd.conf (added the following)

interface wlan0
static ip_address=10.0.0.1/24
static routers=192.168.1.1
static domain_name_servers=127.0.0.1

nohook wpa_supplicant

/etc/dnsmasq.d/09-guestnet.conf (new file)
interface=wlan0
dhcp-range=wlan0,10.0.0.100,10.0.0.200,4h
dhcp-option=wlan0,option:router,10.0.0.1
dhcp-option=wlan0,option:dns-server,10.0.0.1


/etc/sysctl.conf

net.ipv4.ip_forward=1


Shell

sudo apt-get install iptables-persistent  (if not already installed, will do an initial save)

sudo dpkg-reconfigure iptables-persistent (if already installed)

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


Hostapd stuff (for getting the wifi element up on my Raspberry Pi3B+)

sudo apt-get -y install hostapd

/etc/hostapd/hostapd.conf
interface=wlan0
driver=nl80211
ssid=Sunnyside
hw_mode=g
channel=8
ieee80211n=1
wmm_enabled=1
#ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=ITSASECRET
rsn_pairwise=CCMP

/etc/default/hostapd
DAEMON_CONF="/etc/hostapd/hostapd.conf"

Shell 

sudo systemctl unmask hostapd
sudo systemctl enable hostapd
sudo systemctl start hostapd

DNS Capturing Config

NB: I'm using 2 ethernet interfaces (built-in plus USB dongle) as my mind works better with that; however, it can probably be done with just one.

Shell
sudo iptables -t nat -A PREROUTING -i eth1 ! -s 192.168.1.2 -p tcp --dport 53 -j DNAT --to 192.168.1.1:53
sudo iptables -t nat -A PREROUTING -i eth1 ! -s 192.168.1.2 -p udp --dport 53 -j DNAT --to 192.168.1.1:53
sudo apt-get install iptables-persistent  (if not already installed, will do an initial save)

sudo dpkg-reconfigure iptables-persistent (if already installed)


The top half below shows the test results for a blacklisted URL, done from my laptop configured statically as:
Static IP : 192.168.1.10
DNS : 192.168.1.2
DGW : 192.168.1.1

In the lower half the DGW was changed to 192.168.1.254, which is eth1 on the Pi. As you can see, DNS requests to 8.8.8.8 now give the same response as going directly to the PiHole.

[image: dns.PNG (DNS test results screenshot)]
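As an added example (not part of the original post), here is a small plain-Python model of the two PREROUTING DNAT rules from the DNS capturing section. It reproduces the iptables matching semantics (-i, -p, --dport and the '! -s' exemption, first match wins) and applies them to a few constructed packets, so you can see which traffic the capture actually rewrites before touching a live firewall. Addresses are the ones from the post (192.168.1.2 is the PiHole on eth0, 192.168.1.1 the router, 192.168.1.254 is eth1 on the Pi, 192.168.1.10 the test laptop); the Packet and DnatRule types, the sample traffic and the helper names are constructed for this example.

```python
"""Model of the post's two nat PREROUTING DNAT rules, applied to constructed
packets. Added example, not code from the original post."""
from dataclasses import dataclass, replace
from ipaddress import ip_address


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on (-i)
    proto: str      # "tcp" or "udp" (-p)
    src: str        # source address (-s)
    dst: str        # destination address before NAT
    dport: int      # destination port (--dport)


@dataclass(frozen=True)
class DnatRule:
    in_iface: str
    proto: str
    dport: int
    exempt_src: str  # the '! -s' address: traffic from here is never rewritten
    to_ip: str       # DNAT target address
    to_port: int     # DNAT target port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.in_iface == self.in_iface
                and pkt.proto == self.proto
                and pkt.dport == self.dport
                and ip_address(pkt.src) != ip_address(self.exempt_src))

    def as_iptables(self) -> str:
        """Render the rule as the iptables command used in the post."""
        return (f"iptables -t nat -A PREROUTING -i {self.in_iface} "
                f"! -s {self.exempt_src} -p {self.proto} --dport {self.dport} "
                f"-j DNAT --to {self.to_ip}:{self.to_port}")


# The two rules from the post, in the order they were appended (-A).
PREROUTING = [
    DnatRule("eth1", "tcp", 53, "192.168.1.2", "192.168.1.1", 53),
    DnatRule("eth1", "udp", 53, "192.168.1.2", "192.168.1.1", 53),
]


def apply_prerouting(pkt: Packet) -> Packet:
    """Walk the chain: the first matching DNAT rule rewrites the destination
    and ends the walk; a packet matching nothing passes through unchanged."""
    for rule in PREROUTING:
        if rule.matches(pkt):
            return replace(pkt, dst=rule.to_ip, dport=rule.to_port)
    return pkt


def intercepted(pkt: Packet) -> bool:
    """True if the chain changed where this packet is going."""
    out = apply_prerouting(pkt)
    return (out.dst, out.dport) != (pkt.dst, pkt.dport)


def coverage_report(pkts):
    """Map each labelled packet to whether the capture rewrites it."""
    return {label: intercepted(p) for label, p in pkts.items()}


# Constructed test traffic. "dgw_router" models the post's top half (laptop
# default gateway = 192.168.1.1, so its packets never enter the Pi on eth1);
# the others model the lower half, where the gateway is eth1 (192.168.1.254).
SAMPLE = {
    "laptop_udp_to_google": Packet("eth1", "udp", "192.168.1.10", "8.8.8.8", 53),
    "laptop_tcp_to_google": Packet("eth1", "tcp", "192.168.1.10", "8.8.8.8", 53),
    "pihole_upstream":      Packet("eth1", "udp", "192.168.1.2", "1.1.1.1", 53),
    "dgw_router":           Packet("eth0", "udp", "192.168.1.10", "8.8.8.8", 53),
    "dns_over_tls":         Packet("eth1", "tcp", "192.168.1.10", "1.1.1.1", 853),
}

if __name__ == "__main__":
    for rule in PREROUTING:
        print(rule.as_iptables())
    for label, captured in coverage_report(SAMPLE).items():
        print(f"{label:24s} {'DNAT -> 192.168.1.1:53' if captured else 'passes untouched'}")
```

Two of the sample packets are the ones worth keeping in mind when relying on this kind of capture: the "dgw_router" case shows that a client whose default gateway is not eth1 never passes through the rules at all (the post's top half), and the "dns_over_tls" case shows that only plain port 53 is caught, so a device that speaks DNS over TLS (853) or DNS over HTTPS (443) to its own resolver still bypasses the PiHole.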


