I’m trying to set up a Pi-hole on my in-laws’ home network. I’ve got everything configured on the Pi, but ad-blocking wasn’t working. So I did some digging into the logs and found that DNS requests were all coming from the router.
After some reading it seems that the DHCP server that the router used was adding a DNS suffix to all requests (search.charter), so I turned off the DHCP server on the router and used pi-hole’s built-in DHCP to see if this would resolve the issue. I didn’t have enough time to test the fix, but here’s my understanding of what was happening before I changed the configuration:
I set the primary DNS server to the IP address of the Pi-hole in the router settings so they would have network-wide ad-blocking. All of the clients get a DHCP-assigned DNS server address, which was set to the router’s address. I would input example.com into a client’s browser, the DNS request would be sent to the router, then the router would act as a client in the Pi-hole logs. Pi-hole tells the router that example.com is found at 192.158.1.38 and the ads being hosted on the website are at 0.0.0.0. The router sees that the DNS server didn’t return a result for one of the queries, so it goes to an upstream DNS server hosted by the ISP where they provide the IP for the ad. Both addresses are sent along to the client device and the Pi-hole shows the ad domain as being blocked.
Is that true? Did changing the DHCP server to the Pi-hole fix the problem? Is there anything more that I need to do? Did I totally whiff on troubleshooting? Let me know if you need more information. Any help would be appreciated since I’m trying to learn a little bit more about networking and take a little more control of my home network. Thanks!
What I usually do is
- configure pihole as DHCP server and to give out pihole address as DNS server
- configure pihole to use router DNS (if you want but not necessary) as upstream DNS server or
- (better) use a DNSSEC-enabled DNS server as upstream DNS server, such as Quad9
> The router sees that the DNS server didn’t return a result for one of the queries, so it goes to an upstream DNS server hosted by the ISP where they provide the IP for the ad

Nope. That is done by the Pi-hole itself. The router would send a request, then it either gets the IP or it doesn’t; there are no retries upstream.
The Pi-hole actually returns its own IP address for any blocked DNS results.
For any HTTP requests (that aren’t to the admin interface) it serves up a non-HTTPS “this page has been blocked” type webpage.
This way, the DNS request doesn’t fail or time out. It’s just that the DNS response has been hijacked to return something different than what is posted on the public DNS records.
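A way to check the two things discussed in this thread from the Pi-hole log itself: whether every query is arriving from the router (the symptom in the original post) and what blocked names are actually answered with. This is an added example, not code from the thread or from the Pi-hole project; the log lines are constructed in a dnsmasq-style format approximating pihole.log, and the addresses (192.168.1.1 as the router, 192.168.1.2 as the Pi-hole) are assumptions.

```python
import re
from collections import Counter

# Constructed sample log approximating the dnsmasq-style lines Pi-hole writes to
# /var/log/pihole.log (format and addresses are assumptions, not from the thread).
# 192.168.1.1 plays the router; 192.168.1.42 is a client talking to Pi-hole directly.
SAMPLE_LOG = """\
Jan  5 12:00:01 dnsmasq[1234]: query[A] example.com from 192.168.1.1
Jan  5 12:00:01 dnsmasq[1234]: forwarded example.com to 9.9.9.9
Jan  5 12:00:01 dnsmasq[1234]: reply example.com is 93.184.216.34
Jan  5 12:00:02 dnsmasq[1234]: query[A] ads.example.net from 192.168.1.1
Jan  5 12:00:02 dnsmasq[1234]: gravity blocked ads.example.net is 0.0.0.0
Jan  5 12:00:03 dnsmasq[1234]: query[A] tracker.example.org from 192.168.1.1
Jan  5 12:00:03 dnsmasq[1234]: gravity blocked tracker.example.org is 0.0.0.0
Jan  5 12:00:04 dnsmasq[1234]: query[A] example.com from 192.168.1.42
"""

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)$")
BLOCK_RE = re.compile(r"gravity blocked (\S+) is (\S+)$")

def queries_per_client(log_text):
    """Count queries by the source address Pi-hole records for each one."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return dict(counts)

def router_share(log_text, router_ip):
    """Fraction of all queries that arrive from the router. Close to 1.0 means
    clients still hand their lookups to the router, which forwards them, so
    Pi-hole sees the router as its only client (the symptom in the post)."""
    counts = queries_per_client(log_text)
    total = sum(counts.values())
    return counts.get(router_ip, 0) / total if total else 0.0

def blocked_answers(log_text):
    """Map each blocked domain to the address Pi-hole answered with."""
    answers = {}
    for line in log_text.splitlines():
        m = BLOCK_RE.search(line)
        if m:
            answers[m.group(1)] = m.group(2)
    return answers

def is_block_answer(address, pihole_ip):
    """Per the thread, a blocked name resolves to 0.0.0.0 or to Pi-hole's own IP."""
    return address in ("0.0.0.0", pihole_ip)

if __name__ == "__main__":
    print(queries_per_client(SAMPLE_LOG))
    print(f"router share: {router_share(SAMPLE_LOG, '192.168.1.1'):.2f}")
    for name, addr in blocked_answers(SAMPLE_LOG).items():
        print(name, addr, "blocked" if is_block_answer(addr, "192.168.1.2") else "NOT blocked")
```

A router share near 1.0 after the DHCP change means clients are still using the router as their DNS server (for example from an old lease), so renew the lease on a client and re-check.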