Pi-hole is a very simple solution for blocking ads on an internal network. I have tried it out before, but now that I have Proxmox, I wanted to add it as a permanent service in my homelab.
I used a Debian ISO because I wanted it to be as lightweight as possible. In Proxmox, I left most of the VM settings at their defaults, but I used the values below, which were the recommended minimums:
Once the OS finished installing, I installed Pi-hole using the one-line installer from their documentation on GitHub:
curl -sSL https://install.pi-hole.net | bash
When thinking about where I wanted Pi-hole to sit on my network, I had to consider Active Directory (AD) as well as Windows DHCP.
In my DHCP scope options, I changed option 006 (DNS Servers) to my Pi-hole IP. That ensures every client device sends its DNS queries to Pi-hole first.
I also removed the DNS port forwarding on my router at this point because it was no longer needed.
Next, I went to the Pi-hole admin UI to select my upstream DNS provider. This is the resolver Pi-hole sends queries to after it has filtered them. Now the flow of traffic on my network is as follows:
Now I had to consider AD traffic. In order for domain-joined devices to work properly, they need to be able to communicate with Windows Server DNS. To do this, I went to the Pi-hole admin UI and set conditional forwarding:
true,10.0.0.0/24,10.0.0.8,tybax.com
This ensures that any AD-related query for tybax.com from inside the 10.0.0.0/24 network is forwarded to my DNS server at 10.0.0.8. I also added a DNS forwarder in Windows DNS so that queries for non-AD names that reach Windows DNS still get resolved instead of getting stuck. Now all AD traffic flows as follows:
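To make the conditional-forwarding rule above concrete, here is an added example (not from Pi-hole or from the original post) that parses the four-field line and decides, for a given query name, whether Pi-hole hands it to the AD DNS server or to the upstream resolver. It also derives the in-addr.arpa reverse zone for the CIDR, because the same rule covers PTR lookups for that subnet; the upstream address is an assumed placeholder.

```python
import ipaddress

# Constructed from the conditional-forwarding line on this page:
# enabled, CIDR of the AD subnet, AD DNS server, AD domain.
COND_FORWARD = "true,10.0.0.0/24,10.0.0.8,tybax.com"
UPSTREAM = "9.9.9.9"  # assumed placeholder for the upstream resolver chosen in the admin UI


def parse_conditional_forwarding(line):
    """Parse 'enabled,cidr,target,domain' into a dict used by route_query()."""
    enabled, cidr, target, domain = (f.strip() for f in line.split(","))
    return {
        "enabled": enabled.lower() == "true",
        "net": ipaddress.ip_network(cidr, strict=False),
        "target": target,
        "domain": domain.lower().rstrip("."),
    }


def reverse_zone(net):
    """in-addr.arpa zone for an octet-aligned IPv4 network (/8, /16 or /24)."""
    if net.version != 4 or net.prefixlen % 8 != 0 or net.prefixlen == 0:
        raise ValueError("only octet-aligned IPv4 prefixes are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def route_query(qname, conf, upstream=UPSTREAM):
    """Return (server, rule): where the query goes and which rule matched."""
    name = qname.lower().rstrip(".")
    if conf["enabled"]:
        # Names in the AD domain (and anything below it) go to Windows DNS.
        if name == conf["domain"] or name.endswith("." + conf["domain"]):
            return conf["target"], "domain"
        # PTR lookups for the AD subnet also go to Windows DNS, so client
        # hostnames (not just IPs) show up in the Pi-hole query log.
        rz = reverse_zone(conf["net"])
        if name == rz or name.endswith("." + rz):
            return conf["target"], "reverse"
    # Everything else is filtered by Pi-hole and sent to the upstream provider.
    return upstream, "upstream"


if __name__ == "__main__":
    conf = parse_conditional_forwarding(COND_FORWARD)
    for q in ("dc01.tybax.com", "8.0.0.10.in-addr.arpa", "www.example.com"):
        print(q, "->", route_query(q, conf))
```

A quick sanity check on the real host is `dig @<pihole-ip> dc01.tybax.com` followed by `dig @<pihole-ip> -x 10.0.0.8`: both should answer with records that only Windows DNS knows about.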
The final network topology looks as follows: