How to switch DHCP/DNS to dedicated server with pihole?

Hi, I installed Nethserver as a gateway between router and LAN, extended by the modules/apps DHCP, DNS, Firewall, IPS, Webfilter, DPI, NtopNG.

I defined static addresses in DHCP and added the corresponding DNS names, like diskstation.lan.home, in the DNS server.

There are some shortcomings that make me dissatisfied with DHCP/DNS and the filtering of unwanted web traffic. Therefore I want to switch to my trusted pihole and do without DNS/DHCP on the Nethserver.

Findings:

  • The administration overhead is enormous compared to pihole (FTL).
  • The LightSquid dashboard shows me only the accessed DNS addresses, not the blocked ones, for each client.
  • Really poor possibilities to analyze blocked/allowed traffic (for example no drill-down from the Web Proxy & Filter dashboard into the top 10 blocked clients, only IP addresses for blocked destinations without the possibility to find out false positives, and so on).
  • No QNAME minimisation.
  • Poor whitelist/blacklist management.

My questions about how to switch…

  1. Is it sufficient to disable the DHCP (on green) and DNS server?
  2. Is it sufficient to disable the dnsmasq service for this?
  3. Will all other modules and apps still work?
  4. Do I have to delete all configurations before deactivating, or can I leave them in as fallback?

Thanks, Marko

Just disable the DHCP server, and use your pihole installation as upstream DNS.

Please don’t, otherwise the system may not work correctly. With the above configuration, dnsmasq will forward requests to pihole.

Yes.

If the web filtering is done via pihole, make sure to disable Squid transparent mode.

1 Like

Thank you for your hints.

Why that?
I thought I could use DNS filtering as the “first line of defense”, then Squid in combination with IPS as the second line.

Because otherwise all the traffic will appear as coming from the NethServer and this will prevent clean statistics in pihole.
By the way, you can always do a test with the proxy in transparent mode :wink:

I did it, leaving the proxy in transparent mode. Internet sites are reachable and browsable w/o any issues. I was surprised about the mass requests from the Nethserver.


But I would be disgusted because reading stats is not my main passion.

I can’t explain where the name “_gateway” comes from, because I haven’t assigned this name anywhere. Also, I cannot explain why _gateway answers DNS requests (and so many).

Summary:
Step 1: I configured the pihole “server” as DNS server with any external forwarder or local DNS resolver (unbound):

  • Search DNS: lan.home
  • Never forward non-FQDNs: Off
  • Never forward reverse lookups for private IP ranges: off
  • Use DNSSEC: on
  • Use Conditional Forwarding: on
  • IP of your router: 192.168.3.1 (= Nethserver)
  • Local domain name: lan.home

Step 2: defined the pihole server as forwarder in Nethserver (Cockpit dashboard).

Step 3: checked name resolution for external DNS names; all works fine.

Step 4: deactivated DHCP on Nethserver / activated DHCP on pihole:

  • Range of IP addresses to hand out: 192.168.3.100-192.168.3.100
  • Router (gateway) IP address: 192.168.3.1
  • Pi-hole domain name: lan.home
  • Enable IPv6 support (SLAAC + RA): Off
  • Enable DHCP rapid commit (fast address assignment): off

Step 5: defined static DHCP addresses with the same IPs and names as in Nethserver DNS
Step 6: renewed leases on the LAN clients
Step 7: changed the pihole DNS configuration:

  • Search DNS: lan.home
  • Never forward non-FQDNs: ON
  • Never forward reverse lookups for private IP ranges: on
  • Use DNSSEC: on
  • Use Conditional Forwarding: off
  • IP of your router: 192.168.3.1 (= Nethserver)
  • Local domain name: lan.home

Step 8: deleted the DNS definitions in Nethserver DNS
Step 9: re-adjusted firewall groups

So far I have not examined the firewall, IPS and web proxy functions.

Thank you for your support!

1 Like
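The Step 1 and Step 7 Pi-hole settings in the summary above differ in exactly the toggles that decide whether local names are forwarded to the NethServer or answered by Pi-hole itself. The following Python model is an added example, not code from the thread, from Pi-hole or from NethServer: it maps each web-UI toggle to the dnsmasq directive Pi-hole is assumed to write (`domain-needed`, `bogus-priv`, `dnssec`, `server=/domain/ip`, `rev-server=subnet,ip`) and routes a few constructed queries under both configurations. The address 192.168.3.10 for diskstation.lan.home, the subnet 192.168.3.0/24 and the upstream label `unbound` are assumptions; the routing logic is a simplified model of dnsmasq, not the real resolver.

```python
"""Added example (not from the thread, Pi-hole or NethServer): a simplified
model of how the two Pi-hole DNS configurations from the summary route
queries.  Toggle-to-directive mapping and addresses are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple
import ipaddress


@dataclass(frozen=True)
class PiholeDnsSettings:
    local_domain: str
    router_ip: str
    lan_subnet: str
    never_forward_non_fqdn: bool
    never_forward_private_reverse: bool
    use_dnssec: bool
    conditional_forwarding: bool
    upstream: str = "unbound"  # assumed label for the chosen upstream resolver

    def dnsmasq_lines(self) -> List[str]:
        """Equivalent dnsmasq directives (assumed mapping; trust anchors omitted)."""
        lines = []
        if self.never_forward_non_fqdn:
            lines.append("domain-needed")
        if self.never_forward_private_reverse:
            lines.append("bogus-priv")
        if self.use_dnssec:
            lines.append("dnssec")
        if self.conditional_forwarding:
            lines.append(f"server=/{self.local_domain}/{self.router_ip}")
            lines.append(f"rev-server={self.lan_subnet},{self.router_ip}")
        return lines


def route_query(qname: str, s: PiholeDnsSettings, local_records: Dict[str, str]) -> Tuple[str, str]:
    """Decide who answers `qname`: ('local', ip-or-name), ('router', ip),
    ('upstream', label) or ('refused', directive).  local_records holds the
    FQDN -> IP pairs the Pi-hole DHCP server knows (empty while NethServer
    still ran DHCP in Step 1)."""
    name = qname.rstrip(".").lower()
    # Reverse lookups: 192.168.3.10 arrives as 10.3.168.192.in-addr.arpa
    if name.endswith(".in-addr.arpa"):
        octets = name[: -len(".in-addr.arpa")].split(".")
        ip = ipaddress.ip_address(".".join(reversed(octets)))
        for host, addr in local_records.items():
            if addr == str(ip):
                return ("local", host)           # answered from own leases
        if s.conditional_forwarding and ip in ipaddress.ip_network(s.lan_subnet):
            return ("router", s.router_ip)       # rev-server=...
        if s.never_forward_private_reverse and ip.is_private:
            return ("refused", "bogus-priv")     # private PTR never leaves the LAN
        return ("upstream", s.upstream)
    # Forward lookups: own leases answer first, by short or fully qualified name
    fqdn = name if "." in name else f"{name}.{s.local_domain}"
    if fqdn in local_records:
        return ("local", local_records[fqdn])
    if s.conditional_forwarding and (name == s.local_domain or name.endswith("." + s.local_domain)):
        return ("router", s.router_ip)           # server=/lan.home/192.168.3.1
    if "." not in name and s.never_forward_non_fqdn:
        return ("refused", "domain-needed")      # plain host names are not forwarded
    return ("upstream", s.upstream)


# Step 1 (NethServer still serves DHCP/DNS, Pi-hole forwards local names to it)
STEP1 = PiholeDnsSettings("lan.home", "192.168.3.1", "192.168.3.0/24",
                          never_forward_non_fqdn=False, never_forward_private_reverse=False,
                          use_dnssec=True, conditional_forwarding=True)
# Step 7 (DHCP moved to Pi-hole, local names answered from its own leases)
STEP7 = PiholeDnsSettings("lan.home", "192.168.3.1", "192.168.3.0/24",
                          never_forward_non_fqdn=True, never_forward_private_reverse=True,
                          use_dnssec=True, conditional_forwarding=False)
# Constructed lease table for Step 7 (address is an assumption)
STEP7_RECORDS = {"diskstation.lan.home": "192.168.3.10"}

SAMPLE_QUERIES = ["diskstation.lan.home", "diskstation", "www.example.com",
                  "10.3.168.192.in-addr.arpa", "1.1.168.192.in-addr.arpa"]


def compare(queries=SAMPLE_QUERIES) -> Dict[str, Tuple[Tuple[str, str], Tuple[str, str]]]:
    """Route each query under Step 1 (no local leases) and Step 7."""
    return {q: (route_query(q, STEP1, {}), route_query(q, STEP7, STEP7_RECORDS)) for q in queries}


if __name__ == "__main__":
    print("Step 1 dnsmasq:", STEP1.dnsmasq_lines())
    print("Step 7 dnsmasq:", STEP7.dnsmasq_lines())
    for q, (r1, r7) in compare().items():
        print(f"{q:28} step1={r1}  step7={r7}")
```

Running it shows why the two configurations are needed in that order: with the Step 1 settings, `diskstation.lan.home` is forwarded to 192.168.3.1 (the NethServer, still the authority for the LAN names) and a bare `diskstation` goes to the upstream resolver, so plain host names from the LAN leave the network; after Step 7 both are answered from the Pi-hole leases, and reverse lookups for private addresses that Pi-hole does not know are refused instead of forwarded.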

The requests on the pihole have been normalizing for a few hours now.

1 Like