Pihole thinktank

Basically it is working like I want with port translation; it means that I publish 53/tcp and 53/udp to be able to resolve DNS from the hosts.
This will conflict with AD, maybe dnsmasq (not verified), because the port is already used and opened.

Thinking about possible solutions:

  • open different ports, but not convenient because I am not sure resolv.conf could handle a custom port; I would need to do a firewall redirection… so no
  • use an aqua-like trusted network with a private IP, make a zone that the server could reach. I do not know if it is possible
  • use the trusted network; this idea could be nice, however I need to be rootful and use a Macvlan network

I do not know if you have tips or ideas.

cc @davidep

1 Like

At least in theory, we can run Samba, Pihole and Dnsmasq on the same node.

The conflict with Dnsmasq can be avoided by disabling DNS.

The conflict with AD may be solved with Samba dns forwarder option. It has been expanded to support an arbitrary forwarder port, like 127.0.0.1:20053.

In practice, Samba sets the forwarder from the host resolv.conf and it is not designed to accept arbitrary settings. This collides with your goal.

Apart from Wireguard, we cannot handle additional networks. A NS8 node is a server, not a router.

Consider that if you remove Samba from the equation, you already have the solution because Dnsmasq can run with DNS switched off.

4 Likes

This would be easy if 2 or more nodes are available…

My 2 cents
Andy

1 Like

Could one use the docker port mapping feature?

So the clients would resolve against NS8 and NS forwards the requests to PiHole on a different port?

Pihole is a DNS, so in this sense I don't understand why you would want DNS in DNSmasq as well as Pihole.

My biggest concern is whether supporting additional ones affects Samba. Equally, I have been curious as to having Samba fully functional as well as DNSMasq fully functional, meaning both DHCP and DNS working… unless I am floating in my own cloud.

All propositions must work within a single-node setup, and any additional node requirements are an added advantage, for small offices and home setups.

@oneitonitram

I don’t need DNSmasq - I have a hardware firewall handling DNS and DHCP.
This is OPNsense, but could be just as well NethSecurity.

But PIHole would be nice.

Samba / AD on one node
PIHole on the other…

I will never use a VPS, so I don’t have those issues…

:slight_smile:

My 2 cents
Andy

1 Like

I do NOT see this as a requirement.
At least not initially.
Several Home / SoHo Installations are running virtualized. Setting up a second node is probably done already by these users…

NS8 was released and not everything worked in all situations. So what?
It will get there… It may be called 8.2, 8.4 whatever. What’s in a name?
If everything including multi AD on a single VPS is mandatory before release, we would not yet have NS8!

My 2 cents
Andy

Sadly no. DNS expects to run on TCP and UDP 53 to work. At least as far as I know.

Design in development is important.

“Not initially” is a wonderful consideration; however, there are aspects in the design build of a software that, if not accounted for initially, would end up biting in the future and might not be feasible.

So making considerations early enough, enables and allows for future implementations.

I was actually looking at it from a NUC perspective: if only one of them is used to handle those kinds of things, then it works out of the box and gets the job done.

https://bugzilla.samba.org/show_bug.cgi?id=14599

Well, no way to use a custom port with Samba. Not tested, but they state it does not work and you have to use another host.

1 Like

This is an old bug. According to the smb.conf, it has been implemented, but I haven’t tested it myself. Hopefully, they succeeded in implementing this long-awaited feature.

Edit: it is a different bug. It’s about the Samba DNS port, and not the forwarder’s port.

Active Directory has its requirements: it must be THE network DNS, no intermediary is allowed.

@davidep

AFAIK, AD works when the DNS can resolve all hosts AND the AD (in all variants, including the nsdc-…).
Joining a PC can require directly using the AD as DNS, but in some cases the above works even to join.

This info is specifically for Samba, I can not verify this when using MS AD(s)…

My 2 cents
Andy

Does it mean that, if another DNS is used, then it's not mandatory to use the Samba DNS?
Unless I am missing something.

If this is true, would disabling DNS in Samba, when another DNS is enabled on the NS8 host, be a valid solution?

No.

This is only valid when using PI-Hole, and the AD set in PI-Hole.

My 2 cents
Andy

Wouldn't this then be a feasible solution?

If someone has Pihole, they define Samba as the internal as well as Pihole, so technically they will be using Pihole as external DNS for all other things, while internally Samba.

I need to understand fully the implications and the consequences.

But two possible ways now:

1- block the configuration if 53/tcp and 53/udp are already used on the host
2- alternatively, allow the configuration, but on a custom port

I think case 1 could be quickly released.
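As an added illustration of case 1 (not code from the thread or from NS8 itself), here is a small POSIX shell check that decides whether publishing 53/tcp and 53/udp should be blocked because something on the host already binds port 53. It assumes iproute2's `ss` is available; the parser works on `ss -H -lntu` output, so it is also exercised here against a constructed sample in which a Samba-style DNS already holds port 53.

```shell
#!/bin/sh
# Added example: detect whether 53/tcp or 53/udp is already bound on the host
# before publishing a DNS container's ports (the "block to configure" case).
# Assumes iproute2 `ss`; the parser reads `ss -H -lntu`-style lines from stdin.

# Print "<netid> <local address:port>" for every listener on the requested port.
# Column layout of `ss -lntu`: Netid State Recv-Q Send-Q Local:Port Peer:Port
# The port is the last ':'-separated field, which also works for IPv6 ([::]:53).
port_listeners() {
    port="$1"
    awk -v p="$port" '
        {
            addr = $5
            n = split(addr, parts, ":")
            if (parts[n] == p) print $1, addr
        }'
}

# Return 0 if some listener on protocol $2 (tcp/udp) is bound to port $1.
# Usage: port_in_use 53 udp < ss-output
port_in_use() {
    port="$1"; proto="$2"
    port_listeners "$port" | grep -q "^${proto} "
}

# Read ss output from stdin, print "blocked" (return 1) if either 53/tcp or
# 53/udp is taken, otherwise "free" (return 0).
check_dns_ports() {
    data=$(cat)
    if printf '%s\n' "$data" | port_in_use 53 tcp \
       || printf '%s\n' "$data" | port_in_use 53 udp; then
        echo blocked
        return 1
    fi
    echo free
}

# Constructed sample of `ss -H -lntu` output: a DNS already on 53, plus
# unrelated services (chrony, sshd, a web server on IPv6).
SAMPLE_SS='udp   UNCONN 0      0       192.168.1.10:53        0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*
tcp   LISTEN 0      128     192.168.1.10:53        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511             [::]:80           [::]:*'

# Stand-alone run: first the constructed sample (reports "blocked"), then the
# live host if `ss` is installed.
printf '%s\n' "$SAMPLE_SS" | check_dns_ports || true
if command -v ss >/dev/null 2>&1; then
    ss -H -lntu | check_dns_ports || true
fi
```

The check deliberately looks at both transports separately: a resolver bound only on udp/53 (or only on tcp/53) would still make the publish fail for the other one, so either hit is enough to block the configuration.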

Correct @stephdl, working with step 1. Because using non-standard ports for things like DNS might introduce other unforeseen challenges in the near future for non-advanced users.

So therefore, for the external use case, allow the one DNS, either from DNSMasq or from Pihole, to work, while the one for Samba is blocked.

That way, it would be possible to have Samba, DNSMasq as well as Pihole installed and functioning on the same server.

Internal Samba working without issues, DNSMasq maybe handling DHCP and not DNS, while inside Pihole, define the Samba DNS.

If one is using DNSMasq for DNS, then Pihole cannot be used at all, and only Samba and DNSMasq would be functioning.

With this new implementation, a small improvement or adjustment to the DNSMasq app would be required to accommodate this case.

Fairly “easy” solutions, all scenarios considered, without making significant non-conventional modifications to well-known tools.

This will also make it easier for all of us for a future full authoritative DNS server for domains and TLD handling, applying the same scenario: the rest will not be functioning while the user uses that.

But at this point, I believe a multi-node cluster would now be required, otherwise it would be a STUPID setup.

No, this would NOT be a feasible solution…

ALL DNS clients, no matter if Linux, Windows or Mac will always use the first working DNS.
No other DNS will ever be queried if the first one works.

Clients are NOT capable of “aggregating” different DNS.

My 2 cents
Andy

Can we run containers on NethSecurity?

To be honest my container pihole runs on the firewall (NS7 based)

cc @giacomo

Do not shoot the pianist, please.

@stephdl

OpenWRT has support for containers (docker) itself!

:slight_smile:

So maybe a GUI adaption would be the major part (Plus a few firewall rules pre set…).

My 2 cents
Andy

https://openwrt.org/docs/guide-user/virtualization/docker_host

Podman is also mentioned / supported.

1 Like