The extremely simple set-it-and-forget-it local MS compatible DNS server?

BoredSysadmin

Not affiliated with Maxell
Mar 2, 2019
If you have an AD domain, running built-in DNS and DHCP is critical and replacing them isn't for the faint of heart. However, nothing stops you from using a Pi-Hole as a DNS forwarder set up on your AD DNS server. The same goes for outsourced managed DNS like OpenDNS.
If you want to stop people from cheating by using their own DNS settings, there is a way to mostly block that as well:

SecCon

Member
May 26, 2022
No AD.
No PiHole (or any Pie for that matter).

Just a local simple SoHo LAN with a few servers. I can do virtual guests and hosts.

BoredSysadmin

Not affiliated with Maxell
Mar 2, 2019
SoHo LAN with a few (Windows based?) servers and no AD?

P.S.: Pi-hole can be easily installed on a virtual machine. No need to add any additional hardware. The software is extremely easy to use.

SecCon

Member
May 26, 2022
Yes, SoHo LAN with Windows (not forgetting a small forest of random devices) and no AD... last time I tried setting up an AD I managed to **** up that server so badly the HDD went ablaze ...

I thought Pi was hardware? Ahh, this: Pi-hole – Network-wide protection. Sure, I could give that a shot, assuming it can be configured with a pedagogical and intelligible UI and not some crap CLI.

BoredSysadmin

Not affiliated with Maxell
Mar 2, 2019
Cockpit is pretty awesome. Running it on my NUC/Plex Ubuntu 20.04 LTS server. I mean, I already know how to do sudo apt update etc., but in Cockpit things are just a bit easier.

BoredSysadmin

Not affiliated with Maxell
Mar 2, 2019
What a crybaby, afraid of a black screen with a blinking cursor. 99% of Pi-hole is managed through its pretty GUI:

ccie4526

Member
Jan 25, 2021
++ for Pi-hole.

I've got it deployed as a forwarder for AD, as well as being a direct resolver for inside devices.

The important thing is that outbound firewall rules are necessary, as there are some devices that will still try to reach out to Google DNS or other external resolvers in spite of what you may tell your devices, either via static config or DHCP. Permit outbound tcp/udp 53 only from the Pi-hole servers, and deny all other outbound tcp/udp 53. You'll be surprised at how much of that traffic was going on. Chromecast and Roku are big on trying to use 8.8.8.8 in addition to whatever is locally provisioned, for example.

DNS over HTTPS (DoH) is another story. Gotta have layer 7 inspection to watch for that stuff.

@SecCon - saw your rant in the network thread... I've been doing network engineering since the late 80s, and I learned Cisco when all they had was CLI. Even when they introduced GUI, I found it had many limitations and that to do what I really wanted, I had to roll up the sleeves and get dirty.
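The policy in the post above (permit outbound tcp/udp 53 only from the Pi-hole, deny every other LAN host, and note that DoH on tcp/443 slips past a port-based rule) can be checked against flow records. The following is an added example, not code from the thread or from the Pi-hole project; the LAN range 192.168.1.0/24, the Pi-hole address 192.168.1.2, the device addresses and the flow records are all constructed for illustration.

```python
"""Evaluate outbound flow records against the 'only the Pi-hole may reach
external port 53' policy, and list the devices that try to go around it.

Added example, not from the original thread. All addresses and flows below
are constructed sample data (assumptions), not captures from a real LAN.
"""
from dataclasses import dataclass
import ipaddress

PIHOLE_ADDRS = {ipaddress.ip_address("192.168.1.2")}   # assumed Pi-hole VM
LAN_NET = ipaddress.ip_network("192.168.1.0/24")       # assumed SoHo LAN

# Public resolvers that consumer devices tend to hard-code (8.8.8.8 is the one
# named in the thread); used only to label findings in the report.
KNOWN_RESOLVERS = {
    ipaddress.ip_address("8.8.8.8"): "Google DNS",
    ipaddress.ip_address("8.8.4.4"): "Google DNS",
    ipaddress.ip_address("1.1.1.1"): "Cloudflare DNS",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def verdict(flow: Flow) -> str:
    """Return 'allow' or 'deny' for one outbound flow under the port-53 policy.

    Rule 1: permit tcp/udp 53 when the source is the Pi-hole.
    Rule 2: deny tcp/udp 53 from any other LAN host to an external address.
    Anything else (other ports, LAN-internal traffic) is outside this policy
    and passes through as 'allow'.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if dst in LAN_NET:                      # e.g. a PC asking the Pi-hole itself
        return "allow"
    if flow.proto in ("tcp", "udp") and flow.dport == 53:
        return "allow" if src in PIHOLE_ADDRS else "deny"
    return "allow"


def bypass_report(flows):
    """(src, dst, label) for every LAN host that tried external port 53 directly."""
    findings = []
    for f in flows:
        if verdict(f) == "deny":
            label = KNOWN_RESOLVERS.get(ipaddress.ip_address(f.dst),
                                        "unknown external resolver")
            findings.append((f.src, f.dst, label))
    return findings


def blind_spots(flows):
    """(src, dst, dport) for traffic to a known public resolver on a port the
    53-only rule does not touch, i.e. the DoH-on-443 case that needs layer-7
    inspection rather than a port rule."""
    spots = []
    for f in flows:
        if (ipaddress.ip_address(f.dst) in KNOWN_RESOLVERS
                and f.dport != 53 and verdict(f) == "allow"):
            spots.append((f.src, f.dst, f.dport))
    return spots


# Constructed sample flows (assumed device roles in the comments).
SAMPLE_FLOWS = [
    Flow("192.168.1.2",  "1.1.1.1",      "udp", 53),    # Pi-hole to its upstream
    Flow("192.168.1.50", "8.8.8.8",      "udp", 53),    # Chromecast ignoring DHCP DNS
    Flow("192.168.1.51", "8.8.8.8",      "tcp", 53),    # Roku, same habit over TCP
    Flow("192.168.1.60", "192.168.1.2",  "udp", 53),    # PC asking the Pi-hole
    Flow("192.168.1.60", "203.0.113.10", "tcp", 443),   # ordinary HTTPS
    Flow("192.168.1.50", "8.8.8.8",      "tcp", 443),   # looks like DoH: not caught
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{verdict(f):5}  {f.src} -> {f.dst} {f.proto}/{f.dport}")
    print("bypass attempts:", bypass_report(SAMPLE_FLOWS))
    print("port rule cannot see:", blind_spots(SAMPLE_FLOWS))
```

Running it shows the two streaming devices being denied on port 53 while the Pi-hole's own upstream query is allowed; the last sample flow is reported separately because 443 to a resolver address is exactly what the port-based rule lets through, which is the layer-7 caveat raised above.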

SecCon

Member
May 26, 2022
BoredSysadmin said:
What a crybaby, afraid of a black screen with a blinking cursor. 99% of Pi-hole is managed through its pretty GUI:

I despise the CLI. Sure, it is useful if you have no other option, but to me it's only a UI wanting to be developed. Very 1984 and Orwellian.

But thanks for those additional links.

@ccie4526 Appreciate your input, but I was never in network engineering. Nor should I need to be.

BoredSysadmin

Not affiliated with Maxell
Mar 2, 2019
ccie4526 said:
The important thing is that outbound firewall rules are necessary, as there are some devices that will still try to reach out to Google DNS or other external resolvers in spite of what you may tell your devices, either via static config or DHCP. Permit outbound tcp/udp 53 only from the Pi-hole servers, and deny all other outbound tcp/udp 53. You'll be surprised at how much of that traffic was going on. Chromecast and Roku are big on trying to use 8.8.8.8 in addition to whatever is locally provisioned, for example.

DNS over HTTPS (DoH) is another story. Gotta have layer 7 inspection to watch for that stuff.

Agreed, this is why I posted an easy-to-follow guide above on how to configure pfSense to allow external DNS only from the Pi-hole.

LodeRunner

Active Member
Apr 27, 2019
I can't think of anything, other than updating Pi-hole and trying to do some of the encrypted DNS stuff, that requires me to use the CLI. Install on a supported OS is braindead simple:
Code:
curl -sSL https://install.pi-hole.net | bash
Updating is also easy:
Code:
pihole -up
A Pi-hole update can include restarting the lighttpd process, which would kill the update process if run via the UI.

If that's too 'Orwellian' then I don't really know what to say. GUIs have a hard time covering all the options enterprise-level switches present, with the possible exception of wireless (looking at you, Cisco WLC command syntax). I have yet to encounter a GUI on an enterprise switch from Cisco, Juniper, Brocade, or HP where I couldn't do the same thing faster, more easily, and more accurately from the CLI.