Installing Pi hole on Proxmox and using OPNsense Unbound DNS Upstream

Captions
A lot of home users like to run Pi-hole in their network to block ads, ad tracking, telemetry data, or malicious domain names. Pi-hole works great for that and has a nice web interface that has some graphs and charts, and even has a log of all of the DNS queries that happen on your network, so you can take a look at what's going on and see what's being allowed and blocked on your network. You can add exceptions to that list or add more blocks to that list as well, and add other lists that you can find on the internet that have some domain names that you might want to block in addition to the ones that come with Pi-hole. So there's some customization you can do there to fine-tune it for your network, for your needs, to block as many ads or other malicious domains that you do not want on your network.

I want to show how to set up Pi-hole on Proxmox and configure it to work with OPNsense. What I'm going to do at a high level is have OPNsense configured to hand out the Pi-hole DNS server to all the network clients, and then Pi-hole will be configured to use Unbound DNS in OPNsense as its upstream server, and then OPNsense will use whatever upstream server you have configured. So I'm going to cut over to my system and show how to set up Pi-hole in Proxmox first, in a container, and then we'll move on to configuring OPNsense and do some more configuration of Pi-hole as well. I'll show how to set it up on a single network first, and then I'll show some additional configuration you'll need to do if you want to set this up for multiple networks, if you have VLANs or other networks set up in OPNsense.

So now I'm logged into the Proxmox web interface, and you go up to the top and click Create Container, and then I'm going to enter a CT ID of 312
and hostname of Pi-hole, and then you just enter a password for the root user. Click Next. For this step you just need to pick the template you're going to use for your container. Mine is actually stored on the network share, so I'm going to be picking a different storage, but you might just pick local for yours if it's on the same server. I'm going to pick Ubuntu 22.04. You can use a different operating system, but the instructions will vary a little bit if you're not using a Debian-based operating system, because the commands might be a little bit different. I'm going to click Next.

So for the storage, you can use local-zfs; otherwise it might be like LVM or some other storage naming up here at the top. By default it's eight gigabytes. You can up this to 10 if you want, just to make it nice and even. You can always change this value later; it's easy to do and the container will recognize it immediately, so it's not that big a deal. Click Next.

Okay, for cores, you might want to select two here, because I noticed if I selected one I got a warning message about exceeding 100% CPU when it's first loading, like, the block list. It depends on how fast your single-core performance is on your system. If you use two cores you should be good to go, so click Next.

By default it's set to 512 megabytes. You can lower this to 256 if you want to minimize the amount of resources available. You could probably almost get away with 128 megabytes; Pi-hole doesn't use that many resources at all.

For the network, you need to pick the bridge of the network where you want Pi-hole to live, and I'm going to pick my virtual LAN network, because I have some virtual bridges here in Proxmox that represent the LAN network that I have here. For IPv4, I like to pick DHCP and then assign a static IP in OPNsense, so that I can control all my static IPs in one place in OPNsense. The same for IPv6: I usually use SLAAC even though I have DHCP running on my network. I noticed SLAAC seems to work a lot better in Proxmox
(this is from my experience). So those are two options that you want to set, and then click Next.

For the domain names, if your Proxmox host is on a different network than your container, you'll want to set this DNS server to be the DNS server of your LAN network. Mine's not going to be in the same network, so probably okay if I just left it blank, but I always like to specify the DNS server for each of my containers, because if you're on a different network it's going to try to use the host DNS server of the Proxmox host, and if you don't have the firewall rules in place in OPNsense, you won't have access to servers.

Finally, we're going to click Start after created and click Finish. You'll see that it's starting to create the container here, and once it says TASK OK we can hit close on this. We still need to wait a few seconds here, and you notice it's loaded up. We'll click on Pi-hole over here, and now we have the login prompt. We're going to use the root user and log in using the password we used when we first created the container.

So the first thing you want to do is update your software, because it's going to be out of date a little bit when you're using a container, because it doesn't have all the latest updates; it's just going to be whatever it was when you first got that container, which is like the base Ubuntu installation. So let's do apt update and dist-upgrade. Okay, yes, okay.

Now that that's done, we need to install curl using apt install curl. This is something that's going to be necessary to run the Pi-hole installation script, so let's install this.

Before installing Pi-hole in the container, let's set up a static IP address for the Pi-hole DNS container. So let's go to Network and double-click on here, and we'll see there's a MAC address here. We'll copy and paste this and save it for later, after we're logged into OPNsense.

Now that we're in the OPNsense dashboard, let's go to Services, DHCPv4, click on the LAN network, and scroll to the bottom, and
we'll go down here and click on this plus button to add a new static DHCP reservation. Let's paste that MAC address in. Let's use the IP address of 192.168.1.10, and the hostname would just be Pi-hole. For the description, you can just put whatever you want here: Pi-hole DNS server. Scroll to the bottom, click Save, and then click Apply Changes.

Now let's jump back over to Proxmox. Now that we set a static IP address in OPNsense for this container, we can either reboot by typing the reboot command, or you can go over to this menu and click Reboot. Since we're already in the console, we can just type reboot, and then we'll just wait for it to restart, which doesn't take very long at all. So let's go to the root user here and log back in. Let's do ip a to see if the IP address has changed, and as you can see we now have 192.168.1.10, so now we have a static IP.

So now let's go ahead and install Pi-hole. Here's the command to run Pi-hole, so let's get started. All right, it says this will transform your device into a network-wide ad blocker. That's our goal, right? Hit Enter. And it's free but powered by donations, so hit Enter. And it says it needs a static IP address, which we just configured, so we can say Continue. This is important because it is a server and the IP address can't change, because everything on the network's going to be using the IP address for your DNS. Continue.

Since we're going to use OPNsense, the Unbound DNS, as the upstream DNS server, just go to Custom and type in 192.168.1.1, since that's going to be our OPNsense DNS server for the LAN network. So hit OK and Yes. And this is going to be the block list that's going to be used; this is the default block list for Pi-hole. We might as well hit Yes so you at least have some domains to be blocked in there. It says you want to install the admin web interface. Most users are going to say yes to this, because most people like that web interface to have the graphs and charts and be able to manage
Pi-hole, but some people might want to do command line for everything, and that's a possibility. But let's just hit Yes. It says they're going to need a web server for that, so hit Yes to install a web server.

Now it's going to ask if you want to log your queries, which most likely you want to do so you can have the detailed information about your logs. But I can see where, if you have a microSD card or something like that you're using, you might not want a lot of wear and tear on the device, so you might want to disable that. But I feel like that kind of reduces the usefulness of Pi-hole, because you need to look at those detailed logs sometimes to see what's actually being blocked in detail. So let's hit Yes on this. For the privacy mode, we're just going to show everything. I can see if you're doing maybe like a public Wi-Fi network that maybe you want to make some of these requests anonymous to protect maybe some privacy of your users, but for a home network we're just going to default to show everything so we can look at everything.

All right, now it's installing some things here and doing some checks. Now you have arrived at the final screen, and it tells you the IP address of your Pi-hole server as well as the default login password that's auto-generated. So it's not admin/admin; you actually have a default password that's randomly generated, which is a little bit more secure. So make note of this password so you'll be able to log into your web interface.

Okay, now let's log into the Pi-hole web interface and make sure everything's loaded properly. So in your web browser, let's go to 192.168.1.10/admin. As you can see, here's the Pi-hole interface. Now what we need to do is type in the password that was auto-generated. As you can see here, it shows that the total queries is zero, and zero queries blocked, zero percentage blocked, but you'll see that 193,000 domains are on the adlist. This is what we would expect since we're not fully set up with Pi-hole on OPNsense
yet, but we can at least get into the web interface, which is a good sign that everything is set up properly.

Now we're at the dashboard of OPNsense, so let's go to Services, DHCPv4, and go to the LAN network. What we're going to do is scroll down here to the DNS servers section and type in our Pi-hole address, which you should know by now. Okay, then scroll to the bottom and click Save. Now that we've done this, we need to release and renew the DHCP addresses of our client machines so that it will actually take effect, because the DHCP server is actually going to provide this IP address for the DNS server to all the clients that are using DHCP. So let's do that next.

Okay, now we're in our Linux machine, and if we type resolvectl you actually see that our current DNS server is 192.168.1.1, and that is our LAN network DNS server, and it should be 1.10. So one thing we can do is just simply disconnect and reconnect, which is one easy way to do it. You can also run a command to release and renew DHCP addresses, so you could say sudo dhclient -r, and it kills the old DHCP client, and then you can say sudo dhclient, or "sudo", however you want to say it, without the -r, and it'll actually refresh and renew the IP address. So if we do resolvectl again, you'll see that it now says 192.168.1.10.

So if we go back to our web browser and go to Google, for example, and then go to Pi-hole and refresh this page, now you'll see there's actually DNS lookups going through Pi-hole from my device on my LAN network that I just refreshed. You'll see the name of it down here under the top clients, and you'll see the total requests and the block counts down here. So that's all you need to do to get it working for the LAN network.

So now what I want to show you is what you need to do if you have multiple local networks that you have separated, you know, with VLANs or just other interfaces on the firewall. There's a couple extra steps that you need
to do to actually make this work. So let's go to Settings on here. We'll go ahead and change the settings on Pi-hole first, and then we'll go ahead and change OPNsense to account for these changes.

Okay, so let's look at the Settings page. Let's go to DNS, and you'll notice here it's set to allow only local networks, and this means it only accepts queries from devices that are at least one hop away. So it means any devices that are on the same subnet, local network, so only clients on the LAN network will be allowed with this setting. This is set by default for security, in case you just set this up and you don't really, you know, configure anything away from the defaults. It's just kind of a safer setting, because if you allow everything, like down here, and you have it open to the internet, it means people can use DNS amplification attacks, which is not a good thing for the security of your network; you can take it, DDoS your network essentially. So they say "potentially dangerous options", but since we're not opening up the DNS server to the internet, it's okay to select these options down here, because it'll even say that if you have not forwarded port 53 on your router, these options are actually safe to use in a typical home network setup.

So what we'll do down here is just click this first option that says respond only on interface eth0. It's a little bit less open than permit all origins, I believe; that's from trying to determine what the difference is, you know, from the documentation.

Then let's go down to the Advanced DNS settings section. These two options here, you probably want to uncheck them, because we're going to be forwarding all of our requests to our Unbound DNS on OPNsense, which is going to be able to handle all of these private IP addresses and private hostnames that we're using, and we don't want Pi-hole to interfere with local hostname resolutions or anything like that, or
reverse IP lookups within our network, because these would actually potentially block some of that when going upstream. And since, you know, we're using OPNsense as our upstream provider, we can uncheck these boxes, and we'll scroll down and hit Save.

All right, so now that we have this, we're going to go back to OPNsense and go to the IoT network. We're going to go down to the DNS servers on the IoT network, just like we did with the LAN network, so this is going to look the same, right? We're going to put in the IP address for the Pi-hole server and click Save. What we're going to do now is switch over to my devices on the IoT network and refresh that DHCP lease so that it'll get this DNS server, so that's the same exact process we did for this machine.

As you can see, we're back on our other machine; we've got the different hostname here. We're going to do the resolvectl command again, and you can see that our DNS server is our interface IP address of .20.1. So we are going to release and renew the DHCP lease so that we can get the Pi-hole server IP address. So let's do sudo dhclient -r, okay, and we'll just do the same thing without the -r, and then we'll check resolvectl, and you'll see now we have the Pi-hole DNS address.

So if we go up here, let's see if we can access a domain name. Notice we can't access anything just yet, because now we're on a different network and the Pi-hole DNS server is in another network, so we actually need to go back and change our firewall rules. Let's go back to OPNsense and make those changes.

So we're back in our OPNsense web interface. Let's go up to Firewall, go to Rules, and the IoT network. As you can see, I have the default rules here that I like to use to separate my networks from each other: I have a rule to allow DNS, and then I have a rule that blocks all private networks but allows access to all other networks, which would be the internet. So this first rule
here, we need to go and edit it, because now we want to use the Pi-hole DNS server and not Unbound DNS. Remember, the Pi-hole DNS server is going to be using Unbound DNS as the upstream server, so it's still going to use Unbound DNS eventually, but it's not going to be used directly by the clients on our network. So now we need to go to this rule and scroll down to the destination. We have it set to the IoT address; we need to scroll up to where you see "Single host or Network", and we're going to type in the Pi-hole DNS server address. Okay, let's set this to 32 since it's a single host. Now we'll scroll down and click Save, and we click Apply Changes. So now let's go back to the other system and see if we can access microsoft.com again.

Okay, now we're back on our other system, and we're going to try microsoft.com again and hit Enter. As you can see, we can now access microsoft.com. Let's go back to the Pi-hole dashboard and see if we can see this new client that's on the IoT network, and see if it shows up in the Pi-hole web interface.

Okay, so now we're back on the Pi-hole web interface. Let's scroll down and see if we see our new client down here at the bottom. As you can see, we have the vert1 and the vert2 virtual machine clients that I have set up, and so both of these machines are now showing up under Pi-hole.

So I hope you found this information helpful in setting up Pi-hole in a network. Whether you're using a single network or you're using multiple networks, you can actually set up Pi-hole on any number of networks that you want on your home network, and you can take advantage of all the features that Pi-hole has, which is pretty cool. So until next time, I'll see you guys later.

[Music]
Info
Channel: Home Network Guy
Views: 11,251
Id: jiiQUTQTNtk
Length: 17min 42sec (1062 seconds)
Published: Fri Sep 15 2023