In a burst of good intentions and a desire to bring some automation to chores like planning the shopping list for the week, spreading some information for the upcoming wedding, and other things, I decided to buy a domain and start building my homelab on my rpi4. To start with, I had trouble with my provider that forced me to take some extra steps in what would otherwise have been a very smooth and easy installation. I may make a different post about my whole homelab setup.

Here, I just want to focus on DNS, DHCP and Pi-hole.

Pi-hole configuration

On the Pi-hole Discourse forum, people were pointing to the same solution: you need to configure dnsmasq to provide the DNS servers.

It wasn't super clear where to set it, as the config file (/etc/pihole/dnsmasq.conf) is auto-generated by FTL.

##################################################################################
#                                                                                #
#                     FILE AUTOMATICALLY POPULATED BY PI-HOLE                    #
#    ANY CHANGES MADE TO THIS FILE WILL BE LOST WHEN THE CONFIGURATION CHANGES   #
#                                                                                #
#            IF YOU WISH TO CHANGE ANY OF THESE VALUES, CHANGE THEM IN           #
#                             /etc/pihole/pihole.toml                            #
#                             and restart pihole-FTL                             #
#                                                                                #
#           ANY OTHER CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE           #
#                       WITHIN /etc/dnsmasq.d/yourname.conf                      #
#    (make sure misc.etc_dnsmasq_d is set to true in /etc/pihole/pihole.toml)    #
#                                                                                #
#                      Last updated: 2025-02-26 21:43:39 CET                     #
#                               by FTL version v6.0                              #
#                                                                                #
##################################################################################

There were also different versions of the configuration line that makes dnsmasq hand clients a specific set of DNS servers. Some suggested dhcp-option=option:66,192.168.1.4, but the correct one is option 6: dhcp-option=6,192.168.178.138.

After you restart Pi-hole, you can tail the /etc/pihole/dnsmasq.conf file and see:

#### Additional user configuration - START ####
dhcp-option=6,192.168.178.138
#### Additional user configuration - END ####

I found confirmation of what was the correct way of setting dnsmasq in the great eter guide. The example conf file provided in the dnsmasq GitHub repository only provides examples for IPv6:

# Send DHCPv6 option. Note [] around IPv6 addresses.
#dhcp-option=option6:dns-server,[1234::77],[1234::88]

Also, the spec, RFC 2132, shows code 6 for the DNS servers to provide in a DHCP response.

As I have said, other people pointed that out, but in the wrong format. Writing files in dnsmasq does not work well, as the final file is generated automatically. See link

To run a quick test, I sent a new DHCP request with dhcpcd -k interface while listening with dhcpdump:

dhcpdump -i wlan0 # or whatever interface you are using

You can verify that the response contains the correct DNS server.
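To make that check concrete, here is an added example (not code from this post or from the Pi-hole or dnsmasq projects) that parses the options field of a DHCP reply per RFC 2132 and confirms option 6 names only the Pi-hole. The byte strings are constructed samples, and 192.168.178.1 is an assumed router address.

```python
import ipaddress

MAGIC_COOKIE = bytes([99, 130, 83, 99])  # RFC 2131: start of the options field
PAD, DNS, TFTP_NAME, END = 0, 6, 66, 255  # option codes from RFC 2132

def parse_options(field):
    """Walk the code/length/value options that follow the magic cookie."""
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    found, i = {}, 4
    while i < len(field) and field[i] != END:
        code = field[i]
        if code == PAD:  # pad is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        found[code] = found.get(code, b"") + value  # repeated codes concatenate
        i += 2 + length
    return found

def dns_servers(field):
    """IPv4 resolvers carried in option 6; empty list when the option is absent."""
    raw = parse_options(field).get(DNS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length must be a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[n:n + 4])) for n in range(0, len(raw), 4)]

def only_pihole(field, pihole_ip):
    """True only when option 6 is present and lists nothing but the Pi-hole."""
    return dns_servers(field) == [pihole_ip]

def opt(code, value):
    """Encode one option as code, length, value."""
    return bytes([code, len(value)]) + value

def ip(addr):
    return ipaddress.IPv4Address(addr).packed

# Constructed option fields (not captured traffic); option 53 = message type, 2 = OFFER.
PIHOLE = "192.168.178.138"
GOOD = MAGIC_COOKIE + opt(53, b"\x02") + opt(DNS, ip(PIHOLE)) + bytes([END])
# Option 66 is a TFTP server name: the address travels as text and no option 6 is sent.
WRONG = MAGIC_COOKIE + opt(53, b"\x02") + opt(TFTP_NAME, b"192.168.1.4") + bytes([END])
# A second resolver (constructed address) listed beside the Pi-hole lets clients bypass it.
LEAKY = MAGIC_COOKIE + opt(DNS, ip(PIHOLE) + ip("192.168.178.1")) + bytes([END])
```
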

Note: iOS, as far as I understood, always uses IPv6, so in an unfortunate case like mine, where you still use a router from an exceptionally strict provider, the device will still get DNS servers from the router, de facto bypassing the Pi-hole. One has to remove the extra DNS servers from the iOS device.

Networking

There was a bit of extra work that I had to do, for a simple reason: DHCP clients broadcast a DHCPDISCOVER message (see RFC 2131), so this could not have worked with my Pi-hole on a bridge network, which the LAN broadcast never reaches.

I have found a useful thread on the Pi-hole discussion forum where DerFetzer outlined a possible solution. The trick was to use a relay for the DHCP requests. So, following the suggestions, I have used dhcphelper, a wonderful DHCP relay written by the same author as dnsmasq. By the way, there is an interview with Simon Kelley here. Not surprisingly, I found that I wasn't the first in this situation: Veerendra was facing the same situation some time ago.

Of course, there are alternatives: Macvlan networks can be used to bypass the need for a relay. Maybe I will play with that later.

So, to sum it up, I have used dhcphelper to run the DHCP server inside the Pi-hole (bridged) container: https://github.com/homeall/dhcphelper. This is what the setup looks like.

                                              +-----------------------------+                                                 
                                              |                             |                                                                                      
                                              |         Internet            |                                                 
                                              |                             |                                                 
                                              +-------------+---------------+                                                 
                                                            |                                                                 
                                                            |                                                                 
                                             +--------------+---------------+                                                 
                                             |                              |    This was supposed to be the DHCP server                      
                                             |         Router/Modem         |   Providing IPs and DNS servers
                                             |                              |                                                                                       
                                             +----+----+---+------+---------+                                                 
                                                  |    |   |      |                                                           
          +---------------------------------------+    |   |      +-------------------------+                                 
          |                 +--------------------------+   |                                |                                 
+---------+------------+    |            +-----------------+                         +------+---------+    Static IP          
|                      |    |    +-------+---------+                                 |                |                       
|      Laptop          |    |    |                 |                                 |    RPI4        |                       
|                      |    |    |     iPhone      |                                 |                |                       
+----------------------+    |    |                 |                                 +-------+-----+--+                       
                            |    +-----------------+                                         |     |                          
                            |                                                 +--------------+     +------------+             
                  +---------+----------+                                      |                                 |             
                  |                    |                            xxxxxxxxxx|xxxxxxxx             xxxxxxxxxxxx|xxxxxxxxxxxxx
                  |     Android        |                            x                 x             x                        x
                  |                    |                            x  Host network   x             x    Bridge network      x
                  +--------------------+                            x                 x             x                        x
                                                                    x                 x             x                        x
                                                                    xxxxxxxxx|xxxxxxxxx             xxxxxxxxxxxx|xxxxxxxxxxxxx
                                                                             |                                  |             
                                                                    +--------+---------+             +----------+------------+
                                                                    |                  |             |                       |
                                                                    |    DHCP relayer  |             |   Pi-hole with DNS/DHCP
                                                                    |                  |             |                       |
                                                                    +--------+---------+             +-----------+-----------+
                                                                             |                                   |            
                                                                             +---------------+-------------------+            
                                                                         xxxxxxxxxxxxxxxxxxxx|xxxxxxxxxxxxxxxxxxxxxxxxx       
                                                                         x                                            x       
                                                                         x               Shared network               x       
                                                                         x                                            x       
                                                                         xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          

The Docker Compose file looks like this:

networks:
  shared-network:
    ipam:
      config:
        - subnet: 172.31.0.0/16
  bridge-network:
    # Specify driver options
    driver: bridge

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      # DNS Ports
      - "53:53/tcp"
      - "53:53/udp"
      # Default HTTP Port
      - "5380:80/tcp"
      # Default HTTPs Port. FTL will generate a self-signed certificate
      - "53443:443/tcp"
    env_file:
      # Set a password to access the web interface. Not setting one will result in a random password being assigned
      - stack.env
    environment:
      # Set the appropriate timezone for your location (https://en.wikipedia.org/wiki/List_of_tz_database_time_zones), e.g:
      TZ: 'Europe/Amsterdam'
      # Output the FTL log to the container log (1 = on; set to 0 to disable)
      TAIL_FTL_LOG: 1
      FTLCONF_dns_listeningMode: 'all'
    # Volumes store your data between container upgrades
    volumes:
      # For persisting Pi-hole's databases and common configuration file
      - './etc-pihole:/etc/pihole'
    cap_add:
      # See https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
      # Required if you are using Pi-hole as your DHCP server, else not needed
      - NET_ADMIN
      # Required if you are using Pi-hole as your NTP client to be able to set the host's system time
      - SYS_TIME
      # Optional, if Pi-hole should get some more processing time
      - SYS_NICE
    restart: unless-stopped
    depends_on:
      - dhcphelper
    networks:
      shared-network:
        ipv4_address: '172.31.0.10'
      bridge-network: {}
  dhcphelper:
    restart: unless-stopped
    container_name: dhcphelper
    network_mode: "host"
    userns_mode: "host"
    image: homeall/dhcphelper:latest
    environment:
      IP: '172.31.0.10'
      TZ: 'Europe/Amsterdam'
    cap_add:
      - NET_ADMIN

Et voilà!

Possibly useful information

  • Pi-hole blacklist rep: https://firebog.net/
  • If you use systemd and you see 127.0.0.53, check your resolver
