====== Pi-hole DNS Blocking ======

The [[https://pi-hole.net/|Pi-hole]] project is a "DNS sinkhole" that protects your devices from unwanted content, without installing any client-side software.

Pi-hole is a perfect example to use with AstLinux within an LXC container.

**Resource Usage:** (minimum)
  * Memory: 50 MB
  * Storage: 0.7 GB

\\
First, it is assumed the ''lxcbr0'' interface is set up per the **[[userdoc:guest_lxc_container#quick_start_guide|Quick Start Guide]]** -> Enable LXC Support.

Then from the CLI:

  lxc-create -t download -n pi-hole -- -d debian -r buster -a amd64 --no-validate
  service lxc restart
  lxc-attach pi-hole
  passwd
  apt update
  apt install openssh-server iputils-ping curl
  ...
  exit

!!Tip ->!! Optionally you may want to also...

  apt install sudo nano

!!Tip ->!! Set ''PermitRootLogin yes'' for sshd and restart sshd. Type ''exit'' to leave the container and do the rest via ssh.

\\
__Install Pi-hole:__
\\
Either with ''lxc-attach pi-hole'' or ''ssh root@pi-hole_ip_address''

  curl -sSL https://install.pi-hole.net -o pihole.sh
  # Comment out the "set -e" in pihole.sh, then
  bash pihole.sh

Follow the dialogs and answer the questions.

Change Pi-hole WebGUI password:

  /usr/local/bin/pihole -a -p

\\
!!Tip ->!! If ''lighttpd'' is not started after the Pi-hole installation (check with ''netstat -tlp''):

  apt remove lighttpd
  bash pihole.sh   # choose "Update"

\\
!!Related Info ->!! **[[userdoc:guest_lxc_container|LXC container in AstLinux]]**

\\
**Override default DHCP dns-server option**

By default, the DHCP server (dnsmasq) offers the ''dns-server'' IP address using the gateway address for that subnet. With Pi-hole you may want all DHCP clients in a subnet to use the Pi-hole server for DNS.
You can override the default settings by editing your ''/mnt/kd/dnsmasq.static'' file with the following:

  ## Override default dns-server option
  dhcp-option=lan,option:dns-server,192.168.200.10
  #dhcp-option=lan2,option:dns-server,192.168.200.10
  #dhcp-option=lan3,option:dns-server,192.168.200.10
  #dhcp-option=lan4,option:dns-server,192.168.200.10
  #dhcp-option=dmz,option:dns-server,192.168.200.10

Replace the ''192.168.200.10'' IP address with your Pi-hole server's static address and uncomment the line for each subnet you want it to apply to.

In the web interface, select "Restart DNS & DHCP" to apply the change to the dnsmasq configuration.

\\
**Pi-hole Interface Settings Config**

Newer versions (2021/12) of Pi-hole default to "Interface Settings" set to "Allow only local requests", which does not work on an LXC container with an interface attached to an internal AstLinux ''lxcbr0'' bridge. You will know this is an issue when no DNS is received and Pi-hole dnsmasq logs "Ignoring query from non-local network".

One solution is to change the Pi-hole Interface Setting from "Allow only local requests" to "Respond only on interface ...".
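
An added example (not AstLinux or Pi-hole code) for the ''/mnt/kd/dnsmasq.static'' override described earlier: it reports, per DHCP tag, whether clients are handed only the Pi-hole address, some other resolver, or the default gateway address because the line is still commented out. The function name ''dns_override_report'' and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of AstLinux or Pi-hole.
# Usage: dns_override_report FILE PIHOLE_IP
# Prints one "<tag> <state>" line per DHCP tag found in FILE:
#   pihole        active override, every listed server is PIHOLE_IP
#   other:<list>  active override that also (or only) names another resolver
#   default       only a commented-out line, so dnsmasq offers the gateway
dns_override_report() {
  awk -v want="$2" '
    /^[ \t]*#?[ \t]*dhcp-option=[^,]+,option:dns-server,/ {
      commented = ($0 ~ /^[ \t]*#/)
      line = $0
      sub(/^[ \t]*#?[ \t]*dhcp-option=/, "", line)
      gsub(/[ \t\r]/, "", line)
      n = split(line, f, ",")          # f[1]=tag, f[2]=option name, f[3..n]=servers
      tag = f[1]
      if (commented) {
        # A commented line never overrides an active one for the same tag.
        if (!(tag in state)) state[tag] = "default"
        next
      }
      servers = f[3]; all_pihole = (f[3] == want)
      for (i = 4; i <= n; i++) {
        servers = servers "," f[i]
        if (f[i] != want) all_pihole = 0
      }
      state[tag] = all_pihole ? "pihole" : "other:" servers
    }
    END { for (t in state) print t, state[t] }
  ' "$1" | LC_ALL=C sort
}

# Constructed sample in the layout shown on this page; the dmz line
# deliberately lists the gateway as a second resolver.
sample=$(mktemp)
cat > "$sample" <<'EOF'
## Override default dns-server option
dhcp-option=lan,option:dns-server,192.168.200.10
#dhcp-option=lan2,option:dns-server,192.168.200.10
dhcp-option=dmz,option:dns-server,192.168.200.10,192.168.200.1
EOF
dns_override_report "$sample" 192.168.200.10
rm -f "$sample"
```

Any tag reported as ''default'' or ''other:'' still has a DNS path that does not go through Pi-hole blocking.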