Pi-hole DNS Blocking

The Pi-hole project is a “DNS sinkhole” that protects your devices from unwanted content, without installing any client-side software.

Pi-hole is a perfect example to use with AstLinux within an LXC container.

Resource Usage: (minimum)


First, it is assumed the lxcbr0 interface is set up per the Quick Start Guide → Enable LXC Support.

Then from the CLI:

lxc-create -t download -n pi-hole -- -d debian -r buster -a amd64 --no-validate
service lxc restart
lxc-attach pi-hole
  passwd
  apt update
  apt install openssh-server iputils-ping curl
  ...
  exit

Tip -> Optionally you may want to also…

  apt install sudo nano

Tip -> Set PermitRootLogin yes for sshd and restart sshd. Type exit to leave the container and do the rest via ssh.


Install Pi-hole:

Either with lxc-attach pi-hole or ssh root@pi-hole_ip_address

curl -sSL https://install.pi-hole.net -o pihole.sh
# Comment out the "set -e" in pihole.sh, then
bash pihole.sh

Follow the dialogs and answer the questions.

Change Pi-hole WebGUI password:

/usr/local/bin/pihole -a -p


Tip -> If lighttpd is not started after the Pi-hole installation (⇒ netstat -tlp):

apt remove lighttpd
bash pihole.sh
# choose "Update"


Related Info -> LXC container in AstLinux


Override default DHCP dns-server option

By default, the DHCP server (dnsmasq) offers the dns-server IP address using the gateway address for that subnet. With Pi-hole you may want all DHCP clients in a subnet to use the Pi-hole server for DNS. You can override the default settings by editing your /mnt/kd/dnsmasq.static file with the following:

## Override default dns-server option
dhcp-option=lan,option:dns-server,192.168.200.10
#dhcp-option=lan2,option:dns-server,192.168.200.10
#dhcp-option=lan3,option:dns-server,192.168.200.10
#dhcp-option=lan4,option:dns-server,192.168.200.10
#dhcp-option=dmz,option:dns-server,192.168.200.10

Replace the 192.168.200.10 IP address with your Pi-hole server's static address and uncomment the line for each subnet you want it to apply to. In the web interface, select “Restart DNS & DHCP” to apply the change to the dnsmasq configuration.
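The following shell check is an added example, not part of the AstLinux documentation. It parses a dnsmasq.static file and reports, per subnet tag, whether DHCP clients are offered the Pi-hole address, so a subnet that bypasses filtering is easy to spot. The function names and the sample file are constructed here; on a real system pass /mnt/kd/dnsmasq.static as the file.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Print "STATE TAG SERVERS" for each dns-server dhcp-option line in file $1.
# STATE is "commented" when the line is disabled with '#', in which case that
# subnet keeps the default (the gateway address is offered as DNS server).
list_dns_overrides() {
    awk '{
        line = $0; state = "active"
        sub(/^[ \t]+/, "", line)
        if (line ~ /^#/) { state = "commented"; sub(/^#+[ \t]*/, "", line) }
        if (line !~ /^dhcp-option=[^,]+,option:dns-server,[^,]/) next
        sub(/^dhcp-option=/, "", line); sub(/[ \t]+$/, "", line)
        tag = line; sub(/,.*/, "", tag)
        servers = line; sub(/^[^,]+,option:dns-server,/, "", servers)
        print state, tag, servers
    }' "$1"
}

# Report per subnet whether clients are handed the Pi-hole address $2.
# Exit status is 1 if any active override offers a different address.
audit_dns_overrides() {
    list_dns_overrides "$1" | (
        rc=0
        while read -r state tag servers; do
            if [ "$state" = "commented" ]; then
                echo "$tag: default (gateway address), Pi-hole not used"
            elif [ "$servers" = "$2" ]; then
                echo "$tag: Pi-hole ($servers)"
            else
                echo "$tag: MISMATCH, offers $servers, expected $2"; rc=1
            fi
        done
        exit "$rc"
    )
}

# Constructed sample modelled on the snippet above, with one wrong address.
write_sample() {
    cat > "$1" <<'EOF'
## Override default dns-server option
dhcp-option=lan,option:dns-server,192.168.200.10
dhcp-option=lan2,option:dns-server,192.168.200.1
#dhcp-option=dmz,option:dns-server,192.168.200.10
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_dns_overrides "$sample" 192.168.200.10 || echo "review the mismatched subnet(s)"
rm -f "$sample"
```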


Pi-hole Interface Settings Config

Newer versions (2021/12) of Pi-hole default to “Interface Settings” set to “Allow only local requests”, which does not work on an LXC container with an interface attached to an internal AstLinux lxcbr0 bridge. You will know this is an issue when no DNS is received and Pi-hole dnsmasq logs “Ignoring query from non-local network”.

One solution is to change the Pi-hole Interface Setting from “Allow only local requests” to “Respond only on interface …”.