Pi-hole DNS Blocking
The Pi-hole project is a “DNS sinkhole” that protects your devices from unwanted content, without installing any client-side software.
Pi-hole is a perfect example to use with AstLinux within an LXC container.
Resource Usage: (minimum)
- Memory: 50 MB
- Storage: 0.7 GB
First, it is assumed the lxcbr0 interface is set up per the Quick Start Guide → Enable LXC Support.
Then from the CLI:
lxc-create -t download -n pi-hole -- -d debian -r buster -a amd64 --no-validate
service lxc restart
lxc-attach pi-hole
passwd
apt update
apt install openssh-server iputils-ping curl
...
exit
Tip -> Optionally you may want to also…
apt install sudo nano
Tip -> Set PermitRootLogin yes for sshd and restart sshd. Type exit to leave the container and do the rest via ssh.
Install Pi-hole:
Either with lxc-attach pi-hole or ssh root@pi-hole_ip_address
curl -sSL https://install.pi-hole.net -o pihole.sh
# Comment out the "set -e" in pihole.sh, then
bash pihole.sh
Follow the dialogs and answer the questions.
Change Pi-hole WebGUI password:
/usr/local/bin/pihole -a -p
Tip -> If lighttpd is not started after the Pi-hole installation (⇒ netstat -tlp):
apt remove lighttpd
bash pihole.sh # choose "Update"
Related Info -> LXC container in AstLinux
Override default DHCP dns-server option
By default, the DHCP server (dnsmasq) offers the dns-server IP address using the gateway address for that subnet. With Pi-hole you may want all DHCP clients in a subnet to use the Pi-hole server for DNS. You can override the default settings by editing your /mnt/kd/dnsmasq.static file with the following:
## Override default dns-server option
dhcp-option=lan,option:dns-server,192.168.200.10
#dhcp-option=lan2,option:dns-server,192.168.200.10
#dhcp-option=lan3,option:dns-server,192.168.200.10
#dhcp-option=lan4,option:dns-server,192.168.200.10
#dhcp-option=dmz,option:dns-server,192.168.200.10
Replace the 192.168.200.10 IP address with your Pi-hole server's static address and uncomment for each subnet you want it to apply. In the web interface, select “Restart DNS & DHCP” to apply the change to the dnsmasq configuration.
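One way to check which subnets actually hand out the Pi-hole address after editing the file, as an added example that is not part of the AstLinux or Pi-hole documentation. The function names check_dns_override and sample_static are hypothetical, the sample file is constructed, and the parser assumes one dns-server address per line, as in the snippet above.

```shell
#!/bin/sh
# Added example (not AstLinux or Pi-hole code). Names are hypothetical.
# check_dns_override PIHOLE_IP [FILE]   (reads stdin when FILE is omitted)
# Prints "<tag> <state> <ip>" for each dns-server override line, where state is
#   active   - uncommented and equal to PIHOLE_IP
#   disabled - still commented out, so that subnet keeps the gateway as DNS
#   mismatch - uncommented but pointing somewhere other than PIHOLE_IP
# Returns 0 only when at least one tag is active and none mismatch.
check_dns_override() {
    want=$1; shift
    awk -v want="$want" '
        /^[ \t]*#?[ \t]*dhcp-option=[^,]+,option:dns-server,/ {
            disabled = ($0 ~ /^[ \t]*#/)
            line = $0
            sub(/^[ \t]*#?[ \t]*dhcp-option=/, "", line)
            split(line, f, ",")            # f[1]=tag f[2]=option name f[3]=ip
            tag = f[1]; ip = f[3]
            sub(/[ \t].*$/, "", ip)        # drop trailing blanks or comment
            if (disabled)          state = "disabled"
            else if (ip == want) { state = "active";   ok++ }
            else                 { state = "mismatch"; bad++ }
            print tag, state, ip
        }
        END { exit !(ok > 0 && bad == 0) }
    ' "$@"
}

# Constructed sample in the format of the snippet above; the dmz line is a
# deliberate typo (gateway address instead of the Pi-hole address).
sample_static() {
    cat <<'EOF'
## Override default dns-server option
dhcp-option=lan,option:dns-server,192.168.200.10
#dhcp-option=lan2,option:dns-server,192.168.200.10
dhcp-option=dmz,option:dns-server,192.168.200.1
EOF
}

sample_static | check_dns_override 192.168.200.10 || echo "override incomplete"
```

On AstLinux the file to check is /mnt/kd/dnsmasq.static, passed as the second argument.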
Pi-hole Interface Settings Config
Newer versions (2021/12) of Pi-hole default to “Interface Settings” set to “Allow only local requests”, which does not work on an LXC container with an interface attached to an internal AstLinux lxcbr0 bridge. You will know this is an issue when no DNS is received and Pi-hole dnsmasq logs “Ignoring query from non-local network”.
One solution is to change the Pi-hole Interface Setting from “Allow only local requests” to “Respond only on interface …”.