Basic Pihole Configuration

This is a REALLY quick how-to for basic PiHole use with Turris and a separate Raspberry Pi.
I know there are other options and relative problems, but for others like me coming to OpenWRT and Turris from an old working setup, this is the fastest, easiest way to get started.

The following assumes you have a Raspberry Pi already set up with PiHole and that device already has a fixed IP.

  1. Log into the router and use LuCI
  2. In the top bar select: Network > Interfaces
  3. In the “LAN” section select Edit
  4. Scroll to the bottom in the “DHCP Server” section and Click on the “Advanced Settings” tab/link
  5. Find the DHCP options section
  6. Change the address from 6,192.168.1.1 to 6,(IP address of your pihole raspberry)
  7. Reboot the router (maybe? it’ll at least force a refresh for all your clients)

It is really just the last comment here:

This is super simple, but somehow it took me hours to find how to do this because I kept running into how to either configure DNS forwarding or how running a physical pihole is stupid, you should do X,Y,Z instead. In retrospect this makes sense, but I wasn’t really aware of how the DNS server address was being disseminated to all the DHCP clients.

Sorry if this is the wrong place for this but I wanted to write this down someplace.
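
What the `6,...` value in step 6 puts on the wire, as an added example that is not part of the original post: DHCP option 6 carries the DNS server addresses handed to clients, and this parser reads it back out of a reply's options field to confirm clients are pointed at the Pi-hole. The option bytes and the Pi-hole address 192.168.1.53 are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

OPT_PAD, OPT_DNS, OPT_END = 0, 6, 255

def parse_dhcp_options(blob: bytes) -> dict:
    """Walk the code/length/value options that follow the DHCP magic cookie."""
    options, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:            # single padding byte, no length field
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f"option {code} has no length byte")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        # A repeated option code is concatenated (RFC 3396).
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options

def dns_servers(options: dict) -> list:
    """Decode option 6: a list of 4-byte IPv4 addresses."""
    raw = options.get(OPT_DNS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length must be a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[n:n + 4])) for n in range(0, len(raw), 4)]

def uses_only(options: dict, expected_ip: str) -> bool:
    """True when the reply advertises exactly one resolver, the expected one."""
    return dns_servers(options) == [expected_ip]

def build_offer(dns_ip: str) -> bytes:
    """Constructed sample options field of a DHCP OFFER (not a capture)."""
    ip = ipaddress.IPv4Address
    return (bytes([53, 1, 2])                              # message type: OFFER
            + bytes([1, 4]) + ip("255.255.255.0").packed   # subnet mask
            + bytes([3, 4]) + ip("192.168.1.1").packed     # router
            + bytes([6, 4]) + ip(dns_ip).packed            # DNS server(s)
            + bytes([OPT_END]))

PIHOLE = "192.168.1.53"               # assumed Pi-hole address
BEFORE = build_offer("192.168.1.1")   # router hands out itself as DNS
AFTER = build_offer(PIHOLE)           # after changing the DHCP option to 6,<pihole>

if __name__ == "__main__":
    for name, blob in (("before", BEFORE), ("after", AFTER)):
        opts = parse_dhcp_options(blob)
        print(name, dns_servers(opts), "pi-hole only:", uses_only(opts, PIHOLE))
```
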

This step is the same if you run the pi-hole in the router itself (in a container), I believe – at least it’s one way to have the DNS chain… to just hand out the address of pi-hole directly via DHCP.

BTW, you might consider configuring the pi-hole to forward to the router’s DNS, which would get you DNSSEC validation, optionally TLS forwarding (and possibly other features, but perhaps you don’t care for any of these).

I did not know that, I never looked deep into the container setup as I (wrongly) assumed it wouldn’t relate. I like this idea, it seems the latest version of PiHole supports DNSSEC Validation? It isn’t on by default but in the PiHole Admin console:

Assuming the PiHole has already been set up to use Cloudflare or some other DNSSEC-supporting DNS, there is a short note in the PiHole page near DNSSEC regarding this pre-req.

Settings > DNS > Use DNSSEC (check this box)

and it should have the same/similar effect yeah?

It’s possible, but I’m not a good judge of that. IIRC it’s based on dnsmasq and that claims to support validation for a couple years, I think.

It’s probably less “battle-tested” than for other resolvers (as dnsmasq users typically still don’t enable it, I expect), but for normal people it might not make a noticeable difference.