Knot with DNSSEC + CloudFlare DNSoverTLS + Pakon + Pi-Hole?

Hey,
I have this configuration:

  1. Knot resolver with DNSSEC enabled (without forwarding)
  2. CloudFlare with DNS-over-TLS https://doc.turris.cz/doc/en/public/dns_knot_misc
  3. Pakon

Can I add Pi-hole to this set? https://doc.turris.cz/doc/cs/public/pihole
Does Pi-hole require resignation from Knot / DNSSEC?
Best Regards!
Andrew

1 Like

You could add pi-hole to this. Make sure you know what you’re doing with LXC containers on this platform. Mostly keep the container off the built-in storage. Use a pci-e ssd or a USB drive.

I was using a home-rolled ad-blocking set of scripts, but recently moved to using the adblock package which has been updated to work with kresd. Also, you probably really want to make sure your adblock file ends up on an ssd or USB drive as well, or leave it in /tmp.

The pi-hole does offer graphs and monitoring of DNS lookups, so if that’s what you’re looking for then go for it.

From a DNS perspective, the pi-hole would sit between your clients and the Turris, so you can leave your Turris in DNSSEC mode, but your clients would hit the pi-hole which would then hit the Turris DNS. The pi-hole would not have DNSSEC since it’s modifying the DNS lookups anyway by giving a false answer to the sites you’re blocking.

I think the reason I didn’t end up running the pi-hole long term was for performance reasons. That may have changed since I first tried it.

1 Like

I have a similar configuration. In fact only the PAKON is missing in my case.

At first I tried to run the Pi-Hole using Debian, but for whatever reason no version was working for me. The web interface of Pi-Hole was broken (no updates etc).

So in the end I selected Ubuntu Xenial. That one works fine with Pi-Hole (my version is 3.3.1).

In the Pi-Hole configuration I have selected my Omnia to be the DNS provider.

I have configured the DHCP server to provide the IP of the Pi-Hole as the first option and the IP of my Omnia as the second option. With this approach I am trying to avoid issues in case the LXC container would not work.

You may also consider adblock instead of pi-hole, depending on your preferences. It simply integrates with knot-resolver, but it doesn’t have such shiny GUI and perhaps some other goodies.

If you go for pi-hole (or any other non-integrated DNS-modifying thing), I agree it’s better to put it between knot-resolver and the real clients. Otherwise the modifications will be seen as MITM attacks (in secure zones), so knot-resolver will keep retrying for a while, etc.
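The ordering point made above (blocker in front of the validator, never behind it) can be seen in a small model. The following is an added example, not code from the forum, Pi-hole or Knot; it stands in a toy HMAC under a key the validator trusts for the real RRSIG/DNSKEY chain, and uses constructed names, addresses and a constructed blocklist. `layout_a` is the recommended chain (clients → Pi-hole → kresd), `layout_b` and `layout_b_rewrite` are kresd forwarding through a blocker, which a validator rejects as bogus:

```python
"""Toy model of chaining an ad-blocking forwarder (Pi-hole style) with a
DNSSEC-validating resolver (kresd style).

Added example, not from the Turris forum or the Pi-hole/Knot projects.
DNSSEC signatures are stood in for by an HMAC over (name, rdata) under a key
the validator trusts; a missing or mismatching HMAC is what a validator sees
when a forwarder rewrites an answer in a signed zone.
"""
import hashlib
import hmac

ZONE_KEY = b"toy-zone-signing-key"        # assumption: stands in for the zone's signing key
ZONE = {                                   # constructed sample "signed zone"
    "doc.turris.cz.": "1.2.3.4",
    "ads.example.": "198.51.100.7",
}
BLOCKLIST = {"ads.example."}               # constructed blocklist
BLOCK_ANSWER = "0.0.0.0"                   # Pi-hole style sinkhole answer


def sign(name, rdata):
    """Toy RRSIG: HMAC over name and rdata under the zone key."""
    return hmac.new(ZONE_KEY, f"{name}|{rdata}".encode(), hashlib.sha256).hexdigest()


def authoritative(name):
    """Authoritative server: (rcode, rdata, rrsig), or NXDOMAIN for unknown names."""
    if name not in ZONE:
        return ("NXDOMAIN", None, None)
    rdata = ZONE[name]
    return ("NOERROR", rdata, sign(name, rdata))


def validating_resolver(name, upstream):
    """kresd-style validator: checks the signature on what upstream returned.
    A missing or mismatching signature is bogus -> SERVFAIL, the same outcome a
    rewritten (MITM-looking) answer gets in a signed zone."""
    rcode, rdata, rrsig = upstream(name)
    if rcode != "NOERROR":
        return (rcode, None, None)
    expected = sign(name, rdata)
    if rrsig is None or not hmac.compare_digest(rrsig, expected):
        return ("SERVFAIL", None, None)   # validation failed
    return ("NOERROR", rdata, rrsig)


def adblock_forwarder(name, upstream):
    """Pi-hole-style forwarder: answers blocked names itself (unsigned),
    forwards everything else unchanged."""
    if name in BLOCKLIST:
        return ("NOERROR", BLOCK_ANSWER, None)
    return upstream(name)


def rewriting_forwarder(name, upstream):
    """Variant that fetches the real answer and swaps only the address, leaving
    the original signature in place (what a transparent rewrite looks like)."""
    rcode, rdata, rrsig = upstream(name)
    if rcode == "NOERROR" and name in BLOCKLIST:
        return ("NOERROR", BLOCK_ANSWER, rrsig)
    return (rcode, rdata, rrsig)


# Layout A (recommended in the thread): clients -> Pi-hole -> kresd -> authority
def layout_a(name):
    return adblock_forwarder(name, lambda n: validating_resolver(n, authoritative))


# Layout B (kresd forwarding to a blocker): clients -> kresd -> Pi-hole -> authority
def layout_b(name):
    return validating_resolver(name, lambda n: adblock_forwarder(n, authoritative))


def layout_b_rewrite(name):
    return validating_resolver(name, lambda n: rewriting_forwarder(n, authoritative))


if __name__ == "__main__":
    for name in ("doc.turris.cz.", "ads.example.", "nope.example."):
        print(f"{name:15} A: {layout_a(name)[:2]}  B: {layout_b(name)[:2]}  "
              f"B-rewrite: {layout_b_rewrite(name)[:2]}")
```

In layout A the blocked name gets the sinkhole answer and everything else arrives validated from kresd; in both B variants the blocked name ends in SERVFAIL, and in practice the validator would also keep retrying other upstreams for a while, as noted above. One related caveat for the DHCP setup mentioned earlier in the thread: clients do not reliably try DNS servers in the order given, so a second, unfiltered server means some blocked lookups will simply go around the Pi-hole.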

Hmmmm …
I have a problem with the decision ;)

  1. It seems to me that the Adblock solution will be more stable than Pi-Hole in a container. Am I wrong?
  2. Did anyone compare whether Pi-hole blocks more content than Adblock?
  3. Does Adblock not have any blocking statistics?

  1. I don’t expect so, but I know very little about pi-hole.
  2. Blocklists are probably independent of the SW you use (but I didn’t try).
  3. It doesn’t.