PI-Hole for the HomeLab

So there are two types of homelabs:

  1. A simple setup with a few servers, some docker trash, and a slightly complex internal LAN
  2. A micro-datacenter

If you have the first type, then any of the existing docs on how to set up Pi-Hole will work just fine for you.  But let's imagine for a second you have the second type.  Let's imagine you have a "real" DNS setup, not just using someone else's DNS, or just a pure caching setup.

This is my setup.  External DNS is purely for sites I host; it is reached only from the WAN and is not used by any of the internal systems.  Internal DNS is my LAN, so it contains my host records for all my servers, IoT devices, DHCP stuff, switches, etc.  It also runs a caching layer for external lookups.

This means that when a server or phone internally wants an address, it hits one of the two internal DNS servers (bind9) first, which checks whether it is an internal record; if not, the caching layer resolves it upstream and returns the address.

My old setup was to run RPZ on the master, download a blocklist into bind, and use that for ad filtering.  This had problems.  The benefit of Pi-Hole is that you can customize it easily.  Updates to lists are easy, you can see what is and is not getting blocked, and you can turn it off.  For example, I found I could not watch the CW Streaming channel on my Roku TV, because the RPZ blocked something critical.  Turning that off was a major pain, even if it was just for a few hours.  Pi-Hole lets you do this quickly and easily.

So I want Pi-Hole.  But Pi-Hole won't let you easily do a master/slave setup.  You can create local host lists in Pi-Hole, but it's meant for tiny little networks.  You can't run something like Ansible to push DNS names in and out of it as you create VMs on the fly, or basically treat it like a real DNS server.  It's specifically designed for the simple case of a homelab, not the big complex one with automation engines and 150+ DNS entries on the internal network.

This is my new setup:

What does this do?  Simple: all the desktops and the phones use Pi-Hole.  All the servers still use the old internal master/slave pair.  But the Pi-Hole is slaved to the bind9 pair (they are its only upstream resolvers), not the internet, so it can still look up internal addresses just fine.

Now how do you do that?

  1. Build a VM and install Pi-Hole.
  2. Set the upstream DNS to custom, and use your internal master/slave pair as the only two DNS servers it can see.
  3. Modify your DHCP so that things that get DHCP addresses, like phones, get the Pi-Hole as the first DNS server (and usually you would give the bind9 pair, or at least the master, as the secondary here; that way, if the Pi-Hole explodes, you still have DNS).
    1. With a complex enough DHCP setup, you could even do things like not use the Pi-Hole if the device is a Raspberry Pi on DHCP; that would cut down on the downside listed below.
  4. Don't modify your servers to use the Pi-Hole, but maybe change resolv.conf on something like your desktop if that's not on DHCP.

Now on my network, VMs, LXCs, and physical devices all have static IPs.  Phones, IoT crap, laptops, etc. all use DHCP.  This means the stuff most likely to need Pi-Hole is the stuff that gets it, and the servers, which want nothing to do with it, don't.

What is the downside?  Well, take my desktop for example.  Yes, I run a browser and stuff on it, but I still monitor the machine itself in Zabbix, so I know if a disk is going bad or whatever.  Zabbix does an nslookup on zabbix.my.network about 80k times a day.  That means 90% of my DNS traffic is just Zabbix lookups, and there is no way in Pi-Hole to exclude that from the stats, meaning anything monitored by a Zabbix agent is going to show crazy high lookup counts.  It just makes the stats harder to read, and therefore it's a bit harder to find the needles in the haystack when you are looking for threats/ads to block.

But does it work?  Yes.  It super works.  I can group the TVs into their own group in Pi-Hole and change the block lists, I can turn it off easily if something breaks, and my internal DNS is still totally functional.  I also don't lose the redundancy of the master/slave bind9 pair.

Pi-Hole

And here you can see the result.  I don't have my Pis differentiated to not use it.  It doesn't really bother me that much, so what you see there are the large bands for each Pi that is wired to it.  I use most of those Pis as dashboard interfaces, so they tend to actually run Firefox, meaning they are technically internet connected; it's just that they also are monitored by Zabbix, so, boom.
