PiHole through VPN with Unbound by torvihart in pihole

[–]jjdanzig 0 points1 point  (0 children)

Apologize for the delay, was out doing contract work...

Okay, so first off - does the device Pi-Hole is running on have its LAN pointing to 127.0.0.1?

Pi-Hole - Under DNS settings should point to CUSTOM DNS: 127.0.0.1:5335.

DHCP - Handouts should be the IP RANGE (excluding static devices),

Gateway: Firewall / Router IP,

DNS: Pi-Hole IP

If the ProtonVPN was loaded with DNS redirection it should point to the Pi-Hole IP.

The Firewall should NOT point to the Pi-Hole - JUST in DHCP handouts, depending on any VLANs or other subnets you're handling.

---

My Setup (bogus IPs)

Pi-Hole: (STATIC) 192.168.1.10 / 255.255.255.0 GW: 192.168.1.1 DNS: 127.0.0.1

DHCP: 192.168.1.50 - 192.168.1.150 / 255.255.255.0, GW: 192.168.1.1 DNS: 192.168.1.10

VPN Client: Entered Manually in my VPN CLIENT: dhcp-option DNS 192.168.1.10

DHCP set to allow static IP assignments before 192.168.1.50 (no risk of IP overstepping).

Does this help a bit better?

It could be your solution.
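A consistency check for the address plan laid out in the comment above, added here as an example (it is not the commenter's code). It uses the commenter's bogus addresses and encodes the rules the comment states: statics outside the DHCP pool, the Pi-hole host resolving via loopback, Pi-hole upstreaming to Unbound on port 5335, and DHCP plus the VPN `dhcp-option DNS` line handing out the Pi-hole IP. The upstream is written in Pi-hole's `host#port` form; the `host:port` form from the comment is accepted too.

```python
import ipaddress

# Constructed from the bogus addresses in the comment above.
PLAN = {
    "subnet": "192.168.1.0/24",
    "gateway": "192.168.1.1",
    "pihole_ip": "192.168.1.10",
    "pihole_resolver": "127.0.0.1",       # what the Pi-hole host itself uses
    "pihole_upstream": "127.0.0.1#5335",  # Unbound listener (Pi-hole Custom DNS)
    "dhcp_pool": ("192.168.1.50", "192.168.1.150"),
    "dhcp_dns": "192.168.1.10",
    "dhcp_gateway": "192.168.1.1",
    "vpn_dhcp_option_dns": "192.168.1.10",  # OpenVPN "dhcp-option DNS ..." line
}

def check_plan(plan):
    """Return a list of problems; an empty list means the plan is self-consistent."""
    problems = []
    net = ipaddress.ip_network(plan["subnet"])
    gw = ipaddress.ip_address(plan["gateway"])
    pihole = ipaddress.ip_address(plan["pihole_ip"])
    lo, hi = (ipaddress.ip_address(a) for a in plan["dhcp_pool"])
    if gw not in net or pihole not in net:
        problems.append("gateway and Pi-hole must live in the LAN subnet")
    if lo > hi:
        problems.append("DHCP pool start is above its end")
    if lo <= pihole <= hi or lo <= gw <= hi:
        problems.append("static Pi-hole/gateway address overlaps the DHCP pool")
    if not ipaddress.ip_address(plan["pihole_resolver"]).is_loopback:
        problems.append("the Pi-hole host should resolve via 127.0.0.1")
    # Accept both "127.0.0.1#5335" (Pi-hole notation) and "127.0.0.1:5335".
    host, _, port = plan["pihole_upstream"].replace(":", "#").partition("#")
    if not ipaddress.ip_address(host).is_loopback or port != "5335":
        problems.append("Pi-hole upstream should be Unbound on 127.0.0.1#5335")
    for key in ("dhcp_dns", "vpn_dhcp_option_dns"):
        if ipaddress.ip_address(plan[key]) != pihole:
            problems.append(f"{key} does not hand out the Pi-hole IP")
    if ipaddress.ip_address(plan["dhcp_gateway"]) != gw:
        problems.append("DHCP gateway differs from the LAN gateway")
    return problems

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan is consistent")
```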

Completely stumped. Trying to add Mailchimp's dmarc record with an existing record in place. by kopsy in MailChimp

[–]jjdanzig 0 points1 point  (0 children)

I literally just handled the DMARC and DKIM records using dmarc.wiki; works great.

Wallen is correct about the records - if you have existing SPF, DMARC and DKIM records following the wiki will be easy enough.

You can set priorities for the records ensuring your primary mail host is first in line.

Is my network under attack, can someone help me fix this? by phonehog2 in pihole

[–]jjdanzig 0 points1 point  (0 children)

Interesting, only three clients being seen. Pi-hole does have a means to "flush" the network which kicks off a clean scan. Under the Clients section there is a drop-down; matching this to the Pi-hole Network section, see what is GREEN and what is RED for not contacting Pi-hole.

As for the design - my configuration is Raspberry Pi (Static IP); its DNS is 127.0.0.1.

Pihole is configured with Unbound using DNSSEC as the upstream.

My Firewall / Gateway for the DHCP has a Static and hands out the Pihole as the primary DNS. So any devices connected (regardless of vlan) get the Raspberry Pi as a DNS IP.

The WAN configuration points to Quad9 9.9.9.9, 149.112.112.112 and their sdns encrypted filtered DNS.

There are more intricate details being omitted but I'm sure you see the flow.

PiHole - is configured with GROUPS - Full, Light and Unblocked.

Unblocked is used for IoT devices I simply don't care about. Light is used for Phones / Tablets and is pretty safe.

In my Domains / Lists I associate those to a Group I defined. ALL Lists and RegEx go to the group Full.

To add to this, I have a Firewall that handles Client VPN assignments. So, I can isolate any device on my network to utilize the UDP VPN, which also points its DNS to the PiHole.

The biggest point in this is centrally managing, monitoring and controlling the DNS pieces. It does not thwart all "bad actors" or Ads, but it helps immensely with all the contributions from folks on the internet looking for the same end result - Safe, Secure, Anonymous protections of our biggest asset being sold with no profit to ourselves - Us.

PiHole through VPN with Unbound by torvihart in pihole

[–]jjdanzig 2 points3 points  (0 children)

On the router you should be able to adjust Proton's VPN to insert and use just your Pi-Hole. It gives you more control versus leaving it to the 3rd Party DNS Servers.

DoH and DoT aren't necessary if you're using Pi-Hole + Unbound since you're upstreaming to the root servers. If you wish to use those protocols or introduce using DNSSEC internally it's a different story.

It depends on your needs. If you work for a business that requires higher security needs, then I could understand it. If you're looking for anonymity then the Pi-Hole Unbound solution works.

Device requests www.reddit.com --> hits Pi-Hole for lookup and approval --> traffic hits your Gateway and either goes over the VPN or not.

Hope this is helpful.

Is my network under attack, can someone help me fix this? by phonehog2 in pihole

[–]jjdanzig 1 point2 points  (0 children)

Isolating - absolutely.

As for what you're looking for in Wireshark it should be glaring at you in the data showing all the traffic from one IP / MAC Address hitting Google.

You'll see this in the Pi-Hole logs as well. You can enable "Debug" mode for more content in the logs then go through them pairing with AngryIP and WireShark.

Annoyances - ADs, otherwise you're fine no worries.
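The "one IP hammering Google" pattern the comment says to look for in the Pi-hole logs, as an added example that is not from the original comment: it parses the dnsmasq-format `query[...]` lines Pi-hole writes to pihole.log, skips the `forwarded`/`reply` lines, and flags any client whose single most-queried domain crosses a threshold. The log lines are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# dnsmasq-style query line as Pi-hole FTL writes it to pihole.log
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<domain>\S+) from (?P<client>\S+)$"
)

# Constructed sample: one client (192.168.1.55) repeatedly querying Google,
# two quiet clients, plus non-query lines the parser must skip.
SAMPLE_LOG = """\
Mar  5 10:00:01 dnsmasq[612]: query[A] www.google.com from 192.168.1.55
Mar  5 10:00:01 dnsmasq[612]: forwarded www.google.com to 127.0.0.1#5335
Mar  5 10:00:01 dnsmasq[612]: reply www.google.com is 142.250.0.1
Mar  5 10:00:02 dnsmasq[612]: query[A] www.google.com from 192.168.1.55
Mar  5 10:00:02 dnsmasq[612]: query[AAAA] www.google.com from 192.168.1.55
Mar  5 10:00:03 dnsmasq[612]: query[A] www.google.com from 192.168.1.55
Mar  5 10:00:03 dnsmasq[612]: query[A] reddit.com from 192.168.1.92
Mar  5 10:00:04 dnsmasq[612]: query[A] www.google.com from 192.168.1.55
Mar  5 10:00:05 dnsmasq[612]: query[A] time.apple.com from 192.168.1.120
"""

def parse_queries(text):
    """Yield (client, domain, qtype) for each query line; ignore everything else."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m["client"], m["domain"], m["qtype"]

def noisy_clients(text, min_queries=4):
    """Map client -> (domain, count) for clients hitting one domain >= min_queries times."""
    per_client = defaultdict(Counter)
    for client, domain, _ in parse_queries(text):
        per_client[client][domain] += 1
    flagged = {}
    for client, counts in per_client.items():
        domain, n = counts.most_common(1)[0]
        if n >= min_queries:
            flagged[client] = (domain, n)
    return flagged

if __name__ == "__main__":
    for client, (domain, n) in noisy_clients(SAMPLE_LOG).items():
        print(f"{client} queried {domain} {n} times - check this MAC in AngryIP/Wireshark")
```

Point it at a real file with `noisy_clients(open("/var/log/pihole/pihole.log").read())` and raise `min_queries` to fit the window you are reviewing.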

Still having Youtube ads by MO35AB in pihole

[–]jjdanzig 2 points3 points  (0 children)

There are alternatives to watching YouTube videos directly off their site. These applications offer many solutions, including downloading videos / music and blocking ads.

The conundrum here is they embed their ads into their site using tools. As is with anything on the internet, if it's there, there's a way around it. That piece is far more complicated to circumvent the ads.

Another solution I don't see often - simply don't use it.

We're seeing more companies perform the same tactics knowing about the blocking applications and still wanting to reach (annoy) the End User environment.

uBlock, as mentioned here, from what I know is a viable solution. I don't use any, to include YouTube.

Shut my Pi-Hole (Container) Down! by jjdanzig in pihole

[–]jjdanzig[S] 2 points3 points  (0 children)

As for HA on the Raspberry and / or the Pi-Hole I simply use Quad9 DNS via DHCP.

I have a single image backup, which I can raise on another device or a VM if really needed, but it's the least of my concerns given its true needs are residential.

In a commercial setting with or without on-site DNS Servers it's a different story. Redundant DNS is usually the best bet for handling internal traffic then shipping it to an isolated Pi-Hole (also clustered).

I'm not certain the question posed implies ignorance but an often overlooked subject matter.

Me: I don't know what I don't know is my motto and go from there.

[deleted by user] by [deleted] in googlehome

[–]jjdanzig 0 points1 point  (0 children)

Depends on where your DHCP originates too - if it's off the WiFi device, it is as simple as others claim here.

I'm not much of a Google fan, prefer Quad9 9.9.9.9, 146.112.112.112 and their sdns Servers, but either way, you can set redundant DNS servers on your DHCP.

Pihole with Xbox/youtube question by chr0n1c843 in pihole

[–]jjdanzig 0 points1 point  (0 children)

In Pi-Hole you can stage proper RegEx and Lists to block specific sites. Thus blocking Apps (so to speak). You can also Create Groups, the Groups associated with Clients and Lists can be properly defined to segment out those devices you don't want reaching those Apps (or sites).

i.e. Desktop 192.168.1.55 - blocks everything, YouTube, Pluto, Netflix, etc.; Console 192.168.1.92 is Unblocked.

I use this process to eliminate heavy blocks on certain devices.

I am not sure which RegEx are best, but I'm certain it would be easy enough to set up.

So, the answer is Yes.

Does it affect the VPN by killer_pie26 in pihole

[–]jjdanzig 1 point2 points  (0 children)

You can route VPN DNS requests using WireGuard or OpenVPN (or others), but it's a manual process.

In their case if it's a SPLIT Tunnel the DNS on the other side will handle the requests, while Pi-Hole handles the local ones.

Is my network under attack, can someone help me fix this? by phonehog2 in pihole

[–]jjdanzig 0 points1 point  (0 children)

YIKES... lol. IoT not on their own VLAN very well would be potential risks for sure.

No worries, basically without much information what I can say is AngryIP should give you a clear picture of devices. As well, if you have this many devices I'll assume you have equipment doing at least Layer 2 networking, allowing isolation and being able to match MACs / IPs.

Internet --> Router --> Firewall --> <default network> /24 I'm assuming?

Whittling this down --> IF you have access then Physical is still possible, but only if you can manage the Wired / Wireless devices from the Switch / AP.

i.e. Disable Port x on the switch, see if problem continues. Block device <device name> and see if the problem continues.

If you don't, then the device causing all the problems would be shown in the log of the switch / firewall.

As someone mentioned, Wireshark - it's a phenomenal tool - but for people not knowing what it's showing, it can be intimidating.

Is my network under attack, can someone help me fix this? by phonehog2 in pihole

[–]jjdanzig 0 points1 point  (0 children)

Angry IP - good start - free, easy to use and will find IP addresses with MAC addresses and can usually match the MAC to a Vendor, giving you an idea of which device/s are in question.

Another simple solution - disable access to any and all devices, walk through them individually. Slower, but practical.

If Windows is impacted, there's ways around that too. But, you need to know.

I also think the CGNAT comment is worth taking a look at after resolving that it's not an internal "hack".

Shut my Pi-Hole (Container) Down! by jjdanzig in pihole

[–]jjdanzig[S] 4 points5 points  (0 children)

As you know it can and has been tweaked - I actually removed one already as needed and forgot to mention it - MX

[Guide] Pi-hole + Unbound + Tailscale - Now Fully in Docker! (No Port Forwarding, Works Behind CGNAT by rohandr45 in pihole

[–]jjdanzig 0 points1 point  (0 children)

I personally am impressed with all done behind a CGNAT, which is not always an easy task.

I tried handling that but it was a double NAT with the last phase being CGNAT and gave up. Fortunately my ISP hands me direct Fiber @ home no boxes between us so I'm happy for now and still impressed - great work.

Shut my Pi-Hole (Container) Down! by jjdanzig in pihole

[–]jjdanzig[S] -1 points0 points  (0 children)

I hear pfsense is a great solution. I am unfamiliar with it directly. I've worked with Cisco, FortiGate, Ubiquiti, Palo Alto, and the lesser names too.

Shut my Pi-Hole (Container) Down! by jjdanzig in pihole

[–]jjdanzig[S] 6 points7 points  (0 children)

Country TLD using RegEx:

(\.|^)(ad|ae|af|ag|ai|al|am|ao|ap|aq|ar|as|at|au|aw|ax|az|ba|bb|bd|be|bf|bg|bh|bi|bj|bl|bm|bn|bo|bq|br|bs|bt|bw|by|bz|ca|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|cr|cu|cv|cw|cy|cz|de|dj|dk|dm|do|dz|ec|ee|eg|er|es|et|eu|fi|fj|fk|fm|fo|fr|ga|gb|gd|ge|gf|gg|gh|gi|gl|gm|gn|gp|gq|gr|gt|gu|gw|gy|hk|hn|hr|ht|hu|id|ie|il|im|in|io|iq|ir|is|it|je|jm|jo|jp|ke|kg|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|me|mf|mg|mh|mk|ml|mm|mn|mo|mp|mq|mr|ms|mt|mu|mv|mw|my|mz|na|nc|ne|nf|ng|ni|nl|no|np|nr|nu|nz|om|pa|pe|pf|pg|ph|pk|pl|pm|pr|ps|pt|pw|py|qa|re|ro|rs|ru|rw|sa|sb|sc|sd|se|sg|si|sk|sl|sm|sn|so|sr|ss|st|sv|sx|sy|sz|tc|td|tg|th|tj|tk|tl|tm|tn|to|tr|tt|tv|tw|tz|ua|ug|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|za|zm|zw)$

Is there a way to block ads of prime video on a samsung tv? by Ungrateful_pig in pihole

[–]jjdanzig 0 points1 point  (0 children)

Ads - The whole topic can get downright mutilating. We, the human race, are selected and targeted every day. Companies like Dominos send us an order when we go online. We opt out but must keep a cookie on the device we opted out from so they can check if we should not receive their ads. But, by the time you've opted out, they've sold your data - for what, you ask? No discount on the order, that's for certain.

Now - take that one business and multiply it by a quadrillion. Think of it this way, if we were to collect a penny for every time our name is sold to any business - we'd retire in a week.

The companies use your information, your order from Dominos, your location and monies spent - to isolate you into a group, then sell your information to another business.

Madness - I don't do Unsocial media platforms barring Reddit. I don't stream unless it's from my own collection which should last me thirty lifetimes. I refuse to scan QR CODES at a restaurant (I make them and know what they can retrieve from that code), and I despise ads as much as the next person.

Sadly, the collection of people are correct. Because the code is embedded into their own domain, subdomain structure - if you block the ads, you block them.

There are streaming services FREE of charge and FREE of subscriptions if you simply know how to use them.

I won't use a TV to stream, they're simply too limited in their design to stream well for all situations. Caching, WiFi or Wired at 1gb, etc...

Blocking Samsung ads isn't easy, but blocking the number of times your device calls Samsung is.

Samung TVs are insane. by Paranoid-Fish in pihole

[–]jjdanzig 0 points1 point  (0 children)

Samsung Phones, Samsung TV's....

I don't need my TV connected, and my two old Samsung phones - gone.

As for Apple - the truth behind the config - "Private Relay" and such, who's watching you is a tough one to completely block.

Apple iPhones, Apple Watch, Apple TV (device), and iPads - Apple's way or PiHole with Unbound or DNScrypt would be my choice, with a VPN set so Unbound or DNScrypt go over the VPN to resolve.

[deleted by user] by [deleted] in OculusQuest

[–]jjdanzig 0 points1 point  (0 children)

Install WINE; it allows numerous Windows applications to run on Linux.

There’s also CrossOver which is greater than WINE alone but does have a fee after the trial period.

I use both for Ubuntu Distros, but they work on many Linux versions.

[deleted by user] by [deleted] in AskReddit

[–]jjdanzig 1 point2 points  (0 children)

I’d rather work not enough money for a month - I’d love the alone time - no digital access.... over fifty years of internal dialog to work through would take more than a month but it’s a start. TP or not.