Pi-Hole on multiple interfaces

Hi,

I am a more sophisticated user and am currently running my own private DNS. My current configuration has two VLANs each of which has separate DNS servers with one, the kids network, being more restricted. (The kids network is using OpenDNS as an upstream resolver and a local DNS list that blocks inappropriate sites. The adults network uses a different upstream DNS and does not have the block list active.) I run four DNS instances on two VMs (VM1 runs an instance of the parents and kids DNS and VM2 is a redundant instance of each). VM1 and VM2 each have two virtual NICs - one is associated with Kids VLAN and the other the Adults, and each DNS instance only communicates with the appropriate NIC. DHCP is handled by my router which is serving the VLANs and so is not related to this. I manually configure DHCP to deliver the appropriate DNS servers.

Sorry for the lengthy discussion, but I wanted to set the background. Here are my Pi-Hole questions:

  1. Can I configure pi-hole in a similar manner?
  2. If I do this, is there an automated way to sync the configs of the primary and secondary DNS instances?
  3. How would a configuration like this map to the Pi-Hole GUI? Would there be one GUI that would understand all of this or would I have separate ones?
  4. Is there documentation somewhere that helps me dig into this? I have not found any.

Thank you.

Edits: Clarified configuration and corrected grammar.

I don't think there's a way to achieve that unless you build a second set of VMs for the kids that run through the OpenDNS upstream servers.

Pi-hole, even though it has the ability to listen on multiple interfaces, funnels all incoming requests through the upstream DNS servers specified in the settings, regardless of origin.

You'd have to have designated separate instances/IPs for a Pi-hole DNS set up for the kids and for the adults.

One for each (plus one redundant one).

I have a slightly similar system with the exception that mine is running pi-hole as the DHCP server, pushing OpenDNS servers to the kids devices based on MAC. Adults go through the pi-hole, kids have the OpenDNS pushed to their devices.

I have a secondary device with another instance of pi-hole that takes over if device 1 is offline or has issues (from a DHCP perspective).

Device 1 and 2 are my adults DNS servers. Kids always get the OpenDNS ones ...

I have a 48-port enterprise switch and the VLAN option was a lot more tedious to work with (only because I'm using a Raspberry Pi as my DHCP server and I needed DHCP server redundancy, hence running a second Raspberry Pi as my backup).

I don't know of a way to serve both the Pi-hole AND OpenDNS to the kids unless I do the same (2 separate Raspberry Pi devices) designated ONLY for them.
I'd be able to push the kids' Pi-hole DNS via my main DHCP server, but again that would mean 2 for adults, 2 for kids.

I believe the latest version of Raspbian enables the usage of containers on the Pi, so maybe use those instead of an extra Raspberry Pi?

Hi,

Yes, I am actually running LXC containers on my hypervisor and so I am fully onboard with the container idea. They work great! In case anyone asks, I am running Proxmox and have been happy with it.

The one downside of the point raised by @ramset is that I would likely need four containers to support this Pi-hole configuration, which would also require two GUIs. This is certainly doable, but a bit of a headache. It feels like a step back from my current config, which only requires two containers.

This makes me ponder. Can I run two separate Pi-hole instances on one server?

Theoretically that would solve the issue. However, wouldn't they conflict for port 53?

I don't know how FTL/dnsmasq would forward the requests to the designated pi-hole instance depending on origin.

I think one can only enable 1 instance of FTL/dnsmasq, and that instance can listen on either one or all interfaces ...

This is getting pretty complicated and it's only in theory, implementing this would be tough (if even possible).

Some more pointers that might be of use.
You can use <tags> to assign different DHCP options to different DHCP pools:

$ man dnsmasq

DNSMASQ(8)                          System Manager's Manual                         DNSMASQ(8)

NAME
       dnsmasq - A lightweight DHCP and caching DNS server.

SYNOPSIS
       dnsmasq [OPTION]...

DESCRIPTION
       dnsmasq  is  a  lightweight DNS, TFTP, PXE, router advertisement and DHCP server. It is
       intended to provide coupled DNS and DHCP service to a LAN.

[...]
OPTIONS
       Note  that  in  general  missing  parameters  are allowed and switch off functions, for
       instance "--pid-file" disables writing a PID  file.  On  BSD,  unless  the  GNU  getopt
       library  is  linked, the long form of the options does not work on the command line; it
       is still recognised in the configuration file.
[...]
       -F,                --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-addr>[,<end-
       addr>|<mode>][,<netmask>[,<broadcast>]][,<lease time>]

       -F,            --dhcp-range=[tag:<tag>[,tag:<tag>],][set:<tag>,]<start-IPv6addr>[,<end-
       IPv6addr>|constructor:<interface>][,<mode>][,<prefix-len>][,<lease time>]

              Enable  the DHCP server. Addresses will be given out from the range <start-addr>
              to <end-addr> and from statically defined addresses given in dhcp-host  options.
              If  the  lease time is given, then leases will be given for that length of time.
              The lease time is in seconds, or minutes (eg 45m) or hours  (eg  1h)  or  "infi‐
              nite".  If not given, the default lease time is one hour. The minimum lease time
              is two minutes. For IPv6 ranges, the lease time maybe  "deprecated";  this  sets
              the  preferred  lifetime  sent  in a DHCP lease or router advertisement to zero,
              which causes clients to use other addresses, if available, for  new  connections
              as a prelude to renumbering.
[...]
              The optional set:<tag> sets an alphanumeric label which marks  this  network  so
              that  dhcp options may be specified on a per-network basis.  When it is prefixed
              with 'tag:' instead, then its meaning changes from setting a tag to matching it.
              Only one tag may be set, but more than one tag may be matched.
[...]

Below is an example of using those tags to hand out different DHCP options to the pools/scopes:

# Create a different DHCP scope for each of the three subnets, using a tag as the ID.
# Format is: dhcp-range=set:<your_tag_here>,<start_of_scope>,<end_of_scope>,<subnet_mask>,<lease_time>
# (the bare "<tag>," form without set: is only accepted for backwards compatibility)
#
dhcp-range=set:subnet0,10.0.0.5,10.0.0.250,255.255.255.0,8h
dhcp-range=set:subnet1,10.0.1.5,10.0.1.250,255.255.255.0,8h
dhcp-range=set:subnet2,10.0.2.5,10.0.2.250,255.255.255.0,8h

# Set up different options for each subnet, since the default gateways differ.
# The option is dhcp-option (singular); the format is: dhcp-option=tag:<your_tag_here>,<option>,<option_value>
# Option 3 is the router.
#
dhcp-option=tag:subnet0,3,10.0.0.1
dhcp-option=tag:subnet1,3,10.0.1.1
dhcp-option=tag:subnet2,3,10.0.2.1

If you create DHCP (static) reservations for known clients, you can assign them to the different pools:

   -G,            --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,<ipaddr>][,<host‐
   name>][,<lease_time>][,ignore]
          Specify per host parameters for the DHCP server. This allows a  machine  with  a
          particular hardware address to be always allocated the same hostname, IP address
          and lease time. A hostname specified like this overrides  any  supplied  by  the
          DHCP  client  on  the machine. It is also allowable to omit the hardware address
          and include the hostname, in which case the IP  address  and  lease  times  will
          apply    to    any   machine   claiming   that   name.   For   example   --dhcp-
          host=00:20:e0:3b:13:af,wap,infinite tells dnsmasq to give the machine with hard‐
          ware  address  00:20:e0:3b:13:af  the  name  wap,  and  an  infinite DHCP lease.
          --dhcp-host=lap,192.168.0.199 tells dnsmasq to always allocate the  machine  lap
          the IP address 192.168.0.199.
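Applied to the kids/adults split this thread is about, here is an added example (not the original poster's or @ramset's configuration, and not Pi-hole's own config files): a single dnsmasq DHCP server serving both VLANs, tagging the kids' scope and known kids' devices, and handing the kids OpenDNS FamilyShield as DHCP option 6 while adults, who get no option 6, receive dnsmasq's own address as their resolver (dnsmasq's default). Interface names, address ranges and MAC addresses are made up for the example; 208.67.222.123 and 208.67.220.123 are OpenDNS's published FamilyShield addresses.

```conf
# Added example, not from the thread. One dnsmasq (or Pi-hole FTL) instance
# doing DHCP for two VLANs; kids' clients are steered to OpenDNS FamilyShield.
# Interface names, ranges and MAC addresses below are assumed/constructed.

# Listen only on the two VLAN interfaces (assumed names).
bind-interfaces
interface=eth0.10                       # adults VLAN (assumed)
interface=eth0.20                       # kids VLAN (assumed)

# One DHCP scope per VLAN. dnsmasq selects the scope whose subnet matches the
# interface the request arrived on; set: labels the scope with a tag.
dhcp-range=set:adults,192.168.10.100,192.168.10.200,255.255.255.0,12h
dhcp-range=set:kids,192.168.20.100,192.168.20.200,255.255.255.0,12h

# Per-scope default gateway (option 3, named "router").
dhcp-option=tag:adults,option:router,192.168.10.1
dhcp-option=tag:kids,option:router,192.168.20.1

# Kids get FamilyShield as resolver (option 6, "dns-server"), so their queries
# never touch this instance's upstream at all. No option 6 is set for the
# adults tag, so dnsmasq hands them its own address on eth0.10.
dhcp-option=tag:kids,option:dns-server,208.67.222.123,208.67.220.123

# A known kids' device (constructed MAC) is tagged "kids" regardless of which
# VLAN it shows up on, so it gets FamilyShield even on the adults VLAN. It
# still receives the router for whichever scope actually leased it.
dhcp-host=de:ad:be:ef:00:01,set:kids,kids-tablet
```

With Pi-hole v5 this belongs in a file under /etc/dnsmasq.d/ (leave out the interface= lines that Pi-hole already writes for you); with stand-alone dnsmasq it can go straight into dnsmasq.conf. Two caveats a practitioner should keep in mind: DHCP only suggests a resolver, so a kid who sets DNS by hand on the device bypasses FamilyShield unless the router also blocks port 53 from the kids VLAN to anything but the FamilyShield addresses; and MAC-based tagging is defeated by changing the MAC, so the VLAN membership (which the switch enforces) is the stronger control of the two.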

Great question. My current DNS Server has an option that allows you to choose the interface that it listens on. This way, I can run two DNS servers on the same server as I just assign each to a separate interface and voila! Problem solved. That said, FTL/dnsmasq may not support that in which case I am back to the 4 container configuration which seems overly complex.

To your point, it is getting too complex now and so the take away appears to be that Pi-Hole is not a good fit for my use case.
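For reference, the two-instance layout described in this post (one resolver per interface, each with its own upstream) is expressible with plain dnsmasq, which is what FTL is built on. The following is an added example and not the poster's configuration; it is also not Pi-hole's own configuration (the Pi-hole installer sets up a single FTL service, and its GUI would not manage either of these files). Interface names, upstream choices and the blocklist path are assumptions.

```conf
# Added example, not from the thread: two plain dnsmasq instances on one host,
# each bound to its own VLAN interface with its own upstream and blocklist.
# Interface names, upstreams and file paths are assumed.

# ---- /etc/dnsmasq-adults.conf      start with: dnsmasq -C /etc/dnsmasq-adults.conf
bind-interfaces                    # bind only the addresses of the listed interface(s)
interface=eth0.10                  # adults VLAN (assumed name)
no-resolv                          # do not read /etc/resolv.conf; use server= lines only
server=9.9.9.9                     # adults' upstream (assumed choice)
server=149.112.112.112
cache-size=10000
pid-file=/run/dnsmasq-adults.pid   # separate pid file per instance

# ---- /etc/dnsmasq-kids.conf        start with: dnsmasq -C /etc/dnsmasq-kids.conf
bind-interfaces
interface=eth0.20                  # kids VLAN (assumed name)
except-interface=lo                # REQUIRED for the second instance: dnsmasq adds
                                   # the loopback interface implicitly whenever
                                   # interface= is used, so without this both
                                   # instances try to bind 127.0.0.1:53 and the
                                   # second fails with "address already in use".
no-resolv
server=208.67.222.123              # OpenDNS FamilyShield as the kids' upstream
server=208.67.220.123
addn-hosts=/etc/dnsmasq-kids.blocklist   # assumed hosts-format block list (name -> 0.0.0.0)
cache-size=10000
pid-file=/run/dnsmasq-kids.pid
```

Neither file contains a dhcp-range, so neither instance serves DHCP; the router keeps that job, as in the original setup. The only port-53 collision between the two processes is on loopback, which except-interface=lo removes. Note that bind-interfaces requires the interface to be up and addressed when dnsmasq starts; on a VM whose VLAN interfaces may come up late, bind-dynamic is the alternative, since it binds addresses as they appear while still answering only on the named interface.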

Hi,

Thank you. As mentioned in my original post, I am focused on DNS in this configuration as my router handles DHCP and associated VLANs.

FTL/dnsmasq has the ability to listen on specific interface(s); however, I don't think Pi-hole (as a product) has the ability to "route" the requests through different upstream DNS servers based on interface origin.

Oops sorry.
Was focused on this one a little too much: