Shoban Chiddarth

Setting Up Pi-hole as a Custom DNS Server on my Home Lab

Introduction

I'm building out a home lab and this post covers setting up Pi-hole as a custom DNS server so that internal hosts are reachable by name rather than IP address.

This is part of my Physical Network Engineering Home Lab series where I document building and configuring a physical home lab from scratch.

Reason for Choosing Pi-Hole as a custom DNS server

I needed a local DNS server where I could register internal hostnames and have them resolve across the network — so my server is reachable as server.local rather than 192.168.1.2. This becomes especially important as I add more services to the lab.

Pi-hole fits this requirement well. It is primarily a network-level DNS server that supports custom local DNS records, and it comes with a clean web interface for managing them. The fact that it also blocks ads and trackers at the DNS level for every device on the network is a useful side effect — the FBI has even recommended ad blockers as protection against malvertising scams, so having this enforced network-wide without configuring each device individually is a reasonable security baseline.

Setting up Pi-Hole

Pre-requisites

Refer to my Physical Network Engineering Home Lab post to understand what I already have and am working with.

Installing Pi-Hole software on my server

My server runs headless Linux Mint, which is Ubuntu-based and officially supported for Pi-hole.

So I am going to manually download the installer and run it on my server.

wget -O basic-install.sh https://install.pi-hole.net
sudo bash basic-install.sh

The usual install process begins, and I get asked to choose an upstream DNS server.

I went with Cloudflare, selected the default ad blocklist, enabled query logging, selected "show everything" because I am the only one using this home lab so there are no privacy issues, and waited for it to finish installing.

The installation is now complete and I get this popup

Post-installation

Pi-hole installs a web interface under /var/www/html/admin. I confirmed it was there after installation.

I visited my server's IP 192.168.1.2 in the browser and it worked fine, as usual.

I tried to access the admin panel at 192.168.1.2/admin and got a 403 error.

Then I remembered the admin panel works only over https. So I tried visiting https://192.168.1.2/admin and it never worked. So I came back to the terminal where I have ssh-ed into the server and ran ss -tulnp | grep :443 to check if the service was running, and the service was indeed running on 0.0.0.0 which means it is supposed to be accessible from the other hosts. That is when I remembered I enabled ufw and had to allow certain ports in the firewall.

I referred to the Pi-hole docs for the ufw commands and ran the following snippet in the terminal:

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 53/tcp
sudo ufw allow 53/udp
sudo ufw allow 67/tcp
sudo ufw allow 67/udp
sudo ufw allow 123/udp
sudo ufw allow 546:547/udp

(Future me here: I just realised I don't need to allow port 67, as I did not set up a DHCP server on the Pi-hole.)
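The rules above accept traffic from any source address. As an added example (not part of the original post or the Pi-hole docs), the function below rewrites that same rule list so DNS, the web interface and NTP are reachable only from the LAN, and drops the DHCP ports when Pi-hole is not the DHCP server. The 192.168.1.0/24 subnet and the names page_rules and tighten_rules are assumptions, and it assumes clients reach Pi-hole over IPv4.

```shell
#!/bin/sh
# Added example: tighten the ufw rules from the post. Nothing here changes
# the firewall; it only prints commands for review.

# The eight rules exactly as run in the post.
page_rules() {
    cat <<'EOF'
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 53/tcp
sudo ufw allow 53/udp
sudo ufw allow 67/tcp
sudo ufw allow 67/udp
sudo ufw allow 123/udp
sudo ufw allow 546:547/udp
EOF
}

# tighten_rules LAN_CIDR yes|no  (second argument: does Pi-hole serve DHCP?)
# Reads "sudo ufw allow PORT/PROTO" lines on stdin and prints a scoped rule set.
tighten_rules() {
    awk -v lan="$1" -v dhcp="${2:-no}" '
        $1 == "sudo" && $2 == "ufw" && $3 == "allow" {
            split($4, p, "/")                 # p[1] = port or range, p[2] = protocol
            is_dhcp = (p[1] == "67" || p[1] == "546:547")   # DHCP and DHCPv6
            if (is_dhcp && dhcp != "yes") {
                print "# dropped: " $4 " (Pi-hole is not the DHCP server)"
                next
            }
            if (is_dhcp) {
                # A client asking for a lease has no LAN address yet,
                # so these rules cannot be limited by IPv4 source.
                print
                next
            }
            printf "sudo ufw allow from %s to any port %s proto %s\n", lan, p[1], p[2]
        }'
}

# Assumed LAN subnet; the post only shows 192.168.1.2 and 192.168.1.23.
page_rules | tighten_rules 192.168.1.0/24 no
```

Review the printed commands before running them, then confirm the result with sudo ufw status numbered.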

Now that I have allowed the ports, I tried visiting https://192.168.1.2/admin/ and got this warning, which I will be taking care of in the next part of my home lab series where I properly configure SSL and get HTTPS on browsers with no warning.

I clicked on "Proceed" and got the pi-hole admin login page, then I entered my admin password I got from the "Installation over" popup and logged in. Now I get this beautiful dashboard.

Note: You can change the default password by running pihole setpassword on the pi hole server.

Pointing Router's DHCP to use pi-hole as DNS

I opened my Tenda router's login page via its IP, went to "Internet Settings" and set the DHCP server to 192.168.1.2

Then I went into System Settings -> LAN settings and did the same

To refresh the DNS server config from the DHCP configuration, I manually turned off the wifi from my laptop and turned it on again.

The DNS server shows up as 192.168.1.2

Verifying Ad blocking at Network level

I checked if the DNS service was working, for both allowed and blocked hosts.

gray@OMEN-Slim-Gaming-Laptop-16:~$ nslookup google.com
Server:     127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
Name:   google.com
Address: 142.251.222.78
Name:   google.com
Address: 2404:6800:4009:80b::200e

gray@OMEN-Slim-Gaming-Laptop-16:~$ nslookup ad-assets.futurecdn.net 
Server:     127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
Name:   ad-assets.futurecdn.net
Address: 0.0.0.0
Name:   ad-assets.futurecdn.net
Address: ::

gray@OMEN-Slim-Gaming-Laptop-16:~$ 

It works perfectly fine. Ads are blocked at the network level.
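In the output above the answering server is 127.0.0.53, the laptop's systemd-resolved stub, so the lookup reaches Pi-hole only indirectly. As an added example (not from the original post), the script below classifies nslookup output by who answered and whether every returned address is the null address shown above for the blocked name; the function names and the second sample are constructed.

```shell
#!/bin/sh
# Added example: classify nslookup output as blocked / resolved / no-answer
# and report whether the reply came through the local stub resolver.
classify_lookup() {
    awk '
        /^Server:/                  { server = $2 }
        /^Non-authoritative|^Name:/ { in_answer = 1 }   # skip the resolver Address line
        in_answer && /^Address:/    {
            total++
            if ($2 == "0.0.0.0" || $2 == "::") nulls++
        }
        END {
            if (total == 0)          verdict = "no-answer"
            else if (nulls == total) verdict = "blocked"
            else                     verdict = "resolved"
            # 127.0.0.53 is the systemd-resolved stub, not Pi-hole itself
            via = (server == "127.0.0.53") ? "stub" : "direct"
            print verdict, via, server
        }'
}

# Live use: ask Pi-hole directly (192.168.1.2 in the post), bypassing the stub.
check_name() { nslookup "$1" "${2:-192.168.1.2}" | classify_lookup; }

# Sample 1: the blocked lookup as captured in the post.
sample_blocked() {
    cat <<'EOF'
Server:     127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
Name:   ad-assets.futurecdn.net
Address: 0.0.0.0
Name:   ad-assets.futurecdn.net
Address: ::
EOF
}

# Sample 2 (constructed): the same tool pointed straight at Pi-hole.
sample_direct() {
    cat <<'EOF'
Server:     192.168.1.2
Address:    192.168.1.2#53

Non-authoritative answer:
Name:   google.com
Address: 142.251.222.78
EOF
}

sample_blocked | classify_lookup
sample_direct | classify_lookup
```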

Side note: If you are using Cloudflare WARP for privacy, all your internet traffic, including DNS queries, is routed through Cloudflare's servers, which means DNS lookups never reach your Pi-hole and advertisement domains will resolve as normal. So if you want to reach your home lab's hosts by name through Pi-hole or any other DNS server, or want network-level ad blocking for devices where Cloudflare WARP is not available, you must temporarily turn off Cloudflare WARP.

Setting Up Custom DNS records

pi.hole is a custom DNS entry in pi-hole by default and it works.

I want to add my own DNS records and check them, which is the entire purpose of this project. So I wanted another host with static IP on the same LAN.

Virtualbox VM with static IP in the LAN

I cloned an existing Mint VM, selected to create random MAC addresses for each interface, set its network adapter to "Bridged", bridged it with the real interface I use to connect to the LAN, and set "Promiscuous Mode" to allow all. For more information on VirtualBox networking, see VirtualBox Manual - Chapter 6: Virtual Networking.

When I booted it up, it had DHCP by default.

I went to settings, changed it to the static IP 192.168.1.23, and turned the interface off and on again. The static IP is available and accessible from the host as well as the server. I also turned off automatic DNS, as DHCP will be disabled, and manually added 192.168.1.2 as the DNS server.

Adding a custom DNS record in pi hole web GUI

I went to Pi hole admin page -> settings -> Local DNS records and added this entry

Side note: I want this to be temporary, which is why I didn't bind a DHCP reservation to the MAC address in the router.

Testing the Custom DNS record

The DNS query works from both my laptop and the server. So I set up an nginx web server in the VM as usual:

sudo apt-get update
sudo apt-get install nginx -y
sudo systemctl enable nginx --now

And edited the default index.html file.

The nginx web page as well as pinging is working from my laptop as well as the server.

Changing default website on the pi-hole DNS server (not required)

This is the new website hosted on the root folder of the DNS server.

Minor Issues encountered

  1. Cloudflare WARP conflict (as mentioned above)
  2. Do not use .local as the TLD for a custom domain: .local is used for mDNS (multicast DNS, for when hosts need to discover each other without a central DNS server), so all .local names are first processed by the host itself before the query is sent anywhere else
  3. Make sure to allow the required ports in your firewall as mentioned above
  4. Every client that is connected to the LAN and is using DHCP has to refresh by disconnecting and reconnecting for this update to work.

Conclusion

I have successfully set up Pi-hole on an Ubuntu-based server for network-wide ad blocking as well as local DNS resolution.

After this, I am going to set up fully local SSL for HTTPS (without browser warnings) on my physical network engineering home lab. I will also document setting up pi-hole in docker as well as a Virtualbox VM as a portable alternative when this pi-hole server is inaccessible.