
Building A DNS Server With Raspberry Pi

Overview

Building on last week’s project, I’m going to add a DNS server to my Project Pi. This is replacing an existing Pi 3B already running the service.

🐘 𓃰

Will running a DNS service affect my time server on the Pi? Probably. The Pi is never going to be atomic clock accurate. I’ve accepted it.

Hardware

I used the following hardware:

  • Raspberry Pi 4B 8GB

The 4B 8GB is overkill for the task. It is what I have. I’ve accepted that too.

Installing Raspbian

The easiest way to install Raspberry Pi OS is to use the Raspberry Pi Imager. I used Raspberry Pi OS Lite (64-bit) for this project. For brevity I won’t cover the installation of Raspberry Pi OS. You can find help installing the OS on the download page.

Network

I prefer wired networking for NTP servers, so I won’t cover Wi-Fi. I’m sure you can run your server over wireless if you’re determined. One thing you should do here is set a static IP. I accomplish this in my DHCP server. You can also do the same by modifying the Pi.

Edit the configuration file /etc/dhcpcd.conf.

sudo vi /etc/dhcpcd.conf

Insert your config lines:

interface eth0
static ip_address=192.168.0.2/24
static routers=192.168.0.1
static domain_name_servers=192.168.0.1

Reboot the Pi or restart networking to have the changes take effect.

sudo service dhcpcd restart

Updates

Update Raspberry Pi OS with the following commands and reboot. Press “Y” when it asks; otherwise you won’t install any updates.

sudo apt update
sudo apt upgrade

sudo reboot

Install Pi-hole

The Pi-hole project has some easy-to-deploy scripts in the docs. The first one is a non-starter for me. I’m sure everything is on the up-and-up here, but I’m not going to pipe someone’s script to bash without a hash or looking it over. I opted for Alternative 2, manually downloading the installer.

wget -O basic-install.sh https://install.pi-hole.net

Let’s look this script over. less is a neat little program for looking at a file’s contents. It has commands similar to vi.

less basic-install.sh

I usually just skim things over, look for options I can set, and check for common connections to the internet: curl, wget, http, etc. At some point you need to give in and have faith the script will do what is advertised, nothing more. This is The X-Files: I Want to Believe…
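The skim described above can be made repeatable. This is an added example, not code from this post or from the Pi-hole project: it lists the hosts and download commands in a script, then pins the SHA-256 of the copy you read so the file you run is the file you reviewed. The function names and the sample script are constructed for illustration.

```shell
# Added example (not from the Pi-hole project): triage a downloaded
# installer before running it with sudo.

# List each distinct host referenced by an http(s) URL in the script.
script_hosts() {
    grep -Eo 'https?://[A-Za-z0-9._-]+' "$1" | sed -E 's#^https?://##' | sort -u
}

# Print the numbered lines that invoke a download tool.
script_fetch_lines() {
    grep -nE '(^|[^[:alnum:]_])(curl|wget|git clone)([^[:alnum:]_]|$)' "$1"
}

# Succeed only if the file still has the SHA-256 recorded at review time.
verify_reviewed() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Constructed sample standing in for basic-install.sh (not Pi-hole's code).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/usr/bin/env bash
coreGitUrl="https://github.com/example/core.git"
curl -sSL https://install.example.net/deps.sh | bash
echo "see wgetrc for proxy settings"
wget -O /tmp/list.txt http://lists.example.org/hosts
EOF

echo "Hosts referenced:";    script_hosts "$sample"
echo "Lines that download:"; script_fetch_lines "$sample"

# Record the hash of the copy you read, then gate execution on it:
#   verify_reviewed basic-install.sh "$reviewed" && sudo bash basic-install.sh
reviewed=$(sha256sum "$sample" | cut -d' ' -f1)
verify_reviewed "$sample" "$reviewed" && echo "unchanged since review"
```

The hash only proves the file has not changed since you read it; it says nothing about whether the upstream script is trustworthy.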

Let’s get the installer going. We will install with the following:

sudo bash basic-install.sh

Hit OK and OK. Feel free to donate.

Pi-hole Installer

Hit Continue. We have some options later if you skipped the above.

Pi-hole Installer Static IP

Set your interface. I’m using eth0.

Pi-hole Installer Ethernet Interface

If you’re not statically setting your IP, hit Yes. No point in having a DNS server if it bounces around your network.

Pi-hole Installer Static IP

If you do hit Yes to the previous question, this message is letting you know some routers are dumb and don’t check or care if an IP is in use.

Pi-hole Installer Warning

Picking your DNS servers.

I like Cloudflare for Families. For now I’m going to select the Cloudflare DNSSEC option.

Pi-hole Installer Pick DNS Servers

This loads a default blocklist. More on this topic below.

Pi-hole Installer blocklist

The Admin Web Interface isn’t required, but it is nice. Select Yes.

Pi-hole Installer enable admin

Select Yes to install the web server.

Pi-hole Installer enable web interface

Select Yes to enable query logging.

Pi-hole Installer query logging

I select Show everything.

Pi-hole Installer log level

Note the password and IP then click OK.

Pi-hole Installer complete

If you see the web interface, it works! Log in and set any special values you want.

Pi-hole web interface

Change Pi-hole’s Password

You can change the Pi-Hole web interface password with the following command:

pihole -a -p

Enter New Password (Blank for no password): 
Confirm Password: 
  [✅] New password set

Special Options

I personally set some of the following options:

  • Groups - group your clients into special rule groups.
  • Clients (you will need to wait until devices start using the service before they show up)
  • Domains - RegEx filters to always allow or block something.
  • Adlists - More below on this.
  • Local DNS - I give some of my internal sites a DNS name.

RegEx filters

I give my wife’s iPhone some special permit RegEx filters.

I permit the following:

(^|\.)apple\.com$
(^|\.)icloud\.com$

Pi-hole reg-ex
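To see what the two permit filters above actually cover, this added example (not from the original post) runs them against constructed domain names and contrasts them with an unanchored pattern. It assumes `grep -E` extended-regex semantics match how Pi-hole evaluates these two patterns; the function names are hypothetical.

```shell
# Added example: which names the page's two permit filters match.
# The candidate domains below are constructed for illustration.
allow_patterns='(^|\.)apple\.com$
(^|\.)icloud\.com$'

# Return 0 if the domain ($1) matches any pattern in the
# newline-separated list ($2).
matches_any() {
    printf '%s\n' "$1" | grep -Eq -e "$2"
}

# Print "permit" or "no-match" for each domain after the pattern list.
classify() {
    patterns=$1; shift
    for d in "$@"; do
        if matches_any "$d" "$patterns"; then
            echo "permit   $d"
        else
            echo "no-match $d"
        fi
    done
}

# The domain itself and its subdomains match; lookalikes do not.
classify "$allow_patterns" apple.com gateway.icloud.com \
    notapple.com apple.com.example.net icloud.com.example.net

# For contrast, an unanchored pattern also matches the lookalike names.
classify 'apple\.com' notapple.com apple.com.example.net
```

The leading `(^|\.)` and trailing `$` are what keep a permit rule from covering names that merely contain the string.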

Adlists/Blocklists

Blocklists are an important part of the Pi-hole. They are the lists that help you filter ads, spam, botnets, malware, etc. This post covers the blocklist topic very well. I’ll give you a short overview from my perspective.

  1. Pick your blocklists wisely. This is the core of your network. Someone can inject all kinds of nasty problems if you pick poorly.
  2. Consider your “threat” model or what you wish to accomplish.
  3. Consider devices that live on your network. Some things don’t work properly or at all if you block domains they want. I have a payment app on my phone that errors out when I make a payment on my network.
  4. More is not always better. More lists mean more problems. Learn how to troubleshoot DNS issues in the browser and on your PC.
  5. Don’t be afraid to whitelist. My wife has an app on her phone she likes; I whitelist everything to do with it so I don’t have to hear about it.

Conclusions

That should about cover it. Your next step is to start updating your clients. For things like IP phones and some network gear you can set option 42 in your DHCP server. This specifies servers that provide NTP/SNTP (RFC 1769) on the network.

You can likely get similar results with NTP and a RTC module. Here is a tutorial that looks like it covers all the points.

You can also build your own RTC.

This post is licensed under CC BY 4.0 by the author.

© Kevin Schwickrath. Some rights reserved.