From 705808d8b6e86ed4835efbd0a0c4149a8d4b5ba5 Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Fri, 5 Jan 2024 17:45:04 +0100 Subject: [PATCH] feat: allow sys-pihole to use pi-hole for queries --- salt/sys-pihole/README.md | 26 ++++++++++++++++--- .../server/network-hooks.d/50-sys-pihole.sh | 4 +++ 2 files changed, 27 insertions(+), 3 deletions(-) diff --git a/salt/sys-pihole/README.md b/salt/sys-pihole/README.md index d8d2f55..ca0ca24 100644 --- a/salt/sys-pihole/README.md +++ b/salt/sys-pihole/README.md @@ -7,6 +7,10 @@ Pi-hole DNS Sinkhole in Qubes OS. * [Description](#description) * [Installation](#installation) * [Usage](#usage) + * [Web interface](#web-interface) + * [Torified Pi-Hole](#torified-pi-hole) + * [Local DNS server](#local-dns-server) + * [DNS issues after netvm restart](#dns-issues-after-netvm-restart) * [Credits](#credits) ## Description @@ -55,6 +59,8 @@ qubesctl state.apply sys-pihole.prefs ## Usage +### Web interface + Pi-hole will be installed with these default settings: - The DNS provider is Quad9 (filtered, DNSSEC) 
@@ -76,16 +82,30 @@ running. The browser qube is offline and only has access to the admin interface. In other words, it has control over the server functions, if the browser is compromised, it can compromise the server. -You can clone `sys-pihole`. If you do, you must manually change the IP address -of the clone. +### Torified Pi-Hole If you want to combine Pi-Hole with Tor, then you should reconfigure your netvm chaining (will break tor's client stream isolation) as such: - qube -> sys-pihole -> Tor-gateway -> sys-firewall -> sys-net +### Local DNS server + +If you want sys-pihole to use itself to resolve DNS queries, enable the +service `local-dns-server` from Dom0 to sys-pihole: +```sh +qvm-service sys-pihole local-dns-server 1 +``` + +Don't forget to restart sys-pihole after the changes. + +Note that if Pi-hole as a problem the host will not not be able to reach the +internet for updates, syncing time etc. + +### DNS issues after netvm restart + If you encounter problems with DNS after having upstream netvm route changes, -restart Pi-Hole DNS from `sys-pihole` and run the following as root: +restart Pi-hole DNS from sys-pihole: ```sh pihole restartdns ``` diff --git a/salt/sys-pihole/files/server/network-hooks.d/50-sys-pihole.sh b/salt/sys-pihole/files/server/network-hooks.d/50-sys-pihole.sh index d06304a..0514d78 100644 --- a/salt/sys-pihole/files/server/network-hooks.d/50-sys-pihole.sh +++ b/salt/sys-pihole/files/server/network-hooks.d/50-sys-pihole.sh @@ -13,3 +13,7 @@ for vif in /proc/sys/net/ipv4/conf/vif*/route_localnet; do test -w "${vif}" || continue echo 1 | tee "${vif}" >/dev/null done + +if test -f /var/run/qubes-service/local-dns-server; then + echo "nameserver 127.0.0.1" | tee /etc/resolv.conf +fi
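Review bot: The README hunk drops the paragraph "You can clone `sys-pihole`. If you do, you must manually change the IP address of the clone." without replacing it, and the commit message ("allow sys-pihole to use pi-hole for queries") does not mention that removal; if the clone guidance is still valid it should be kept, for example as its own subsection alongside the new ones. In the new "Local DNS server" text, fix the typos in "if Pi-hole as a problem the host will not not be able to reach the internet" ("has a problem", "will not be able"), and consider stating explicitly that with the service enabled the qube's own resolution depends on pihole-FTL being up, since the new hook points `/etc/resolv.conf` at `127.0.0.1` with no fallback nameserver.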
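Review bot: In the `50-sys-pihole.sh` hunk, `echo "nameserver 127.0.0.1" | tee /etc/resolv.conf` also echoes the line to stdout, unlike the `tee "${vif}" >/dev/null` used a few lines above; either redirect to `/dev/null` for consistency or drop `tee` and write `echo "nameserver 127.0.0.1" > /etc/resolv.conf`. The overwrite (no `-a`) is clearly intended, so a one-line comment saying the file is replaced so that only the local Pi-hole is used would help the next reader. One caveat worth a comment as well: with the qube resolving through `127.0.0.1`, Pi-hole's upstream must remain an explicit server (the README says Quad9 by default) rather than the system resolver, otherwise queries would loop back to Pi-hole itself.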