pi hole active directory

What is Pi-hole? Please look here: https://pi-hole.net/
It works at the DNS level, so ads can be blocked on any device and even inside apps.

Yes, it's possible and not very hard to implement in an existing environment.

Install two or more Pi-hole instances in your network and enter them as the DNS forwarders in your DNS server properties. Attention: forwarders are a per-server setting, so they must be configured on each DNS server in your Active Directory. That's it.
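As an added example (not part of the original post), the following PowerShell applies the forwarder change to every domain controller and reads it back, so no server is missed. The Pi-hole addresses are constructed placeholders, and it assumes every domain controller also runs the DNS role and that the RSAT ActiveDirectory and DnsServer modules are available.

```powershell
# Added example, not from the original post: set the forwarders on every AD DNS server
# to the Pi-hole instances and verify the result, because forwarders are per server.
# Requires the ActiveDirectory and DnsServer modules and DNS Admin rights on each server.
# The Pi-hole addresses below are constructed placeholders; replace them with your own.
$PiHoles = @('10.0.0.53', '10.0.0.54')

Import-Module ActiveDirectory
Import-Module DnsServer

# Assumption: every domain controller in the domain also hosts the DNS role.
$DnsServers = (Get-ADDomainController -Filter *).HostName

foreach ($Server in $DnsServers) {
    # Replace the forwarder list outright and disable the root-hint fallback, so that
    # a Pi-hole outage shows up as a resolution failure instead of the server quietly
    # bypassing the filter by resolving from the root servers.
    Set-DnsServerForwarder -ComputerName $Server -IPAddress $PiHoles -UseRootHint $false

    # Read the setting back and flag any server whose list differs from the intended one.
    $Current = (Get-DnsServerForwarder -ComputerName $Server).IPAddress.IPAddressToString
    $Diff = Compare-Object -ReferenceObject $PiHoles -DifferenceObject $Current
    if ($Diff) {
        Write-Warning "$Server forwarders differ from expected: $($Current -join ', ')"
    } else {
        Write-Host "$Server -> $($Current -join ', ')"
    }
}
```

With root hints disabled, all external resolution stops if both Pi-hole instances are down, so keep at least two and monitor them.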

See screenshots: the Active Directory DNS forwarders pointing at the Pi-hole instances, and the Pi-hole statistics page.

2 thoughts on “pi hole active directory”

  1. There are just a few issues with this article:

    1. By putting in 2 other internal DNS servers into your forwarders list, these will be contacted for queries alongside Pi-hole. In other words, clients have up to 4 DNS servers to make requests from, two of them being Pi-hole, and the other two of them being standard forwarding DNS servers (non-adblocking). Because of this, clients will likely still see ads because when they make queries, they may be making them with the other two DNS servers instead of the Pi-hole servers. The best practice for this would be to set those two DNS servers as Pi-hole’s forwarders, so it will look like this:

    Client —> AD DNS —> Pi-hole —> Internal DNS forwarders —> Internet

    2. If you use the pi-hole servers as a forwarder, that means that the order of client connections is the following:

    Client —> AD DNS —> Pi-hole —> Internet

    With this setup, Pi-hole will only show requests from two IP addresses: the IP addresses of the two AD DNS servers. This gives you no way of tracking which clients made queries to websites using Pi-hole. So if you wanted to block Facebook, for example, for a single device, you would have no way of doing that because the only two devices you can block are the AD DNS servers. This would mean you either have to block Facebook on the client itself using local software, or you would have to just block it for every user, which is not practical if only one user needs to be blocked from Facebook (or any website for that matter).

    The solution for this would be to set all clients to use Pi-hole as their primary and secondary DNS servers, and then within Pi-hole, set up a conditional forward to the AD DNS servers for the domain name. That way, client reports will show up in Pi-hole and all requests to the internal AD domain will work.

