pi hole active directory

What is pi hole? Please look here https://pi-hole.net/
Works at the DNS level, ads can be blocked on any device and even in apps.

Yes it´s possible and not very hard to implement in an existing environment.

Install two or more pi hole in your network and adjust your DNS forwarders in your DNS server properties. Attention forwarders properties must configuread for each DNS server in your Active Directory. That´s it.

See screenshot

pihole_active_directory_forwarders
pihole statistik

pihole stats

2 thoughts on “pi hole active directory

  1. There are just a few issues with this article:

    1. By putting in 2 other internal DNS servers into your forwarders list, these will be contacted for queries alongside Pi-hole. In other words, clients have up to 4 DNS servers to make requests from, two of them being Pi-hole, and the other two of them being standard forwarding DNS servers (non-adblocking). Because of this, clients will likely still see ads because when they make queries, they may be making them with the other two DNS servers instead of the Pi-hole servers. The best practice for this would be to set those two DNS servers as Pi-hole’s forwarders, so it will look like this:

    Client —> AD DNS —> Pi-hole —> Internal DNS forwarders —> Internet

    2. If you use the pi-hole servers as a forwarder, that means that the order of client connections is the following:

    Client —> AD DNS —> Pi-hole —> Internet

    With this set up, Pi-hole will only show requests from two IP addresses: the IP addresses of the two AD DNS servers. This gives you no way of tracking which clients made queries to websites using Pi-hole. So if you wanted to block Facebook for example for a single device, you would have no way of doing that because the only two devices you can block are the AD DNS servers. This would mean you either have to block Facebook on the client itself using local software, or you would have to just block it for every user, which is not practical if only one user needs to be blocked from Facebook (or any website for that matter).

    The solution for this would be to set all clients to use Pi-hole as their primary and secondary DNS servers, and then within Pi-hole, set up a conditional forward to the AD DNS servers for the domain name. That way, client reports will show up in Pi-hole and all requests to the internal AD domain will work.

    Liked by 1 person

Leave a Reply to Konkretor Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s