In today’s interconnected world, having a robust and secure home network is becoming increasingly important. One essential component of such a Homelab network is a Domain Name System (DNS) server, which translates human-readable domain names into IP addresses. In this article, we will explore how to set up a homelab DNS using Active Directory and Pi-hole, combining the power of centralised authentication and network-wide ad-blocking for an enhanced browsing experience.
What is DNS – and why run it locally?
DNS, or Domain Name System, is a vital internet technology that converts human-readable domain names (like www.example.com) into computer-readable IP addresses (such as 192.168.0.1). It acts as a directory service, enabling devices to connect with websites and services by looking up the corresponding IP address associated with a given domain name. DNS operates through a hierarchical structure, involving root servers, top-level domain servers, authoritative name servers, and recursive resolvers, all working together to efficiently resolve DNS queries and facilitate seamless internet communication.
Outcome and project goals
Before we get started it's important to understand what we are looking to achieve with this project, and why you would want to set this up. By default your network will already reference an external DNS server (usually set up by your router to point at your ISP). If you've followed previous guides, you may have decided to point your DNS at a privacy-focused system such as Cloudflare or Google DNS. This guide continues to build on those setups.
The goals of this setup are to:
- Allow for internal DNS resolution (e.g. allowing internal users to use "home.yourdomain" instead of typing IP addresses)
- Utilise a Windows DC for network-level authentication and security
- Block ads at the network level using a pi-hole (or AdGuard) setup
Defining your system architecture
To achieve this we're going to use two self-hosted services:
- A Microsoft Windows Domain Controller
- A pi-hole server
You'll need to set these up on your self-hosted virtualised server, such as Proxmox (if you're not sure how to get started with Proxmox, check out our article here). While it's possible to set these up on bare metal, this would be overkill and a waste of energy for all but the largest smart homes.
Setting up your Windows DC
During setup of your Windows DC (which may get covered in another article), you want to make sure the "DNS" role is selected. If you've already set up your Windows Server you can add it using the "Roles and Features" installer from the Server Manager dashboard.
Once this is installed, you’ll be able to select “DNS” either from the Manage dropdown on Server Manager or from the Windows Server start menu.
The DNS Manager will allow you to update hosts and other settings. For now the only zones you should see will be those associated with your Domain Controller settings. Specifically there should be a domain zone, in my case "ad.buz.by", and the auto-discovery zone "_msdcs.ad.buz.by". We'll come back here later to add more records once we have the rest of the DNS set up.
Setting up your pi-hole instance
Now that we have our Windows DC set up, we need to move on to setting up our pi-hole. In my network I've set up two for redundancy, so I'll repeat this process twice.
We'll be setting each pi-hole up as an "LXC" container; this keeps the load on our Proxmox box light whilst keeping the install easy. This guide covers the creation of a new LXC container with either Ubuntu 20.04 or 22.04 (both are LTS releases, so they come with the advantage that they will receive security updates for up to 10 years). If you're on Unraid you can install the LXC plugin or use Docker images.
- The first thing to get started here is to ensure we have the CT templates installed to act as the base of the instance. Go into your Proxmox local storage – select “CT Templates” and click the template button.
- From here, search for ubuntu and install the 22.04 template.
- Ensure the LXC containers have at least 512 MB of RAM (this is plenty) and 2 GB of disk (I've used 8 GB).
- Set up the network with a static IP address (do not skip this!) along with any VLAN tag your network may need. If you've not set up VLANs yet, leave this blank.
- Once you've finished installing Ubuntu, enter the console and run the pi-hole setup command. This downloads the install script and "pipes" it (the pipe is the vertical line) to bash.
curl -sSL https://install.pi-hole.net | bash
If you receive an error, such as
Could not find command-not-found database. Run 'sudo apt update' to populate it. curl: command not found
You’ll need to install curl first by running
apt update && apt install curl
- Continue running the install script, ensuring you have previously set a static IP address. I’d recommend selecting “YES” to all questions for your first install (default block lists, admin interface and web server)
- Finally, if you want a redundant pi-hole setup, repeat this process with a 2nd LXC on a different IP address.
Bringing both DNS servers together
Now that you have set up both your Windows DC and your pi-holes, we need to link them together so that your Windows Server looks up IPs using your pi-holes. The good news is that this is very easy.
- RDP into your Windows Server as an Administrator
- Open the DNS Manager and right click on the server. Select “properties” from the dropdown
- Select "Forwarders", click the "Edit" button and add both of your pi-hole IP addresses, then untick "Use root hints if no forwarders are available". (Although leaving this ticked may seem like a good idea, if the pi-holes take too long to respond the server will fall back to root hints, bypassing the pi-holes and therefore removing any ad-blocking.) Finally click "Apply" to save your settings and close the dialog box.
Updating your router settings
Now we have our Windows Server linked to our pi-hole, we need to update our router settings to ensure these DNS servers are being used. This will vary based on your setup, here in my Homelab I’m using a Unifi setup, so my update will be in the Unifi dashboard.
- Log in to your router dashboard (this is the same place you go to update your Wi-Fi details). Usually this is on 192.168.0.1 or 192.168.1.1 depending on your setup.
- Find your “Internet” or “WAN” settings, locate DNS and enter the IP address of your Windows Server. Note, you may need to disable “Auto” or “Discovered by DHCP” (but do NOT turn off DHCP).
- Finally, restart your router for the settings to take effect (this may or may not be required – however I’d recommend it with the amount of changes we’ve made)
Verifying your DNS Setup
Finally – we need to test everything is working together – this is the most important step, so don’t skip this or you’ll spend hours troubleshooting later!
- Start by visiting any site in your browser (my default is "google.de"). If this works, that's a good sign you've not broken anything during this guide, and we can move on to the more technical tests.
- If nothing is loading you may see a “DNS Probe Failed” (or similar) error. In which case continue down the rest of the steps below and we’ll likely find the issue!
- Test the pi-hole setup: we're going to start backwards by testing the pi-hole first. Open a "Terminal" (if you're on macOS) or "Command Window" (if you're on Windows) and run
nslookup google.de 192.168.10.250
where "192.168.10.250" is the IP address of your pi-hole. You should see something similar to
➜ ~ nslookup google.de 192.168.10.250
Server: 192.168.10.250
Address: 192.168.10.250#53
Non-authoritative answer:
Name: google.de
Address: 22.214.171.124
- Test your Windows DC setup: re-run the same command, but this time pointing at your Windows Server. You should see a similar result (depending on your test site you may see a different "Address" being returned).
nslookup google.de 192.168.10.50
➜ ~ nslookup google.de 192.168.10.50
Server: 192.168.10.50
Address: 192.168.10.50#53
Non-authoritative answer:
Name: google.de
Address: 126.96.36.199
If you do not see a response here, it is likely your Windows Server is not communicating with your pi-hole correctly; go back and check that you completed the steps in "Bringing both DNS servers together" correctly.
- Test your ad blocking : Finally test your ad-blocking. In this case we’re going to use the domain “app-measurement.com” which should be blocked by the default blocklist on pi-hole.
nslookup app-measurement.com 192.168.10.50
This should return an address of "0.0.0.0", which shows the ad-blocking is working correctly.
➜ ~ nslookup app-measurement.com 192.168.10.50
Server: 192.168.10.50
Address: 192.168.10.50#53
Non-authoritative answer:
Name: app-measurement.com
Address: 0.0.0.0
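The three manual checks above (pi-hole answers, the DC answers through its forwarders, and the ad domain comes back as 0.0.0.0) are easy to get wrong by eye, for instance when the OS quietly falls back to a different resolver and the lookup "works" for the wrong reason. The script below is an added example, not part of the original article: it parses nslookup output of the shape shown above and applies the same three tests, so it can be re-run whenever the forwarders or router settings change. The IP addresses are the ones used in this article; the two sample transcripts are constructed in the article's format (with RFC 5737 documentation addresses), and only the Unix/macOS nslookup layout is parsed, not the Windows nslookup.exe layout.

```shell
#!/bin/sh
# Added example (not from the original article): applies the three checks in
# "Verifying your DNS Setup" to nslookup output. 192.168.10.250 is the pi-hole
# and 192.168.10.50 the Windows DC, as in the article. The sample transcripts
# at the bottom are constructed; they are not real answers.

# answer_addresses OUTPUT
# Print only the Address lines that follow "Non-authoritative answer:",
# skipping the "Address: <server>#53" line that describes the server itself.
answer_addresses() {
    printf '%s\n' "$1" | awk '
        /^Non-authoritative answer:/ { in_answer = 1; next }
        in_answer && /^Address:/     { print $2 }
    '
}

# answered_by OUTPUT SERVER_IP
# True when the "Server:" line names the resolver we asked. Without this, a
# lookup served by some other resolver would pass the test for the wrong reason.
answered_by() {
    printf '%s\n' "$1" | awk -v srv="$2" '
        /^Server:/ && $2 == srv { ok = 1 }
        END { exit !ok }
    '
}

# resolves OUTPUT
# True when at least one answer came back and none of them is the 0.0.0.0
# null answer, i.e. the name genuinely resolved.
resolves() {
    addrs=$(answer_addresses "$1")
    [ -n "$addrs" ] || return 1
    ! printf '%s\n' "$addrs" | grep -qx '0.0.0.0'
}

# blocked OUTPUT
# True when pi-hole's default null-blocking answer (0.0.0.0) was returned.
blocked() {
    answer_addresses "$1" | grep -qx '0.0.0.0'
}

# check_dns PIHOLE_IP DC_IP
# Live version of the article's three tests. Returns 0 only if all pass.
check_dns() {
    pihole="$1"; dc="$2"; rc=0

    out=$(nslookup google.de "$pihole" 2>&1)
    if answered_by "$out" "$pihole" && resolves "$out"; then
        echo "PASS pi-hole $pihole resolves google.de"
    else
        echo "FAIL pi-hole $pihole did not answer (check its static IP and service)"; rc=1
    fi

    out=$(nslookup google.de "$dc" 2>&1)
    if answered_by "$out" "$dc" && resolves "$out"; then
        echo "PASS DC $dc resolves google.de"
    else
        echo "FAIL DC $dc did not answer (re-check the Forwarders settings)"; rc=1
    fi

    out=$(nslookup app-measurement.com "$dc" 2>&1)
    if blocked "$out"; then
        echo "PASS DC $dc returns 0.0.0.0 for app-measurement.com (ad-blocking active)"
    else
        echo "FAIL app-measurement.com resolved via DC: queries are bypassing pi-hole"; rc=1
    fi
    return $rc
}

# Constructed sample transcripts in the article's nslookup format.
SAMPLE_RESOLVED="Server:  192.168.10.250
Address: 192.168.10.250#53

Non-authoritative answer:
Name:    google.de
Address: 203.0.113.10"

SAMPLE_BLOCKED="Server:  192.168.10.50
Address: 192.168.10.50#53

Non-authoritative answer:
Name:    app-measurement.com
Address: 0.0.0.0"

# Usage on the live network: sh dns-check.sh 192.168.10.250 192.168.10.50
if [ "$#" -eq 2 ]; then
    check_dns "$1" "$2"
fi
```

The `answered_by` check is the one worth keeping even if you shorten the rest: a FAIL on the third test with a PASS on the first two tells you the DC is answering but not via the pi-holes, which points straight back at the Forwarders dialog rather than at the pi-hole containers.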
You should now have a complete, local DNS setup, with Active Directory discovery and authentication and network level ad-blocking. In future articles we’ll discuss more advanced methods, such as keeping multiple pi-holes in sync, and adding your own local DNS entries.