Install & Setup Pi-Hole on CentOS 7 with Active Directory
What is Pi-Hole?:
Pi-hole is a DNS sinkhole project that was started back in 2014 by Jacob Salmela. Pi-Hole, like most other Linux based software, is open-source and free to use. Pi-Hole cunningly makes use of some really simple pieces available to all Linux operating systems, such as dnsmasq, PHP, and lighttpd. Take some well-known tools and services like these, make them work together, and you have yourself one heck of a product.
Now, as someone who hates ads and hates slow networks even more, this project immediately caught my eye. Yes, I know I have ads on my site, but they are very clearly labeled and at the bottom of my posts. Hey, I have to pay for this site somehow. But I digress. I thought it would be interesting to take the Pi-Hole service and set it up in my Active Directory domain so that I could help reduce my overall internal network traffic to my clients.
Goal of this Article:
In this article, my goal is to go over how to install & set up Pi-Hole on CentOS 7 with Active Directory in a somewhat redundant manner, meaning that if one Pi-Hole goes down or has issues, my clients\servers will pull from the next available Pi-Hole. As with most of my other articles, this will give you a good proof of concept to later grow and build up more yourself.
Before I start showing you how to install & set up Pi-Hole on CentOS 7 with Active Directory, there are a few things I would like you to know. I will be using two CentOS 7 minimal installations running 1804 as my Linux systems. Each CentOS 7 system is running with 2 cores and 2GB of RAM. My Active Directory domain is already set up and running at the 2016 functional level.
Please note that your domain does not need to be at the 2016 level to complete this guide. You will also need some form of administrative permissions on both your Linux and Windows systems. For Active Directory you will again need some form of administrative permissions, such as Domain Admin.
To start, you will need to open SSH sessions to your CentOS 7 machines; if you are on Windows you can use PuTTY to achieve this. Once you are logged into your systems, run the following commands:
yum -y install epel-release
yum -y install net-tools vim wget mlocate
I will only say this once in a blue moon, but since SELinux does not play well with Pi-Hole and is not supported by it, we have to make some tweaks in order for Pi-Hole to work correctly. So here it goes: we need to set SELinux to the permissive state. We are not disabling SELinux; we are setting it into a state where it still logs and tracks denials but does not act on them.
Once you have set SELinux to permissive, you will need to reboot each CentOS 7 system and log back in for the change to take effect. On a side note, if anyone figures out how to get Pi-Hole and SELinux working correctly, please send me an email. I have spent close to a week setting custom SELinux policies to allow Pi-Hole to work correctly, but I still have not had any luck.
After the quick initial tool installs we can jump right into our Pi-Hole installations. Run the following command to get started. (It pipes the installer script straight into bash; if you would rather review the script first, save it to a file with curl and read it before running it.)
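The post describes the permissive switch but the commands themselves are not shown, so here is an added example (my own, not from the original post or the Pi-Hole project) that makes the change both at runtime with setenforce and persistently in /etc/selinux/config. The config path argument and the script file name selinux-permissive.sh in the usage comment are assumptions; on a real host the default path is used.

```shell
#!/bin/bash
# Added example, not part of the original post: put SELinux into permissive
# mode for Pi-Hole, immediately (setenforce 0) and persistently (edit
# /etc/selinux/config), then report both states. The config path argument
# exists so the functions can be exercised on a copy of the file; on a real
# CentOS 7 host the default /etc/selinux/config is used.

# Rewrite the SELINUX= line in the given config file to "permissive".
# Every other line (e.g. SELINUXTYPE=targeted, comments) is left untouched.
set_selinux_permissive() {
  local cfg="${1:-/etc/selinux/config}"
  local tmp
  tmp="$(mktemp)" || return 1
  sed 's/^SELINUX=.*/SELINUX=permissive/' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
  # Write back through cat so the original file keeps its owner and mode
  cat "$tmp" > "$cfg"
  rm -f "$tmp"
}

# Print the mode configured for the next boot (enforcing/permissive/disabled),
# ignoring comment lines.
selinux_config_mode() {
  local cfg="${1:-/etc/selinux/config}"
  sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$cfg" | head -n 1
}

# Apply both the runtime and the persistent change. Needs root.
# setenforce 0 is the runtime switch; the file edit makes it survive the
# reboot the post asks for. Denials are still logged to /var/log/audit/audit.log,
# so you can keep watching what Pi-Hole would have been blocked from doing.
apply_permissive() {
  setenforce 0 || return 1
  set_selinux_permissive /etc/selinux/config || return 1
  echo "runtime: $(getenforce), next boot: $(selinux_config_mode /etc/selinux/config)"
}

# Usage on a Pi-Hole host (not run automatically when this file is sourced):
#   sudo bash -c '. ./selinux-permissive.sh && apply_permissive'
```

Because the rewrite only touches the line beginning with SELINUX=, the SELINUXTYPE line and the comment block CentOS ships in that file are preserved, which is what you want when you later try to go back to enforcing.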
curl -sSL https://install.pi-hole.net | bash
Once the required packages have been downloaded you will be brought to the Pi-Hole setup screens, where you can begin your configuration. Please reference the images below and make the necessary changes to fit your environment.
You should not get an Enforced warning. This is just an example.
After the setup is complete, open a web browser and go to the IP address of each of your Pi-Holes, and you will be presented with the following dashboard:
- Example: http://192.168.1.100/admin
Active Directory Setup:
After the Pi-Holes have been set up, you need to tell your clients where to send their DNS queries. However, this cannot be done at the client level, because we have an Active Directory domain and our clients\servers need to talk to our domain controllers to resolve any internal names.
To get around this, you will need to edit the forwarders on each of your domain controllers. This is a simple task: open the DNS console on each domain controller, right-click the server, go to Properties, and select the Forwarders tab. In the Forwarders section, enter the IP addresses of each of your newly created Pi-Holes. This configures your internal DNS so that when a client queries a name, the query hits your domain controllers first, and if they do not have an entry for it, it is forwarded out to the Pi-Holes.
In my domain I set Pi-Hole-1 as the first forwarder on DC01 and Pi-Hole-2 as the first forwarder on DC02. This provides some load balancing and redundancy in the event that one Pi-Hole goes down.
Test it Out:
To test whether your Pi-Holes are working correctly, you can head on over to the following link provided by Pi-Hole. This is a great page that gives you lots of options for testing. My favorite page would have to be “lingscars.com”; while there is not really a ton of ads, it's one of those sites that you just have to check out and go “what the hell.”
- This was after 10 minutes of my Pi-Holes running. I’m very excited to see how much ad traffic is blocked by this service!
Thank you for taking the time to read this article; I hope that it was helpful in some way to you. If you noticed anything wrong or have a better way of doing this, please don’t hesitate to comment below or send me an email. Thank you!
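Browsing an ad-heavy site shows that blocking works from one client, but it does not prove that both domain controllers forward to the Pi-Holes as described in the Active Directory section. The following added example (mine, not from the original post or the Pi-Hole project) checks the whole chain with dig (package bind-utils on CentOS 7): an internal name must be answered by the DC itself, and a name on the blocklist must come back as the Pi-Hole sinkhole address. The DC and Pi-Hole addresses, the internal host name and the choice of doubleclick.net as a blocklisted name are all assumptions; substitute your own values.

```shell
#!/bin/bash
# Added example, not part of the original post: verify the resolution chain
# client -> domain controller -> Pi-Hole using dig. Pi-Hole answers a blocked
# name either with its own address or with 0.0.0.0 (depending on its blocking
# mode), so both answers are treated as "blocked". All addresses and names
# below are assumed placeholders.

# Classify a "dig +short" answer. Arguments: the answer text and the Pi-Hole
# IPs (space separated). Prints one of: blocked / resolved / none.
classify_answer() {
  local answer="$1" pihole_ips="$2" ip
  [ -z "$answer" ] && { echo none; return; }
  for ip in $answer; do
    # An answer pointing at a Pi-Hole itself is the sinkhole (default mode)
    case " $pihole_ips " in *" $ip "*) echo blocked; return;; esac
    # NULL blocking mode answers 0.0.0.0 instead
    [ "$ip" = "0.0.0.0" ] && { echo blocked; return; }
  done
  echo resolved
}

# Query one name through one server and print "server name verdict".
check_name() {
  local server="$1" name="$2" pihole_ips="$3" answer
  answer="$(dig +short +time=2 +tries=1 @"$server" "$name" A 2>/dev/null | tr '\n' ' ' | sed 's/ *$//')"
  echo "$server $name $(classify_answer "$answer" "$pihole_ips")"
}

# Run the checks against both DCs. Expected output per DC: the internal name
# "resolved" (the DC is authoritative for it) and the ad domain "blocked"
# (the DC forwarded it to a Pi-Hole, which sinkholed it). A "resolved" ad
# domain means that DC is not forwarding to the Pi-Holes; "none" means the
# query timed out or the name does not exist.
run_checks() {
  local pihole_ips="192.168.1.100 192.168.1.101"       # assumed Pi-Hole addresses
  local internal="dc01.corp.example"                    # assumed internal name
  local adhost="doubleclick.net"                        # assumed to be on the blocklist
  local dc
  for dc in 192.168.1.10 192.168.1.11; do               # assumed DC addresses
    check_name "$dc" "$internal" "$pihole_ips"
    check_name "$dc" "$adhost" "$pihole_ips"
  done
}

# Usage (not run automatically when this file is sourced): run_checks
```

Running it from a domain-joined client after changing the forwarders gives a quick confirmation that each DC independently reaches a Pi-Hole, which is the redundancy the forwarder ordering is meant to provide.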