Pi-hole + Unbound with VLANs (Ubiquiti UniFi)

Estimated read time: 1:20


Summary

In this insightful tutorial, the creator explores the integration of Pi-hole and Unbound in a network using VLANs, particularly with Ubiquiti UniFi devices. The video covers how to resolve DNS-related issues that may arise, demonstrating solutions and configurations to ensure seamless DNS service across different VLANs without compromising security. By employing methods like adjusting firewall rules and configuring network interfaces, the video provides practical solutions for maintaining network efficiency and security.

Highlights

• Learn how to tackle DNS issues in VLANs with Pi-hole and Unbound! 🧠
• Discover two approaches: firewall rules vs. individual DNS services on VLANs. 🌐
• Observe practical examples using a UniFi network setup and Linux machines. 👨‍💻
• Figure out how to keep VLANs secure and efficient with minimal configurations. 🔐
• Make the most of Linux's Network Manager for VLAN interface configurations. ⚙️

Key Takeaways

• Pi-hole + Unbound can smooth out DNS woes in VLAN setups! 🛠️
• Adjusting firewall rules can allow Pi-hole to serve multiple VLANs. 🔥
• Linux's Network Manager aids in interface configuration for VLANs. 💻
• Avoid firewall rule mess by configuring distinct interfaces on Pi-hole! 🤓
• The video uses a UniFi network setup as a practical example. 🎥

Overview

In this video, the creator delves into the world of network management by using Pi-hole and Unbound alongside VLANs on Ubiquiti UniFi devices. The goal? Tackle DNS resolution challenges that often come up in such setups. The creator provides a step-by-step guide on configuring both software and hardware components to achieve a smooth and efficient network system.

To address the DNS issues, two main methods are demonstrated. The first involves modifying firewall rules to enable Pi-hole to serve multiple VLANs, which might sound daunting but proves effective. In contrast, the second method circumvents potential firewall messes by configuring Pi-hole to offer DNS services individually across multiple VLAN interfaces, relying on Linux network management commands for efficiency.

The video is packed with useful demonstrations on network configurations, leveraging examples like the UniFi network controller and Linux clients to show practical solutions. It's a treasure trove for network enthusiasts looking to streamline their home setups while maintaining robust security measures without frequently tweaking firewall rules.

Chapters

• 00:00 - 01:30: Introduction and Overview. The chapter covers potential issues you might encounter when running Pi-hole plus Unbound within your home network, particularly concerning DNS domain name resolution. It introduces solutions to these issues. Although the video is not directly related to Unbound, it ties back to a previous video about Pi-hole.
• 01:30 - 03:00: UniFi Network Controller Setup. The chapter 'UniFi Network Controller Setup' focuses on the configuration and setup of the UniFi Network Controller. The speaker discusses using Ubiquiti UniFi network devices in a lab environment, setting up both Pi-hole and presumably UniFi on a single machine. The machine operates within a VM environment, and the infrastructure setup includes at least three devices.
• 03:00 - 04:30: Firewall Rules Explanation. The chapter titled 'Firewall Rules Explanation' discusses a typical setup involving VLANs. It mentions VLAN 1, which is the default, and VLAN 10, designated for IoT devices with less security. Additionally, there is an admin VLAN in place. The setup shows that the default VLAN has access to the IoT VLAN but not to the admin VLAN. In contrast, the admin VLAN has access to both the other VLANs. Different colors of arrows are used to distinguish between these VLANs.
• 04:30 - 07:00: Configuring VLANs and Pi-hole DNS. This chapter discusses how to configure VLANs and Pi-hole DNS to manage network requirements within a home network. It explores two different methods to allow Pi-hole to operate across multiple VLANs: 1) modifying firewall rules, and 2) configuring Pi-hole at a specific IP address to serve multiple VLANs.
• 07:00 - 11:00: Testing DNS Access Across VLANs. The chapter discusses setting up Pi-hole DNS services in different VLANs without modifying firewall rules. It shows the screen layout, which includes a UniFi network controller and Pi-hole machines, along with three Linux clients, each situated in a separate VLAN. The chapter begins by examining the current network configurations.
• 11:00 - 15:00: Resolving DNS Access Issues. The chapter titled 'Resolving DNS Access Issues' provides a walkthrough of navigating the UniFi network controller to address DNS access problems. Specifically, it focuses on checking network settings across defined networks (VLANs 10 and 20) and using a specific network (the admin network with subnet 20) as an example. Key actions include accessing the DHCP service management to verify DNS server configuration, and the intention is to set it up pointing to a Pi-hole DNS server, though it hasn't been configured yet.
• 15:00 - 20:00: Alternative Approach: Separate DNS for Each VLAN. The chapter discusses an alternative approach to network configuration, focusing on setting up a separate DNS for each VLAN. The current setup involves pointing to an external DNS server. The chapter also touches on firewall configurations, indicating that a 'drop all' methodology is employed. A specific rule to drop traffic between VLANs is defined to ensure only desired traffic is allowed.
• 20:00 - 21:00: Conclusion and Summary. The chapter concludes by referencing a diagram which shows disallowed directions, achieved by the drop-all rule. It describes the creation of specific rules to allow certain connections, such as 'allow admin to IoT' and 'allow default to IoT'. It ends with a mention of the DNS settings in Pi-hole, noting that it does not point to an external upstream DNS server.

Pi-hole + Unbound with VLANs (Ubiquiti UniFi) Transcription

• 00:00 - 00:30 If you run Pi-hole plus Unbound within your home network, and at the same time you configure VLANs, you may encounter issues when it comes to DNS domain name resolution. In this video let's talk about how we can resolve that. By the way, this video is not really related to Unbound, but just because a while ago I posted a video about Pi-hole
• 00:30 - 01:00 plus Unbound, and I want to continue the discussion, that's why in the title of this video I have Unbound. In this video I'm going to use Ubiquiti UniFi network devices as an example. In my lab environment, within one machine I configured both Pi-hole and Unbound, and this machine is running within VLAN 1. In the lower part you can see I have three
• 01:00 - 01:30 VLANs, just to demonstrate a typical VLAN setup: VLAN 1, which is the default, and VLAN 10, which is insecure, for IoT devices, and I also have an admin VLAN. You can see from the different colors of the arrows: for the default VLAN, it can access IoT but not the admin VLAN; for the admin VLAN, it can access both the other VLANs; but
• 01:30 - 02:00 for the IoT VLAN, it cannot access the default and admin VLANs. This type of requirements are typical within a home network. I'm going to discuss two different ways to achieve what we want, to use Pi-hole among multiple VLANs. First, change our firewall rules and configure the Pi-hole so that Pi-hole at this IP address can serve multiple VLANs. The second
• 02:00 - 02:30 approach: let's make Pi-hole do the DNS services in every single VLAN individually, without changing any firewall rules. This is the screen layout I'm going to use for this video. In the upper right I have the UniFi network controller and Pi-hole machines. In the lower part I have three Linux clients, each one resides in an individual VLAN. Let's check the current configurations.
• 02:30 - 03:00 So let me go to the UniFi network controller, go to settings. For network settings, you can see I have three networks defined: VLAN 1, 10 and 20. For each one of them, let me take admin as an example. Of course the subnet is 20. If I scroll down to the DHCP service management, then I can find the DNS server configuration. At this moment I have not pointed it to the Pi-hole
• 03:00 - 03:30 yet; it's pointing to an external DNS server. So for the other VLANs I have similar configuration when it comes to DNS. At this moment, if I check the current firewall rules, go to security, you can see I follow the drop-all-first methodology. I have a drop inter-VLAN rule defined in the very beginning. I only allow the traffic which I want.
• 03:30 - 04:00 If we check the diagram side by side, you can see all the red disallowed directions, they are achieved by this drop-all rule, right? And then for each single green one I created a corresponding rule, for example allow admin to IoT, for example allow default to IoT. So then move to the right, let's check Pi-hole. If I go to settings, for DNS you can see it's not pointing to an external upstream DNS server; instead
• 04:00 - 04:30 it's pointing to the local machine with this port number. This is for my Unbound server. My Unbound server is pointing to external DNS servers. At this moment the Pi-hole machine is ready to be used as a DNS server, even though we haven't used it yet. Let's see at this moment what's the situation for the three VLANs. Move to the default VLAN first. In the
• 04:30 - 05:00 diagram I also indicate the individual IP address for each Linux machine. So from the default VLAN, let me see whether I'm able to access admin. No, I cannot. Correct. And move on to the IoT VLAN, let me see whether I'm able to access the default VLAN. No, I cannot. Correct. And then from the admin VLAN, whether I'm able to access the default VLAN?
• 05:00 - 05:30 Yes, I'm able to do that. What about the IoT VLAN? OK, no problem, right? The firewall rules work. But let's see whether they are able to access the internet: ping abc.com. Yes, from the default VLAN no problem, from the IoT VLAN no problem, from the admin VLAN no problem. So everything is as expected, because at this moment we are
• 05:30 - 06:00 not using Pi-hole yet. What if now we point the DNS server to Pi-hole, what will happen? Go to the UniFi network controller, for network setting let me start with the default VLAN, go to the DHCP service management, for DNS change it to my Pi-hole server's IP address, apply changes. Then quickly do the same thing for the other VLANs.
• 06:00 - 06:30 Before we start testing the DNS domain name resolving again, we need to refresh the DHCP configuration in each Linux client, otherwise the DNS server change won't be effective. So let me do it. OK, then from the default VLAN let me do the same thing: ping abc.com. OK, no problem. That's expected, because the Pi-hole itself is also in the
• 06:30 - 07:00 default VLAN, right? There's no reason why this doesn't work for the default VLAN. But what about the IoT VLAN? It's just hanging there. That means the packets were dropped; there's no response from the DNS server. It failed. For the admin VLAN the same thing happened. So only the default VLAN works. Let's check the diagram. So the root cause for the IoT VLAN and the admin VLAN are not really the same.
• 07:00 - 07:30 Let's talk about the admin VLAN first. Yes, from the firewall rules the admin VLAN is able to access the other two VLANs, right? Theoretically it should be able to access the Pi-hole server. Why do we have a failure in the DNS name resolving? And the second thing is for the IoT VLAN: no matter whether the Pi-hole server works or not, from the IoT VLAN we simply cannot reach
• 07:30 - 08:00 out to any machine in the default VLAN because of our firewall rule. So we need to resolve the firewall first, then we talk about the Pi-hole server. Let's resolve the issues starting from the IoT VLAN. Let's work on the firewall rule first. So let me go to the IoT Linux. Instead of pinging abc.com, let me dig the domain name. It will hang there for a
• 08:00 - 08:30 moment, then return an error: communication error to this IP address. What's this? This is the Pi-hole IP address we set in the UniFi network controller for this IoT VLAN. Because we have the firewall rule, this machine cannot reach out to the machine in the default VLAN. That makes sense. But how can we change the firewall rule to open up this access? It's very simple. So let me go to firewall rules in UDM Pro. I
• 08:30 - 09:00 want to create a new entry: allow access to Pi-hole DNS. For protocol I only want to allow UDP, because that's what the DNS service will use. For the source type, I already have an IP group defined previously; this is the RFC 1918 subnet, which means my local network, including all my local VLANs. So I don't care which VLAN,
• 09:00 - 09:30 as long as it's my local network I want it to be included in this firewall rule, and the port group I don't care. Then about destination: for destination type I only want the access to be to the Pi-hole machine, so I already defined an IP group for the Pi-hole. It's very simple, I don't want to waste your time here, I will directly select it. See here, Pi-hole. Basically this means this one single .1.88 machine. And that's not enough,
• 09:30 - 10:00 because I don't really want the other VLANs to access this Pi-hole server's any other services. I want to limit the access even more: for port group I only want to allow the DNS port. For this firewall rule I open up access to the Pi-hole machine, to the DNS service only. Add rule. Let me change the sequence for this new firewall rule; I will move it to the very top so that it will be processed first.
• 10:00 - 10:30 OK, that's it, that's our simple firewall rule. In the IoT Linux machine let me try to dig abc.com again. It seems it still doesn't work. Yeah, you can see: timed out. Even though we already enabled the access to Pi-hole when it comes to the DNS service, we got the same error. That's strange. Let's try the same
• 10:30 - 11:00 thing in the admin VLAN. According to the firewall rules we allowed full access from this admin Linux machine to Pi-hole, right? So let me see whether it can get the IP address back. Let me do the same thing: dig abc.com. Too bad, we get the exact same error. That means it's not just because of firewall rules; there must be some
• 11:00 - 11:30 more fundamental things we are missing, right? What will that be? It is within the Pi-hole configuration. In Pi-hole go to settings, go to DNS, scroll down. There's this very strange setting. You may not be able to understand what this means exactly, but this is our root cause for other VLANs being unable to access the Pi-hole DNS. By default Pi-hole only allows local
• 11:30 - 12:00 requests. Local means the same VLAN, so that means it only allows the one subnet to access its service. We have three possible options. I don't want to spend time explaining the exact differences; if you are interested you can go to the Pi-hole documentation, check the interfaces document. So for this video we simply enable this one: we allow the Pi-hole to
• 12:00 - 12:30 respond on this interface regardless of which VLAN the request is from. It will serve other VLANs as well. Once we make the change, save it, now it's active. Let's try the IoT Linux machine again. Let me do the same thing: dig abc.com. It immediately returns with the correct result. And for the admin VLAN the same thing, yeah, same result. Problem is resolved. Let me summarize: in this
• 12:30 - 13:00 approach we did two different things. If you do have firewall rules which prevent your computers from accessing the VLAN in which the Pi-hole server resides, you need to create firewall rules to open up that access. But that's not enough: you need to further configure Pi-hole to allow it to serve other VLANs instead of just the local VLAN. Some people may not like it, because it
• 13:00 - 13:30 requires we open up access from other VLANs to this particular Pi-hole machine, to the DNS service. See these three green arrows: that's required to allow this approach to work. Some people may not like it; they don't like to mess with the firewall rules. Before proceeding we need to revert the firewall rule changes: delete this additional firewall rule we added
• 13:30 - 14:00 in the first approach. In the first approach we just talked about, because the Pi-hole server resides within this one subnet or VLAN, default, to allow machines in other VLANs to even be able to connect to Pi-hole we need to manipulate the firewall rules, right? Apparently the idea for the second approach is: why not provide DNS services
• 14:00 - 14:30 in each single VLAN, so then we don't need to touch the firewall rules; we even don't need to touch the Pi-hole configurations. We simply need to work on the operating system's network configuration. Let's do that. We have three VLANs, three different subnets. The idea is, for each subnet, on this server for Pi-hole I have a distinct interface, so that the Pi-hole can provide DNS resolving
• 14:30 - 15:00 service on each subnet. This Pi-hole server you see here is a brand new Pi-hole server; it's not the one we used in the first approach. So you can see from this icon it's managed by Linux Network Manager, and if we go to the network setting we can see currently its IP address is .1.99. It's in the default VLAN. There are no other network interfaces.
• 15:00 - 15:30 OK, so this is the default current Pi-hole server network configuration. And if we go to the settings, remember in the first approach for DNS we changed the setting for the interface, but you can see here, for this default configuration for the brand new Pi-hole, it has the default setting: allow only local requests. We don't want to touch this setting; we don't even want to touch any configuration in Pi-hole. Depending on the
• 15:30 - 16:00 operating system you run your Pi-hole in, in my case I run it on Debian, so what I need to do is, on Debian, I want to manually configure my network using the configuration file. Before the configuration I need to know my network interface name. Depending on the hardware in your system the interface name may be different. To easily find it out, let me see what's the current configuration. OK, it tells me the interface name
• 16:00 - 16:30 ens192. In the Pi-hole server's Linux let me edit a network configuration file. It's under /etc/network and the file name is interfaces. By default the file is pretty simple. Let me add my new interfaces at the end. OK, this part is the one I just added. So basically what I want to say is, in the first section I want to add a new interface with this name, and it's a static
• 16:30 - 17:00 IP address configuration, and with this IP address. I chose an IP address which is different from the previous approach on purpose. And then the 24 indicates the subnet mask. For gateway, this is my UDM Pro's IP address for the default VLAN. Then the second section is for VLAN 10, for the IoT VLAN. This is the interface name, with a special naming convention: dot and then the VLAN ID. For IP address it's
• 17:00 - 17:30 10.98. The gateway is the corresponding UDM Pro's IP address. Similar way for VLAN 20, this is the configuration. So you can see, pretty simple, straightforward network configuration, right? Write the file, then exit. To make it effective we either restart the network manager or I simply reboot the Linux machine. While it's rebooting let me
• 17:30 - 18:00 explain an additional thing. Because I'm running this Linux on an ESXi server, so it's a Linux virtual machine, to enable the VLAN trunk I need to do some special configuration on the ESXi level. This is the port group used by my Linux virtual machine. If you check the setting you can see I set the VLAN ID to this number. This number indicates I want to enable VLAN trunking. If you happen to
• 18:00 - 18:30 use ESXi you may want to do a similar thing, but if you run your Linux in a different way it's not relevant to you. OK, let me go back to the rebooted Pi-hole server. OK, the operating system has been rebooted. You can immediately notice one difference is this icon for network configuration; now it's showing a question mark. Why? Because the network controller for Linux cannot determine the IP
• 18:30 - 19:00 configuration anymore, because we manually changed the configuration file, right? To validate the current effective one, let me simply run this command. Yes, we can see this interface for the default VLAN, this one for VLAN 10, this one for VLAN 20. From the operating system level we are good. Remember we haven't changed anything in Pi-hole, right? To finish the change we need to go to UDM Pro to change the DHCP settings for each VLAN. To
• 19:00 - 19:30 save time I already completed the change. Let me quickly show you: for the default VLAN you can see this is the DNS server I configured; on the right side we have the same IP address. Then for VLAN 10 we have this DNS server; on the right side you can find the same information. For VLAN 20 we have a similar thing, right? I don't want to waste your time. So we are done with all the needed configurations. Now let's validate it. Before
• 19:30 - 20:00 we can even test anything, remember we just changed the DHCP settings in UDM Pro, right? We haven't refreshed the client settings yet. We need to do that. Let me quickly do it. OK, now let me start with the default VLAN: dig x.com. OK, I quickly get an answer back, and this is from the newly configured DNS server. No problem, we are good. Of course
• 20:00 - 20:30 this is the default VLAN, we expect it to work, right? Now the moment of truth for the IoT VLAN, VLAN 10: dig x.com as well. OK, we got an answer back quickly. This time it's from this IP address. You can validate from the Pi-hole as well; it's the one we configured for VLAN 10 on the operating system level. Good. Let's validate VLAN 20. OK, similar thing, from this Pi-hole server. So we are all good. As you can see,
• 20:30 - 21:00 I really like the second approach, because it only involves configuration changes on the Linux operating system level, and we don't need to mess with the router firewall settings, we don't need to change Pi-hole configurations. This is the end of the video. Thanks for watching.
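The second approach (one Pi-hole interface per VLAN, set in /etc/network/interfaces, then each VLAN's DHCP scope pointed at the leg in its own subnet) as an added example in Python; this is not the video's file or Pi-hole's code. It keeps the video's ens192 NIC, VLAN IDs 1/10/20 and host octets .99 and .98, while the 192.168.x.0/24 prefixes and the .1 gateway are assumptions; unlike the video's file it puts the default gateway only on the untagged leg, since a second `gateway` line on another leg adds a conflicting default route and the tagged legs only need their connected /24 to answer clients in those VLANs.

```python
"""Generate ifupdown stanzas that give a Pi-hole host one leg per VLAN.

Added example (not the video's own file). Lab values modelled on the
video: ens192, VLAN 1 untagged, VLAN 10 IoT, VLAN 20 admin, host octets
.99 and .98. The 192.168.x.0/24 prefixes and the .1 gateway are assumed.
"""
import ipaddress

# Constructed lab layout: (VLAN id or None for untagged, host address, gateway or None)
LAB_LEGS = [
    (None, "192.168.1.99/24", "192.168.1.1"),   # default VLAN, carries the default route
    (10,   "192.168.10.98/24", None),           # IoT VLAN, tagged sub-interface
    (20,   "192.168.20.98/24", None),           # admin VLAN, tagged sub-interface
]


def leg_name(base, vlan_id):
    """8021q naming convention the video uses: '<nic>.<vid>' for a tagged leg."""
    if vlan_id is None:
        return base
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN id out of range: {vlan_id}")
    return f"{base}.{vlan_id}"


def build_interfaces(base, legs):
    """Return the stanza text; reject overlapping subnets, a gateway outside
    its leg's subnet, and anything other than exactly one default gateway."""
    used = {}          # network -> interface name, to catch overlaps
    gateways = 0
    lines = ["# Pi-hole legs, one per VLAN (generated example)"]
    for vlan_id, cidr, gateway in legs:
        host = ipaddress.ip_interface(cidr)
        net = host.network
        for other, other_name in used.items():
            if net.overlaps(other):
                raise ValueError(f"{net} overlaps {other} on {other_name}")
        name = leg_name(base, vlan_id)
        used[net] = name
        lines += ["", f"auto {name}", f"iface {name} inet static",
                  f"    address {host.ip}/{net.prefixlen}"]
        if gateway is not None:
            gw = ipaddress.ip_address(gateway)
            if gw not in net or gw == host.ip:
                raise ValueError(f"gateway {gw} is not a usable router on {net}")
            lines.append(f"    gateway {gw}")
            gateways += 1
    if gateways != 1:
        raise ValueError("exactly one leg must carry the default gateway")
    return "\n".join(lines) + "\n"


def dns_server_for(client_subnet, legs):
    """The Pi-hole address a VLAN's DHCP scope should hand out: the leg that
    sits inside that VLAN's own subnet, so no inter-VLAN firewall rule is needed."""
    net = ipaddress.ip_network(client_subnet)
    for _vlan_id, cidr, _gw in legs:
        host = ipaddress.ip_interface(cidr)
        if host.ip in net:
            return str(host.ip)
    raise LookupError(f"Pi-hole has no leg in {net}")


if __name__ == "__main__":
    print(build_interfaces("ens192", LAB_LEGS))
    for subnet in ("192.168.1.0/24", "192.168.10.0/24", "192.168.20.0/24"):
        print(f"DHCP DNS server for {subnet}: {dns_server_for(subnet, LAB_LEGS)}")
```

Keep net.ipv4.ip_forward at 0 on the Pi-hole host: once it has a leg in every VLAN, forwarding would let it route between them and bypass the UDM's drop-all rule.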