Hello! I want to set up a pi-hole at my home and connect from my parents’. Both setups have a dynamic IP assigned by my ISP and are different networks.

I have a couple of questions:

  1. I can get a domain that updates automatically. But how would I resolve it on the client side?
  2. Is there any way to authenticate on the server? By MAC maybe? That can be spoofed, right?

Edit: my bad, thanks for correcting me, MAC is another layer completely.

  3. Can setting up a VPN solve both (1) and (2)?
  4. Is there any other way?

Thanks!

@Taleya@aussie.zone

DynDNS. That will give you a hostname, but check if your ISP offers a static IP tbh. Client side shouldn’t matter overmuch if you’re returning requests it’s made

@Toribor@corndog.social

I’ll second this recommendation and add a bit more. I’d recommend using DuckDNS’s dynamic DNS service. It’s free (donate if you can!) and fairly simple to set up. I run it on my router since it supports it but it’s easy to run in a docker container too.

@darkan15@lemmy.world

I recommend DuckDNS as well; you can run it on both sides and set up a daemon to update the domain automatically when there is an IP change.

And with WireGuard you can set up a tunnel between both locations so you can share anything you need.


@Decronym@lemmy.decronym.xyz
bot account

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

| Fewer Letters | More Letters |
|---|---|
| CF | CloudFlare |
| DNS | Domain Name Service/System |
| IP | Internet Protocol |
| PiHole | Network-wide ad-blocker (DNS sinkhole) |
| VPN | Virtual Private Network |

[Thread #315 for this sub, first seen 30th Nov 2023, 16:15]

@ck_@discuss.tchncs.de

> Is there any other way?

For all intents and purposes, let’s assume there isn’t. Running a DNS server on the ‘open internet’ is notoriously difficult if you are not familiar with the intricacies, especially with regard to security. Running it through a VPN is really the best option you have here.

@bless@lemmy.world

I would get a domain name and use DDNS to update your rotating IP. Then I would set up a WireGuard VPN in split tunnel and have your parents’ network tunnel back to your piholes for DNS resolution.

I use the Cloudflare API for DDNS updates, but there are plenty of choices for that. If you’re using Cloudflare for DNS, just keep in mind you can’t proxy the DNS entry for the IP of your VPN host, as CF only forwards traffic over certain ports and they are not configurable (on the free plan anyway, not sure about paid).

@Gooey0210@sh.itjust.works

You can do DoH over proxied cloudflare I believe

edit: now I’m wondering, is it possible to proxy headscale??

@1984@lemmy.today

Don’t you get a short break in connectivity as the IP changes?

Neshura

Yes, but most ISPs (at least where I live) change the IP in the middle of nobody-should-be-awake-anyway o’clock.

Plus the connection drops only for a minute or two at most, unless you set a really high TTL on the domain’s DNS record.
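On the "short break as the IP changes" point there is a second caveat: WireGuard resolves a peer's Endpoint hostname once when the interface comes up and then keeps sending to that address, so a DDNS update alone does not move the tunnel; something has to re-resolve the name and call `wg set`. The script below is an added example and not from this thread (wireguard-tools ships a similar contrib script); the interface name, peer key, hostname and the RESOLVE_OVERRIDE test hook are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: re-resolve a peer's DDNS name and
# update its WireGuard endpoint when the far site's public IP has changed.
# The kernel keeps the address resolved at `wg-quick up` until `wg set`
# hands it a new one. Names and keys below are constructed placeholders.

# Current endpoint of PUBKEY from `wg show IFACE endpoints` output, whose
# lines are "<pubkey><TAB><host:port>" (or "(none)" when unknown).
current_endpoint() {  # $1 = wg show output, $2 = peer public key
    printf '%s\n' "$1" | awk -F '\t' -v k="$2" '$1 == k { print $2 }'
}

# First IPv4 address of a hostname. RESOLVE_OVERRIDE (constructed test hook)
# short-circuits the lookup so the logic can be exercised offline.
resolve_v4() {  # $1 = hostname
    if [ "${RESOLVE_OVERRIDE+set}" = set ]; then
        printf '%s\n' "$RESOLVE_OVERRIDE"; return 0
    fi
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Prints "ip:port" when the kernel's endpoint differs from DNS, prints nothing
# when it matches, and fails (status 1) when DNS gave no answer, so a flaky
# DDNS lookup never replaces a working endpoint with an empty one.
endpoint_update_needed() {  # $1 = wg show output, $2 = pubkey, $3 = host, $4 = port
    cur=$(current_endpoint "$1" "$2")
    new=$(resolve_v4 "$3")
    [ -n "$new" ] || return 1
    [ "$cur" = "$new:$4" ] && return 0
    printf '%s:%s\n' "$new" "$4"
}

# Run from cron or a systemd timer every minute or so, e.g.
#   PEER_PUB=PARENTS_PUBLIC_KEY PEER_HOST=parents.duckdns.org sh wg-reresolve.sh
main() {
    iface=${WG_IFACE:-wg0}; port=${PEER_PORT:-51820}
    show=$(wg show "$iface" endpoints) || return 1
    new=$(endpoint_update_needed "$show" "$PEER_PUB" "$PEER_HOST" "$port") || return 1
    if [ -n "$new" ]; then wg set "$iface" peer "$PEER_PUB" endpoint "$new"; fi
}
# Only act when a peer was named; sourcing or testing the file does nothing.
if [ -n "$PEER_HOST" ]; then main; fi
```

Only IPv4 endpoints are handled; `wg show` prints IPv6 endpoints in `[addr]:port` form, which would need a matching change in the comparison.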

@IsoKiero@sopuli.xyz

You can’t configure a DNS server by name on anything, so you’d need some kind of script/automation to query the current IP address of your pihole from Google/your DDNS provider/someone and update that on your parents’ router, which can be a bit tricky or straight impossible depending on the hardware.

A VPN would solve both 1 and 2 from your list, as your pihole would be available with a static address at both locations. You can’t authenticate on a DNS server by MAC, as you don’t receive the originating MAC at all. Another solution would be to get a static IP address from some provider and tunnel traffic so that your pihole could be reached through that static address.

If both routers support it: S2S VPN. Also has the advantage of being able to access the stuff from each others side.
Disadvantage: Viruses can traverse the tunnel.

@papelitofeliz
VPN for sure:

  1. Set up both locations with Dynamic DNS providers. DuckDNS is free, but if you’re building infrastructure you may as well buy your own domain and set it up through that (Namecheap is what I use and recommend).

  2. Set up a WireGuard tunnel between both locations. Do *not* specify an endpoint for either. You could specify endpoints to boost security (barely), but it will cause your system to fail during IP changes, for the duration of the TTL.

  3. Set up your PiHole on a static private IP.

  4. Ensure both sites can route across the tunnel. Based on your experience level and scope, dynamic routing is not recommended or necessary, which means static routes. Point a route for each side’s subnet to the WireGuard tunnel IPs so your firewalls know how to reach and respond to each other across the tunnel.

  5. Configure your devices to use PiHole for their DNS, via DHCP ideally.
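The site-to-site wg-quick configuration that steps 2 to 5 describe, as an added example that is not from this thread or any commenter; tunnel addresses, LAN subnets, DuckDNS names and the key placeholders are all constructed. One assumption differs from step 2: each side is given the other site's DDNS name as Endpoint so either can initiate a handshake; leave that parameter off a side that should only answer.

```shell
#!/bin/sh
# Added example, not from the thread: render the wg-quick config for one
# site of a two-site WireGuard tunnel. All keys, subnets and hostnames are
# constructed placeholders.
#
# site_conf <tunnel_addr/cidr> <listen_port> <private_key> \
#           <peer_public_key> <peer_tunnel_ip> <peer_lan_cidr> [peer_endpoint]
site_conf() {
    tunnel_addr=$1; port=$2; privkey=$3
    peer_pub=$4; peer_tun=$5; peer_lan=$6; peer_endpoint=$7
    printf '[Interface]\nAddress = %s\nListenPort = %s\nPrivateKey = %s\n\n' \
        "$tunnel_addr" "$port" "$privkey"
    printf '[Peer]\nPublicKey = %s\n' "$peer_pub"
    # AllowedIPs is both the crypto-routing ACL (which source IPs this peer
    # may send) and the route list wg-quick installs: the peer's tunnel
    # address plus its whole LAN, so PiHole on the far LAN is reachable.
    printf 'AllowedIPs = %s/32, %s\n' "$peer_tun" "$peer_lan"
    # Keepalives keep the NAT/firewall mapping open so a site behind NAT
    # still receives packets after a quiet period.
    printf 'PersistentKeepalive = 25\n'
    # Optional: the other site's DDNS name, so this side can initiate.
    if [ -n "$peer_endpoint" ]; then printf 'Endpoint = %s\n' "$peer_endpoint"; fi
}

# Home site: LAN 192.168.1.0/24, PiHole at 192.168.1.53 (constructed).
# Parents' site: LAN 192.168.2.0/24 (constructed). Tunnel network 10.99.0.0/24.
home_conf() {
    site_conf 10.99.0.1/24 51820 HOME_PRIVATE_KEY \
        PARENTS_PUBLIC_KEY 10.99.0.2 192.168.2.0/24 parents.duckdns.org:51820
}
parents_conf() {
    site_conf 10.99.0.2/24 51820 PARENTS_PRIVATE_KEY \
        HOME_PUBLIC_KEY 10.99.0.1 192.168.1.0/24 home.duckdns.org:51820
}

# Step 4: if the WireGuard host is not the site router, the router still
# needs a static route for the far LAN via that host's LAN address, e.g. on
# the parents' router:  ip route add 192.168.1.0/24 via 192.168.2.5
# Step 5: hand out the PiHole address as DNS server via DHCP (option 6),
# e.g. in dnsmasq:  dhcp-option=6,192.168.1.53

main() {
    echo "# --- home /etc/wireguard/wg0.conf ---";    home_conf
    echo "# --- parents /etc/wireguard/wg0.conf ---"; parents_conf
}
main
```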

@papelitofeliz@lemmy.world
creator

I didn’t look anything up yet. But can the WireGuard tunnel be set up at the router level (I have a cheap MikroTik) or as a network service? So clients don’t have to install custom stuff.

@bless@lemmy.world

Yes

@Gooey0210@sh.itjust.works

A lot of people are suggesting VPNs

But there’s some beauty in DoH/DoT/Quic ports opened

You should check adguard-home for the DNS stuff. For your questions:

  1. I don’t quite get what you mean. But if you say “my domain’s dns updates regularly, how would one of the clients of the dns get the new IP”, then I would say upstream dns, and maybe pi-hole/adguard have something up their sleeve

  2. In adguard you can have client ids, it can be different things I forgot, but mainly it can be the domain you’re using as dns, so john.dns.mysite.com, and you can give 0.0.0.0 response to every client that is not a client. Maybe there are more clever ways to do this

  3. Yes, but for 1 it is not so straightforward; you have many options. You either need to update your DNS in some way anyway to connect to the VPN, or rent a cloud host to host (or port forward) the entry point there (or the theoretical option: some self-hosted VPNs allow you to do everything without any ports opened).

  4. Adguard-home, using a public dns, route through tor, cloudflare’s tunnels, host on a cloud, forward ports to a cloud, and many more

And for dynamic IP, I personally use Cloudflare (although I don’t trust them) (he-he, I didn’t expect the previous point to be so long, I wrote this at the beginning).
