Tag: pi-hole

Expanding Pi-Hole Stats with Prometheus

The other day I came across a Prometheus exporter for Pi-hole (found in a comment on /r/pihole) that exposes far more stats than the InfluxDB script I posted about a while back. With this exporter I was able to set up a much more detailed dashboard.

Currently I only have this set up for a single instance of Pi-hole. I am in the process of setting up a second instance as a backup for when my primary one goes down for updates. The dashboard can easily be updated to show either a clone of this info for your second instance or a drop-down selector for instances; you'll have to update your queries to support dashboard variables, which isn't very hard to do.

The dashboard JSON can be found here.

Forcing devices to use Pi-Hole

Currently I have a few "smart home" devices, and some of them have hard-coded DNS servers they use for DNS queries. Most notably my Google devices…

So I went ahead and set up two NAT rules on my ER-Lite that force all devices to go through my Pi-hole DNS server for DNS queries. From the device's point of view the connection to its hard-coded DNS server still succeeds, but the queries are actually being answered by my Pi-hole server.

If you want to set up your own rules to do this, run these configuration commands from your ER's CLI. Make sure to swap out IP.OF.PIHOLE.SERVER with the IP of your Pi-hole server, ETH-INTERFACE-HERE with the ethernet interface you wish to apply the rules to, and YOUR.SUBNET-RANGE.HERE with your subnet range (e.g. 10.9.9.2-10.9.9.254).

configure
set service nat rule 1 description 'Pi-Hole DNS'
set service nat rule 1 destination address '!IP.OF.PIHOLE.SERVER'
set service nat rule 1 destination port 53
set service nat rule 1 inbound-interface ETH-INTERFACE-HERE
set service nat rule 1 inside-address address IP.OF.PIHOLE.SERVER
set service nat rule 1 inside-address port 53
set service nat rule 1 log enable
set service nat rule 1 protocol tcp_udp
set service nat rule 1 source address '!IP.OF.PIHOLE.SERVER'
set service nat rule 1 type destination
set service nat rule 5011 description 'Masquerade Pi-Hole DNS'
set service nat rule 5011 destination address IP.OF.PIHOLE.SERVER
set service nat rule 5011 destination port 53
set service nat rule 5011 log disable
set service nat rule 5011 outbound-interface ETH-INTERFACE-HERE
set service nat rule 5011 protocol tcp_udp
set service nat rule 5011 source address YOUR.SUBNET-RANGE.HERE
set service nat rule 5011 type masquerade
commit
save
exit

You can then verify that they are enabled by running:

show nat rules

Type Codes:  SRC - source, DST - destination, MASQ - masquerade
              X at the front of rule implies rule is excluded

rule   type  intf     translation
----   ----  ----     -----------
2      DST   eth1     daddr !10.9.9.116 to 10.9.9.116
    proto-tcp_udp     dport 53 to 53
                      when saddr !10.9.9.116, sport ANY

3      DST   eth2.3   daddr ANY to 9.9.9.9
    proto-tcp_udp     dport 53 to 53

5010   MASQ  eth0     saddr ANY to xxx.xxx.xxx.xxx
    proto-all         sport ANY

5012   MASQ  eth1     saddr 10.9.9.2-10.9.9.254 to 10.9.9.1
    proto-tcp_udp     sport ANY
                      when daddr 10.9.9.116, dport 53

Your devices should now hit your Pi-hole DNS server instead of the one they were hard-coded with; the masquerade source NAT rule makes the reply appear to come from the original server they asked.

Goodbye hard coded DNS servers! :)

PS: A friend from work actually helped me fix this, as originally I only had a destination NAT rule set, which made it seem like it was working when it actually wasn't.
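Because a destination-NAT-only setup looks like it works until you check carefully, it helps to audit the `show nat rules` output mechanically for both halves of the redirect: a DST rule sending port 53 to the Pi-hole, and a MASQ rule for traffic to the Pi-hole on port 53. The following is an added example and not code from the post; it assumes the output format exactly as shown above, uses a sample constructed from that output (public address left redacted), and takes the Pi-hole address 10.9.9.116 from the post's own listing. Without the masquerade rule the Pi-hole answers the client directly from its own address, so the client, which asked a different server, discards the reply.

```python
import re
from typing import List

# Sample input, constructed from the `show nat rules` output shown in the post
# (the public masquerade address is left redacted as it was there).
SAMPLE_OUTPUT = """\
Type Codes:  SRC - source, DST - destination, MASQ - masquerade
              X at the front of rule implies rule is excluded

rule   type  intf     translation
----   ----  ----     -----------
2      DST   eth1     daddr !10.9.9.116 to 10.9.9.116
    proto-tcp_udp     dport 53 to 53
                      when saddr !10.9.9.116, sport ANY

3      DST   eth2.3   daddr ANY to 9.9.9.9
    proto-tcp_udp     dport 53 to 53

5010   MASQ  eth0     saddr ANY to xxx.xxx.xxx.xxx
    proto-all         sport ANY

5012   MASQ  eth1     saddr 10.9.9.2-10.9.9.254 to 10.9.9.1
    proto-tcp_udp     sport ANY
                      when daddr 10.9.9.116, dport 53
"""

# A rule starts at column 0: optional "X" (excluded), number, type, interface,
# then the first line of the translation column. Continuation lines are indented.
RULE_HEADER = re.compile(r"^(X?)\s*(\d+)\s+(SRC|DST|MASQ)\s+(\S+)\s+(.*)$")


def parse_nat_rules(text: str) -> List[dict]:
    """Turn `show nat rules` output into one dict per rule, with the
    multi-line translation column joined into a single string."""
    rules: List[dict] = []
    for line in text.splitlines():
        m = RULE_HEADER.match(line)
        if m:
            excluded, number, rtype, intf, first = m.groups()
            rules.append({
                "number": int(number),
                "type": rtype,
                "intf": intf,
                "excluded": excluded == "X",
                "text": first.strip(),
            })
        elif rules and line.startswith(" ") and line.strip():
            # Indented continuation of the current rule's translation column
            rules[-1]["text"] = f'{rules[-1]["text"]} {line.strip()}'
    return rules


def audit_dns_redirect(text: str, pihole_ip: str) -> List[str]:
    """Return a list of problems with the port-53 redirect; an empty list means
    both halves (DNAT to the Pi-hole and masquerade towards it) are present."""
    active = [r for r in parse_nat_rules(text) if not r["excluded"]]

    def dnat_to_pihole(r: dict) -> bool:
        target = re.search(r"\bdaddr \S+ to (\S+)", r["text"])
        return (r["type"] == "DST"
                and target is not None and target.group(1) == pihole_ip
                and re.search(r"\bdport 53\b", r["text"]) is not None)

    def masq_for_pihole(r: dict) -> bool:
        cond = re.search(r"\bwhen daddr ([^,\s]+), dport (\d+)", r["text"])
        return (r["type"] == "MASQ"
                and cond is not None
                and cond.group(1) == pihole_ip and cond.group(2) == "53")

    problems = []
    if not any(dnat_to_pihole(r) for r in active):
        problems.append(f"no destination NAT rule redirecting port 53 to {pihole_ip}")
    if not any(masq_for_pihole(r) for r in active):
        problems.append(f"no masquerade rule for traffic to {pihole_ip} port 53: "
                        "the Pi-hole would answer clients directly and they would drop the reply")
    return problems


if __name__ == "__main__":
    for line in audit_dns_redirect(SAMPLE_OUTPUT, "10.9.9.116") or ["redirect looks complete"]:
        print(line)
```

Paste your own `show nat rules` output into `SAMPLE_OUTPUT` (or read it from a file) and pass your Pi-hole's address; the DNAT-only configuration from the PS above reports exactly one problem, the missing masquerade rule.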