Pi-hole configuration qubes os 4.1

Once you have verified the iptables rules placed in /rw/config/network-hooks.d/fw-update.sh and /rw/config/qubes-firewall-user-script show up in the firewall, then the only remaining step to have a working pi-hole vm is to bind the local interface by editing /etc/dnsmasq.conf. You can then restart the vm and check the Pi-hole Query Log in an upstream browser to verify that it’s showing requests from the upstream vms (e.g., sys-firewall). Just enter http://<sys-pihole IP>/admin in the browser.

If you chose 127.0.0.1 as your dns server, then you will have to complete the remaining steps to setup unbound before the dns queries will be resolved correctly. I’m using my vpn’s dns, so I didn’t follow the instructions any further.

Thank you @TheGardner! This is an excellent how-to and the block list recommendations are highly appreciated too!


I redid a whole new installation following it step by step; in the end it does not work. Pi-hole is present and installed at 10.137.0.51/admin, but it does not block the advertisements of my appvm.

The errors I got during the installation process are the ones I mentioned above in this post as well,

```
[lovely@dom0 ~]$ qvm-run --pass-io --no-gui --user root PiholeVM 'apt-get install -y unbound && \ systemctl enable unbound'
Reading package lists...
Building dependency tree...
Reading state information...
unbound is already the newest version (1.13.1-1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
/bin/bash: line 1:  systemctl: command not found
[lovely@dom0 ~]$ 
```

```
[lovely@dom0 ~]$ qvm-run --pass-io --no-gui --user root PiholeVM 'apt-get install -y unbound && \systemctl enable unbound'
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  libunbound8 unbound-anchor
Suggested packages:
  apparmor
The following NEW packages will be installed:
  libunbound8 unbound unbound-anchor
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 1537 kB of archives.
After this operation, 5942 kB of additional disk space will be used.
Get:1 https://deb.debian.org/debian bullseye/main amd64 libunbound8 amd64 1.13.1-1 [504 kB]
Get:2 https://deb.debian.org/debian bullseye/main amd64 unbound-anchor amd64 1.13.1-1 [169 kB]
Get:3 https://deb.debian.org/debian bullseye/main amd64 unbound amd64 1.13.1-1 [864 kB]
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
debconf: unable to initialize frontend: Dialog
debconf: (TERM is not set, so the dialog frontend is not usable.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (This frontend requires a controlling tty.)
debconf: falling back to frontend: Teletype
dpkg-preconfigure: unable to re-open stdin: 
Fetched 1537 kB in 1s (1709 kB/s)
Selecting previously unselected package libunbound8:amd64.
(Reading database ... 40889 files and directories currently installed.)
Preparing to unpack .../libunbound8_1.13.1-1_amd64.deb ...
Unpacking libunbound8:amd64 (1.13.1-1) ...
Selecting previously unselected package unbound-anchor.
Preparing to unpack .../unbound-anchor_1.13.1-1_amd64.deb ...
Unpacking unbound-anchor (1.13.1-1) ...
Selecting previously unselected package unbound.
Preparing to unpack .../unbound_1.13.1-1_amd64.deb ...
Unpacking unbound (1.13.1-1) ...
Setting up libunbound8:amd64 (1.13.1-1) ...
Setting up unbound-anchor (1.13.1-1) ...
Setting up unbound (1.13.1-1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/unbound.service → /lib/systemd/system/unbound.service.
Created symlink /etc/systemd/system/unbound.service.wants/unbound-resolvconf.service → /lib/systemd/system/unbound-resolvconf.service.
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xe" for details.
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xe" for details.
invoke-rc.d: initscript unbound, action "start" failed.
● unbound.service - Unbound DNS server
     Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
     Active: activating (auto-restart) (Result: exit-code) since Thu 2022-07-21 03:06:25 CEST; 4ms ago
       Docs: man:unbound(8)
    Process: 1871 ExecStartPre=/usr/lib/unbound/package-helper chroot_setup (code=exited, status=0/SUCCESS)
    Process: 1874 ExecStartPre=/usr/lib/unbound/package-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
    Process: 1877 ExecStart=/usr/sbin/unbound -d -p $DAEMON_OPTS (code=exited, status=1/FAILURE)
    Process: 1878 ExecStopPost=/usr/lib/unbound/package-helper chroot_teardown (code=exited, status=0/SUCCESS)
   Main PID: 1877 (code=exited, status=1/FAILURE)
        CPU: 17ms

Jul 21 03:06:25 PiholeVM systemd[1]: Failed to start Unbound DNS server.
Processing triggers for man-db (2.9.4-2) ...
Processing triggers for libc-bin (2.31-13+deb11u3) ...
Synchronizing state of unbound.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable unbound
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
[lovely@dom0 ~]$ 
```

Hello epile, how do I bind the local interface by editing /etc/dnsmasq.conf? What should I put in the /etc/dnsmasq.conf file?

help

It’s the same step in either set of instructions:

Restarting after this step, you should be able to observe pi-hole logging dns queries.

At this point there are a few things to check to verify pi-hole is set up as intended:

  • systemctl status systemd-resolved : should be disabled
  • the query log in pihole : should not be empty
  • iptables -L -v : should reflect the rules appended by /rw/config/network-hooks.d/fw-update.sh and /rw/config/qubes-firewall-user-script
  • netstat -antpu : should show pihole listening on port 53

If you’re in a minimal template then you may need to install the net-tools package to perform the last check. You can also try different flags when checking iptables or netstat.
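As an added example (not from the thread), a small POSIX sh script that automates three of the four checks above; the query log check stays manual in the web UI. It assumes it runs as root inside the pi-hole qube and that the NAT chain PR-QBS and interface vif+ match the DNAT rule quoted later in this thread; the sample outputs are constructed so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes root inside the pi-hole
# qube; chain PR-QBS and interface vif+ match the thread's fw-update.sh rule.

# 1. systemd-resolved must not be active, or it owns port 53 first.
#    Argument: output of `systemctl is-active systemd-resolved`.
resolved_is_off() { [ "$1" != "active" ]; }

# 2. pihole-FTL must be the process bound to :53.
#    Argument: output of `netstat -antpu`.
ftl_listening_on_53() {
  printf '%s\n' "$1" | grep -E ':53[[:space:]]' | grep -q 'pihole-FTL'
}

# 3. The Qubes DNAT rule must send downstream (vif+) DNS to 127.0.0.1.
#    Argument: output of `iptables -t nat -L PR-QBS -v -n`.
dns_dnat_present() {
  printf '%s\n' "$1" | grep 'DNAT' | grep -F 'vif+' \
    | grep -F 'dpt:53' | grep -qF 'to:127.0.0.1'
}

# Constructed sample output (not captured from a real qube) for offline use.
SAMPLE_NETSTAT='udp        0      0 0.0.0.0:53              0.0.0.0:*                           612/pihole-FTL
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      612/pihole-FTL'
SAMPLE_NAT='   42  2688 DNAT       udp  --  vif+   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:127.0.0.1'

offline_self_test() {
  resolved_is_off "inactive" && ftl_listening_on_53 "$SAMPLE_NETSTAT" \
    && dns_dnat_present "$SAMPLE_NAT"
}

# Live run inside the qube: PIHOLE_CHECK_LIVE=1 sh pihole-check.sh
run_live_checks() {
  rc=0
  resolved_is_off "$(systemctl is-active systemd-resolved 2>/dev/null)" \
    && echo "ok   systemd-resolved not active" \
    || { echo "FAIL systemd-resolved still active"; rc=1; }
  ftl_listening_on_53 "$(netstat -antpu 2>/dev/null)" \
    && echo "ok   pihole-FTL bound to :53" \
    || { echo "FAIL pihole-FTL not bound to :53"; rc=1; }
  dns_dnat_present "$(iptables -t nat -L PR-QBS -v -n 2>/dev/null)" \
    && echo "ok   PR-QBS DNAT to 127.0.0.1 present" \
    || { echo "FAIL PR-QBS DNAT rule missing"; rc=1; }
  return "$rc"
}

if [ "${PIHOLE_CHECK_LIVE:-0}" = 1 ]; then run_live_checks; fi
```

A non-zero exit from the live run tells you which of the three conditions the thread lists is not met before you look at the query log.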

when I check in the terminal of my pihole,

```
systemctl status
```

it gives me status: running, when I type,

```
systemctl stop systemd-resolved
systemctl disable systemd-resolved
```

then I check, it still remains status: running, it does not change even after restarting,

the query log in pihole : should not be empty

where can i see the log in pihole request? or how to see it?

iptables -L -v : should reflect the rules appended by /rw/config/network-hooks.d/fw-update.sh and /rw/config/qubes-firewall-user-script

I find the rules fine

```
# Add a rule that redirects all the DNS traffic to localhost:53
iptables -t nat -I PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to-destination 127.0.0.1
```

I successfully executed the following commands as root:

```
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
```

you should see a menu item for Query Log after you log into the admin page in the browser. I imagine there is also a log file, but I am unaware of its location.

thank you

for me it doesn’t want to stop, it’s weird yet I run the same commands as root

I thank you very much without you I would not have had this adventure coll, it’s been almost 3 days that I think I gave just to have pi-hole but I can’t do it with these errors that I had, in no more being a beginner in linux qubes os, I didn’t succeed, I’m going to see and look for a secure vpn, as well as a new firewall and I’m coming back to redo everything with pihole, again thank you very much

TheGardner :kissing_heart::kissing_heart: ephile

If this didn’t work, you could always try opening a terminal as root

```
qvm-run -u root <pi-hole vm> xterm
```

and then entering the systemctl commands to disable the resolver. If you’re unable to disable it, then pihole will not even see the request. But if that’s the case, then I’d suggest trying to set up something more simple than pihole just to figure out why you’re not able to execute basic commands as root. If you’re unsuccessful, consider starting another thread to diagnose this problem specifically.

It’s not as powerful as pihole, but Mullvad offers some dns filtering, even if you do not use their vpn:

Hello, I finally managed to install and configure the newly installed pihole. Thanks to you it works with my current configuration; I don’t know how to really thank you, and I’m sorry again for taking your time.


```
sys-net > Net qube (none) (current)
pi-hole >, Net qube : sys-net (current)
sys-firewall > Net qube : pi-hole (current)
ChocolatVM > Net qube : sys-firewall (current)
```

After pihole was set up and working,
I created my sys-vpn, which also works with this configuration, but without sys-vpn.

In what order should they be configured?
The goal I am looking for is to have my ChocolatVM filtered by pi-hole and also go through the vpn. Do you have a solution?
Of course I tried several combinations, but it doesn’t work either way: only the vpn works or only pi-hole works. And thank you.

Here is the list of machines I have

sys-net
sys-firewall
sys-vpn
PiholeVM

chocolatVM
bananavm

First of all, congrats on the working pihole qube. I’m happy to help since I had pi-hole on the backburner for awhile and TheGardner’s post prompted me to give it another try.

getting pihole to work with my sys-vpns is still a work-in-progress, so I don’t have any specific advice to give that I know will work. However, I can suggest something to try… I’d first try cloning the pi-hole vm and inserting the clone between sys-vpn and ChocolateVM. In the cloned pi-hole vm be sure to set the dns IPs to dns servers that are used by your vpn.

Since I already had a standalone sys-vpn, I tried installing pi-hole directly in this vpn. It’s going to require some effort on my part to get it to work properly though. I’m guessing that the above arrangement will be easier to set-up, but take my intuition with a grain of salt…

thank you, just to confirm that I understood correctly,
so I will clone my piholeVM,
I will have
piholeVM
piholeVM-clone
chocolateVM
sys-firewall
sys-vpn
sys-net

and the configuration that I will apply is this one:

```
sysnet > n/a
firewall > sys-net
vpn > firewall
piholeVM-clone > vpn
chocolateVM > pihole
```

and for piholeVM?

is it good like that?

so I didn’t understand this: "In the cloned pi-hole vm, make sure you set the dns ip addresses to the dns servers used by your vpn."

```
sysnet > n/a
piholeVM > sys-net
firewall > piholeVM
vpn > firewall
piholeVM-clone > vpn
chocolateVM > piholeVM-clone
```

I’d try this setup, at least as an experiment. Any traffic exiting the vpn qube will be tunneled and bypass the original piholeVM, which will be filtering non-vpn’d dns queries.

It will depend on your vpn provider. For example, proton and mullvad each provide proxied dns servers with IP addresses of the form 10.x.x.x, as well as publicly accessible servers with non-local IPs.