Pi-hole configuration Qubes OS 4.1

Let’s think:
traffic from App-vm is encrypted and directed to the VPN server.
When it gets to sys-pihole (and sys-firewall) it is already encrypted
and packaged for the VPN. So those servers can do nothing with it.
This may be what you want.

If you do want to use sys-pihole you need to place it before
sys-vpn, so that the ad and tracker limits take place before traffic is
sent down the VPN.
App-vm > sys-pihole > sys-vpn > sys-firewall > sys-net

The problem with this is that the firewall only sees traffic on its way
to the VPN.
If you want to use the Qubes firewall you need to place it before the
VPN. You can't put it after pihole because then it will see only traffic
from that IP, so can't enforce traffic on the App-vm.
App-vm > sys-firewall > sys-pihole > sys-vpn > sys-net

4 Likes
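The ordering argument in the post above can be checked with a small model. This is an added example, not part of the original thread and not Qubes code; it assumes every forwarding qube NATs traffic to its own address and that sys-vpn encrypts everything it forwards, and the first chain is constructed to match the "already encrypted" case.

```python
# Added illustration: a toy model of a Qubes netvm chain (not Qubes code).
# Assumptions: each forwarding qube NATs traffic to its own address, and
# sys-vpn wraps everything it forwards in an encrypted tunnel.
VPN = "sys-vpn"

def observe(chain):
    """Map each forwarding qube to (source address it sees, payload readable?).

    chain is ordered from the client qube to the uplink.
    """
    source, plaintext, seen = chain[0], True, {}
    for hop in chain[1:]:
        seen[hop] = (source, plaintext)  # what arrives at this hop
        if hop == VPN:
            plaintext = False            # tunnelled from here on
        source = hop                     # NAT: the next hop sees this qube as sender
    return seen

def assess(chain):
    """Can sys-pihole filter DNS, and can sys-firewall apply per-App-vm rules?"""
    seen = observe(chain)
    pihole = seen.get("sys-pihole")
    fw = seen.get("sys-firewall")
    return {
        # Pi-hole needs readable DNS queries to block anything.
        "pihole_filters": bool(pihole and pihole[1]),
        # The firewall needs readable traffic that still carries the App-vm source.
        "firewall_per_vm": bool(fw and fw[1] and fw[0] == chain[0]),
    }

# Constructed chains; qube names are the ones used in the thread.
CHAINS = {
    "vpn first": ["App-vm", "sys-vpn", "sys-pihole", "sys-firewall", "sys-net"],
    "pihole before vpn": ["App-vm", "sys-pihole", "sys-vpn", "sys-firewall", "sys-net"],
    "firewall after pihole": ["App-vm", "sys-pihole", "sys-firewall", "sys-vpn", "sys-net"],
    "firewall first": ["App-vm", "sys-firewall", "sys-pihole", "sys-vpn", "sys-net"],
}

if __name__ == "__main__":
    for name, chain in CHAINS.items():
        print(f"{name:22} {' > '.join(chain)}")
        print(f"{'':22} {assess(chain)}")
```

Only the last ordering leaves both Pi-hole filtering and per-App-vm firewall rules effective in this model, which is the layout the post ends on.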

Thanks @unman , I remember reading it in the description, but failed to grasp it :no_mouth:
To be precise, I don’t necessarily want to use unbound, but rather set up pi-hole with a custom dns-server including dnssec. But I think that is more a pi-hole question than a qubes question.

I think you are right.
But if you have a custom server, you can easily apply it from the
Settings option in the Admin site, under DNS.
Just deselect all the built-in Upstream DNS servers, specify your own
server as one of the “Custom” upstream DNS servers, and select it.
That’s really all you have to do.