Friday, January 5, 2024

Mastering Home Network Security: A Step-by-Step Guide to Fortify Your DNS with Pi-Hole and Raspberry Pi Across Multiple VLANs

Recently I set out to secure DNS for our home network by encrypting DNS queries on their way to the upstream resolver. Unfortunately, UniFi does not support encrypted DNS (neither DoH nor DoT), so I decided to run Pi-hole on a Raspberry Pi at home instead.

However, the standard Pi-hole install on a Raspberry Pi needed extra work to fit our network. First, Pi-hole has no built-in support for encrypted upstream DNS, so that needs an additional component. Second, a stock Raspberry Pi OS install has no VLAN interfaces configured, so I had to set those up before the Pi could take part in our other networks.

Raspberry Pi and Pi-hole Setup

I began by installing Raspberry Pi OS Lite 64-bit, intending to run the Pi headless on the network. Once the operating system was installed and updated, I installed Pi-hole. This was straightforward thanks to Pi-hole's automated installation script (if piping a script straight from the internet into bash makes you uneasy, Pi-hole's documentation also describes downloading the installer first so you can read it before running it).

curl -sSL | bash

Setting up DNS over HTTPS for Pi-hole

To get encrypted upstream DNS, I followed the Pi-hole documentation for cloudflared, which runs cloudflared as a local DNS-over-HTTPS proxy (listening on 127.0.0.1, port 5053 in their guide) and makes it Pi-hole's only upstream. Once configured, Pi-hole forwards every query it cannot answer from cache to cloudflared, which sends it to the resolver over HTTPS. Note what this does and does not cover: the leg from Pi-hole to the resolver is encrypted, while queries from clients to Pi-hole still travel over the LAN as plain port 53 DNS.
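The two files that setup comes down to, as an added example rather than the post's own commands or the Pi-hole project's code: a shell script that renders /etc/default/cloudflared and a systemd unit in the layout Pi-hole's cloudflared guide uses, refuses any upstream that is not an https:// URL (a plain http:// or bare-IP upstream would quietly turn the proxy back into cleartext DNS), and offers a quick check against the stub. It assumes cloudflared is installed at /usr/local/bin/cloudflared, that a system user named cloudflared exists, and that the stub listens on port 5053; ROOT is only there so the files can be rendered somewhere other than the live system.

```shell
#!/bin/sh
# Added example, not the post's own code: render the two files Pi-hole's
# cloudflared guide uses (/etc/default/cloudflared and a systemd unit) so that
# cloudflared runs as a DNS-over-HTTPS stub on 127.0.0.1:5053, and refuse any
# upstream that is not an https:// URL. Assumptions: cloudflared is installed
# at /usr/local/bin/cloudflared and a system user named 'cloudflared' exists.
set -eu

ROOT="${ROOT:-}"                 # prefix for generated files; empty = the live system
STUB_PORT="${STUB_PORT:-5053}"   # Pi-hole's custom upstream then becomes 127.0.0.1#5053

# A bare IP or http:// upstream would silently downgrade to plaintext DNS,
# so only DoH endpoints are accepted.
valid_upstream() {
  case "$1" in
    https://*/*) return 0 ;;
    *)           return 1 ;;
  esac
}

# Write /etc/default/cloudflared; every argument is one upstream URL.
write_defaults() {
  local opts up
  opts="--port ${STUB_PORT}"
  for up in "$@"; do
    valid_upstream "$up" || { echo "refusing non-HTTPS upstream: $up" >&2; return 1; }
    opts="${opts} --upstream ${up}"
  done
  mkdir -p "${ROOT}/etc/default"
  printf 'CLOUDFLARED_OPTS=%s\n' "$opts" > "${ROOT}/etc/default/cloudflared"
}

# Write the systemd unit; the proxy runs as an unprivileged user and is
# prevented from gaining privileges.
write_unit() {
  mkdir -p "${ROOT}/etc/systemd/system"
  cat > "${ROOT}/etc/systemd/system/cloudflared.service" <<'EOF'
[Unit]
Description=cloudflared DNS over HTTPS proxy
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
NoNewPrivileges=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Ask the stub directly; an answer here means queries are leaving over HTTPS.
verify_doh() {
  dig @127.0.0.1 -p "${STUB_PORT}" +short "${1:-pi-hole.net}"
}

# Run as: sudo ./cloudflared-setup.sh install
if [ "${1:-}" = "install" ]; then
  write_defaults https://1.1.1.1/dns-query https://1.0.0.1/dns-query
  write_unit
  systemctl daemon-reload
  systemctl enable --now cloudflared
  verify_doh
fi
```

After the service is up, point Pi-hole at it in Settings, DNS, as the custom upstream 127.0.0.1#5053 and untick the public upstreams, otherwise some queries will still go out in the clear on port 53.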

Enabling Support for Multiple VLANs

Pi-hole answered queries from the native (untagged) network without trouble, but serving the other VLANs was harder: the Pi only had an address on the native network, so clients elsewhere could only reach it through the router, which would have meant firewall rules permitting inter-VLAN traffic into the native network. Rather than open that path, I gave the Raspberry Pi a presence on each VLAN I wanted Pi-hole to serve.

Following the instructions on this page for enabling VLAN support on the Raspberry Pi, I created one tagged (802.1Q) sub-interface on eth0 for each VLAN Pi-hole should answer on, each with its own address in that VLAN's subnet. This only works if the switch port the Pi is plugged into carries those VLANs as tagged traffic, and each VLAN's DHCP scope must hand out the Pi's address on that VLAN as the DNS server.
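What those sub-interfaces look like in practice, as an added example that is not the post's own configuration: a shell script that validates VLAN IDs, prints the ip(8) commands that bring a sub-interface up immediately, and writes systemd-networkd units so it survives a reboot. The parent NIC eth0, the two VLANs (20 and 30 with addresses in 192.168.20.0/24 and 192.168.30.0/24) and the use of systemd-networkd are all assumptions made for the example; on a Pi managed by NetworkManager or dhcpcd the same sub-interfaces would be declared in that tool instead.

```shell
#!/bin/sh
# Added example, not the post's own code: bring up one 802.1Q sub-interface per
# VLAN on the Pi and make it persistent. Assumptions: the parent NIC is eth0, the
# Pi's switch port carries these VLANs tagged, and the Pi uses systemd-networkd
# for network configuration. VLAN list format: one "<id> <cidr>" per line.
set -eu

PARENT="${PARENT:-eth0}"
ROOT="${ROOT:-}"                        # prefix for generated files; empty = live system
VLANS="${VLANS:-20 192.168.20.2/24
30 192.168.30.2/24}"                    # constructed sample: e.g. IoT and guest VLANs

# 802.1Q VLAN IDs are 1..4094; 0 means priority-tagged only and 4095 is reserved.
check_vlan_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Print the ip(8) commands that create and address the sub-interface right now.
vlan_up_cmds() {
  local id="$1" cidr="$2" dev
  check_vlan_id "$id" || { echo "bad VLAN id: $id" >&2; return 1; }
  dev="${PARENT}.${id}"
  printf 'ip link add link %s name %s type vlan id %s\n' "$PARENT" "$dev" "$id"
  printf 'ip addr add %s dev %s\n' "$cidr" "$dev"
  printf 'ip link set %s up\n' "$dev"
}

# Write systemd-networkd units so the sub-interface survives a reboot: a .netdev
# that defines the VLAN and a .network that addresses it. The parent interface's
# own .network must also list it under [Network] (e.g. VLAN=eth0.20).
write_networkd_units() {
  local id="$1" cidr="$2" dev dir
  check_vlan_id "$id" || return 1
  dev="${PARENT}.${id}"
  dir="${ROOT}/etc/systemd/network"
  mkdir -p "$dir"
  printf '[NetDev]\nName=%s\nKind=vlan\n\n[VLAN]\nId=%s\n' "$dev" "$id" > "${dir}/${dev}.netdev"
  printf '[Match]\nName=%s\n\n[Network]\nAddress=%s\n' "$dev" "$cidr" > "${dir}/${dev}.network"
}

# Walk $VLANS; by default only print the commands, with "apply" run them and
# persist the configuration (needs root).
configure_vlans() {
  local mode="${1:-dry-run}" id cidr
  printf '%s\n' "$VLANS" | while read -r id cidr; do
    [ -n "$id" ] || continue
    if [ "$mode" = apply ]; then
      vlan_up_cmds "$id" "$cidr" | sh -e
      write_networkd_units "$id" "$cidr"
    else
      vlan_up_cmds "$id" "$cidr"
    fi
  done
}

if [ "${1:-}" = apply ]; then configure_vlans apply; fi
```

Run it without arguments first to review the commands, then with apply from a console or an SSH session on the native network; once the sub-interfaces are up, a client on VLAN 20 should be able to resolve through 192.168.20.2 without any traffic crossing into the native network.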

Enabling Firewall Rules

To protect the Raspberry Pi itself, especially since some less trusted devices now live on the VLANs it serves, I added firewall rules with ufw:

First, accept everything arriving on localhost (this is also how Pi-hole reaches cloudflared) and on eth0, the untagged native network, which keeps SSH and the Pi-hole admin interface reachable from the native network only:

sudo ufw allow in on lo
sudo ufw allow in on eth0

Then accept DNS on every interface, including the VLAN sub-interfaces. ufw only understands service names that exist as application profiles or in /etc/services (where port 53 is listed as "domain"), so the explicit port form is the unambiguous one:

sudo ufw allow 53/udp
sudo ufw allow 53/tcp

Finally, ufw's default policy already denies all other inbound traffic, but nothing is filtered until the firewall is switched on:

sudo ufw enable
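A tighter version of the same policy, as an added example that is not the post's own rule set: instead of opening port 53 on every interface, it grants DNS only on the VLAN sub-interfaces Pi-hole actually serves and leaves the trusted native network as the sole path to SSH and the admin UI. The script prints the rules for review and only applies them when asked. The interface names eth0, eth0.20 and eth0.30 are constructed for the example, and it assumes Pi-hole is not also the DHCP server (add 67/udp per interface if it is).

```shell
#!/bin/sh
# Added example, not the post's own code: build a ufw rule set that trusts the
# untagged network on eth0 (SSH and the Pi-hole admin UI stay reachable from
# there only) and exposes nothing but DNS on the VLAN sub-interfaces Pi-hole
# serves. Assumptions: trusted interface eth0, serving interfaces eth0.20 and
# eth0.30 (constructed sample), Pi-hole not acting as DHCP server.
set -eu

TRUSTED_IF="${TRUSTED_IF:-eth0}"
DNS_IFS="${DNS_IFS:-eth0.20 eth0.30}"

# Print the rule set; nothing is applied here so it can be reviewed first.
ufw_rules() {
  local ifc
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  echo "ufw allow in on lo"                         # Pi-hole -> cloudflared stub
  echo "ufw allow in on ${TRUSTED_IF}"              # whole native network is trusted
  for ifc in $DNS_IFS; do                           # VLANs get port 53 and nothing else
    echo "ufw allow in on ${ifc} to any port 53 proto udp"
    echo "ufw allow in on ${ifc} to any port 53 proto tcp"
  done
  echo "ufw --force enable"
}

# Count the rules that admit traffic on a given interface, to eyeball exposure:
# the trusted interface should show 1 (everything), each VLAN exactly 2 (DNS).
rules_for_if() {
  ufw_rules | grep -cE "in on $1( |$)"
}

# Apply the rule set. Do this from the console or an SSH session on the trusted
# interface: the rules take effect the moment 'ufw enable' runs.
apply_rules() {
  ufw_rules | while read -r line; do
    echo "+ $line"
    $line
  done
}

# Run as: sudo ./pihole-ufw.sh apply
if [ "${1:-}" = apply ]; then apply_rules; fi
```

Because the VLAN interfaces only admit port 53, a compromised device on an untrusted VLAN can query the resolver but cannot reach SSH, the admin web UI, or anything else the Pi happens to listen on.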

With these steps in place, our home network has a working encrypted DNS setup: the Raspberry Pi and Pi-hole serve every VLAN I wanted them on, and the firewall rules keep the Pi's other services out of reach of the less trusted ones.
