Hello!
I want to set up a pi-hole on my home and connect from my parent's.
Both setups have a dynamic IP assigned by my isp and are different networks.
I have a couple of questions:
I can get a domain that updates automatically. But how would I resolve it on the client side?
Is there any way to authenticate on the server? By Mac maybe? That can be spoofed right?
Edit: my bad, thanks for correcting me, Mac is another layer completely
You can't configure DNS server by name on anything, so you'd need some kind of script/automation to query current IP address of your pihole from google/your ddns provider/someone and update that on your parents router which can be a bit tricky or straight impossible depending on the hardware.
VPN would solve both 1 and 2 from your list as your pihole would be available with static address on both locations. You can't authenticate on DNS server by MAC as you don't receive originating MAC at all. Other solution would be to get a static IP address from some provider and tunnel traffic so that your pihole could be reached trough that static address.
I would get a domain name and use ddns to update your rotating IP. Then I would setup wireguard VPN in split tunnel and have your parents network tunnel back to your piholes for dns resolution.
I use cloudflare API for ddns updates but there are plenty of choices for that. If you're using cloudflare for DNS just keep in mind you can't proxy the DNS entry for the ip for your VPN host as CF only forwards traffic over certain ports and they are not configurable (on free plan anyway not sure about paid).
Set up both locations with Dynamic DNS providers. DuckDNS is free, but if you’re building infrastructure you may as well buy your own domain and set it up through that (Namecheap is what I use and recommend).
Set up a Wireguard tunnel between both locations. Do *not* specify an endpoint for either. You could specify endpoints to boost security (barely), but it will cause your system to fail during IP changes, for the duration of the TTL.
@papelitofeliz
3. Set up your PiHole on a static private IP.
Ensure both sites can route across the tunnel. Based on your experience level and scope, dynamic routing is not recommended or necessary, which means static routes. Point a route for each side’s subnet to the Wireguard tunnel IPs so your firewalls know how to reach and respond to each other across the tunnel.
Configure your devices to use PiHole for their DNS, via DHCP ideally.
I didn't look anything up yet. But can the wireguard tunnel be setup on the router level (I have a cheap Mikrotik) or as a network service? So clients don't have to install custom stuff
If both routers support it: S2S VPN. Also has the advantage of being able to access the stuff from each others side.
Disadvantage: Viruses can traverse the tunnel.
DynDNS. That will give you a hostname, but check if your ISP offers a static IP tbh. Client side shouldn't matter overmuch if you're returning requests it's made
I'll second this recommendation and add a bit more. I'd recommend using DuckDNS's dynamic DNS service. It's free (donate if you can!) and fairly simple to set up. I run it on my router since it supports it but it's easy to run in a docker container too.
But there's some beauty in DoH/DoT/Quic ports opened
You should check adguard-home for the dns stuff
For your questions:
I don't quite get what you mean. But if you say "my domain's dns updates regularly, how would one of the clients of the dns get the new IP", then I would say upstream dns, and maybe pi-hole/adguard have something up their sleeve
In adguard you can have client ids, it can be different things I forgot, but mainly it can be the domain you're using as dns, so john.dns.mysite.com, and you can give 0.0.0.0 response to every client that is not a client. Maybe there are more clever ways to do this
Yes, but for 1 is not so straightforward, you have many options, you either need to update your dns in some way anyway to connect to VPN, or rent a cloud to host(or port forward) the entry point there (or the theoretical option, some selfhosted vpns allow you to do everything without any ports opened)
Adguard-home, using a public dns, route through tor, cloudflare's tunnels, host on a cloud, forward ports to a cloud, and many more
And for dynamic IP, I personally use cloudflare(although I don't trust them) (he-he, I didn't expect previous point to be so long, I wrote this at the beginning)