Jump to content

Install pi-hole on RHEL 8


Recommended Posts


1. Install epel repo and remi repo

# dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm -y
# dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm -y

2. Check php module list and Install PHP7.4

# dnf module list php
# dnf module enable php:remi-7.4 -y


3. Install PHP and the Extensions

# dnf install php php-cli php-common php-json php-xml php-mbstring php-mysqli php-zip php-intl

Disable SElinux

1. in order to install PI-Hole you need to disable SElinux


2. reboot the server.

Disable Firewall (optional)

1. Disable the Firewall or configure firewall for Pi-hole.

sudo systemctl stop firewalld
sudo systemctl disable firewalld


1 . Download Install Pi-hole

# git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole
# cd "Pi-hole/automated install/"
# sed -i "s/lighttpd\slighttpd-fastcgi//" basic-install.sh
# chmod +x basic-install.sh
# ./basic-install.sh


Setting up Pi-hole as a recursive DNS server solution

sudo dnf install unbound

1. backup file /etc/unbound/unbound.conf

mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.bak

3. Create a new unbound.conf file

nano /etc/unbound/unbound.conf

4. Add the following line and save.

include: "/etc/unbound/unbound.conf.d/*.conf"

5. Create /etc/unbound/unbound.conf.d/pi-hole.conf:

    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # IP fragmentation is unreliable on the Internet today, and can cause
    # transmission failures when large DNS messages are sent via UDP. Even
    # when fragmentation does work, it may not be secure; it is theoretically
    # possible to spoof parts of a fragmented DNS message, without easy
    # detection at the receiving end. Recently, there was an excellent study
    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
    # in collaboration with NLnet Labs explored DNS using real world data from the
    # the RIPE Atlas probes and the researchers suggested different values for
    # IPv4 and IPv6 and in different scenarios. They advise that servers should
    # be configured to limit DNS messages sent over UDP to a size that will not
    # trigger fragmentation on typical network links. DNS servers can switch
    # from UDP to TCP when a DNS response is too big to fit in this limited
    # buffer size. This value has also been suggested in DNS Flag Day 2020.
    edns-buffer-size: 1232

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: fd00::/8
    private-address: fe80::/10

Start your local recursive server and test that it's operational:

sudo service unbound restart
dig pi-hole.net @ -p 5335

The first query may be quite slow, but subsequent queries, also to other domains under the same TLD, should be fairly quick.

You should also consider adding


to a config file like /etc/dnsmasq.d/99-edns.conf to signal FTL to adhere to this limit.

Test validation

You can test DNSSEC validation using

dig sigfail.verteiltesysteme.net @ -p 5335
dig sigok.verteiltesysteme.net @ -p 5335

The first command should give a status report of SERVFAIL and no IP address. The second should give NOERROR plus an IP address.

Configure Pi-hole

Finally, configure Pi-hole to use your recursive DNS server by specifying as the Custom DNS (IPv4):


(don't forget to hit Return or click on Save)

Disable resolvconf for unbound (optional)

The unbound package can come with a systemd service called unbound-resolvconf.service and default enabled. It instructs resolvconf to write unbound's own DNS service at nameserver , but without the 5335 port, into the file /etc/resolv.conf. That /etc/resolv.conf file is used by local services/processes to determine DNS servers configured. If you configured /etc/dhcpcd.conf with a static domain_name_servers= line, these DNS server(s) will be ignored/overruled by this service.

To check if this service is enabled for your distribution, run below one and take note of the Active line. It will show either active or inactive or it might not even be installed resulting in a could not be found message:

sudo systemctl status unbound-resolvconf.service

To disable the service if so desire, run below two:

sudo systemctl disable unbound-resolvconf.service
sudo systemctl stop unbound-resolvconf.service

To have the domain_name_servers= in the file /etc/dhcpcd.conf activated/propagate, run below one:

sudo systemctl restart dhcpcd

And check with below one if IP(s) on the nameserver line(s) reflects the ones in the /etc/dhcpcd.conf file:

cat /etc/resolv.conf

Add logging to unbound


It's not recommended to increase verbosity for daily use, as unbound logs a lot. But it might be helpful for debugging purposes.

There are five levels of verbosity

Level 0 means no verbosity, only errors
Level 1 gives operational information
Level 2 gives  detailed operational  information
Level 3 gives query level information
Level 4 gives  algorithm  level  information
Level 5 logs client identification for cache misses

First, specify the log file and the verbosity level in the server part of /etc/unbound/unbound.conf.d/pi-hole.conf:

    # If no logfile is specified, syslog is used
    logfile: "/var/log/unbound/unbound.log"
    verbosity: 1

Second, create log dir and file, set permissions:

sudo mkdir -p /var/log/unbound
sudo touch /var/log/unbound/unbound.log
sudo chown unbound /var/log/unbound/unbound.log

Third, restart unbound:

sudo service unbound restart
Link to comment
Share on other sites


  • Create New...