Pi-hole as additional ad-firewall and (unbound) DNS within Qubes

I already have a pi-hole running on a SBC. Now, I was wondering if it makes sense and how to setup a pi-hole directly inside Qubes.

My main two questions are

A) what order makes most sense:

  1. firewall > sys-net > pi-hole
  2. firewall > pi-hole > sys-net
  3. pi-hole > firewall > sys-net

and B) what would be the best VM OS and type ?

sources:




1 Like

OK, I run pihole for a few VM from this doc with is based on Patrizio work. As I prefer NextDNS but this setup work with every DNS that you can think of.

I use debian-minimal with Networking essentials but setup work with every template.

My setup is kind of
pi-hole>firewall>sys-net

Im not sure why it would make sense. I run a unbound and pihole on a freenas vm and then my router just hands out them with the dhcp-requests to sys-net.

So, you have a AppVM > firewall > pi-hole (freenas vm) > sys-net Qubes setup, correct?

I don’t know either :slight_smile:
It was just an idea since we already have a Qubes firewall onboard … so why not having your own DNS (unbound) … malware, regex blocklists … within Qubes (before transmitting anything to your router).

The RPi pi-hole with its web interface is already doing an awesome job. My main question, is there any advantage / disadvantage to have it running as Qube vs. on a SBC (wrt privacy and security)?