Howdy Everyone!
As I am setting up my infrastructure at home using docker I wanted to ask, is it better to have DNS, something like pi-hole, on my main docker swarm or would it be better to have it on a dedicated machine/docker host separate from the rest of my infrastructure?
Thanks for the input!
I would suggest 2 pi-hole + unbound stacks on different hardware, preferably on different switches. That way you can restart/fiddle with things without your family going crazy about “internet not working”.
I remember Watchtower helpfully stopping Pihole before pulling the new image when I only had the one instance running… All while I was out at work with the fiancée on her day off. So many teaching moments in so little time.
💭➕🙏
I have 3 separate machines:
-
That fat home server with NAS and VM’s etc.
-
A Pi serving my smart home.
-
A plastic router with OpenWrt doing DNS and (I like to believe) some security, and giving WiFi to many small devices.
They all run 24/7 but I just don’t want everything to be dead and dark when one machine is down for whatever reason.
-
While we’re at the topic, which DNS do you guys usually use as upstream? On my router I think I set quad9 and cloudflare over TLS but sometimes I notice on new websites I need to refresh a couple of times until it works, might be DNS. Was too lazy to look into it since gaming and apps work without issues.
https://docs.pi-hole.net/guides/dns/cloudflared/
I use this to translate DNS to DoH, and use cloudflare, and quad9 upstream.
environment: - TUNNEL_DNS_UPSTREAM=https://1.1.1.1/dns-query,https://1.0.0.1/dns-query,https://9.9.9.9/dns-query,https://149.112.112.9/dns-query
Haven’t really noticed any DNS based lag.
I run my Pi-Hole on a dedicated Raspberry Pi. I have another Pi that runs my SSH tarpit. These are the only 2 things I keep on separate devices, the rest is containerized on my main server.
I have a quite rich selfhosted stack, and DNS is indeed part of it.
For such a critical piece of infrastructure I didn’t needed a container, just installed Unbound and did some setup for ad blocking and internal DNS rules.
Here my setup: https://wiki.gardiol.org/doku.php?id=router:dhcp-dns
You could go with an independent pihole maybe, but that would double the chances of a hardware failure…
Using one device for everything might seem risky, but actually has less chances of failure ;)
Either is fine: the question is what happens when something breaks and if you care about issues and such.
If your docker host depends on the pihole it’s running, there can be some weirditry if it’s not available during boot and whatnot (or if it crashes, etc.).
…I ended up with a docker container of pihole and an actual pi as the secondary so that it’s nice and redundant.
Depending on the network’s setup, having Pihole fail or unavailable could leave the network completely broken until Pihole becomes available again. Configuring the network to have at least one backup DNS server is therefore extremely important.
I also recommend having redundant and/or highly available Pihole instances running on different hardware if possible. It may also be a good idea to have an additional external DNS server (eg: 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) configured as a last resort backup in the event that all the Pihole instances are unavailable (or misconfigured).
have an additional external DNS server
While I agree with you that additional DNS server is without a question a good thing, on this you need to understand that if you set up two nameservers on your laptop (or whatever) they don’t have any preference. So, if you have a pihole as one nameserver and google on another you will occasionally see ads on things and your pihole gets overrided every now and then.
There’s multiple ways of solving this, but people often seem to have a misinformed idea that the first item on your dns server list would be preferred and that is very much not the case.
Personally I’m running a pihole for my network on a VM and if that’s down for a longer time then I’ll just switch DNS servers from DHCP and reboot my access points (as family hardware is 99% on wifi) and the rest of the family has working internet while I’m working to bring rest of the infrastructure back on line, but that’s just my scenario, yours will most likely be more or less different.
people often seem to have a misinformed idea that the first item on your dns server list would be preferred and that is very much not the case
I did not know that. TIL that I am people!
Do you know if it’s always this way? For example, you mentioned this is how it works for DNS on a laptop, but would it behave differently if DNS is configured at the network firewall/router? I tried searching for more info confirming this, but did not find information indicating how accurate this is.
As far as I know it is the default way of handling multiple DNS servers. I’d guess that at least some of the firmware running around treats them as primary/secondary, but based on my (limited) understanding at least majority of linux/bsd based software uses one or the other more or less randomly without any preference. So, it’s not always like that, but I’d say it’s less comon to treat dns entries with any kind of preference instead of picking one out randomly.
But as there’s a ton of various hardware/firmware around this of course isn’t conclusive, for your spesific case you need to dig out pretty deep to get the actual answer in your situation.
For Windows it absolutely is in order of listing however. Typical behaviour is no reply after a second against the primary DNS results in it moving down the list.
Redundancy aside, this is more important when you span multiple datacenters and always want lookups going to the completely local or most local DC available.
TIL about the Linux/BSD not having preference though. Good to know.
My preferred way of solving this is to run a PowerDNS cluster with DNSDist and keepalived. You get all the redundancy via a single (V)IP.
Technitium is probably more user friendly for greenhorns, though… and offers DHCP too. Beats pihole by a mile.
Weirditry. Holy shit my brain melted.
This approach sounds good.
I think the correct approach is both, if you have the option.
Most devices accept two name servers. Redundancy is always good, especially for DNS.
Why not both?
My primary DNS is pihole on a rpi dedicated to the task; but I run a second instance of pihole via my main docker stack for redundancy. Should one or the other be unavailable, there’s a second one to pick up the slack.
I just provide both DNS IPs to LAN clients via DHCP.
Gravity Sync is a great tool to keep both piholes settings/records/lists in sync.
Gravity sync looks cool but it looks like it was depreciated, any alternatives for it?
Oh damn, I hadn’t noticed. My setup is still functioning just fine.
There is an alternative though: Orbital-Sync
I haven’t actually used it, so I can’t say much about it; but I’ll probably look into replacing gravity-sync with that.
AdGuard Home is a better choice than PiHole since it uses DNS-over-HTTPS by default. There’s also an app called AdGuardHome-Sync to sync settings between multiple instances.
I’d recommend running two DNS servers, and at least one of those separately from the rest of your infrastructure like on a Pi. That way, if you need to pull one of them offline, the internet still works.
You can accomplish the same with dnscrypt-proxy and Orbital Sync for Pi-Hole. You can also run a recursive DNS server using Unbound.
But why deal with separate software like dnscrypt-proxy when AdGuard Home has it built-in?
Why should I use a piece of software that’s controlled by a corporate entity in Russia?
Not sure what you mean by “controlled” given it’s open-source?
Open source projects still need a maintainer/owner. For example, Facebook “controls” react, Microsoft “controls” Visual Studio Code, and AdguardTeam “controls” AdGuardHome. There are several reasons to not trust a maintainer (eg, license changes, prioritizing or implementing undesired functionality and anti-features, converting to “open core”, abandoning the project, selling out to less trust worthy entities, etc.).
Per Adguard’s website, the legal entity behind the various AdGuard products is
ADGUARD SOFTWARE LIMITED
. A quick search on that company shows that there are 3 founders and they seem to have some ties to Russia. There is more information online about this, but whether this means they can be trusted or not is up to each potential user of one of the AdGuard products.
I would say Pihole is a better choice than AdGuard home because PiHole just runs on top of dnsmasq. Throw Unbound on there too as your upstream recursive resolver and you’re set. You don’t even need to worry about an encrypted session to your upstream anymore because your upstream is now your loopback.
Throw Unbound on there too as your upstream recursive resolver
If you want to run your own recursive DNS server, why would you run two separate DNS servers?
You don’t even need to worry about an encrypted session to your upstream anymore because your upstream is now your loopback.
Your outbound queries will still be unencrypted, so your ISP can still log them and create an advertising profile based on them. One of the main points of DoH and DoT is to avoid that, so you’ll want them to be encrypted at least until they leave your ISP’s network.
If you want to run your own recursive DNS server, why would you run two separate DNS servers?
I’m not sure I understand your question. A recursive DNS server and a local DNS cache/forwarder/are two different things with two different purposes. You will always need both. You yourself are using AdguardHome and that is just connecting to recursive DNS server upstream. In my scenario you’re just running both yourself instead of you running one and then letting a 3rd party run the other for you.
Your outbound queries will still be unencrypted, so your ISP can still log them and create an advertising profile based on them.
You can encrypt the recursive queries through your ISP if you want to. Though the effectiveness of any profiling your ISP would do to you are minimized by Qname minimization that Unbound does by default.
If you’re just using DoH then you’re just shifting who’s making that advertising profile on you from your ISP to whoever is hosting your upstream recursive DNS server. It doesn’t matter how much encryption you do because on the other end of that encrypted connection is the entity who you’re giving all your queries to.
No you don’t need two: in fact I have only unbound setup to do everything with one piece of software.
Better or worse? No idea, but it works and its one less piece that might fail.
I mean if you want to build something around Unbound to do ad blocking and set up a monitoring stack for metrics and all that jazz that’s great, more power to you. But you already have two things built for purpose, there’s no reason to go out of your way to do that. And I don’t think OP here is prepared to do all that.
All that? Well, I understand your point, but honestly I have more fun learning something new, and was really little work.
Anyway… Its an option too
Getting all the functionality of Pihole into Unbound would be a good deal more than “a little work” lol. And for no real practical reason when all you’re trying to do is set up secure DNS with some ad blocking on your network. And this is coming from a professional who wouldn’t have to “learn” anything to do it. If it was really that little work, Pihole + Unbound wouldn’t be the go-to solutions for so many people.
A recursive DNS server and a local DNS cache/forwarder/are two different things with two different purposes. You will always need both.
Why do you need two separate ones though? Recursive DNS servers also cache responses. Usually the only reason you’d run a local forwarder/cache is if you’re not running a local recursive server.
For the same reason you’re running AdGuard and not just pointing all your devices at the recursive upstream.
You’re using AdGuard / Pihole as an ad sinkhole, not just to cache and forward DNS requests. Like if you really wanted to you could hack together something in Unbound to do that, but why would you do that when Pihole already exists? You have two things built for purpose.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters DHCP Dynamic Host Configuration Protocol, automates assignment of IPs when connecting to a network DNS Domain Name Service/System HTTP Hypertext Transfer Protocol, the Web HTTPS HTTP over SSL IP Internet Protocol NAS Network-Attached Storage PiHole Network-wide ad-blocker (DNS sinkhole) SSH Secure Shell for remote terminal access SSL Secure Sockets Layer, for transparent encryption TLS Transport Layer Security, supersedes SSL
8 acronyms in this thread; the most compressed thread commented on today has 5 acronyms.
[Thread #970 for this sub, first seen 13th Sep 2024, 17:25] [FAQ] [Full list] [Contact] [Source code]