How do you host your DNS sinkhole/resolver?
-
Currently have nice long docker compose file that hosts my PiHole V6 container (along with a bunch of other containers) however, reason i ask this question is because whenever I go to pull an updated image and recreate the container I experience about 20 minutes of no DNS resolution which to my knowledge is due to the NTP clock being out of sync.
What’s the best way to host a DNS sinkhole/resolver that can mitigate this issue?
Was thinking of utilizing Proxmox & LXC but I suspect I’ll get the same experience.
Update: Turns out PiHole doesn’t support two instances, I got both of them on separate devices also set the 2nd DNS server in my routers WAN & LAN DNS settings which did in fact split DNS between both instances however, I lost access to my routers web-ui, my Traefik instance & reverse proxies died and I lost all internet access.So, don’t do what I did.Update 2: So everything I said in my first update let’s disregard that, turns out I had my router forcing all DNS to PiHole server 1 which caused my issues mentioned above.
Two servers appears to work!
I would do a single instance of Pihole. If you need HA there are ways to do that. If you need something more switch to a proper DNS service.
-
If you run a single DNS server, you will always have downtime when it's restarted.
The only way to mitigate that, is to run 2 DNS servers.
I setup my network to use pihole as the first DNS and the router as the second, most of the time pihole is used. Unless it's down
Why wouldn't you just use DNS on your router
-
2 pihole instances 1 pi5 1 pi4
Keepalived provides vrrp at a set address.Instances kept in sync via orbital
1 goes down the other takes over.
Quite elegantly.
Where do you do DHCP? I had a primary pihole with DHCP enabled and a secondary with a cron job that enabled DHCP if the primary was down or disabled it if the primary was working. The cron job did sync DHCP leases from one to the other but it was a bit janky. I tried to update the secondary to pihole v6 and hosed it so I have no backup for now. I'd like to re-image the secondary and get a better setup - when I have time.
Edit to say I really wanted to try keepalived - that's really cool to fail over without clients noticing.
-
Yeah, you can't. There is no guarantee that clients will use dns servers in any particular order.
Not that it particularly matters for just queries. The problem is that DHCP can only be enabled on one host. If that one fails then devices can't get on to the network themselves. I'd like to know a good way to have a failover DHCP server - my janky cronjob isn't great.
-
Currently have nice long docker compose file that hosts my PiHole V6 container (along with a bunch of other containers) however, reason i ask this question is because whenever I go to pull an updated image and recreate the container I experience about 20 minutes of no DNS resolution which to my knowledge is due to the NTP clock being out of sync.
What’s the best way to host a DNS sinkhole/resolver that can mitigate this issue?
Was thinking of utilizing Proxmox & LXC but I suspect I’ll get the same experience.
Update: Turns out PiHole doesn’t support two instances, I got both of them on separate devices also set the 2nd DNS server in my routers WAN & LAN DNS settings which did in fact split DNS between both instances however, I lost access to my routers web-ui, my Traefik instance & reverse proxies died and I lost all internet access.So, don’t do what I did.Update 2: So everything I said in my first update let’s disregard that, turns out I had my router forcing all DNS to PiHole server 1 which caused my issues mentioned above.
Two servers appears to work!
I run 2 separate adguard home containers on separate hosts and set DNS for both IPs. If I take one down, requests just get sent to the other.
-
Currently have nice long docker compose file that hosts my PiHole V6 container (along with a bunch of other containers) however, reason i ask this question is because whenever I go to pull an updated image and recreate the container I experience about 20 minutes of no DNS resolution which to my knowledge is due to the NTP clock being out of sync.
What’s the best way to host a DNS sinkhole/resolver that can mitigate this issue?
Was thinking of utilizing Proxmox & LXC but I suspect I’ll get the same experience.
Update: Turns out PiHole doesn’t support two instances, I got both of them on separate devices also set the 2nd DNS server in my routers WAN & LAN DNS settings which did in fact split DNS between both instances however, I lost access to my routers web-ui, my Traefik instance & reverse proxies died and I lost all internet access.So, don’t do what I did.Update 2: So everything I said in my first update let’s disregard that, turns out I had my router forcing all DNS to PiHole server 1 which caused my issues mentioned above.
Two servers appears to work!
I run Pihole+Unbound, Debian baremetal on a tinypc. RPi was too unreliable. I was too often dealing with issues.
My router is the failback, as it has blocking too.
-
Not that it particularly matters for just queries. The problem is that DHCP can only be enabled on one host. If that one fails then devices can't get on to the network themselves. I'd like to know a good way to have a failover DHCP server - my janky cronjob isn't great.
You can just run two DHCP servers. Give them non-overlapping ranges or give them the same MAC to IP mapping.
-
Why wouldn't you just use DNS on your router
Router may not have a function you want.
-
You can just run two DHCP servers. Give them non-overlapping ranges or give them the same MAC to IP mapping.
How do the DNS servers resolve local hostnames then? The pihole DHCP integration adds local hostnames to DNS when they are assigned an address. If there's two DHCP servers handing out leases, presumable only one would be accepted, how then would the DNS servers sync those names?
I think I had my secondary pihole resolve local names from the primary, and leases were copied over on a cronjob in case the secondary DHCP server had to be enabled.
-
Currently have nice long docker compose file that hosts my PiHole V6 container (along with a bunch of other containers) however, reason i ask this question is because whenever I go to pull an updated image and recreate the container I experience about 20 minutes of no DNS resolution which to my knowledge is due to the NTP clock being out of sync.
What’s the best way to host a DNS sinkhole/resolver that can mitigate this issue?
Was thinking of utilizing Proxmox & LXC but I suspect I’ll get the same experience.
Update: Turns out PiHole doesn’t support two instances, I got both of them on separate devices also set the 2nd DNS server in my routers WAN & LAN DNS settings which did in fact split DNS between both instances however, I lost access to my routers web-ui, my Traefik instance & reverse proxies died and I lost all internet access.So, don’t do what I did.Update 2: So everything I said in my first update let’s disregard that, turns out I had my router forcing all DNS to PiHole server 1 which caused my issues mentioned above.
Two servers appears to work!
I'm looking into Technitium, which doesn't get a ton of attention here. It looks to be much more feature packed than PiHole (DNS over HTTPS, for example), and similar to AdGuard Home.
-
How do the DNS servers resolve local hostnames then? The pihole DHCP integration adds local hostnames to DNS when they are assigned an address. If there's two DHCP servers handing out leases, presumable only one would be accepted, how then would the DNS servers sync those names?
I think I had my secondary pihole resolve local names from the primary, and leases were copied over on a cronjob in case the secondary DHCP server had to be enabled.
Use the second option of a static MAC to IP map and add the relevant records to each pihole’s local DNS.
-
Where do you do DHCP? I had a primary pihole with DHCP enabled and a secondary with a cron job that enabled DHCP if the primary was down or disabled it if the primary was working. The cron job did sync DHCP leases from one to the other but it was a bit janky. I tried to update the secondary to pihole v6 and hosed it so I have no backup for now. I'd like to re-image the secondary and get a better setup - when I have time.
Edit to say I really wanted to try keepalived - that's really cool to fail over without clients noticing.
On the router.
My router is locked down so i assign the vrrp address to wach client (pain in the ass) but it works.
Pivpn takes care or wireguard too.
-
I'm looking into Technitium, which doesn't get a ton of attention here. It looks to be much more feature packed than PiHole (DNS over HTTPS, for example), and similar to AdGuard Home.
Man, I was excited about Technitium, but I've had a hell of a time trying to get it to work. I'm not sure if it's intended to be on a DMZ in order to get TLS working or something, but I've not been able to get it to acknowledge a single DNS request, even when I think I've shut down DNSSec entirely.
-
Currently have nice long docker compose file that hosts my PiHole V6 container (along with a bunch of other containers) however, reason i ask this question is because whenever I go to pull an updated image and recreate the container I experience about 20 minutes of no DNS resolution which to my knowledge is due to the NTP clock being out of sync.
What’s the best way to host a DNS sinkhole/resolver that can mitigate this issue?
Was thinking of utilizing Proxmox & LXC but I suspect I’ll get the same experience.
Update: Turns out PiHole doesn’t support two instances, I got both of them on separate devices also set the 2nd DNS server in my routers WAN & LAN DNS settings which did in fact split DNS between both instances however, I lost access to my routers web-ui, my Traefik instance & reverse proxies died and I lost all internet access.So, don’t do what I did.Update 2: So everything I said in my first update let’s disregard that, turns out I had my router forcing all DNS to PiHole server 1 which caused my issues mentioned above.
Two servers appears to work!
How do you host your DNS sinkhole/resolver?
Like this, baby:
services.adguardhome = { enable = true; mutableSettings = false; openFirewall = true; settings = { dns = { # Web Interface bootstrap_dns = ["9.9.9.9" "149.112.112.112"]; upstream_dns = ["https://dns.quad9.net/dns-query"]; fallback_dns = ["tls://dns.quad9.net"]; }; filters = [ { name = "AdGuard DNS filter"; url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt"; enabled = true; } ]; filtering = { blocked_services = { ids = [ ]; }; protection_enabled = true; filtering_enabled = true; rewrites = [ ]; };Deploy to the main home server, and the backup instance. NixOS is fucking awesome. No sync tool needed.
-
Router may not have a function you want.
Instead of paying for a raspberry Pi you could just get a OpenWRT device. You can get the router equivalent of a rust bucket since chances are you are not using the Wireless portion anyway.
-
Currently have nice long docker compose file that hosts my PiHole V6 container (along with a bunch of other containers) however, reason i ask this question is because whenever I go to pull an updated image and recreate the container I experience about 20 minutes of no DNS resolution which to my knowledge is due to the NTP clock being out of sync.
What’s the best way to host a DNS sinkhole/resolver that can mitigate this issue?
Was thinking of utilizing Proxmox & LXC but I suspect I’ll get the same experience.
Update: Turns out PiHole doesn’t support two instances, I got both of them on separate devices also set the 2nd DNS server in my routers WAN & LAN DNS settings which did in fact split DNS between both instances however, I lost access to my routers web-ui, my Traefik instance & reverse proxies died and I lost all internet access.So, don’t do what I did.Update 2: So everything I said in my first update let’s disregard that, turns out I had my router forcing all DNS to PiHole server 1 which caused my issues mentioned above.
Two servers appears to work!
I don't rely on it, but for guests etc I use adblock on OpenWrt with https://oisd.nl/. It's supposed to have no false positives
-
Where do you do DHCP? I had a primary pihole with DHCP enabled and a secondary with a cron job that enabled DHCP if the primary was down or disabled it if the primary was working. The cron job did sync DHCP leases from one to the other but it was a bit janky. I tried to update the secondary to pihole v6 and hosed it so I have no backup for now. I'd like to re-image the secondary and get a better setup - when I have time.
Edit to say I really wanted to try keepalived - that's really cool to fail over without clients noticing.
Debian & ubuntu sudo apt install keepalived
sudo apt install libipset13
Configuration
Find your IP
ip a
edit your config
sudo nano /etc/keepalived/keepalived.conf
First node
vrrp_instance VI_1 {
state MASTER
interface ens18
virtual_router_id 55
priority 150
advert_int 1
unicast_src_ip 192.168.30.31
unicast_peer {
192.168.30.32
}
authentication {
auth_type PASS
auth_pass C3P9K9gc
}
virtual_ipaddress {
192.168.30.100/24
}
}
Second node
vrrp_instance VI_1 {
state BACKUP
interface ens18
virtual_router_id 55
priority 100
advert_int 1
unicast_src_ip 192.168.30.32
unicast_peer {
192.168.30.31
}
authentication {
auth_type PASS
auth_pass C3P9K9gc
}
virtual_ipaddress {
192.168.30.100/24
}
}
Start and enable the service
sudo systemctl enable --now keepalived.service
stopping the service
sudo systemctl stop keepalived.service
get the status
sudo systemctl status keepalived.service
Make sure to change ip and auth pass.
Enjoy
-
Pi Zero uses the CPU from the 3
No, the original Pi Zero uses the CPU of the Pi1 (only clocked higher). So it is quite a bit slower than a Pi 2, since it has only a single ARMv6 CPU core. Still fine for a DNS server on a typical home network.
Aha, thank you. Shouldn't have riffed from memory on that one, I suppose!
But very much agreed: the Zero series has plenty of beef for a DNS server. Maybe when the 3 comes out I'll add one as a backup for my 4 server.
-
How do you host your DNS sinkhole/resolver?
Like this, baby:
services.adguardhome = { enable = true; mutableSettings = false; openFirewall = true; settings = { dns = { # Web Interface bootstrap_dns = ["9.9.9.9" "149.112.112.112"]; upstream_dns = ["https://dns.quad9.net/dns-query"]; fallback_dns = ["tls://dns.quad9.net"]; }; filters = [ { name = "AdGuard DNS filter"; url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt"; enabled = true; } ]; filtering = { blocked_services = { ids = [ ]; }; protection_enabled = true; filtering_enabled = true; rewrites = [ ]; };Deploy to the main home server, and the backup instance. NixOS is fucking awesome. No sync tool needed.
How do I use nixos for docker? I've tried before but what I want is to be able to pull docker compose from a git and deploy it. I haven't been able to find an easy way to do that on docker
-
Instead of paying for a raspberry Pi you could just get a OpenWRT device. You can get the router equivalent of a rust bucket since chances are you are not using the Wireless portion anyway.
Sure, OpenWRT is good and there’s an Adguard Home plugin for it. You don’t need to buy any hardware to use Pihole though, many people run it in a container on an existing machine. So it comes down to the functionality you need or want and the software you prefer, right?
