Hi guys! So… I have a self-hosted DNS server. Initially I'd use Pi-hole, with unbound, and the more or less basic blocklists. But from time to time things would start acting wonky. Sometimes a reboot would fix it. Sometimes… not really, and I was really not sure what was going wrong, but it was clearly DNS. Changing the clients' settings from my own server to something like 9.9.9.9 would immediately get it sorted out.

So I went with an AdGuard server. In the last few days I've started to notice weird behaviors. Today I lost the Azure desktop I was connected to, and it was very clearly looking like DNS. So I checked… and yup, 9.9.9.9 again would sort it all out. So… I'm not sure what's going wrong. I'm self-hosting these on an LXC container in Proxmox. Nothing else seems to have issues connecting, and I see almost no resources being used. Any ideas? Any other DNS server I might be able to try?

Thanks!
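A diagnostic for the symptom in the post above (a name that fails through the self-hosted server but resolves through 9.9.9.9), written as an added example and not code from the thread or from any of the DNS servers it mentions: it sends a plain UDP A query to both resolvers using only the standard library and classifies the difference, separating a blocklist hit (NXDOMAIN or a sinkhole address from the local server while the reference resolves) from a resolver that is simply failing (SERVFAIL or timeout), the two causes suggested later in the thread. The local server address 192.168.1.2 and the test name example.com are assumptions.

```python
import random, socket, struct

def build_query(name, qid):  # minimal wire-format A query: RD set, no EDNS
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
def _skip_name(buf, off):  # step past a possibly compressed domain name
    while buf[off] != 0:
        if buf[off] & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + buf[off]
    return off + 1

def parse_response(buf):  # -> (rcode, [IPv4 answers]); CNAME/AAAA records are skipped
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", buf[:12])
    off, addrs = 12, []
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4  # skip QTYPE/QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in buf[off:off + 4]))
        off += rdlen
    return flags & 0xF, addrs
def query(server, name, timeout=2.0):  # None on timeout or a mismatched transaction id
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qid), (server, 53))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data) if data[:2] == struct.pack(">H", qid) else None

def classify(local, reference):  # explain how the self-hosted answer differs from the reference
    if local is None:
        return "timeout: local resolver is not answering at all"
    rcode, addrs = local
    if rcode == 2:
        return "SERVFAIL: local resolver cannot recurse/forward (upstream problem)"
    ref_addrs = reference[1] if reference else []
    if ref_addrs and (rcode == 3 or (addrs and all(a in ("0.0.0.0", "127.0.0.1") for a in addrs))):
        return "blocked: local gives NXDOMAIN/sinkhole while reference resolves"
    return ("ok: both resolvers agree" if sorted(addrs) == sorted(ref_addrs)
            else "differs: local %s vs reference %s" % (addrs, ref_addrs))
if __name__ == "__main__":  # assumed addresses: replace 192.168.1.2 with your own server
    print(classify(query("192.168.1.2", "example.com"), query("9.9.9.9", "example.com")))
```

Run it against a name that just broke for a client; a "blocked" verdict points at the blocklists, while "SERVFAIL" or "timeout" points at the resolver or its upstream path.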

  • seang96@spgrn.com · +1 · 6 hours ago

    I have tried quite a few and found blocky to be very easy and reliable.

    I use multiple DoH servers upstream; it works out which ones have better response times and uses them more often, but still splits queries between them. I have over 20 devices using it and it's been running well.

    It also can prefetch common domains and cache them per config. I got a 40% cache rate running 3 of them for redundancy.

  • rhabarba@feddit.org · +5 · 12 hours ago

    Any other DNS server I might be able to try?

    I use and warmly recommend Technitium DNS. Unlike most other solutions, it uses the root servers by default while still providing an ad blocker, DoH, DoQ etc., and it does not even require any command-line kung-fu for that (except for the installation, which is one command).

    • philpo@feddit.org · +3 · 10 hours ago

      I absolutely second Technitium as well. That thing is rock solid, can be used for basically everything, has blocking with a multitude of options and does provide a nice graphical GUI.

      I have it running in a dual DNS setup (main server+a Zimablade nowadays) and that shit just works - it’s the container that has caused the least amount of problems in the last 3 years.

      The API is fairly handy and quite easy - I have it integrated into HomeAssistant so I have a “Disable DNS Blocking” button in my “Network control” tab in the app.

      The only downside is the fact that initially it can be quite overwhelming, especially if you are not a DNS guru and just did the step from AdGuard/Pi-hole, but soon you realise that you actually only need a few fields for basic operations.

      • rhabarba@feddit.org · +3 · 8 hours ago

        The only downside is the fact that initially it can be quite overwhelming

        On the other hand, Technitium comes with a fairly useful configuration straight out of the box. If you only want to use it on your home LAN (and therefore don’t necessarily need SSL), the only thing you really need to change is the block list field.

        • philpo@feddit.org · +3 · 7 hours ago

          Yeah, absolutely - nevertheless it can inspire that reaction - which is a shame, because it’s indeed fairly easy.

          • Jakeroxs@sh.itjust.works · +2 · 5 hours ago

            I definitely bounced off of it as it had so much configuration I had no idea where to start. AdGuard Home was so much easier to set up, particularly because I also had to use it via DHCP as my router doesn't have a DNS option.

  • Australis13@fedia.io · +1 · 10 hours ago

    I use Pi-hole, except that I originally retrofitted it after setting up DNScrypt years ago to connect to Cisco OpenDNS. That's not the only DNS server you can use with it, though, and it's added more features since.

    To use DNScrypt with Pi-hole on the same device, set DNScrypt to listen on 127.0.0.1:54 and point Pi-hole to that as the DNS server.

    The only time I have ever had any trouble with this setup and DNS resolution is when the network is recovering from a power outage; there’s a race condition somewhere between the Pi and my modem/router that I’ve never found the time to pin down (given outages are so infrequent I just haven’t gotten around to it) and it’s easily resolved by rebooting the Pi.

    • InnerScientist@lemmy.world · +4 · 9 hours ago

      Pi-hole forwards the requests to another DNS server. Unbound can ask the root servers and go down the DNS chain.

  • Eideen@lemmy.world · +2 · 12 hours ago

    I use Pi-hole with DNS over HTTPS (my ISP intercepts my unencrypted DNS queries); it works great for me, both in LXC and on a Raspberry Pi.

    What issue are you trying to solve?

  • ShimitarA · +6/-3 · edited · 17 hours ago

    My 2c.

    Changing "DNS" won't fix it. There are two DNS servers: dnsmasq and unbound (and BIND, ok). Whatever else you use doesn't matter (Pi-hole, AdGuard, OPNsense); at the end of the day it's always them inside.

    In my experience ISPs will block your direct DNS queries over time, so it might be that. I set up my unbound as caching and forwarding, not as a pure resolver. This fixed all my issues with self-hosted DNS. You can forward to 9.9.9.9 if you like it.

    Another issue might be with your blocklists, of course; your Azure might have been temporarily listed, maybe.

    Over time I ended up choosing a very lax blocklist setup for this reason.

    • non_burglar@lemmy.world · +3 · 11 hours ago

      In my experience ISPs will block your direct DNS queries over time,

      I have no idea what ISP you're using, but that's probably not true. Lots of devices have hard-coded DNS servers and nothing would work if ISPs started blocking upstream DNS queries.

      • ShimitarA · +1/-1 · 10 hours ago

        Above some threshold, the one you will cross when filtering port 53 in your network and setting up a custom full resolver, it can happen.

        I experienced it; it seems they filter excess DNS traffic from inside. Probably more a malware/anti-spam measure than actual DNS blocking.