Pi-hole
Pi-hole is a reasonable choice for a DNS service, especially if you don’t have a separate metrics and reporting system. A single instance will scale to 1000 active clients with just 1 core and 500M of RAM and does a good job of showing what’s going on.
There are some caveats when you pass 1000 users when logging all queries, but it’s a
Preparation
Prepare and secure a Debian system
Set a Static Address
sudo vi /etc/network/interfaces
Change
# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp
to
auto eth0
iface eth0 inet static
address 192.168.0.2/24
gateway 192.168.0.1
Secure Access with Nftables
Nftables is the modern replacement for iptables and the preferred way to set netfilter rules.
sudo apt install nftables
sudo systemctl enable nftables
sudo vi /etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset

# private address ranges that are allowed to use this resolver
define RFC1918 = { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 }

table inet filter {
    chain input {
        type filter hook input priority 0;
        # accept any localhost traffic
        iif lo accept
        # accept already allowed and related traffic
        ct state established,related accept
        # accept DNS and DHCP traffic from internal addresses only
        # (DHCP is UDP only; DNS also answers over TCP)
        udp dport { domain, bootps } ip saddr $RFC1918 ct state new accept
        tcp dport domain ip saddr $RFC1918 ct state new accept
        # accept web and ssh traffic on the first interface ...
        iifname eth0 tcp dport { ssh, http } ct state new accept
        # ... or, alternatively, only from an address range
        # ip saddr 192.168.0.0/24 tcp dport { ssh, http } ct state new accept
        # accept pings
        icmp type { echo-request } ct state new accept
        # accept neighbor discovery, otherwise IPv6 connectivity breaks
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        # count, then drop, any other traffic that did not match the above
        counter drop
    }
}
sudo nft -f /etc/nftables.conf
sudo systemctl start nftables.service
Add Unattended Updates
This is an optional but useful service.
sudo apt install unattended-upgrades
sudo sed -i 's/\/\/\(.*origin=Debian.*\)/ \1/' /etc/apt/apt.conf.d/50unattended-upgrades
sudo sed -i 's/\/\/\(Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";\)/ \1/' /etc/apt/apt.conf.d/50unattended-upgrades
sudo sed -i 's/\/\/\(Unattended-Upgrade::Remove-Unused-Dependencies\) "false";/ \1 "true";/' /etc/apt/apt.conf.d/50unattended-upgrades
sudo sed -i 's/\/\/\(Unattended-Upgrade::Automatic-Reboot\) "false";/ \1 "true";/' /etc/apt/apt.conf.d/50unattended-upgrades
Installation
Unbound
sudo apt install unbound
Pi-hole
sudo apt install curl
curl -sSL https://install.pi-hole.net | bash
Configuration
Unbound
The Pi-hole guide for unbound (https://docs.pi-hole.net/guides/dns/unbound/) includes a config block to copy and paste as directed. You should also add a config file for dnsmasq while you’re at it, to set the EDNS packet size (dnsmasq comes as part of Pi-hole):
sudo vi /etc/dnsmasq.d/99-edns.conf
edns-packet-max=1232
When you check the status of unbound, you can ignore the warning that begins with subnetcache: ... It is just reminding you that data in the subnet cache (if you were to use it) can’t be prefetched. There’s some conversation [1] as to why it warns about this.
The config includes prefetch, but you may also wish to add serve-expired to the same config file from above:
# serve old responses from cache while waiting for the actual resolution to finish.
serve-expired: yes
sudo systemctl restart unbound.service
No additional setup is needed, but see the unbound page for more info.
Pi-hole
Pi-hole can be configured via its two main config files, /etc/pihole/setupVars.conf and /etc/pihole/pihole-FTL.conf, but it’s convenient to use the GUI’s left-hand settings menu.
- Settings -> DNS -> Upstream DNS Servers -> Custom 1 (Check and add 127.0.0.1#5335 as shown in the unbound guide linked above)
- Settings -> DNS -> Interface settings -> Permit all origins (needed if you have multiple networks)
Very busy Pi-hole installations generate lots of data and (seemingly) hang the dashboard. If that happens, limit the amount of data being displayed.
sudo vi /etc/pihole/pihole-FTL.conf
# Don't import the existing DB into the GUI - it will hang the web page for a long time
DBIMPORT=no
# Don't import more than an hour of logs from the logfile
MAXLOGAGE=1
# Truncate data older than this many days to keep the size of the database down
MAXDBDAYS=1
sudo systemctl restart pihole-FTL.service
Operation
Local DNS Entries
You can enter local DNS and CNAME entries via the GUI (Admin Panel -> Local DNS), but you can also edit the config files directly for bulk entries.
For A records:
sudo vi /etc/pihole/custom.list
10.50.85.2 test.some.lan
10.50.85.3 test2.some.lan
For CNAME records:
sudo vi /etc/dnsmasq.d/05-pihole-custom-cname.conf
cname=test3.some.lan,test.some.lan
Block Lists
Pi-hole ships with one ad list, StevenBlack’s. You may need to disable it for Google or Facebook search results to work as expected: the top search results are often ads and don’t work when Pi-hole is blocking them.
- Admin Panel -> Ad Lists -> Status Column
You might consider adding security-only lists instead, such as Intel’s below.
Search the web for other examples.
Upgrading
Unbound will be upgraded via the unattended-upgrades service, but Pi-hole requires a manual command:
sudo pihole -up
Troubleshooting
DNS Cache Size
The default cache size of 10,000 serves thousands of clients easily, because entries expire before the cache fills up. But you can check your evictions (cache entries removed to make room before they expire) to be sure:
Settings -> System -> DNS cache evictions
You’ll notice that insertions keep climbing as things are added to the cache, but the cache number itself represents only those entries that are current. If you do see evictions, edit CACHE_SIZE in /etc/pihole/setupVars.conf.
You can also check this at the command line:
dig +short chaos txt evictions.bind @localhost
dig +short chaos txt cachesize.bind @localhost
dig +short chaos txt hits.bind @localhost
dig +short chaos txt misses.bind @localhost
However, unused cache is wasted memory that could otherwise be used for disk buffers and the like, so don’t add it just in case.
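An added example (not from the original page) that wraps the dig queries above into a check you can run from cron: it reads dnsmasq’s CHAOS-class counters from pihole-FTL and reports whether live entries are being evicted. cache_verdict takes the counters as arguments so it can be exercised with constructed numbers; dig being installed and FTL answering on 127.0.0.1 are assumptions taken from this page’s setup.

```shell
#!/bin/sh
# Added example, not from the original page. Summarise pihole-FTL's (dnsmasq)
# cache counters and say whether CACHE_SIZE in /etc/pihole/setupVars.conf
# needs raising. Assumes dig is installed and FTL answers on 127.0.0.1.

# Fetch one CHAOS-class TXT counter (cachesize, insertions, evictions, hits,
# misses) and print the bare number without dig's surrounding quotes.
cache_counter() {
  dig +short chaos txt "$1.bind" @127.0.0.1 | tr -d '"'
}

# Pure function: args are cachesize insertions evictions hits misses.
# Prints one summary line; returns 1 if the cache is evicting live entries
# (so it can drive an alert) and 0 if the current size is sufficient.
cache_verdict() {
  size=$1 ins=$2 evict=$3 hits=$4 misses=$5
  total=$((hits + misses))
  if [ "$total" -gt 0 ]; then
    hit_pct=$((100 * hits / total))
  else
    hit_pct=0
  fi
  if [ "$evict" -gt 0 ]; then
    verdict="evicting, raise CACHE_SIZE (currently $size)"; rc=1
  else
    verdict="no evictions, cache size is sufficient"; rc=0
  fi
  printf 'cachesize=%s insertions=%s evictions=%s hit-rate=%s%%: %s\n' \
    "$size" "$ins" "$evict" "$hit_pct" "$verdict"
  return "$rc"
}

# Live report against the running resolver; run as: sh cache_check.sh --live
cache_report() {
  cache_verdict "$(cache_counter cachesize)" "$(cache_counter insertions)" \
    "$(cache_counter evictions)" "$(cache_counter hits)" "$(cache_counter misses)"
}

if [ "${1:-}" = "--live" ]; then
  cache_report
fi
```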
Rate Limiting
The system has a default limit of 1000 queries in a 60-second window for each client. If your clients are proxied or relayed, you can run into this. The event is displayed in the dashboard [2] and also in the logs [3]:
sudo grep -i Rate-limiting /var/log/pihole/*.log
You may find the address 127.0.0.1 being rate limited. This can be due to Pi-hole doing a reverse lookup of all client IPs every hour. You can disable this with:
# In the pihole-FTL.conf
REFRESH_HOSTNAMES=NONE
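An added example (not from the original page) that turns the grep above into a per-client summary and flags the 127.0.0.1 case the text describes. The sample lines in sample_log are constructed from the “Rate-limiting <ip> for at least N seconds” message text, not a real capture; adjust the field match if your FTL.log layout differs.

```shell
#!/bin/sh
# Added example, not from the original page. Summarise FTL rate-limiting
# events per client and flag 127.0.0.1, which the page attributes to the
# hourly reverse lookup of client IPs (REFRESH_HOSTNAMES).

# Constructed sample of log lines (not a real capture) so this runs offline.
sample_log() {
  cat <<'EOF'
[2023-03-15 10:12:34.001 1234M] Rate-limiting 192.168.0.50 for at least 45 seconds
[2023-03-15 10:12:34.005 1234M] Rate-limiting 127.0.0.1 for at least 60 seconds
[2023-03-15 10:13:01.210 1234M] Some unrelated log line
[2023-03-15 10:14:34.002 1234M] Rate-limiting 192.168.0.50 for at least 45 seconds
[2023-03-15 10:16:34.004 1234M] Rate-limiting 192.168.0.50 for at least 45 seconds
[2023-03-15 11:12:34.007 1234M] Rate-limiting 127.0.0.1 for at least 60 seconds
[2023-03-15 11:13:34.007 1234M] Rate-limiting 10.0.0.9 for at least 45 seconds
EOF
}

# Print "count ip" for every rate-limited client, busiest first. Reads the
# file(s) given as arguments, or stdin when none (so logs can be piped in).
rate_limit_summary() {
  grep -i 'Rate-limiting' "$@" \
    | awk '{ for (i = 1; i <= NF; i++)
               if (tolower($i) == "rate-limiting") { print $(i + 1); break } }' \
    | sort | uniq -c | sort -rn
}

# Returns 0 (and prints the remedy) when 127.0.0.1 is among the limited
# clients, 1 otherwise.
localhost_hint() {
  if rate_limit_summary "$@" | awk '$2 == "127.0.0.1" { found = 1 } END { exit !found }'; then
    echo 'localhost is being rate limited: set REFRESH_HOSTNAMES=NONE in /etc/pihole/pihole-FTL.conf'
    return 0
  fi
  return 1
}

# On a live system: rate_limit_summary /var/log/pihole/*.log
```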
DNS over HTTPS
Firefox, if the user has not yet chosen a setting, will query use-application-dns.net. Pi-hole responds with NXDOMAIN [4] as a signal to keep using Pi-hole for DNS.
Apple devices include a private relay [5] that the user may decide to enable if they pay for it. Pi-hole by default blocks queries for mask.icloud.com, and the user will be notified that you are blocking it. To allow it instead:
sudo vi /etc/pihole/pihole-FTL.conf
# Signal that Apple iCloud Private Relay is allowed
BLOCK_ICLOUD_PR=false
sudo systemctl restart pihole-FTL.service
Searching The Query Log Hangs DNS
On a very busy server, clicking show all in the query log panel will hang the server as pihole-FTL works through its database. There is no solution, just don’t do it. The best alternative is to ship logs to an Elasticsearch or similar system.
Ask Yourself
The system continues to use whatever DNS resolver was initially configured. You may want it to use itself instead.
# revert this if Pi-hole itself needs fixing.
sudo vi /etc/resolv.conf
nameserver 127.0.0.1
[1] https://www.reddit.com/r/pihole/comments/11xb7pt/unbound_warning_subnetcache_prefetch_and/
[2] https://pi-hole.net/blog/2021/09/11/pi-hole-ftl-v5-9-web-v5-6-and-core-v5-4-released/#page-content
[3] https://discourse.pi-hole.net/t/include-log-entry-in-pihole-ftl-log-when-client-hits-rate-limit/46798/12A
[4] https://www.reddit.com/r/pihole/comments/113qkp5/i_am_seeing_useapplicationdnsnet_being_blocked/
[5] https://docs.pi-hole.net/ftldns/configfile/?h=mask#icloud_private_relay