I’ve been using pi-hole for the last 3 or 4 years and I’m pretty satisfied with it. Now I’m thinking about the next step. Nowadays I have my local network and a tailscale to access my hosts. I’m thinking about a DNS solutions to solve the names on the locla network and thru tailscale simultanely, while been able to block ads on DNS like pi-hole do. What do you think would be a better solution for this next step? I’ve only used bind before, but I think and old dog can learn a new trick.
I use Technitium, for that purpose. You can set up DNS records easily and it still has blocking like pi-hole. You can log DNS requests if you need to track down where certain requests are coming from or which devices are making lots of requests. It has quite a few features but I only need a couple.
You should add your DNS forwarder as its own node in Tailscale, and configure the tailnet to resolve DNS through it. That way you’ll be able to resolve both MagicDNS node names and your local domains, as well as being blocklist-enabled. Besides, I think you can also define custom A/AAAA records on your Tailscale console, skipping local records on Pi-hole altogether.
I’d also recommend Technitium for a new DNS solution, mainly because they’re going to add support for clustering soon. This could be highly useful if you want to configure blocklists once and sync them between different Technitium nodes. Should it works out, I’m thinking of installing it alongside every Tailscale exit node, for the benefit of synced blocklists, local domains, and exit-node geolocated IPs for external domains.
I don’t know about
tailscale, but it seems pihole has got you covered with local DNS, if you’re willing to set the local DNS records manually.I use
piholeas selfhosted DNS server for all my servers and clients. I don’t have many local DNS records (only 2), so if you handle a great amount of ever-changing DNS records, this might not be for you.Did you know you can use pihole as a full DNS server to serve A and cname records?
I have my public DNS at OVH and internal stuff in pihole, split view DNS is amazing.
Could you elaborate on this?
So pihole is a full DNS server, so you can add your own DNS records. You don’t need to run bind.
https://discourse.pi-hole.net/t/local-dns-records/74898
By have some domains in pihole, I access services over vpn or on the local network
Bind is reliable. It’s a good choice.
I’d still keep the pihole, though. You can use one as the upstream for the other. Or, configure the pihole to use your local DNS server only for your local domain name.
I just saw that bind now comes with tls support (for quite some time actually…), which was the reason I originally went with unbound instead. So I guess I have an excuse to look at it again… 😀
I’ve been using technitium dns server for this. It is an all in one solution and is working well for me through tailscale as a global name server.
Yeah. Real DNS zones that transfer are a thing of beauty.
I have been experimenting with this recently. I just have tailscale pointing to adguard on a vm i use as an exit node and run nginx to handle the reverse proxy.
Local Unbound with Tailscale’s split DNS has been solid for me. I use it as an OPNsense service with the web GUI, but the standalone YAML config looks simple enough.
Blocky.
I second this. Very light, feature-rich, configurable and works flawlessly. I use it for ad blocking, proxying all DNS requests to DoT upstreams, and local addresses in LAN and over Wireguard.
I’ve had pihole running in the past, then Adguard, but moved to NextDNS several years ago and have been happy with it. For a small fee, it removes all need for self hosting your own. I set up profiles for the kids, wife etc, then set the DNS in their phones, tablets, so I know its always working wherever they are. You can set local IPs in it if you want, but I use a reverse proxy for all LAN requests instead.
Only slight issue I’ve had with it was recently making several quick changes to DNS in Cloudflare, and NextDNS took several hours to propagate which was a PITA at the time.
Edit: I’ve just seen that they now offer a free tier which they didn’t in the past.
And how do you fix the problem with applications that have hard coded dns?
If you’re referring to network based DNS, I use their script to have it on my Ubiquiti router as well. I have that with its own profile with full blocking for iot etc.
I had PiHole with unbound on my OPNsense way back when, but the internet just needs to work for both me and my family and not go offline with me tinkering with the homelab. NextDNS takes all of that hassle out of the equation.
Thanks. How do you like your ubiquiti?
I love it. I started with pFsense, then really liked Untangle for its ease of use, then went (back) to OPNsense and preferred that for the fact it could run Caddy internally as a reverse proxy and was fast, but I was a bit frustrated at wanting to do more with it and needing to research everything. I already had Unifi APs and decided that it just made sense to have a Ubiquiti router. I’ve found it stable, easy to use with good feature updates, and have also just paid for the annual Cybersecure add-on which is reporting loads.
Not sure what you mean by “network based dns”.
Hard-coded DNS is in the application, you cannot change this from any dhcp option. Browsers do it, lots of versions of prime video apps do it. Google nest and home devices are famous for this.
You can write a NAT rewrite rule at your router to catch any UDP or TCP request on port 53 and send it to your ad-blocking DNS server/forwarder, but you won’t be able to stop DoH (DNS over https), which just leaves the subnet encrypted on 443.
I was being too simplistic in my other reply. I was referring to basic router based DNS and NextDNS as the upstream resolver.
I don’t have an answer for hard coded DNS when it comes to NextDNS, which is essentially an upstream resolver with block lists functionality.
And to be honest, I misinterpreted OPs original question which was to take PiHole to the next level, whereas NextDNS is an alternative to.
I can run app based routing and blocking on my router, but whether that would restrict DNS for those services I don’t know.
Thanks for the clarification, you’ve got me wanting to pursue more DNS control now!
I can run app based routing and blocking on my router, but whether that would restrict DNS for those services I don’t know.
That’s the double-edged sword of DNS over https. It allows us to hide our DNS queries from local ISP and others, but it also allows applications to hide theirs also. It just looks like encrypted web traffic to your router.
