I’ve been using pi-hole for the last 3 or 4 years and I’m pretty satisfied with it. Now I’m thinking about the next step. Nowadays I have my local network and a tailscale to access my hosts. I’m thinking about a DNS solutions to solve the names on the locla network and thru tailscale simultanely, while been able to block ads on DNS like pi-hole do. What do you think would be a better solution for this next step? I’ve only used bind before, but I think and old dog can learn a new trick.
I use Technitium, for that purpose. You can set up DNS records easily and it still has blocking like pi-hole. You can log DNS requests if you need to track down where certain requests are coming from or which devices are making lots of requests. It has quite a few features but I only need a couple.
Yeah, came here to write about Technitium. It is rock solid. Absolutely. It looks intimidating at first but you soon figure out you hardly need 10% of the options in the beginning.
Bind is reliable. It’s a good choice.
I’d still keep the pihole, though. You can use one as the upstream for the other. Or, configure the pihole to use your local DNS server only for your local domain name.
I just saw that bind now comes with tls support (for quite some time actually…), which was the reason I originally went with unbound instead. So I guess I have an excuse to look at it again… 😀
I don’t know about
tailscale, but it seems pihole has got you covered with local DNS, if you’re willing to set the local DNS records manually.I use
piholeas selfhosted DNS server for all my servers and clients. I don’t have many local DNS records (only 2), so if you handle a great amount of ever-changing DNS records, this might not be for you.This is the way I do it. I keep a file with info about all my hosts that I use for various tracking and configuration things. I have a script in my pihole config repo that reads that file and creates all the hostnames to the etc/pihole dir. that way whenever I launch pihole all the mappings are already set up. When I use pihole over WireGuard it all just works.
Local Unbound with Tailscale’s split DNS has been solid for me. I use it as an OPNsense service with the web GUI, but the standalone YAML config looks simple enough.
Blocky.
I’ve had pihole running in the past, then Adguard, but moved to NextDNS several years ago and have been happy with it. For a small fee, it removes all need for self hosting your own. I set up profiles for the kids, wife etc, then set the DNS in their phones, tablets, so I know its always working wherever they are. You can set local IPs in it if you want, but I use a reverse proxy for all LAN requests instead.
Only slight issue I’ve had with it was recently making several quick changes to DNS in Cloudflare, and NextDNS took several hours to propagate which was a PITA at the time.
Edit: I’ve just seen that they now offer a free tier which they didn’t in the past.
And how do you fix the problem with applications that have hard coded dns?
If you’re referring to network based DNS, I use their script to have it on my Ubiquiti router as well. I have that with its own profile with full blocking for iot etc.
I had PiHole with unbound on my OPNsense way back when, but the internet just needs to work for both me and my family and not go offline with me tinkering with the homelab. NextDNS takes all of that hassle out of the equation.
Thanks. How do you like your ubiquiti?
I love it. I started with pFsense, then really liked Untangle for its ease of use, then went (back) to OPNsense and preferred that for the fact it could run Caddy internally as a reverse proxy and was fast, but I was a bit frustrated at wanting to do more with it and needing to research everything. I already had Unifi APs and decided that it just made sense to have a Ubiquiti router. I’ve found it stable, easy to use with good feature updates, and have also just paid for the annual Cybersecure add-on which is reporting loads.
Not sure what you mean by “network based dns”.
Hard-coded DNS is in the application, you cannot change this from any dhcp option. Browsers do it, lots of versions of prime video apps do it. Google nest and home devices are famous for this.
You can write a NAT rewrite rule at your router to catch any UDP or TCP request on port 53 and send it to your ad-blocking DNS server/forwarder, but you won’t be able to stop DoH (DNS over https), which just leaves the subnet encrypted on 443.
I was being too simplistic in my other reply. I was referring to basic router based DNS and NextDNS as the upstream resolver.
I don’t have an answer for hard coded DNS when it comes to NextDNS, which is essentially an upstream resolver with block lists functionality.
And to be honest, I misinterpreted OPs original question which was to take PiHole to the next level, whereas NextDNS is an alternative to.
I can run app based routing and blocking on my router, but whether that would restrict DNS for those services I don’t know.
Thanks for the clarification, you’ve got me wanting to pursue more DNS control now!
I can run app based routing and blocking on my router, but whether that would restrict DNS for those services I don’t know.
That’s the double-edged sword of DNS over https. It allows us to hide our DNS queries from local ISP and others, but it also allows applications to hide theirs also. It just looks like encrypted web traffic to your router.