Permanently Deleted

Matt The Horwood@lemmy.horwood.cloud · 1 year

If you run a single DNS server, you will always have downtime when it’s restarted.

The only way to mitigate that, is to run 2 DNS servers.

I setup my network to use pihole as the first DNS and the router as the second, most of the time pihole is used. Unless it’s down

natch@lemmy.today · 1 year

Just be sure that the second server in the list is also a black hole. If you don’t, all black holed requests will fallback to the second DNS… which, if it doesn’t also black hole them, will wind up serving you ads and defeating the point!

Personally I find a single Pi is just fine for DNS. It only takes like 10 seconds to reboot. Less, if you use M.2 storage via a HAT or boot from USB! That’s pretty fine downtime. But if you’re afraid you’ll knock over the network and get yelled at by your family or housemates, best to use a backup :)

tofu@lemmy.nocturnal.garden · 1 year

How do you set up clients so they will always use the first one? I thought if a client knows 2 servers they will switch between them.

I plan to add a second Pihole at some point and keep them synced

atzanteol@sh.itjust.works · 1 year

Yeah, you can’t. There is no guarantee that clients will use dns servers in any particular order.

Morphit @feddit.uk · 1 year

Not that it particularly matters for just queries. The problem is that DHCP can only be enabled on one host. If that one fails then devices can’t get on to the network themselves. I’d like to know a good way to have a failover DHCP server - my janky cronjob isn’t great.

ddh@lemmy.sdf.org · 1 year

You can just run two DHCP servers. Give them non-overlapping ranges or give them the same MAC to IP mapping.

Morphit @feddit.uk · 1 year

How do the DNS servers resolve local hostnames then? The pihole DHCP integration adds local hostnames to DNS when they are assigned an address. If there’s two DHCP servers handing out leases, presumable only one would be accepted, how then would the DNS servers sync those names?

I think I had my secondary pihole resolve local names from the primary, and leases were copied over on a cronjob in case the secondary DHCP server had to be enabled.

ddh@lemmy.sdf.org · 1 year

Use the second option of a static MAC to IP map and add the relevant records to each pihole’s local DNS.

themachine@lemmy.world · 1 year

Are you using pihole to also create custom local DNS records?

tofu@lemmy.nocturnal.garden · 1 year

Yes, mostly just the hostnames

AtariDump@lemmy.world · 1 year

When it comes to a “secondary”DNS… [there is nothing like a primary and secondary DNS server. These indications are quite misleading but many systems adopted it this way. Pihole only list the DNS servers as primary and secondary, because this is what the providers write on their pages. The bad phrasing is supported especially by how Windows handles it.](https://discourse.pi-hole.net/t/primary-vs-secondary-dns/1536/2)

[Most operating systems implement DNS servers as alternatives, not as fallbacks, i.e. they will query any of both servers from time to time, so it is quite likely that you will loose your Pi-hole filtering capabilities (at least partially) [if you specify a secondary DNS server on your network].](https://discourse.pi-hole.net/t/secondary-dns-server-for-dhcp/1874)

The **ONLY** DNS server you should have set on your network is a/the PiHole(s).

tofu@lemmy.nocturnal.garden · 1 year

That’s what I thought. Btw, your formatting seems to be broken.

AtariDump@lemmy.world · 1 year

Thanks for that; the formatting is broken.

I’ll try and figure out how to fix it (it was formatted for the “site that shall not be named”)

AtariDump@lemmy.world · 1 year

When it comes to a “secondary”DNS… [there is nothing like a primary and secondary DNS server. These indications are quite misleading but many systems adopted it this way. Pihole only list the DNS servers as primary and secondary, because this is what the providers write on their pages. The bad phrasing is supported especially by how Windows handles it.](https://discourse.pi-hole.net/t/primary-vs-secondary-dns/1536/2)

[Most operating systems implement DNS servers as alternatives, not as fallbacks, i.e. they will query any of both servers from time to time, so it is quite likely that you will loose your Pi-hole filtering capabilities (at least partially) [if you specify a secondary DNS server on your network].](https://discourse.pi-hole.net/t/secondary-dns-server-for-dhcp/1874)

The **ONLY** DNS server you should have set on your network is a/the PiHole(s).

Possibly linux@lemmy.zip · 1 year

Why wouldn’t you just use DNS on your router

ddh@lemmy.sdf.org · 1 year

Router may not have a function you want.

Possibly linux@lemmy.zip · 1 year

Instead of paying for a raspberry Pi you could just get a OpenWRT device. You can get the router equivalent of a rust bucket since chances are you are not using the Wireless portion anyway.

ddh@lemmy.sdf.org · 1 year

Sure, OpenWRT is good and there’s an Adguard Home plugin for it. You don’t need to buy any hardware to use Pihole though, many people run it in a container on an existing machine. So it comes down to the functionality you need or want and the software you prefer, right?

Lantier@jlai.lu · 1 year

For a critical service like DNS, I decided to set it up bare metal on a Raspberry Pi 2 (even a Pi Zero should work). It’s been working fine for years, I just update it from time to time. That way I can mess with my homelab without worrying about DNS issues.

natch@lemmy.today · 1 year

Funny enough, the Pi Zero uses the CPU from the 3 and the Zero 2 uses the CPU from the 3+, so they’re both more powerful than a 2 anyway :)

486@lemmy.world · 1 year

Pi Zero uses the CPU from the 3

No, the original Pi Zero uses the CPU of the Pi1 (only clocked higher). So it is quite a bit slower than a Pi 2, since it has only a single ARMv6 CPU core. Still fine for a DNS server on a typical home network.

natch@lemmy.today · 1 year

Aha, thank you. Shouldn’t have riffed from memory on that one, I suppose!

But very much agreed: the Zero series has plenty of beef for a DNS server. Maybe when the 3 comes out I’ll add one as a backup for my 4 server.

johntash@eviltoast.org · 1 year

I think something else may be wrong if it breaks for 20 minutes. How long does it take for compose to bring the stack up?

Also assuming you run ntpd or chrony, it should always keep your clock in sync.

ohshit604@sh.itjust.works · 1 year

I think something else may be wrong if it breaks for 20 minutes.

When I originally setup my PiHole many, many, many months ago when I was still learning the Docker engine I had little to no issue.

I don’t know what caused it either being a power-outage or network loss but ever since I’ve been experiencing DNS related issues (I suspect it’s NTP not syncing), some days I’ll wake up before work realizing “oh shit I have no internet access” frantically trying to fix the issue.

I think i might take the advice of other commenters here and host two PiHole servers on separate devices/stacks, just got to hope my router supports it.

bigDottee@geekroom.tech · 1 year

I am running AdGuard Home DNS, not PiHole… but same idea. I have AGH running in two LXCs on proxmox (containers). I have all DHCP zones configured to point to both instances, and I never reboot both at the same time. Additionally, I watch the status of the service to make sure it’s running before I reboot the other instance.

Outside of that, there’s really no other approach.

You would still need at least 2 DNS servers, but you could setup some sort of virtual IP or load balancing IP and configure DHCP to point to that IP, so when one instance goes down then it fails over to the other instance.

dmtalon@infosec.pub · 1 year

spin up a second pihole docker and upgrade them separately so they can failover to the other one while upgrading. I do not have an issue with 20min lose of DNS after updating my pi.hole docker, but I did spin up a second one when I wanted to try unbound+pi.hole and just kept them both up/running.

ohshit604@sh.itjust.works · 1 year

spin up a second pihole docker and upgrade them separately so they can failover to the other one while upgrading.

Think I’m going to take this advice and put it in action! Thank you!

Hexarei@programming.dev · 1 year

I run my pi-hole on a dedicated Pi, and I pull the updated image first without any trouble. Then after the updated image is pulled, recreating the container only takes a few seconds.

Dunno what’s broken about your setup, but it definitely sounds like something unusual to me.

Shimitar@downonthestreet.eu · 1 year

Running unbound on my opnSense with the appropriate blacklists for ad filtering.

Jjoiq@lemmy.world · 1 year

2 pihole instances 1 pi5 1 pi4 Keepalived provides vrrp at a set address.

Instances kept in sync via orbital

1 goes down the other takes over.

Quite elegantly.

Morphit @feddit.uk · 1 year

Where do you do DHCP? I had a primary pihole with DHCP enabled and a secondary with a cron job that enabled DHCP if the primary was down or disabled it if the primary was working. The cron job did sync DHCP leases from one to the other but it was a bit janky. I tried to update the secondary to pihole v6 and hosed it so I have no backup for now. I’d like to re-image the secondary and get a better setup - when I have time.

Edit to say I really wanted to try keepalived - that’s really cool to fail over without clients noticing.

Jjoiq@lemmy.world · 1 year

Debian & ubuntu sudo apt install keepalived

sudo apt install libipset13

Configuration

Find your IP

ip a

edit your config

sudo nano /etc/keepalived/keepalived.conf

First node

vrrp_instance VI_1 {

state MASTER

interface ens18

virtual_router_id 55

priority 150

advert_int 1

unicast_src_ip 192.168.30.31

unicast_peer {

192.168.30.32

}

authentication {

auth_type PASS

auth_pass C3P9K9gc

}

virtual_ipaddress {

192.168.30.100/24

}

Second node

vrrp_instance VI_1 {

state BACKUP

interface ens18

virtual_router_id 55

priority 100

advert_int 1

unicast_src_ip 192.168.30.32

unicast_peer {

192.168.30.31

}

authentication {

auth_type PASS

auth_pass C3P9K9gc

}

virtual_ipaddress {

192.168.30.100/24

}

Start and enable the service

sudo systemctl enable --now keepalived.service

stopping the service

sudo systemctl stop keepalived.service

get the status

sudo systemctl status keepalived.service

Make sure to change ip and auth pass.

Enjoy

Jjoiq@lemmy.world · 1 year

On the router.

My router is locked down so i assign the vrrp address to wach client (pain in the ass) but it works.

Pivpn takes care or wireguard too.

pezhore@infosec.pub · 1 year

This is overkill.

I have a dedicated raspberry pi for pihole, then two VMs running PowerDNS in Master/Slave mode. The PDNS servers use the Pihole as their primary recursive lookup, followed by some other Internet privacy DNS server that I can’t recall right now.

If I need to do maintenance on the pihole, power DNS can fall back to the internet DNS server. If I need to do updates on the PowerDNS cluster, I can do it one at a time to reduce the outage window.

EDIT: I should have phrased the first sentence: “My setup is overkill” rather than “This is overkill” - the Op is asking a very valid question and the passive phrasing of my post’s first sentence could be taken multiple ways.

AtariDump@lemmy.world · 1 year

When it comes to a “secondary”DNS… [there is nothing like a primary and secondary DNS server. These indications are quite misleading but many systems adopted it this way. Pihole only list the DNS servers as primary and secondary, because this is what the providers write on their pages. The bad phrasing is supported especially by how Windows handles it.](https://discourse.pi-hole.net/t/primary-vs-secondary-dns/1536/2)

[Most operating systems implement DNS servers as alternatives, not as fallbacks, i.e. they will query any of both servers from time to time, so it is quite likely that you will loose your Pi-hole filtering capabilities (at least partially) [if you specify a secondary DNS server on your network].](https://discourse.pi-hole.net/t/secondary-dns-server-for-dhcp/1874)

The **ONLY** DNS server you should have set on your network is a/the PiHole(s).

pezhore@infosec.pub · 1 year

Sorry, I wasn’t clear - I use PowerDNS so that I can more easily deploy services that can be resolved by my internal networks (deployed via Kubernetes or Terraform). In my case, the secondary PowerDNS server does regular zone transfers from the primary in order to ensure it has a copy of all A, PTR, CNAME, etc records.

But PowerDNS (and all DNS servers really), can either be authoritative resolvers or recursors. In my case, the PDNS servers are authoritative for my homelab zone/domain and they perform recursive lookups (with caching) for non-authoritative domains like google.com, infosec.pub, etc. By pointing my PDNS servers to PiHole for recursive lookups, I ensure that I have ad blocking while still allowing for my automation to handle the homelab records.

HRYDJPCHNMNDGBLTFIYA@lemm.ee · 1 year

I don’t rely on it, but for guests etc I use adblock on OpenWrt with https://oisd.nl/. It’s supposed to have no false positives

sugar_in_your_tea@sh.itjust.works · 1 year

I’m looking into Technitium, which doesn’t get a ton of attention here. It looks to be much more feature packed than PiHole (DNS over HTTPS, for example), and similar to AdGuard Home.

ikidd@lemmy.world · 1 year

Man, I was excited about Technitium, but I’ve had a hell of a time trying to get it to work. I’m not sure if it’s intended to be on a DMZ in order to get TLS working or something, but I’ve not been able to get it to acknowledge a single DNS request, even when I think I’ve shut down DNSSec entirely.

大きいＢＯＹ@lemmy.blahaj.zone · 1 year

How do you host your DNS sinkhole/resolver?

Like this, baby:

services.adguardhome = {
      enable = true;
      mutableSettings = false;
      openFirewall = true;
      settings = {
        dns = {
          # Web Interface
          bootstrap_dns = ["9.9.9.9" "149.112.112.112"];
          upstream_dns = ["https://dns.quad9.net/dns-query"];
          fallback_dns = ["tls://dns.quad9.net"];
        };
        filters = [
          {
            name = "AdGuard DNS filter";
            url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt";
            enabled = true;
          }
        ];
        filtering = {
          blocked_services = {
            ids = [
            ];
          };
          protection_enabled = true;
          filtering_enabled = true;
          rewrites = [
          ];
        };

Deploy to the main home server, and the backup instance. NixOS is fucking awesome. No sync tool needed.

Lem453@lemmy.ca · 1 year

How do I use nixos for docker? I’ve tried before but what I want is to be able to pull docker compose from a git and deploy it. I haven’t been able to find an easy way to do that on docker

Morphit @feddit.uk · 1 year

If you have the docker-compose.yml locally, you can nix run github:aksiksi/compose2nix to translate it into a nix file for inclusion in your nixos system config. I think that could be done in the config itself with a git url but I’m not that great at nix. You will surely still need some manual config to e.g. set environment variables for paths and secrets.

大きいＢＯＹ@lemmy.blahaj.zone · 1 year

Most of the time you don’t need docker. NixOS isolates runtimes.

That being said, you could use nix to build the docker container, and then run it using the built-in oci-container options.

curbstickle@lemmy.dbzer0.com · 1 year

Two lxc’s, one pi 3b.

Higgs boson@dubvee.org · 1 year

I run Pihole+Unbound, Debian baremetal on a tinypc. RPi was too unreliable. I was too often dealing with issues.

My router is the failback, as it has blocking too.

MMAniacle@lemm.ee · 1 year

I run 2 separate adguard home containers on separate hosts and set DNS for both IPs. If I take one down, requests just get sent to the other.

AdguardHome-Sync works great for keeping them in sync