So I’ve been a pihole user for a long long time…but seeing the advancements in AdGuard Home and some of the nicer UI facets, I was interested in giving it a try. I also have an active directory domain that I need to manage as well.
So, prior to recently, I had routed all DNS requests thought the AD DCs, and their upstream resolver was PiHole, and then Pihole routed to its internal install of cloudflared with DNS over HTTPS to the cloudflare DNS services.
More recently, I changed my DNS services in DNS to point directly to pihole, managed my local dns records in pihole and then used conditional forwarding to my AD DCs for local DNS resolution. The biggest benefit I saw in this adjustment is that I can identify what hosts are making what requests.
More recently than that, I brought Adguard Home into the environment and am using it as a secondary DNS server. I ended up taking it out of the mix for the moment. My thought process was having one DNS server on each of my active VM hosts just in case…but managing internal DNS records in adguard home is a bit of a pain in the ass, and there is no way to import in bulk.
So, the questions, 1) do you just use one or the other… pihole, vs adguard home… 2) do you use multiple dns servers or just a single one upstream…3) whats your preferred method of internal dns management in conjunction w/ pihole/adguard home?
Opnsense Unbound
Me three.
I use nextdns as I can use that when mobile but if you want a local solution adguard home has DOH/DOT built in and a nicer interface than pihole IMHO
I use Unbound as a DNS resolver and pfBlockerNG for ad blocking. My firewall blocks external DNS, DoH, & DoT servers except for
dns.adguard-dns.com
, which I use on my phone.Pinhole+unbound
clients>pihole>unbound
Same. Although I really wish Pihole supported wildcard domains in local DNS. I haven’t quite figured out how to add wildcard domain with unbound.
It does, but you have to tinker a bit more than usual. Because pihole uses dnsmasq, you can modify the dnsmasq configuration file to allow for wildcard subdomains. Unfortunately, while this will be picked up by pihole, you can view or modify it through their Web interface, so it’s much less convenient.
If you use helm charts this is really easy!! The one I use from mojo exposes this in the helm chart / config.
Wait, is your unbound querying the root servers directly? Aren’t services that use cdn having their performance affected ?
Not that I’ve noticed
This!
I run 2 pihole containers on my k8s cluster. They serve up DNS to the rest of my network. This is extremely easy as I can just use helm to launch the pihole containers into two different namespaces using 2 different site specific files. Then I use teleport to keep them in sync when I change something, which is seldom. I run 2 because DNS is important and I like automated patching / reboots. This requires I have redundant services.
Client >> Pinole >> unbound but gonna take a look at Adguard now reading this thread.
I have a rather complex setup. I have a PiHole that is accessible over a VPN, but I only route DNS traffic over the VPN.
I stopped using pihole years ago because it didn’t support wildcards. Technitium DNS server is fantastic. The dev is super responsive and keeps things updated.
Another vote for Technitium DNS. I used PiHole then Adguard Home and Technitium is much better for me. I actually run two of them so I never have more than one down outside of power outages. One on my Pi and one on my server that runs my Docker containers for my other services.
Technitium
I do the same, just waiting for that cluster feature to come out!
Check this out. I’ve been using it with 3 nodes for years and it works perfectly.
https://github.com/TechnitiumSoftware/DnsServer/issues/231#issuecomment-783114395
Yep, that’s how I’m doing mine too, just the full sync would be nice. If I need to temporarily disable ad blocking for example, currently I have to login to both. It’s the best dns tool I’ve used though, after PiHole for years and then Adguard for a short period until I found this.
My biggest issue with pihole is that you can’t really sync between multiple servers natively. Does technetium support this?
I know others pointed to it a way to partly do this, but I wanted to just say that I don’t replicate mine on purpose at this point. The one running on my Pi updates automatically and the other one does not. That allows me to test new releases on one DNS without borking my whole setup. Then I update the other manually once I know the Pi is working fine.
I think that was the longest feature list I have ever seen! 😁This looks more complete then any of the other popular ones. Do you agree?
This guy DNSes.
AGH with upstream lookups over DoH, and adblock list from oisd.nl.
Split-brain topology to give internal IP in preference to public IPs for my selfhosted services, and selective routing of a defined set of domains to a geo-unblocking service so I can access things like BBC iplayer etc. from my home network.
Clients>Bind>pihole>unbound
CoreDNS as my central DNS manager in my home(lab).
Currently two nodes are running CoreDNS with the same config for resilence. I really hate long DNS chains, because if something breaks in between, DNS is out … wife and children scream … me unhappy.
Current setup with five zones:
- .fritz.box - resolved to the provider-supplied router which also manages my network printer
- .home - forwarded to my UDM which runs DHCP in my home
- .lab.home - zone file which define s a wildcard to resolve all requests to my Traefik reverse proxy
- .consul - forwarded to Consul service catalog for service discovery
- . - everything else (internet) is either forwarded to AdGuard Home (and then to Cloudflare DNS) if the AdGuard service is running. If not, forward directly to the UDM. Nomad + Consul are amazing for this kind of templating and dynamic re-configuration.
Works quite well for me :-)
deleted by creator
I was using two instances of Pihole, one on a Pi and one via WSL on my Win10 host. Unfortunately my Win10 host no longer works, it’s randomly stopped and I haven’t had the time to try and fix it. I’ve got backups of the config luckily, but to be honest if I can do a more friendly local install with Adguard I’m probably going to give that a go on windows instead. Never tried it but I’m willing to give it a shot if it means it’s not going to break. My Pi install has been bulletproof so far and kept my network running whilst my Windows install has been broken.
I use two Technitium DNS servers, the primary server runs in a container under Proxmox and the secondary as a failover on a Pi4. I only use Pihole for a handful of clients (mobile phone, FireTV etc.) these are assigned the DNS address from PiHole via DHCP, all other devices use the Technitium DNS directly. As internal domains I use the scheme “host.in.lan” and all devices (except servers) get their IP via DHCP (the Technitium DNS server also has this built in) and a DNS entry is automatically created for them via DDNS