Hi guys! So…I have a self-hosted DNS server. Initially I’d use pihole, with unbound, and the more or less basic blocklists. But from time to time things would start acting wonky. Sometimes a reboot would fix it. Sometimes…not really and I was really not sure what was going wrong, but it was clearly DNS. Changing the clients settings from my own server to something like 9.9.9.9 would immediately get it sorted out.
So I went with an adguard server. In the last few days I’ve started to notice weird behaviors. Today I’ve lost the Azure desktop I was connected, and it was very clearly looking like DNS. So I checked…and yup, 9.9.9.9 again would sort it all out. So…I’m not sure what’s going wrong. I’m selfhosting these on an LXC container in proxmox. Nothing else seems to have issues connecting, and I see almost no resources being used. Any ideas? Any other DNS server I might be able to try?
Thanks!
In my experience with unbound, it tends to return expired records in the hope that they are still valid, causing issues with services hosted in the cloud, where IP addresses rotate regularly. What I did was update the
serve-expired-ttlsetting in unbound’s configuration to 3 hours (down from the default 24h)Thanks. I think I might rebuild the pihole-unbound server and try again with this setting.
My 2c.
Changing “DNS” won’t fix it. There are two DNS: dnsmasq and unbound (and bind, ok). What else you use doesn’t matter (pihole, adguard, opnSense) at the end of the day it’s always them inside.
In my experience ISPs will block your direct DNS queries overtime, so it might be that. I set up my unbound as caching and forwarding, not as a pure resolver. This fixed all my issues with DNS self hosted. You can forward to 9.9.9.9 if you like it.
Another issue might be with your blocklists of course, your azure might have been temporary listed maybe.
Over time I ended up choosing a very lax blocklist setup due to this reason
In my experience ISPs will block your direct DNS queries overtime,
I have no idea what ISP you’re using, but that’s probably not true. Lots of devices have hard-coded DNS servers and nothing would work if ISPs stated blocking dns upstream queries.
Above some threshold, the one you will cross when filtering port 53 in your network and setup a custom full resolver, it can happen.
I experienced it, it seems they filter excess dns traffic from inside. Probably more a malware/anti spam measure than an actually DNS blocking.
Even if your ISP did have something in place to try and prevent abuse I find it unlikely it would trigger over normal traffic. Do you have a huge network/many hosts/exposed services?
Just a normal 4 people home, two teenagers tough. Enabling a DNS resolver indeed stop working after a few days while setting it up as forwarder to 1.1.1.1 or 8.8.8.8 or pick yours works just fine.
Maybe it’s something else, but when it happens, that’s the feel
Not trying to go down a rabbit hole, nor invade your teen’s privacy, but have you done any kind of packet inspection on what’s going out/in? Teens can surprise you with the kind of stuff they’re up to sometimes.
I’m not sure why your resolver started acting up but what you’re describing doesn’t sound like normal cause/effect. Four people on a residential connection, even if you throw in a ton of electronic devices and iot/crap that calls home constantly shouldn’t cause any kind of ISP engagement.
Not like it really matters, for 99.9% of people having a forwarder is easy and just fine and there isn’t good reason to troubleshoot it if there’s a working solution. I’m pretty privacy conscious and I don’t even think having my own forwarder is worth the hassle, I am just choosy about my upstream.
I use pihole with DNS over https (my ISP intercepts my non encrypted DNS queries) works great for me. Both in LXC and Raspberry pi.
What issue are you trying to solve?
Any other DNS server I might be able to try?
I use and warmly recommend Technitium DNS. Unlike most other solutions, it uses the root servers by default while still providing an ad blocker, DoH, DoQ etc. - and it does not even require any command-line kung-fu for that (except for the installation, which is one command).
I absolutely second Technitium as well. That thing is rock solid, can be used for basically everything, has blocking with a multitude of options and does provide a nice graphical GUI.
I have it running in a dual DNS setup (main server+a Zimablade nowadays) and that shit just works - it’s the container that has caused the least amount of problems in the last 3 years.
The API is fairly handy and quite easy - I have it integrated into HomeAssistant so I have a “Disable DNS Blocking” button in my “Network control” tab in the app.
The only downside is the fact that initially it can be quite overwhelming, especially if you are not an DNS guru and just did the step from AdGuard/PiHole - but soon you realise that you actually only need a few fields for basic operations.
I have it integrated into HomeAssistant so I have a “Disable DNS Blocking” button
I need that. I already have a bunch of physical buttons on my desk, which do things via Home Assistant, so that’d be an obvious one for me to add next.
Just saw that my way of doing this isn’t actually needed anymore, there is an integration now:
When I set up opnsense with unbound I switched on detailed logs, just for checking what’s going on and if course I forgot to turn it off, which resulted in horrible overall performance, in particular when the drive filled up and everything broke.
Just normal dnsmasq without fancy web-ui.
I use pfsense as my router os and run pfblockerng for my filter. Anytime I have some problem I can log in to the router and look at what is being blocked and if necessary whitelist the entry that is being blocked.
I also redirect all dns to my router at the firewall and block dns over https. This means that all dns no matter the settings on the client machine are redirected to the router. Its not fool proof but so far so good.
What’s the use-case for pihole and unbound together?
Aren’t they both DNS servers?
Pi-hole forwards the requests to another DNS server. Unbound can ask the root servers and go down the DNS chain.
Guess I’m not following, both still have to request from other (upstream) DNS servers, so what does unbound add?
Thanks!
Forwarding: just passes the DNS query to another DNS server (e.g. your ISP’s). Home routers use forwarding to pass DNS queries from your home network’s clients to your ISP’s DNS servers. For example, for foo.example.com, a forwarding DNS server would first check its cache (did it already ask this question before), and if the answer is not in its cache, it would ask its forwarder (your ISP’s DNS server) for the answer, which would respond with either a cached response, or would perform recursion until it figured out the answer.
Recursion: the DNS server receiving the query takes it upon itself to figure out the answer to that query by recursively querying authoritative DNS servers for that domain. For example, for foo.example.com, a recursor would first query the root servers for what DNS servers are responsible for the .com TLD, then it would ask those servers for example.com, then it would query the servers for example.com for foo.example.com, finally getting the answer to the original query.
Copy-pate from here.
Basically, it remove one middle man from the DNS resolving.
