this post was submitted on 13 Sep 2024
22 points (89.3% liked)

Selfhosted

40677 readers
393 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Howdy Everyone!

As I am setting up my infrastructure at home using docker I wanted to ask, is it better to have DNS, something like pi-hole, on my main docker swarm or would it be better to have it on a dedicated machine/docker host separate from the rest of my infrastructure?

Thanks for the input!

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 3 months ago* (last edited 3 months ago) (1 children)

I would say Pihole is a better choice than AdGuard home because PiHole just runs on top of dnsmasq. Throw Unbound on there too as your upstream recursive resolver and you’re set. You don’t even need to worry about an encrypted session to your upstream anymore because your upstream is now your loopback.

[–] [email protected] 2 points 3 months ago* (last edited 3 months ago) (1 children)

Throw Unbound on there too as your upstream recursive resolver

If you want to run your own recursive DNS server, why would you run two separate DNS servers?

You don’t even need to worry about an encrypted session to your upstream anymore because your upstream is now your loopback.

Your outbound queries will still be unencrypted, so your ISP can still log them and create an advertising profile based on them. One of the main points of DoH and DoT is to avoid that, so you'll want them to be encrypted at least until they leave your ISP's network.

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago) (2 children)

If you want to run your own recursive DNS server, why would you run two separate DNS servers?

I’m not sure I understand your question. A recursive DNS server and a local DNS cache/forwarder/are two different things with two different purposes. You will always need both. You yourself are using AdguardHome and that is just connecting to recursive DNS server upstream. In my scenario you’re just running both yourself instead of you running one and then letting a 3rd party run the other for you.

Your outbound queries will still be unencrypted, so your ISP can still log them and create an advertising profile based on them.

You can encrypt the recursive queries through your ISP if you want to. Though the effectiveness of any profiling your ISP would do to you are minimized by Qname minimization that Unbound does by default.

If you’re just using DoH then you’re just shifting who’s making that advertising profile on you from your ISP to whoever is hosting your upstream recursive DNS server. It doesn’t matter how much encryption you do because on the other end of that encrypted connection is the entity who you’re giving all your queries to.

[–] [email protected] -1 points 3 months ago* (last edited 3 months ago) (1 children)

A recursive DNS server and a local DNS cache/forwarder/are two different things with two different purposes. You will always need both.

Why do you need two separate ones though? Recursive DNS servers also cache responses. Usually the only reason you'd run a local forwarder/cache is if you're not running a local recursive server.

[–] [email protected] 2 points 3 months ago

For the same reason you’re running AdGuard and not just pointing all your devices at the recursive upstream.

You’re using AdGuard / Pihole as an ad sinkhole, not just to cache and forward DNS requests. Like if you really wanted to you could hack together something in Unbound to do that, but why would you do that when Pihole already exists? You have two things built for purpose.

[–] [email protected] -2 points 3 months ago (1 children)

No you don't need two: in fact I have only unbound setup to do everything with one piece of software.

Better or worse? No idea, but it works and its one less piece that might fail.

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago) (1 children)

I mean if you want to build something around Unbound to do ad blocking and set up a monitoring stack for metrics and all that jazz that’s great, more power to you. But you already have two things built for purpose, there’s no reason to go out of your way to do that. And I don’t think OP here is prepared to do all that.

[–] [email protected] 0 points 3 months ago (1 children)

All that? Well, I understand your point, but honestly I have more fun learning something new, and was really little work.

Anyway... Its an option too

[–] [email protected] 1 points 3 months ago* (last edited 3 months ago)

Getting all the functionality of Pihole into Unbound would be a good deal more than “a little work” lol. And for no real practical reason when all you’re trying to do is set up secure DNS with some ad blocking on your network. And this is coming from a professional who wouldn’t have to “learn” anything to do it. If it was really that little work, Pihole + Unbound wouldn’t be the go-to solutions for so many people.