Howdy Everyone!
As I am setting up my infrastructure at home using docker I wanted to ask, is it better to have DNS, something like pi-hole, on my main docker swarm or would it be better to have it on a dedicated machine/docker host separate from the rest of my infrastructure?
Thanks for the input!
AdGuard Home is a better choice than PiHole since it uses DNS-over-HTTPS by default. There’s also an app called AdGuardHome-Sync to sync settings between multiple instances.
I’d recommend running two DNS servers, and at least one of those separately from the rest of your infrastructure like on a Pi. That way, if you need to pull one of them offline, the internet still works.
I would say Pihole is a better choice than AdGuard home because PiHole just runs on top of dnsmasq. Throw Unbound on there too as your upstream recursive resolver and you’re set. You don’t even need to worry about an encrypted session to your upstream anymore because your upstream is now your loopback.
If you want to run your own recursive DNS server, why would you run two separate DNS servers?
Your outbound queries will still be unencrypted, so your ISP can still log them and create an advertising profile based on them. One of the main points of DoH and DoT is to avoid that, so you’ll want them to be encrypted at least until they leave your ISP’s network.
I’m not sure I understand your question. A recursive DNS server and a local DNS cache/forwarder/are two different things with two different purposes. You will always need both. You yourself are using AdguardHome and that is just connecting to recursive DNS server upstream. In my scenario you’re just running both yourself instead of you running one and then letting a 3rd party run the other for you.
You can encrypt the recursive queries through your ISP if you want to. Though the effectiveness of any profiling your ISP would do to you are minimized by Qname minimization that Unbound does by default.
If you’re just using DoH then you’re just shifting who’s making that advertising profile on you from your ISP to whoever is hosting your upstream recursive DNS server. It doesn’t matter how much encryption you do because on the other end of that encrypted connection is the entity who you’re giving all your queries to.
Why do you need two separate ones though? Recursive DNS servers also cache responses. Usually the only reason you’d run a local forwarder/cache is if you’re not running a local recursive server.
For the same reason you’re running AdGuard and not just pointing all your devices at the recursive upstream.
You’re using AdGuard / Pihole as an ad sinkhole, not just to cache and forward DNS requests. Like if you really wanted to you could hack together something in Unbound to do that, but why would you do that when Pihole already exists? You have two things built for purpose.
No you don’t need two: in fact I have only unbound setup to do everything with one piece of software.
Better or worse? No idea, but it works and its one less piece that might fail.
I mean if you want to build something around Unbound to do ad blocking and set up a monitoring stack for metrics and all that jazz that’s great, more power to you. But you already have two things built for purpose, there’s no reason to go out of your way to do that. And I don’t think OP here is prepared to do all that.
All that? Well, I understand your point, but honestly I have more fun learning something new, and was really little work.
Anyway… Its an option too
Getting all the functionality of Pihole into Unbound would be a good deal more than “a little work” lol. And for no real practical reason when all you’re trying to do is set up secure DNS with some ad blocking on your network. And this is coming from a professional who wouldn’t have to “learn” anything to do it. If it was really that little work, Pihole + Unbound wouldn’t be the go-to solutions for so many people.
You can accomplish the same with dnscrypt-proxy and Orbital Sync for Pi-Hole. You can also run a recursive DNS server using Unbound.
But why deal with separate software like dnscrypt-proxy when AdGuard Home has it built-in?
Why should I use a piece of software that’s controlled by a corporate entity in Russia?
Not sure what you mean by “controlled” given it’s open-source?
Open source projects still need a maintainer/owner. For example, Facebook “controls” react, Microsoft “controls” Visual Studio Code, and AdguardTeam “controls” AdGuardHome. There are several reasons to not trust a maintainer (eg, license changes, prioritizing or implementing undesired functionality and anti-features, converting to “open core”, abandoning the project, selling out to less trust worthy entities, etc.).
Per Adguard’s website, the legal entity behind the various AdGuard products is
ADGUARD SOFTWARE LIMITED
. A quick search on that company shows that there are 3 founders and they seem to have some ties to Russia. There is more information online about this, but whether this means they can be trusted or not is up to each potential user of one of the AdGuard products.