this post was submitted on 29 Nov 2023
4 points (83.3% liked)

Self-Hosted Main

So I've been a pihole user for a long, long time... but seeing the advancements in AdGuard Home and some of the nicer UI facets, I was interested in giving it a try. I also have an Active Directory domain that I need to manage as well.

So, prior to recently, I had routed all DNS requests through the AD DCs, and their upstream resolver was PiHole, and then Pihole routed to its internal install of cloudflared with DNS over HTTPS to the Cloudflare DNS services.

More recently, I changed my DNS services in DNS to point directly to pihole, managed my local dns records in pihole and then used conditional forwarding to my AD DCs for local DNS resolution. The biggest benefit I saw in this adjustment is that I can identify what hosts are making what requests.

More recently than that, I brought Adguard Home into the environment and am using it as a secondary DNS server. I ended up taking it out of the mix for the moment. My thought process was having one DNS server on each of my active VM hosts just in case.....but managing internal DNS records in adguard home is a bit of a pain in the ass, and there is no way to import in bulk.

So, the questions: 1) do you just use one or the other... pihole vs. adguard home... 2) do you use multiple DNS servers or just a single one upstream... 3) what's your preferred method of internal DNS management in conjunction w/ pihole/adguard home?

[–] [email protected] 1 points 9 months ago (1 children)

2 instances of Adguard Home (VM and Raspberry Pi with adguard sync) using DoH upstream servers (currently Cloudflare, Quad9, and Mullvad). Works like a champ, have not touched it in over a year.

[–] [email protected] 1 points 9 months ago

Came here to recommend AdGuard Sync. 👌

[–] [email protected] 1 points 9 months ago

I use Unbound as a DNS resolver and pfBlockerNG for ad blocking. My firewall blocks external DNS, DoH, & DoT servers except for dns.adguard-dns.com, which I use on my phone.

[–] [email protected] 1 points 9 months ago

I use NextDNS on occasion. I used to use pihole a while back during the “Covid years” but something it was blocking royally screwed up my kid’s Google Classroom submitted schoolwork, he was turning in empty assignments and we thought it was his fault but it wasn’t. Had to apologize to multiple schoolteachers and vowed never to use that piece of shit software again.

[–] [email protected] 1 points 9 months ago

I use AGH on both of my servers at home and sync them with adguardhome-sync.

They are the DHCP assigned DNS servers for everyone who lives with us and all the services I run.

[–] [email protected] 1 points 9 months ago (5 children)

I use Adguard. I dumped pi-hole a long time ago and never looked back.

[–] [email protected] 1 points 9 months ago (1 children)

ugh. this is my sign, but I'm not happy about it

[–] [email protected] 1 points 9 months ago

If one rando/shill says something sucks you bail out? Hmm.

[–] [email protected] 1 points 9 months ago (2 children)

What made you move away from Pi-Hole?

[–] [email protected] 1 points 9 months ago

Also dumped Pi-hole & moved to AGH over a year now. It's easier to set up. Encrypted DNS (DoT, DoH, DoQ, etc.) supported with no added install. On Pi-hole I have to install Cloudflared for DoH. AGH also has a large number of blocklists to choose from on the DNS blocklists setting. You don't have to Google search for it like that of Pi-hole. Adding a blocklist is as simple as clicking on the check box & checking for updates. On Pi-hole you have to go through a couple of steps (GUI > Tools > Update Gravity). AGH software update also is very simple. An update notice will show up on top if there's a new update & you just need to click it to update. On Pi-hole you have to log in via SSH & issue a pihole -up command to update.

[–] [email protected] 1 points 9 months ago

I moved away from pihole because every time I had a fiddle, I brought down the DNS of my whole house, resulting in lots of stressed children :) The solution I switched to is against the ethos of this sub, but it's good and worth the cost.

[–] [email protected] 1 points 9 months ago

What was your reasoning for dumping pi-hole?

[–] [email protected] 1 points 9 months ago

I get it...it's awesome. Just took a second to wrap my head around some of the nuances that I needed for my environment. But hellz yea, works great. I wish the dashboard had automatic ajax refreshing though.

[–] [email protected] 1 points 9 months ago

I dumped Pi-hole for Adguard and two technitium dns servers. Personally, I found /r/pihole community toxic. Adguard is also way easier to back up and replicate since the config file is a single yaml file.

[–] [email protected] 1 points 9 months ago

Straight into Pihole with Cloudflare upstream

[–] [email protected] 1 points 9 months ago

Adguard Home with Unbound. And Unbound uses root.hints file to resolve

Edit: I use Hagezi Pro and oisd.nl as blocklists as they are very well maintained

[–] [email protected] 1 points 9 months ago (2 children)

Same. Although I really wish Pihole supported wildcard domains in local DNS. I haven't quite figured out how to add a wildcard domain with unbound.

[–] [email protected] 1 points 9 months ago

It does, but you have to tinker a bit more than usual. Because pihole uses dnsmasq, you can modify the dnsmasq configuration file to allow for wildcard subdomains. Unfortunately, while this will be picked up by pihole, you can view or modify it through their Web interface, so it's much less convenient.
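The two pain points raised in this thread, the OP's lack of a bulk import for local records in AdGuard Home and the dnsmasq wildcard trick for Pi-hole described just above, can be bridged with a small converter. The script below is an added example, not code from Pi-hole, dnsmasq or AdGuard Home. It reads Pi-hole's hosts-style `custom.list` lines and dnsmasq `address=/zone/ip` wildcard lines and emits rules that AdGuard Home accepts in its custom filtering rules: plain hosts syntax for exact names, and `||zone^$dnsrewrite=IP` for wildcards (the `||` prefix matches the zone and every name under it, which is what dnsmasq `address=` does). The sample input is constructed; the names and addresses are not from any real network.

```python
"""Convert Pi-hole / dnsmasq local DNS records into AdGuard Home custom rules."""
import ipaddress
import re

# Constructed sample input mixing the two formats Pi-hole keeps locally:
# hosts-style lines (as in Pi-hole 5's /etc/pihole/custom.list) and dnsmasq
# address= wildcard lines (as dropped into /etc/dnsmasq.d/). Not a real network.
SAMPLE_INPUT = """\
# Pi-hole custom.list
10.0.0.10 dc1.corp.example
10.0.0.11 dc2.corp.example
fd00::10 dc1.corp.example
# dnsmasq wildcard: everything under lab.example goes to the reverse proxy
address=/lab.example/10.0.0.5
address=/.lab.example/10.0.0.5
bogus line without an address
"""

HOSTS_RE = re.compile(r"^(\S+)\s+(\S+)$")              # "IP name"
DNSMASQ_RE = re.compile(r"^address=/\.?([^/]+)/(\S+)$")  # "address=/zone/IP"
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_name(name):
    """Basic hostname syntax check: label length, charset, no edge hyphens."""
    name = name.rstrip(".")
    return 0 < len(name) <= 253 and all(LABEL_RE.match(l) for l in name.split("."))


def parse_line(line):
    """Return (name, ip, is_wildcard) or None for comments, blanks and junk."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = DNSMASQ_RE.match(line)
    if m:
        name, ip, wildcard = m.group(1), m.group(2), True
    else:
        m = HOSTS_RE.match(line)
        if not m:
            return None
        ip, name, wildcard = m.group(1), m.group(2), False
    try:
        ipaddress.ip_address(ip)  # rejects things like 300.1.1.1
    except ValueError:
        return None
    if not valid_name(name):
        return None
    return name.lower().rstrip("."), ip, wildcard


def to_agh_rules(text):
    """Emit AdGuard Home rules, de-duplicated, in input order.

    Exact names stay in hosts syntax; wildcard zones become ||zone^$dnsrewrite=IP.
    """
    rules, seen = [], set()
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        name, ip, wildcard = parsed
        rule = f"||{name}^$dnsrewrite={ip}" if wildcard else f"{ip} {name}"
        if rule not in seen:
            seen.add(rule)
            rules.append(rule)
    return rules


if __name__ == "__main__":
    print("\n".join(to_agh_rules(SAMPLE_INPUT)))
```

Paste the output into AdGuard Home's custom filtering rules (or feed it from a file on a cron job after editing `custom.list`). Two things to watch: lines that fail the IP or hostname check are silently dropped, so diff the output against the input before relying on it, and a `||zone^$dnsrewrite` rule overrides every name under that zone, including ones you listed individually, so keep wildcard zones disjoint from your exact records.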

[–] [email protected] 1 points 9 months ago (1 children)

Wait, is your unbound querying the root servers directly? Aren't services that use a CDN having their performance affected?

[–] [email protected] 1 points 9 months ago

Not that I've noticed

[–] [email protected] 1 points 9 months ago

I have a rather complex setup. I have a PiHole that is accessible over a VPN, but I only route DNS traffic over the VPN.

[–] [email protected] 1 points 9 months ago (3 children)

I stopped using pihole years ago because it didn’t support wildcards. Technitium DNS server is fantastic. The dev is super responsive and keeps things updated.

[–] [email protected] 1 points 9 months ago

I think that was the longest feature list I have ever seen! 😁 This looks more complete than any of the other popular ones. Do you agree?

[–] [email protected] 1 points 9 months ago (2 children)

Another vote for Technitium DNS. I used PiHole then Adguard Home and Technitium is much better for me. I actually run two of them so I never have more than one down outside of power outages. One on my Pi and one on my server that runs my Docker containers for my other services.

[–] [email protected] 1 points 9 months ago (1 children)

Technitium

I do the same, just waiting for that cluster feature to come out!

[–] [email protected] 1 points 9 months ago (1 children)

Check this out. I’ve been using it with 3 nodes for years and it works perfectly.

https://github.com/TechnitiumSoftware/DnsServer/issues/231#issuecomment-783114395

[–] [email protected] 1 points 9 months ago (1 children)

My biggest issue with pihole is that you can't really sync between multiple servers natively. Does Technitium support this?

[–] [email protected] 1 points 9 months ago

This guy DNSes.

[–] [email protected] 1 points 9 months ago

Client >> Pihole >> unbound, but gonna take a look at Adguard now after reading this thread.

[–] [email protected] 1 points 9 months ago

AGH with upstream lookups over DoH, and adblock list from oisd.nl.

Split-brain topology to give internal IP in preference to public IPs for my selfhosted services, and selective routing of a defined set of domains to a geo-unblocking service so I can access things like BBC iplayer etc. from my home network.

[–] [email protected] 1 points 9 months ago

Clients>Bind>pihole>unbound

[–] [email protected] 1 points 9 months ago

I use nextdns as I can use that when mobile but if you want a local solution adguard home has DOH/DOT built in and a nicer interface than pihole IMHO

[–] [email protected] 1 points 9 months ago

CoreDNS as my central DNS manager in my home(lab).

Currently two nodes are running CoreDNS with the same config for resilience. I really hate long DNS chains, because if something breaks in between, DNS is out ... wife and children scream ... me unhappy.

Current setup with five zones:

- .fritz.box - resolved to the provider-supplied router which also manages my network printer
- .home - forwarded to my UDM which runs DHCP in my home
- .lab.home - zone file which defines a wildcard to resolve all requests to my Traefik reverse proxy
- .consul - forwarded to Consul service catalog for service discovery
- . - everything else (internet) is forwarded to AdGuard Home (and then to Cloudflare DNS) if the AdGuard service is running. If not, forward directly to the UDM. Nomad + Consul are amazing for this kind of templating and dynamic re-configuration.

Works quite well for me :-)
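The subtle part of a multi-zone layout like the one above is that zone selection has to be longest-suffix first (`lab.home` must win over `home`, and both over the catch-all `.`), and the catch-all needs an ordered fallback so DNS keeps working when AdGuard Home is down. CoreDNS gets that ordering from its per-zone server blocks; the snippet below is an added example, not the commenter's Corefile, that models the same selection logic in Python so the behaviour can be checked in isolation. The zone table and the upstream addresses are constructed placeholders (RFC 5737 addresses), and the `healthy` callback stands in for whatever health check Nomad/Consul templating would use.

```python
"""Longest-suffix zone selection with ordered fallback upstreams (model of the
five-zone CoreDNS layout; constructed example, not a real configuration)."""

# Constructed zone table. Keys are zones without the leading dot; values are
# upstreams in preference order. "zonefile" marks a zone served locally.
ZONES = {
    "fritz.box": ["192.0.2.1:53"],               # provider router
    "home": ["192.0.2.2:53"],                    # UDM, also runs DHCP
    "lab.home": ["zonefile"],                    # wildcard -> reverse proxy
    "consul": ["192.0.2.3:8600"],                # Consul DNS interface
    ".": ["192.0.2.4:53", "192.0.2.2:53"],       # AdGuard Home, then UDM
}


def normalize(qname):
    """Lower-case and strip the trailing root dot so 'A.Home.' == 'a.home'."""
    return qname.lower().rstrip(".")


def match_zone(qname, zones=ZONES):
    """Return the most specific zone containing qname, falling back to '.'.

    Walks from the full name towards the TLD, so for traefik.lab.home the
    candidates are traefik.lab.home, lab.home, home and lab.home is chosen
    before the broader home zone.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return "."


def pick_upstream(qname, healthy, zones=ZONES):
    """Select the first upstream of qname's zone that `healthy` reports as up.

    `healthy(upstream) -> bool` is the caller's health check; raising when no
    upstream is usable makes an outage visible instead of silently SERVFAILing.
    """
    zone = match_zone(qname, zones)
    for upstream in zones[zone]:
        if healthy(upstream):
            return zone, upstream
    raise LookupError(f"no healthy upstream for zone {zone!r}")


if __name__ == "__main__":
    adguard_down = lambda u: u != "192.0.2.4:53"
    for name in ("printer.fritz.box", "nas.home", "traefik.lab.home", "web.service.consul", "example.org"):
        print(name, "->", pick_upstream(name, adguard_down))
```

If you port this back to CoreDNS, the equivalent check is to query each node for one name per zone (plus one external name) from a host on the LAN and confirm the answering upstream, because a mis-ordered or missing zone block fails quietly as a slow or wrong answer rather than an error.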

[–] [email protected] 1 points 9 months ago

I use two Technitium DNS servers; the primary server runs in a container under Proxmox and the secondary as a failover on a Pi4. I only use Pihole for a handful of clients (mobile phone, FireTV etc.); these are assigned the DNS address from PiHole via DHCP, all other devices use the Technitium DNS directly. As internal domains I use the scheme "host.in.lan" and all devices (except servers) get their IP via DHCP (the Technitium DNS server also has this built in) and a DNS entry is automatically created for them via DDNS.

[–] [email protected] 1 points 9 months ago

I was using two instances of Pihole, one on a Pi and one via WSL on my Win10 host. Unfortunately my Win10 host no longer works, it’s randomly stopped and I haven’t had the time to try and fix it. I’ve got backups of the config luckily, but to be honest if I can do a more friendly local install with Adguard I’m probably going to give that a go on windows instead. Never tried it but I’m willing to give it a shot if it means it’s not going to break. My Pi install has been bulletproof so far and kept my network running whilst my Windows install has been broken.

[–] [email protected] 1 points 9 months ago

Clients --> Windows Server 2022 DNS --> Pihole --> Internet

[–] [email protected] 1 points 9 months ago

Clients (LAN or VPN) -> PiHole -> DNScrypt-proxy. All hosted on a RPi3 B+. So all my DNS requests are passing through my ISP encrypted.

[–] [email protected] 1 points 9 months ago

Dual unbound servers running unbound-adblock in recursive mode with DNSSEC on, with a stub zone for my internal domain (*.lan) pointed at the dnsmasq server that handles DHCP and local DNS.

I wanted DNS redundancy so at least "the Internet" would work if I was rebooting something, which the stub zone handles very well.

Dnsmasq is set to no upstreams, and authoritative for the domain. This gives me ddns for clients as well.

I did look into kea for DHCP and nsd for local DNS, but kea wasn't really ready to handle dual stack clients with the ddns updates. It was neat that you can run kea in a proper redundant config. Not sure I'd have been able to get the ddns updates to dual nsd servers working without a hidden primary, leaving me with a single point failure.

[–] [email protected] 1 points 9 months ago

I have two piholes set up as full recursive DNS servers (unbound). DHCP is handled by TP-Link Omada and the piholes are the two DNS servers. The top of the DNS chain is Cloudflare 1.1.1.1.

[–] [email protected] 1 points 9 months ago

I use technitium as the primary server, with a pair of backup servers running bind9.

The backup servers do zone-transfers from the primary.

[–] [email protected] 1 points 9 months ago

for my home network, i use adguard in combination with my opnsense for dns. upstreams, if it needs to leave my network, are the usual suspects: google, cloudflare, and quad9 - selected based on performance

for my servers/domains i used to just be a regular BIND user, editing the zonefiles manually when needed.... but i have since switched my dns over to cloudflare because "easy and no maintenance"

(i might be one of the weird ducks in this sub: i still do my mailserver myself, but outsourced my dns to cloudflare...)

though, to be honest, there are quite a few additional reasons i did the cloudflare move:

  • the use of their cdn
  • hiding the actual server IPs
  • using their zero trust

[–] [email protected] 1 points 9 months ago

Clients -> dnsmasq -> PiHole -> Unbound

[–] [email protected] 1 points 9 months ago

If you have Active Directory why not just use its DNS server?

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago)

I've been using PiHole for years but just switched to NextDNS. Mainly because I use DNS to filter adult sites for my kids. NextDNS works regardless of the network they are on. I used to block YouTube etc. at night but if we're on holiday they get no filter.

I switched to AdGuard (at home) now as I can configure DNS over TLS for devices that only support regular DNS. So for example my kids' TV talks to AdGuard and then AdGuard looks at the MAC address and sends it down a specific DNS over TLS address. So that TV gets the filters of my kids' NextDNS profile.

[–] [email protected] 1 points 9 months ago

Adguardhome + Opnsense

[–] [email protected] 1 points 9 months ago

I run 2 pihole containers on my k8s cluster. They serve up DNS to the rest of my network. This is extremely easy as I can just use helm to launch the pihole containers into two different namespaces using 2 different site specific files. Then I use teleport to keep them in sync when I change something, which is seldom. I run 2 because DNS is important and I like automated patching / reboots. This requires I have redundant services.
