I’m running 2 Pi-Holes (one in a VM on a pretty beefy box over gigabit Ethernet, the other on a Pi Zero W over wifi) on a home network that serves a variety of Windows 10, Windows 7, Ubuntu, Android, iOS, and Chromebook devices.They are configured similarly and use the same blocklists. [EDIT: To clarify, they are configured in parallel, not “stacked” - they are both configured to use the same two upstream servers (OpenDNS).]
The VM is obviously faster, and ends up carrying the bulk of the load; over a 24-hour period the VM serves about 3 times as many queries as the Pi does. That makes sense. The interesting thing is that the VM blocks queries at a rate about 10 times that of the Pi - right now, the VM is showing that it’s blocked 33% of the queries in the past 24 hours, whereas the Pi has blocked only 3%. This is true even if you look at only a single client - for example, if you look at the machine that typically gets the most use (a Windows 10 laptop) the VM is currently showing that over the past 24 hours it has blocked 3049 out of 14,204 requests for that client (a 21% block rate) whereas the Pi, looking at data from the same client, shows it has blocked only 66 of 6311 queries (a block rate of just over a 1%).
There’s no obvious indication that the Pi is letting through queries that it should be blocking, and in fact if I shut down the VM and let the Pi handle the whole load, the Pi’s block rate goes way up. Rather, it appears that the clients are making fundamentally different requests from the different DNS servers, when they have a choice.
I know it’s pretty much up to the OS to decide which DNS server to query when multiple ones are configured, but I’m at a loss to explain this dramatic difference. Any thoughts on what could be driving this behavior?