Just added Unbound - a few questions

I have two instances of Pi-hole running on my home LAN: one on a Raspberry Pi 3B and another on my Ubuntu server (running on a NUC). I am a long-time user of Pi-hole, but I have only recently installed Unbound on both Pi-hole setups (I took backups first).

I believe it's running correctly; however, as a novice user, I am not entirely sure.

A brief overview of the rest of my system: I have Synology equipment around the house, specifically a Vigor 130 ADSL/VDSL modem connected to a Synology RT2600ac router. Additionally, I have another RT2600ac and a 2200 unit running a mesh Wi-Fi network. My network and Pis are connected via Ethernet.

In the Synology 'Router Network Center', I 'Manually Configure DNS Server' and set the 'Preferred DNS Server' to the IP of my RPi 3B and the 'Alternate DNS Server' to the IP of my Ubuntu server (I think this relates specifically to the router DNS, and I have previously had this set to Cloudflare). Staying in the 'Network Center', then 'Local Network', then 'Primary LAN', I set the 'Primary DNS' to the IP of my RPi 3B and the 'Secondary DNS' to the Ubuntu server IP. I also set 'Forward known DNS server', as I think this allows me to identify various kit connected to the LAN.

After installing Unbound, I used the 'Test Validation' feature. The first test resulted in a 'Connection timed out; no servers could be reached' message. Although it did not specifically say 'SERVFAIL', I am unsure if this indicates an issue. The second test returned a 'NOERROR' status, which seems correct to me. I also updated the IP range to my own LAN in the pi-hole.conf file as part of the install.

Using www.dnsleaktest.com, I see a single server with an IP assigned to me by my ISP and a long hostname that I don't recognize. It also correctly identifies my location to the nearest town. I understand that my ISP can still see my traffic, similar to if I were using Cloudflare, but my traffic is more spread out rather than directed to a specific DNS provider. Is this result and my assumption correct?

Regarding the Pi-hole on the Raspberry Pi 3B, I initially saw a large increase in traffic from the router IP, which has now settled somewhat. The alternate Pi-hole install on my Ubuntu server has seen a massive increase in traffic, currently at 82k queries, while the Raspberry Pi 3B is at 38k. Does this sound correct?

In summary, does the installation sound correct? Why is there a large increase in traffic to the Pi-holes, especially to the alternate one?

These appear to be the "WAN DNS servers" which the router will send its queries to. Its queries will either be from the router OS itself or queries sent to the router by clients on the network which are using the router for their DNS.

The better approach is to leave these configured as external DNS servers, for example they were set to Cloudflare, and have clients use the Pi-holes for their DNS instead. You can use SRM's firewall to block DNS from everything except the Pi-holes, and it may be possible to have the firewall redirect such traffic to the Pi-holes.

It's considered a better approach because it avoids accidental blocking of SRM OS traffic, prevents Pi-holes from seeing streams of requests from the router which may be direct or via clients using the router, and it avoids accidentally closing a DNS loop where you have circular references. It also avoids the router sending too much DNS traffic and finding itself rate-limited by Pi-hole.

This looks like the correct place to do this, as part of the DHCP settings. This is the router's DHCP server telling clients to use the Pi-holes for DNS.

I think the guide is unclear on this setting. It says:

Forward known DNS server: Tick this option to send the information of a known DNS server to client devices. If you tick this option and specify servers in the Primary DNS or Secondary DNS fields, the client devices will choose one of the following to be its DNS server: the primary DNS, the secondary DNS, and the Synology Router's DNS server (WAN).

That sounds useful. But what happens if it's not ticked? Presumably it still gives clients the DNS servers you've configured in the DHCP section above? Ideally you want it to NOT give out the router's own WAN DNS server, so perhaps leaving it unticked prevents just that from happening. It doesn't say. If the WAN DNS server is always handed out, then perhaps setting Pi-hole as the WAN DNS is a better option after all, but you'd have to be careful to avoid the pitfalls, and you can expect a possible uptick in DNS traffic showing in Pi-hole, with no clear vision on where it's coming from (apart from the domains themselves possibly giving clues).

That sounds normal, I get mixed results using the tests mentioned, with that first test just mostly failing to respond.

Can you clarify exactly what you mean by this? Did you edit the IPs in this section?

# Ensure privacy of local IP ranges

If so, that is a mistake and that section should be returned to exactly as it's shown on the docs page, as they are already correct definitions of local ranges.

That's good, that means that only Unbound is making queries off your home network, which is what you want to see. It shows your ISP-assigned IP because that is how queries from your home network look to the outside world – they only see your single ISP-assigned "WAN IP".

Yes all that is correct. See the worked example on the docs page.

It certainly sounds explainable by the above settings. Now all DNS traffic leaving your network is going via the Pi-holes, either direct from clients or via the router. Traffic from clients using the router, plus the router's own DNS traffic, will all appear to come from the router, so you can expect that to appear busier than individual clients. And using that forwarding option means clients are being given one of the Pi-holes or the router to use for their DNS. This split could easily have ended up with the NUC being used more and so that's the busier device.
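For the 'Test Validation' step discussed above, this is an added check (not from the thread or the Pi-hole project) that runs both queries from the Pi-hole Unbound guide against the local resolver and turns the two statuses into a verdict; it assumes Unbound listens on 127.0.0.1:5335 as in that guide, and treats a timeout ("no servers could be reached") on the deliberately broken domain as an acceptable non-answer, matching what was observed in the thread.

```shell
#!/bin/sh
# Added example: verify Unbound's DNSSEC validation the way the Pi-hole
# docs' "Test Validation" step does. Assumes Unbound on 127.0.0.1:5335.
UNBOUND_IP="${UNBOUND_IP:-127.0.0.1}"
UNBOUND_PORT="${UNBOUND_PORT:-5335}"

# Pull the "status:" value out of raw dig output; print TIMEOUT when dig
# got no answer at all (the "no servers could be reached" case).
dig_status() {
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    if [ -z "$status" ]; then
        echo TIMEOUT
    else
        echo "$status"
    fi
}

# $1 = status for the deliberately broken domain (fail01.dnssec.works)
# $2 = status for the correctly signed domain (dnssec.works)
# Validation is working only if the broken domain is NOT answered NOERROR
# (SERVFAIL is the documented result; a timeout is also a non-answer) and
# the good domain IS answered NOERROR.
dnssec_verdict() {
    if [ "$1" = "NOERROR" ]; then
        echo "NOT VALIDATING: bogus signature was accepted"
        return 1
    fi
    if [ "$2" != "NOERROR" ]; then
        echo "BROKEN: signed domain returned $2"
        return 2
    fi
    echo "OK: bogus domain $1, signed domain $2"
    return 0
}

# Run both queries against the local Unbound (needs internet access).
run_validation_check() {
    bad=$(dig fail01.dnssec.works @"$UNBOUND_IP" -p "$UNBOUND_PORT" +time=5 +tries=1 2>&1)
    good=$(dig dnssec.works @"$UNBOUND_IP" -p "$UNBOUND_PORT" +time=5 +tries=1 2>&1)
    dnssec_verdict "$(dig_status "$bad")" "$(dig_status "$good")"
}

if [ "${1:-}" = "--run" ]; then
    run_validation_check
fi
```

Run it with `--run` on the Pi-hole host; any verdict other than "OK" means the Unbound install should be rechecked before pointing clients at it.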

Firstly, thank you @chrislph for such a detailed reply.

As soon as I switch the IP of the preferred DNS from the Pi-hole IP to a DNS provider (I just used Quad9 as a test), the results from dnsleaktest.com show 2-6 servers found, with the ISP reported as WoodyNet.

As I say above, I lose this if I change the preferred DNS server.

I have unticked, and will report back.

I have switched back to the default, thank you for letting me know.

I have continued to adjust my system and still have a few questions.

Installed second instance of Pi-hole. One of the first things I have done is to remove Pi-hole from my Ubuntu server, and I then installed it on a spare RPi 4. I used the backup facility, but I had to reinstall Unbound. So, I now have two RPis running Pi-hole and Unbound, one acting as my 'Primary DNS' and one as my 'Secondary DNS' on my Synology router.

Remove resolvconf.conf. I also went back and checked whether the resolvconf.conf entry for Unbound was active. It was active on the RPi 3B Pi-hole but not on the RPi 4; anyway, it's disabled on both now.

DNS over HTTPS via Cloudflare. I am still confused by this setting on my router and whether to use it or not. Overnight I left the option checked for DNS over HTTPS via Cloudflare. I still had my Pi-hole as my primary DNS, but I expected it not to be used. However, looking at the Pi-hole this morning, it was still receiving traffic and DNS over HTTPS was also working. Reading around, if I set my primary DNS to my Pi-hole in my primary network and then enable DNS over HTTPS too, it appears that the Pi-hole handles local requests and then forwards them using DNS over HTTPS; does that sound correct? When I check, browserleaks.com/dns shows only entries from Cloudflare, 39 of them; however, on the dnsleaktest.com Extended Test, I see six entries from Cloudflare and four from my local ISP. Should DNS over HTTPS via Cloudflare be used or not?

Using Pi-hole across local networks. In my home network, I have a primary network, a guest network, and an IoT network, and I wanted all three to be able to access the Pi-holes, where to date only the primary network has been able to do this. So, I have just added a new rule to my router firewall, allowing my guest network primary IP to the Pi-hole IP on my primary network. However, I have not managed to get this to work. Is this possible?

Just coming back to this after a week or so. Both Pis seem to be working well.

Do any Synology users have an idea whether to use DNS over HTTPS via Cloudflare on the router? I also see you can run DNS over HTTPS on Unbound; should this be considered?