Please follow the below template, it will help us to help you!
Expected Behaviour:
Old setup: Pi-hole on RPi with Quad9 as upstream provider | Everything working fine
New setup: Pi-hole on RPi with NextDNS as upstream provider (using Stubby)
Pi-hole v5.7 FTL v5.12.1 Web Interface v5.9
Actual Behaviour:
Earlier with Quad9, Pi-hole used to show me all DNS query logs, but with NextDNS as upstream and DNS over TLS enabled, Pi-hole is showing only one query all over the logs, something like this 100s of times:
AAAA xbdbq829cvj-CONFIG_ID.test.nextdns.io
I wanted to achieve something like this:
Pihole should show me logs of queries received from local clients in the network and block ads / malware. The unblocked clients should get passed over to NextDNS and show in its logs.
Currently with this setup, Pi-hole makes a DNS over TLS connection to NextDNS and is passing all queries through it, hence not blocking anything.
Tried the IPv4 linked IP option of NextDNS (worked, but was prone to stop when my ISP changed IP).
Activated Stubby again to replicate the steps that you sent me for logs (this time it magically worked).
I guess all that was needed was a service restart of Pi + Stubby (not sure though).
How the traffic flows now:
my device > Router > Pi-hole (dnsmasq) > local forward to Stubby port > sent over to NextDNS over DoT port 853
Just to mention how effective Pi-hole is:
With 6 different adlists added, Pi-hole is blocking 48% of all domains that are being browsed on my small network of 10 clients.
NextDNS blocks 4% of the total queries which get forwarded from Pi-hole (some advanced lists added there for vendor-specific analytics / parked domains / domains registered less than a month ago etc.).
Pi-hole is giving 0.2 ms latency for cached queries / gravity list / denylist.
NextDNS resolves domains between 200 ms to 900 ms (because sometimes the closest DNS server is not picked - this is a known nuisance and NextDNS offers diagnostic support to get this resolved)
Apart from the Pi purchase and the minimal cost of electricity, Pi-hole works like a charm and is sufficient for normal to above-average requirements; the cost of using NextDNS is also low. Both are neck and neck here.
I am pleasantly surprised by the kind of quick technical support offered by the Pi-hole community and moderators. I am considering supporting the project now after months of usage.
I understand that Pi-hole can't offer DoT support without a good rewrite of the code, so this is not being considered as of now (it would have been excellent to have). Although I am happy with how scalable and feature-rich the product is in its current state.
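The symptom in the first post (the only thing in the Pi-hole query log being the repeated `AAAA ...test.nextdns.io` lookup) is easy to spot from the raw dnsmasq log rather than the web UI. The script below is an added example, not code from this thread or from the Pi-hole project: it parses `query[...]` lines in the dnsmasq log format Pi-hole writes, counts how many queries come from real LAN clients versus how many are the NextDNS test-domain probe, and returns a short verdict. The sample log lines are constructed, the `CONFIG_ID` value is a placeholder, and the assumption that the probe queries originate from `127.0.0.1` is mine for the sake of the example.

```python
import re
from collections import Counter

# Matches the dnsmasq query line Pi-hole writes to its log, e.g.
# "Mar 10 12:00:01 dnsmasq[1234]: query[A] example.com from 192.168.1.20"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")

# The NextDNS connectivity-test name seen repeated in the thread; treated as a resolver
# self-check rather than a client browsing query.
PROBE_SUFFIX = ".test.nextdns.io"

# Queries from the Pi itself (assumed origin of the probe in this example) are not LAN clients.
LOCAL_CLIENTS = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: the broken state, only the probe is ever logged.
SYMPTOM_LOG = """\
Mar 10 12:00:01 dnsmasq[1234]: query[AAAA] abc123-CONFIG_ID.test.nextdns.io from 127.0.0.1
Mar 10 12:00:02 dnsmasq[1234]: query[AAAA] abc123-CONFIG_ID.test.nextdns.io from 127.0.0.1
Mar 10 12:00:03 dnsmasq[1234]: query[AAAA] abc123-CONFIG_ID.test.nextdns.io from 127.0.0.1
"""

# Constructed sample: the working state, LAN clients are reaching Pi-hole.
HEALTHY_LOG = """\
Mar 10 12:00:01 dnsmasq[1234]: query[AAAA] abc123-CONFIG_ID.test.nextdns.io from 127.0.0.1
Mar 10 12:00:02 dnsmasq[1234]: query[A] example.com from 192.168.1.20
Mar 10 12:00:02 dnsmasq[1234]: forwarded example.com to 127.0.0.1#5053
Mar 10 12:00:03 dnsmasq[1234]: query[A] ads.example.net from 192.168.1.21
Mar 10 12:00:03 dnsmasq[1234]: gravity blocked ads.example.net is 0.0.0.0
Mar 10 12:00:04 dnsmasq[1234]: query[HTTPS] example.org from 192.168.1.20
"""


def parse_queries(log_text):
    """Yield (qtype, name, client) for each query line; forwarded/reply/blocked lines are skipped."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("qtype"), m.group("name").lower(), m.group("client")


def summarize(log_text):
    """Count total queries, probe queries, and queries per non-local client."""
    total = 0
    probe = 0
    lan_clients = Counter()
    for _qtype, name, client in parse_queries(log_text):
        total += 1
        if name.endswith(PROBE_SUFFIX):
            probe += 1
        if client not in LOCAL_CLIENTS:
            lan_clients[client] += 1
    return {"total": total, "probe": probe, "lan_clients": lan_clients}


def diagnose(summary, probe_threshold=0.9):
    """Return a verdict string; 'no-lan-clients' is the state described in the first post."""
    if summary["total"] == 0:
        return "no-queries"
    if not summary["lan_clients"]:
        return "no-lan-clients"      # nothing on the LAN is sending its DNS to Pi-hole
    if summary["probe"] / summary["total"] >= probe_threshold:
        return "mostly-probe"        # some clients arrive, but the log is still dominated by the probe
    return "ok"


if __name__ == "__main__":
    for label, text in (("symptom", SYMPTOM_LOG), ("healthy", HEALTHY_LOG)):
        s = summarize(text)
        print(label, diagnose(s), dict(s["lan_clients"]))
```

On a live install, replace the constructed strings with the contents of Pi-hole's dnsmasq log; a `no-lan-clients` verdict means the clients are resolving somewhere other than Pi-hole (router DNS, a device-level DoT profile, or a changed DHCP option), which is why nothing gets blocked, rather than a problem with the Stubby forward itself.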
You could write a script to take NextDNS blocklists + individual additions and then put them in Pi-hole.
This would mean you have a local recursive DNS resolver instead of having to go out to NextDNS (you would only go out to the root servers if it's not stored).
My understanding is you would have your Pi-hole cache and the unbound cache. I'm sure more advanced users could advise on whether the cache size needs changing for larger networks.
It goes to whichever name servers are needed to resolve the domain name to an IP. Or do I not understand your question? What is it you want to change about how unbound does recursion?
Not yet, I wanted a DNS over TLS solution that can be plugged in easily. NextDNS also serves my purpose in the sense that I can use it later on my devices individually when I am away from the Pi-hole network.
If I used PiVPN for outside needs, I would lose the VPN slot on my phone, hence I opted for NextDNS.