I’ve just finished deploying my Pi-Hole setup for my homelab, which replaced the recursive function of a PowerDNS authoritative server (as of Pi-Hole’s deployment I upgraded the authoritative server to a more recent version that did not have recursion built-in). Question: does anyone here have any thoughts or experience with using a DNS backend for pi-hole that was not dnsmasq? (I’m initially looking at the PowerDNS standalone recursor, but will look at other options.) I already have an ISC DHCP server deployed elsewhere on the network with Glass Admin, so I don’t need the DHCP functionality.
One thing I noticed when connecting the pi-hole to my authoritative server is that it only supports one upstream per domain (at least as far as I could tell). Before pi-hole, I had 3 DNS servers: two authoritative (PowerDNS for the DNS/DHCP domain name and MS DNS Server for the Windows AD domain) and one secondary that cloned both the PowerDNS domain and the AD domain. The pdns auth also carried a secondary zone for the AD domain, and my DHCP server distributed the IPs of my pdns server and my secondary server as the nameservers. Both of these servers allowed recursion to 22.214.171.124, and the Windows DNS did not allow recursion. Basically, no one except the DNS servers knew Windows DNS existed.
Ideally, I’d like my recursive server to do this:
int.example.com: pdns-auth, dns-secondary
win.example.com: win-auth, dns-secondary
0.0.10.in-addr.arpa: pdns-auth, dns-secondary
When I tried this with dnsmasq by using two server directives per domain, I noticed that all queries were getting routed to my secondary. Since the secondary has a copy of all the needed zones, resolution speed is not an issue; however, the point of having a redundant authoritative server is lost if the recursive server will only query one of them. Separately, I will also be working on a synchronized second pi-hole node (because redundancy).
As a hobby programmer, I realize that this may not be a small feat as different recursors have very different control interfaces to dnsmasq. From my basic knowledge of the interaction between pi-hole and dnsmasq, the new interface would need to be able to change the config, acquire statistics for the API, and trigger a restart. On the good news side of the spectrum, I think at least pdns_recursor can be convinced to read the host file format that pi-hole already uses for dnsmasq.