Primary vs. Secondary DNS

Hi,

small question:

I have set OpenDNS as primary DNS and Google (8.8.4.4.) as the secondary one in PiHole. I always thought that the secondary DNS is a fall-back solution; only used in case the primary DNS fails. However, looking at the admin page it seems that the Pi is simply using both at the same time. The primary DNS gets about 60% of the queries and the other 40% go to the secondary one. Why is this?

Now I'm wondering if my Router, which has a secondary DNS set in case my Pi goes down, will also send a portion of the queries directly to OpenDNS in stead of the Pi. This wouldn't be good since I'd get ads and tracking but I also don't want to cripple my home network whenever the Pi is offline.

2 Likes

Following the regulations, there is nothing like a primary and secondary DNS server. These indications are quite misleading but many systems adopted it this way. We only list the DNS servers as primary and secondary, because this is what the providers write on their pages. The bad phrasing is supported especially by how Windows handles it. If you look at any Linux distribution, there is usually no separation between primary and secondary, but you can only provide a comma-separated list of DNS servers on a par.

Indeed, you can not trust that a primary server will be the only one being used even if it is available all the time. It depends on the implementation in the system you use.

2 Likes

Thanks for the fast reply. I always thought wrongly about primary and secondary DNS servers I guess.

I can't seem to find this specific information for my router (Nighthawk R7000, if anyone knows). Since I run the PiHole on a RPi1 and the MicroUSB and SDCard reader sometimes have problems staying in touch (someone might hit them with a vacuum, idk) I do want to set a secondary DNS set in my routers' config page.

It seems the only way to find out if it uses both servers at the same time, like the Pi, is to wait and see if ads appear.

You can also specifically blacklist some domain and try to access it several times a day from different client devices.

1 Like

I had a look at its manual. There seems to be no info about that.

1 Like

Good idea! Thanks for the help.

Still a bit dazzled that there are no 'real' primary and secondary DNS servers and that they simply co-exist.

Would it also be possible to use more than 2 DNS servers? And how does PiHole decide what query to send where? Random?

instant edit: yes, I checked their online documentation (kb.netgear.com) as well as the user forums but so far haven't been able to find anything about it. In the future I might flash DD-WRT on it, but I don't like flashing away my warranty since I just bought it.

Yes. With the current version of Pi-hole you can use any number of servers (one or more). Pi-hole will query all of them from time to time and look for which server responds fastest. This one is favored. However, the time frame within which the favor property stays active is quite narrow so (except in high-density environment) you will most likely often see a fairly equally split amount of queries to a specific server.

Very low density environment (one client, large delay between queries):

High density environment (> 20 clients, up to dozens of queries per second):

You can see that in the latter case there is a clear preference for two upstream DNS servers (which are, in fact turn out to be OpenDNS primary and secondary).

3 Likes

OpenDNS is faster than Google? Or do you not have that one activated, because that'd be a surprise!

Danke schön for the perfect explanation.

Yes, OpenDNS seems to be faster than Google using Telekom DSL in between Cologne and Eifel.
NB: Level3 is also better than Google but slightly worse than OpenDNS.

Just for anyway wondering:

I've tested in and blacklisted a website in PiHole while also having a secondary DNS in my router. So far I only get the PiHole block page. Which, by the way, doesn't scale well on mobile resolutions, it seems. (click).

I have tried on phone and laptop, and flushed DNS and emptied cache. So seems to be good.

I found this very interesting, as i was also under the assumption the primary DNS server would always be used, unless unavailable. I stand corrected. Given this new knowledge, I updated my DNScrypt setup (no longer using dns-crypt-loader) to use four resolvers. When I check te pi-hole log, dnsmasq seems to forward every request to all of the resolvers:

Jan 31 12:33:42 dnsmasq[619]: query[A] www.vroom.be from 192.168.2.125
Jan 31 12:33:42 dnsmasq[619]: forwarded www.vroom.be to 127.10.10.1
Jan 31 12:33:42 dnsmasq[619]: query[A] www.vroom.be from 192.168.2.125
Jan 31 12:33:42 dnsmasq[619]: forwarded www.vroom.be to 127.10.10.4
Jan 31 12:33:42 dnsmasq[619]: forwarded www.vroom.be to 127.10.10.3
Jan 31 12:33:42 dnsmasq[619]: forwarded www.vroom.be to 127.10.10.2
Jan 31 12:33:42 dnsmasq[619]: forwarded www.vroom.be to 127.10.10.1
Jan 31 12:33:42 dnsmasq[619]: validation result is INSECURE
Jan 31 12:33:42 dnsmasq[619]: reply www.vroom.bE is 185.43.124.160
Jan 31 12:33:45 dnsmasq[619]: query[A] files.vroom.be from 192.168.2.125
Jan 31 12:33:45 dnsmasq[619]: forwarded files.vroom.be to 127.10.10.1
Jan 31 12:33:45 dnsmasq[619]: query[A] staticv6.vroom.be from 192.168.2.125
Jan 31 12:33:45 dnsmasq[619]: forwarded staticv6.vroom.be to 127.10.10.1
Jan 31 12:33:45 dnsmasq[619]: query[A] files.vroom.be from 192.168.2.125
Jan 31 12:33:45 dnsmasq[619]: forwarded files.vroom.be to 127.10.10.4
Jan 31 12:33:45 dnsmasq[619]: forwarded files.vroom.be to 127.10.10.3
Jan 31 12:33:45 dnsmasq[619]: forwarded files.vroom.be to 127.10.10.2
Jan 31 12:33:45 dnsmasq[619]: forwarded files.vroom.be to 127.10.10.1
Jan 31 12:33:45 dnsmasq[619]: query[A] staticv6.vroom.be from 192.168.2.125
Jan 31 12:33:45 dnsmasq[619]: forwarded staticv6.vroom.be to 127.10.10.4
Jan 31 12:33:45 dnsmasq[619]: forwarded staticv6.vroom.be to 127.10.10.3
Jan 31 12:33:45 dnsmasq[619]: forwarded staticv6.vroom.be to 127.10.10.2
Jan 31 12:33:45 dnsmasq[619]: forwarded staticv6.vroom.be to 127.10.10.1
Jan 31 12:33:45 dnsmasq[619]: validation result is INSECURE
Jan 31 12:33:45 dnsmasq[619]: reply staticv6.vroom.bE is
Jan 31 12:33:45 dnsmasq[619]: reply vroom.bE is 185.43.124.160
Jan 31 12:33:46 dnsmasq[619]: validation result is INSECURE
Jan 31 12:33:46 dnsmasq[619]: reply files.vroom.bE is
Jan 31 12:33:46 dnsmasq[619]: reply vroom.bE is 185.43.124.160

As you can see, I'm also using DNSSEC, all resolvers are DNSSEC enabled and aren't logging.
Why (and what) is this happening here?

Looking at you log I disagree.

First lookup:

Jan 31 12:33:42 dnsmasq[619]: forwarded www.vroom.be to 127.10.10.4
Jan 31 12:33:42 dnsmasq[619]: forwarded www.vroom.be to 127.10.10.3
Jan 31 12:33:42 dnsmasq[619]: forwarded www.vroom.be to 127.10.10.2
Jan 31 12:33:42 dnsmasq[619]: forwarded www.vroom.be to 127.10.10.1

Second lookup:

Jan 31 12:33:45 dnsmasq[619]: forwarded files.vroom.be to 127.10.10.1

Third lookup:

Jan 31 12:33:45 dnsmasq[619]: forwarded staticv6.vroom.be to 127.10.10.1

Fourth lookup (second lookup hasn't replied yet):

Jan 31 12:33:45 dnsmasq[619]: forwarded files.vroom.be to 127.10.10.4
Jan 31 12:33:45 dnsmasq[619]: forwarded files.vroom.be to 127.10.10.3
Jan 31 12:33:45 dnsmasq[619]: forwarded files.vroom.be to 127.10.10.2
Jan 31 12:33:45 dnsmasq[619]: forwarded files.vroom.be to 127.10.10.1

Fifth lookup (third lookup hasn't replied yet):

Jan 31 12:33:45 dnsmasq[619]: forwarded staticv6.vroom.be to 127.10.10.4
Jan 31 12:33:45 dnsmasq[619]: forwarded staticv6.vroom.be to 127.10.10.3
Jan 31 12:33:45 dnsmasq[619]: forwarded staticv6.vroom.be to 127.10.10.2
Jan 31 12:33:45 dnsmasq[619]: forwarded staticv6.vroom.be to 127.10.10.1

and so on.

A post was split to a new topic: Redundancy question

Reading man resolved.conf, this is not the way it was intended to work:
... (The algorithm used is to try a name server, and if the query times out, try the next, until out of name servers, then repeat trying all the name servers until a maximum number of retries are made.) ...