Quad9 vs Cloudflare Upstream for Recursive DNS

I am currently using Pihole + Unbound as recursive DNS, but I am using Cloudflare as the Upstream
forward-zone:
name: "."
forward-addr: 1.1.1.1
forward-addr: 1.0.0.1

Is there a benefit of using Quad9 as the Upstream dns server vs Cloudflare?
I started using Cloudflare as I read it's supposed to be a faster dns server.

Any advise on whether I should start using Quad9 instead?
or If I need make any changes to the config file.

EDIT..
Also, what is the difference between adding the Upstream dns server in the config file vs selecting it from the pihole GUI?

You aren't running unbound in recursive mode. You have told unbound to forward all queries to upstream DNS servers, and in this setup unbound is a forwarding resolver and not a recursive resolver.

If your intention is run unbound in recursive mode, remove this forwarding configuration and let it recurse.

If your intention is to use unbound as a forwarding resolver - why?

Each handles filtering and other details differently.

Pi-hole has an algorithm that will favor the fastest responding among your upstream DNS servers.

If you enter multiple upstream DNS servers in Pi-hole (for example Cloudflare and Quad 9), then Pi-hole will determine which are the best responders and use them.

When you insert unbound into the DNS path, and use unbound as your only upstream DNS server, then Pi-hole can no longer make this determination. It uses unbound exclusively, because that is the only option available.

Mainly privacy. If I decide to try Quad9, do I need to update the config file or just select it from the GUI?

There is no privacy gain when you have Pi-hole foward to unbound and unbound forward to Quad9.
In fact, if you do not use any unbound specific features, that setup is a waste of resources. It would be equivalent to have Pi-hole use Quad9 as upstream directly.

So If I only use Unbound with no upstream..does that mean I would have more privacy?

What about security?
Does Unbound check for malware and bad sites?
Sorry for the dumb question as I don’t really understand how Unbound really works.

In my opinion, yes. You remove a third party DNS server from your setup.

Instead of having to trust yourself, your ISP and your DNS service, you only have to trust yourself and your ISP.

Unbound by default uses DNSSEC to authenticate replies.

No, but your Pi-hole can do all this for you with the appropriate blocklists.

See https://firebog.net

Thanks for the info.
What about just using Quad9 by itself without using Unbound.
I read also that Quad9 is a recursive DNS and there's no need for Unbound as it's basically the same thing. Is that accurate?

And... if I want to stop using Unbound, do I have to uninstall it or can I just remove the info from here

image223×160 1.98 KB

and select Quad9 from here?

image402×105 1.69 KB

I ask because I just want to test things and not wanna have to reinstall Unbound if I don't have to.

The difference is that when you use Quad9 you are sending all of your domain queries to Quad9 for them to resolve. When Quad9 says that they don't log those queries, that is likely true but you have to trust that it is true, and it is goverened by Swiss law.

They do capture aggregate data, to which your queries will end up contributing. Compare that to, say, Google's DNS.

When you use Unbound in recursive mode, you are running your own DNS resolver and have no need for these external services. That means you are no longer sending all your domain queries to anyone external to be resolved. This is the more secure option.

The way a recursive resolver works is explained on the Pi-hole Unbound docs page.

This image explains it well – your home network is everything in the grey box on the left side. You also have Pi-hole in there in the Resolver part. Unbound is the Local Name Server part at the top, still in the grey box on your home network.

Follow the blue and green arrows and the numbered parts, starting with "1. Resolution Request" to see how the lookup is processed. Each one of those blue arrows leaving your home network is Unbound checking the next part of the domain name, building it up recursively, step by step, until the final "16. Requested IP address".

So instead of Quad9 or Google receiving all your domains to be resolved, logging whatever they log, and then doing all that to them, now you are doing all of that yourself using Unbound in recursive mode.

Thank you, I am beginning to understand more now.
So when using Unbound in recursive mode, does the ISP play any role?.. meaning, can they still see all my queries even though all the queries are being done by Unbound?

The ISP's role here is just to carry your traffic between your network and the Internet. So in this case, that traffic will include Unbound doing its recursive lookups. Technically they could see that, but it is different to if you were using your ISP's own DNS, where they are then acting like Quad9 or Google in the previous example.

However once Unbound has got the final answer and handed that back to Pi-hole, which hands it back to the computer on your network that asked for it, that computer will then use it to make a connection of some kind. Your ISP can also see that you made a connection to that location, even if it can't see the traffic on that connection.

So there is an implicit trust with your ISP anyway, and if you are using your own recursive resolver, that traffic is just more packets of data that they are carrying. The main thing is that by running your own recursive Unbound you are no longer handing anyone a 24/7 list of every single domain your network is using.

I was reading the Undound configuration page and one of the things to test is
dig fail01.dnssec.works @127.0.0.1 -p 5335

when I run that I get,
communications error to 127.0.0.1#5335: timed out

am I supposed to get something else?

Just in case, that command has to be run on the Pi-hole, not a client on the network. If it's all set up correctly then Unbound will running alongside Pi-hole on port 5335.

What do you get if you try fail02 instead of fail01? And if you try a known good domain, eg CNN?

dig fail02.dnssec.works @127.0.0.1 -p 5335

dig cnn.com @127.0.0.1 -p 5335

dig fail02.dnssec.works @127.0.0.1 -p 5335
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> fail02.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; no servers could be reached

dig cnn.com @127.0.0.1 -p 5335

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> cnn.com @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31862
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cnn.com. IN A

;; ANSWER SECTION:
cnn.com. 60 IN A 151.101.3.5
cnn.com. 60 IN A 151.101.195.5
cnn.com. 60 IN A 151.101.131.5
cnn.com. 60 IN A 151.101.67.5

;; Query time: 103 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Tue Nov 14 18:38:56 EST 2023
;; MSG SIZE rcvd: 100

Im running this on the same Linux machine were Pihole is installed.

I'm also getting mixed results with those dnssec.works domains. They are supposed to trigger a SERVFAIL response:

$ dig fail02.dnssec.works @127.0.0.1 -p 5335
; <<>> DiG 9.16.44-Debian <<>> fail02.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59102

but I also get intermittent connectivity failures

$ dig fail02.dnssec.works @127.0.0.1 -p 5335
; <<>> DiG 9.16.44-Debian <<>> fail02.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; connection timed out; no servers could be reached

however in your case it states that there was a communications error to Unbound itself (127.0.0.1#5335). But then the CNN one worked okay, suggesting it's okay.

What does this query give?

dig @127.0.0.1 -p 5335 www.isc.org. A +dnssec +multiline

dig @127.0.0.1 -p 5335 www.isc.org. A +dnssec +multiline

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> @127.0.0.1 -p 5335 www.isc.org. A +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21187
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;www.isc.org. IN A

;; ANSWER SECTION:
www.isc.org. 300 IN CNAME isc.map.fastlydns.net.
www.isc.org. 300 IN RRSIG CNAME 13 3 300 (
20231125043331 20231026041333 27566 isc.org.
PKtsdQgKu7GfpSLRj+Q6HEK8GUxzpYsOlsoiwt1NC4hW
jOlh8je1DW5sx34bW8jmFUZgxi9ZBZHAPRy6e0aPUA== )
isc.map.fastlydns.net. 30 IN A 199.232.34.217

;; Query time: 411 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Tue Nov 14 18:56:52 EST 2023
;; MSG SIZE rcvd: 194

That checks out perfectly. In Pi-hole go into Settings > DNS and clear all the Upstream Servers checkboxes and then put 127.0.0.1#5335 into Custom 1 and tick that box, so it is the only one ticked, and scroll down and hit Save.

Then in your terminal try

dig @127.0.0.1 foxnews.com

Note, there is no -p 5335 in that one. That will request that domain from Pi-hole instead, and then Pi-hole will request it from Unbound (the Custom upstream you just configured), and you should get a response.

Then take a look at Pi-hole's Query Log and refresh it and you will see the query in there. If so, then Unbound is working as a recursive resolver (from the previous tests) and Pi-hole is using it for DNS.

Oh you know what.. I just remembered that this Linux machine, I had to set it to NOT use Pihole because it was interfering and blocking Pihole updates, so they recommended to set this machine on a different dns server.

That's okay, the previous post and commands are all to take place on the Pi-hole and Pi-hole terminal.

When you say Pihole terminal.. are you saying Pihole has it's own terminal?
or is that the same terminal I am using on the linux machine?

I am a Windows user, so this is a bit foreign to me.