For now I just use one VM with Pi-hole, Unbound and WireGuard, and it works perfectly. In MikroTik I created a script that auto enables/disables the NAT rule if the VM is down. Port 53 is blocked from outside.
Plan:
Proxmox:
VM: install Unbound and WireGuard
Two Pi-holes installed in LXCs with different IP addresses
What is the disadvantage if I use a topology like this (picture)?
Does Unbound still work if the forward address in unbound.conf points to the Pi-hole IP address?
The 2nd Pi-hole is for redundancy: if the first Pi-hole is down (maintenance, update, or down for some reason), then VM-unbound can still resolve DNS, so all users stay connected to the internet.
Not according to your two boxes on the bottom left. Each LXC and Pi-hole has the same IP.
Edit:
Potential drawback to your routing scheme. The only client for the two Pi-holes will be the unbound instance. You won't be able to identify individual requesting clients in either Pi-hole.
If you reverse that and have the two parallel Pi-holes forward their upstream DNS queries to unbound, then the Pi-holes will have the opportunity to identify individual clients.
Even better, put a separate instance of unbound with each Pi-hole, and then the two Pi-holes are completely independent and parallel. You eliminate the single unbound instance as a failure point. Plus, you can run unbound as a recursive resolver, and cut out the third party DNS service (in your case Google).
In your existing scheme, I don't see much benefit to running unbound. Why not just send the DNS queries directly to the Pi-holes?
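As an added example (not from this thread or from the Pi-hole/Unbound projects), here is an Unbound configuration for the layout the reply recommends: one Unbound recursive resolver beside each Pi-hole, listening only on loopback, with no forwarder to a third-party DNS service. The file path, the listening port 5335 and the root-hints/trust-anchor paths are assumptions; adjust them to your install.

```conf
# Added example: /etc/unbound/unbound.conf.d/pi-hole.conf (path assumed)
# One such instance runs next to each Pi-hole, so the two pairs stay independent.
server:
    verbosity: 0
    # Listen only on loopback: only the Pi-hole on this host can reach it,
    # so the resolver is never exposed on the LAN or WAN interface.
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    prefer-ip6: no
    # Full recursion from the root servers; there is deliberately no forward-zone,
    # so no upstream such as 8.8.8.8 sees the queries.
    root-hints: "/var/lib/unbound/root.hints"
    # DNSSEC trust anchor (file maintained by unbound-anchor; path assumed)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 1232
    # Refresh popular records shortly before they expire so the cache stays warm
    prefetch: yes
    num-threads: 1
    so-rcvbuf: 1m
    # Refuse upstream answers that map public names onto private ranges (DNS rebinding)
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
    # Only loopback may query; everything else is refused outright
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
```

Validate with `unbound-checkconf` and test with `dig pi-hole.net @127.0.0.1 -p 5335`, then set each Pi-hole's upstream DNS to `127.0.0.1#5335` and remove the Google entry. The original question about pointing Unbound's `forward-addr` at a Pi-hole is the opposite direction (Unbound in front of Pi-hole) and would need a `forward-zone:` block, which this configuration leaves out on purpose: with Pi-hole in front, client IPs reach Pi-hole's logs, and each Pi-hole/Unbound pair keeps working if the other host is down.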
You are right, and yes, I know that and it doesn't matter. Since I first deployed Pi-hole in my network it has only seen the MikroTik IP because of NAT; all user IPs are dst-nat'ed to the Pi-hole IP.
If I create two LXCs with Pi-hole+Unbound and pihole-01 goes down, then the pihole-02 Unbound cache is still empty and needs time to fill.
I'm confident in my UPS and rarely change the Unbound config, even when just updating the OS, so that minimizes failures of the Unbound VM.
Until now I still play with the Pi-hole config or Debian config and sometimes break everything and need to restart often.
DNS 8.8.8.8 is just an example.
From my point of view, Unbound is just used for caching DNS, so all users keep using the Unbound cache even though some Pi-hole is down for some reason.