Question about two Pi-holes in LXC for redundancy

For now I just use one VM with Pi-hole, unbound and WireGuard; it works perfectly. In MikroTik I created a script to auto enable/disable the NAT rule if the VM is down. Port 53 is blocked from outside.

Plan
Proxmox:
VM: install unbound and WireGuard
Two Pi-holes installed in LXC with different IP addresses

What is the disadvantage if I use a topology like this (see picture)?
Does unbound still work if the forward address in unbound.conf points to the Pi-hole IP address?
The 2nd Pi-hole is for redundancy: if the first Pi-hole is down (maintenance, update or down for some reason), then the VM-unbound can still resolve DNS, so all users stay connected to the internet.

Thank you

Not according to your two boxes on the bottom left. Each LXC and Pi-hole has the same IP.

Edit:

Potential drawback to your routing scheme. The only client for the two Pi-holes will be the unbound instance. You won't be able to identify individual requesting clients in either Pi-hole.

If you reverse that and have the two parallel Pi-holes forward their upstream DNS queries to unbound, then the Pi-holes will have the opportunity to identify individual clients.

Even better, put a separate instance of unbound with each Pi-hole, and then the two Pi-holes are completely independent and parallel. You eliminate the single unbound instance as a failure point. Plus, you can run unbound as a recursive resolver, and cut out the third party DNS service (in your case Google).

In your existing scheme, I don't see much benefit to running unbound. Why not just send the DNS queries directly to the Pi-holes?
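Two unbound configurations, added here as an example (not the poster's or the replier's own config), for the two designs being compared: the single forwarding unbound VM from the question, and the per-Pi-hole recursive unbound suggested in the reply. The 10.1.1.x addresses and file names are constructed placeholders.

```conf
# Added example, not from the thread. Two separate files; addresses are
# constructed placeholders in RFC 1918 space, not the poster's real ones.

# ---- File 1: the questioner's plan. One shared unbound VM (10.1.1.5) that
# forwards every query to the two Pi-holes. It works: unbound spreads
# queries over the forward-addr entries by measured response time and
# skips one that stops answering once it times out. Drawback: both
# Pi-holes only ever see 10.1.1.5 as the client, so per-client stats are lost.
server:
    interface: 10.1.1.5
    port: 53
    access-control: 10.1.0.0/16 allow     # LAN only, matches "block 53 from outside"
    access-control: 0.0.0.0/0 refuse
    prefetch: yes                         # refresh popular records before expiry
forward-zone:
    name: "."
    forward-addr: 10.1.1.10               # pihole-01
    forward-addr: 10.1.1.20               # pihole-02
    forward-first: no                     # no fallback to recursion if both are down

# ---- File 2: the replier's suggestion. Each Pi-hole LXC runs its own
# recursive unbound on 127.0.0.1#5335 (Pi-hole upstream set to
# 127.0.0.1#5335). No forward-zone, so no third-party upstream and no shared
# unbound to fail; pihole-01 and pihole-02 are fully independent. Clients
# still need a way to fail over between them (e.g. the MikroTik NAT script).
server:
    interface: 127.0.0.1
    port: 5335
    do-ip6: no
    access-control: 127.0.0.0/8 allow     # only the local Pi-hole may query it
    access-control: 0.0.0.0/0 refuse
    root-hints: "/var/lib/unbound/root.hints"
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes               # send less of the name to each upstream
    prefetch: yes
    edns-buffer-size: 1232                # avoid fragmented UDP answers
```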

My mistake, it should be:

pihole-01 172.10.1.10
pihole-02 172.10.1.20

See my edits.

You are right, and yes I know that, and it doesn't matter: since the first deployment of Pi-hole in my network it has only seen the MikroTik IP because of NAT. All user IPs are dst-nat'ed to the Pi-hole IP.

If I create two LXCs with Pi-hole+unbound and pihole-01 goes down, then the pihole-02 unbound cache is still empty and needs time to fill.
I'm confident in my UPS and rarely change the unbound config, even just for an OS update, so that minimizes failure of the unbound VM.
Until now I still play with the Pi-hole config or Debian config and sometimes break everything and need to restart often.
DNS 8.8.8.8 is just an example.

From my point of view, unbound is just used for caching DNS, so all users keep using the unbound cache even though some Pi-hole is down for some reason.

So no one uses a topology like that?

Maybe you are all confused by my English because I use Google Translate.

Warning, those are public IP addresses and not private ones:

pi@ph5b:~ $ dig +short -x 172.10.1.1
adsl-172-10-1-1.dsl.sndg02.sbcglobal.net.

It's just an example IP address; my actual IP addresses are 192.168.xx.xx for the router and clients, and the Proxmox VM/LXC use 10.1.xx.xx.
