Running another instance of Pihole on the same machine without any Virtualization

Hi. I have been using Pi-hole for quite a while now. It works great, but for some reasons I cannot set my VPN to use the Pi-hole as the DNS, because that would cause a massive DNS leak. The Pi-hole is NOT using the mainstream DNS addresses (e.g. 8.8.8.8, 1.1.1.1) because these do not have a server in my country, and therefore I get high pings while using those servers. I was wondering if it is possible to run another Pi-hole on the same machine just for the VPN? (High pings are not an issue when I'm using the VPN.) Virtualization would not work because the netbook is just too weak to run a VM.

---Specs---
1 GB of DDR2 RAM
Intel Atom N450 CPU
This netbook also runs OpenMediaVault, and memory usage is usually around 30 percent.

I assume that others have access to view the DNS queries and that is what you want to avoid? And you are hoping to do this by running two instances and binding one of the servers to 10.8.0.1 (or whatever your OpenVPN gateway is). I don't think Pi-hole is configurable to that degree; you would see file conflicts and port-in-use conflicts. Have you considered running your VPN and the Pi-hole for it on the host, and running a VM or Docker container which contains only the Pi-hole for the rest of the users, using bridged networking? You would be able to firewall access to the non-VPN Pi-hole so only 10.8.0.* can access it, and if using a bridged network you would have a unique IP to provide as the DNS server to your other users. If you are also using unbound, you should be able to use a single instance of unbound outside the VM/container. That should keep your VM footprint to a minimum. As far as resources go, using Docker should be very similar to running a second instance, which was your request for that reason.

Just to clear things up a bit: I live in a strict country, and a VPN is almost always required to get stuff done. And well, ad-blocking doesn't work when I'm on the VPN. Now, you may say, "Oh, that's an easy fix, just configure your VPN to use the Pi-hole!" Nope. The Pi-hole uses 77.77.77.77 (my ISP's DNS) because it's a lot faster (7 ms ping), and 8.8.8.8 is at least 130 ms. Why? Because Google or 1.1.1.1 don't have servers here. None. That's why I'm trying to set up another Pi-hole just for the VPN. And I use L2TP for the VPN across all of my devices (reliable, stable). I hope this clears up the confusion.

Hi again. Thanks for the explanation. I do not think you can run two instances of Pi-hole on the same machine 'out of the box'. The problem is that Pi-hole is going to bind ports on that machine and requires things like port 80 to be available; those ports will not be available once the second instance starts up, and Pi-hole will not be able to bind them to a specific address.

If you wanted to speed up your DNS queries you could look at unbound and run your own local DNS resolver (computer queries Pi-hole, Pi-hole queries unbound instead of 77.77.77.77, unbound queries the root DNS servers for the TLD, etc.). It would run slowly when first querying for an entry (likely no quicker than what you get from 8.8.8.8), but any requests after that would be cached locally and would not need to leave your local network; the result is going to be <1 ms responses to the Pi-hole when it queries DNS. There is a good explanation of unbound here:
https://docs.pi-hole.net/guides/unbound/

I would say that if you are seeing extremely slow responses from 8.8.8.8 it is because your ISP is filtering/monitoring/modifying that traffic. If your DNS server is actually 77.77.77.77 then I do not doubt this is the reason for the slow speed. Using unbound, using it with DNS over TLS, or DNSSEC should give you more privacy than you currently have.

Sorry I could not give you an answer that allows multiple pihole instances but the above should help your situation.


Oh, I have heard about this unbound thing. Does it mean that the owner of 77.77.77.77 (my ISP) will never figure out that I visited youtube.com, for example?

No. Unbound sends your DNS request in pieces to the various levels of nameservers, then provides you the IP. All of this traffic between your local instance of unbound and the nameservers is clear text (but authenticated). Your ISP can see all of this but can't tamper with the results without being detected. Eventually you will ask the ISP for the IP address that was returned by unbound (corresponding to the YouTube domain).

However, even if you encrypt the traffic between your network and an upstream DNS server, this only prevents the ISP from seeing the DNS transactions. You will still end up sending the ISP the exact same IP as you would have sent had the DNS traffic not been encrypted. The ISP can fairly easily determine where you are browsing, even with encrypted DNS traffic.

As for privacy, if you use unbound as a local recursive resolver, no upstream DNS service has your DNS history (you are your own DNS provider). If you use unbound or another software package to encrypt DNS traffic, that traffic now has to go to an upstream DNS service, since the nameservers do not support encryption. In exchange for encrypted DNS traffic, you now need to trust this upstream DNS provider with your entire DNS history. In my opinion, that is not a privacy gain, it's a loss of privacy.
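The walk from the root servers down to the authoritative server, and the cache that makes the second lookup free, as described in the two replies above (the unbound suggestion and the "clear text but authenticated" explanation). This is an added illustration, not Pi-hole or unbound code: the zone data, server names and IP addresses below are constructed (TEST-NET ranges), and a real resolver sends UDP/TCP queries where this does dictionary lookups. Every upstream query is recorded so you can count how many leave the LAN, and are therefore visible to the ISP, on a cold lookup versus a cached one.

```python
"""Iterative DNS resolution with a local TTL cache, in the style of an
unbound-type recursive resolver, run against constructed in-memory
"nameservers".  Added example; not code from the thread, Pi-hole or unbound."""
import time

# Constructed zone data: each server knows either a referral ("ask this server
# next") for a zone cut, or a final answer with a TTL in seconds.  The
# 198.51.100.10 address is from TEST-NET-2 and stands in for YouTube.
NAMESERVERS = {
    "root":       {"com.": ("referral", "tld-com")},
    "tld-com":    {"youtube.com.": ("referral", "ns-youtube")},
    "ns-youtube": {"www.youtube.com.": ("answer", "198.51.100.10", 300)},
}


def query_server(server, qname):
    """Return the record a server would hand back for qname: the entry for the
    longest matching suffix of the name (its closest known zone cut)."""
    zone = NAMESERVERS[server]
    labels = qname.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zone:
            return zone[suffix]
    return None


class Resolver:
    """Minimal recursive resolver: walks root -> TLD -> authoritative and
    caches answers until their TTL expires.  `clock` is injectable so TTL
    expiry can be demonstrated without waiting five minutes."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.cache = {}      # qname -> (ip, expires_at)
        self.upstream = []   # (server, qname) for every query that left the LAN

    def resolve(self, qname):
        """Return (ip, number_of_upstream_queries_sent) for qname."""
        now = self.clock()
        cached = self.cache.get(qname)
        if cached and cached[1] > now:
            return cached[0], 0          # answered from cache, nothing sent
        server, sent = "root", 0
        while True:
            sent += 1
            self.upstream.append((server, qname))   # clear text on the wire
            record = query_server(server, qname)
            if record is None:
                raise LookupError(f"{server} has no referral or answer for {qname}")
            if record[0] == "referral":
                server = record[1]       # follow the delegation down the tree
                continue
            _, ip, ttl = record
            self.cache[qname] = (ip, now + ttl)
            return ip, sent


def demo():
    """Cold lookup, warm lookup, and a lookup after the TTL has expired."""
    now = [1_000_000.0]
    r = Resolver(clock=lambda: now[0])
    cold = r.resolve("www.youtube.com.")      # walks all three levels
    warm = r.resolve("www.youtube.com.")      # served from cache
    now[0] += 301                             # past the 300 s TTL
    expired = r.resolve("www.youtube.com.")   # must walk the tree again
    return cold, warm, expired, list(r.upstream)


if __name__ == "__main__":
    cold, warm, expired, seen = demo()
    print("cold:", cold, "warm:", warm, "after TTL expiry:", expired)
    print("queries an on-path ISP could observe in clear text:", seen)
```

The cold lookup sends three queries, each carrying the full name in clear text, which is what the reply above means by the ISP being able to see them; the cached lookup sends none. Unbound additionally has a QNAME minimisation option that sends each level only the labels it needs, which this toy omits.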

So what course of action do you recommend? Should I go ahead and set up this unbound or not?

You can install unbound, but it won't fix the DNS leak problem. If you use a DNS server other than the VPN provider's, you will have a DNS leak.

Oh, then I'm kind of stuck with seeing ads on the VPN, I guess. But thank you all. :smiley:

They wanted to use a VPN for their traffic, which would resolve the problem of their ISP seeing youtube.com. Combining unbound with an 'all traffic VPN' should shield them from their ISP's eyes, should it not, if the unbound traffic is also going over the VPN? The issue before was only that DNS queries were being leaked.

Would using a DoH resolver through the VPN be maybe an easier solution for them? I haven't worked with cloudflared but from what I've seen it is a way to resolve queries via DoH and is therefore easily VPN-able traffic.
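What "DNS leak" and "all traffic VPN" mean at the routing level, as raised in the last few replies: whether a query to the resolver leaves on the physical interface (visible to the ISP) or inside the tunnel is decided by longest-prefix match over the routing table. This is an added illustration, not part of the thread or of any VPN client. The routing tables are constructed; 203.0.113.10 (the VPN endpoint) and 192.0.2.53 (a root server stand-in) are TEST-NET addresses; 77.77.77.77 is the ISP resolver named in the thread; and the 0.0.0.0/1 plus 128.0.0.0/1 pair is the technique OpenVPN's `redirect-gateway def1` uses to override the default route without deleting it (the thread's user runs L2TP, whose client may install routes differently, so treat that table as an assumption).

```python
"""Decide which interface a packet to `dst` egresses on, by longest-prefix
match, and flag a DNS leak when resolver traffic bypasses the tunnel.
Added example; not code from the thread or from any VPN software."""
import ipaddress

# Constructed routing tables: (prefix, interface), order irrelevant.
# Split tunnel: only the VPN subnet goes through tun0; everything else,
# including queries to the ISP resolver, leaves on eth0.
ROUTES_SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0"),
    ("10.8.0.0/24", "tun0"),
]

# "All traffic" tunnel: two /1 routes are more specific than the default
# route, so they win for every destination, while a /32 host route keeps the
# encrypted tunnel packets themselves going out via eth0 (otherwise the tunnel
# would try to route through itself).
ROUTES_FULL_TUNNEL = [
    ("0.0.0.0/0", "eth0"),
    ("0.0.0.0/1", "tun0"),
    ("128.0.0.0/1", "tun0"),
    ("10.8.0.0/24", "tun0"),
    ("203.0.113.10/32", "eth0"),   # VPN server endpoint, pinned to the physical NIC
]


def egress(routes, dst):
    """Return the interface for dst: the matching route with the longest prefix."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    if best_iface is None:
        raise LookupError(f"no route to {dst}")
    return best_iface


def dns_leaks(routes, resolver_ip, tunnel_iface="tun0"):
    """True when a query to resolver_ip would leave outside the tunnel."""
    return egress(routes, resolver_ip) != tunnel_iface


def demo():
    """Where resolver and root-server queries go under each table."""
    targets = {"isp_resolver": "77.77.77.77", "root_server": "192.0.2.53",
               "vpn_endpoint": "203.0.113.10"}
    return {
        "split": {k: egress(ROUTES_SPLIT_TUNNEL, v) for k, v in targets.items()},
        "full": {k: egress(ROUTES_FULL_TUNNEL, v) for k, v in targets.items()},
    }


if __name__ == "__main__":
    for table, where in demo().items():
        print(table, where)
    print("split tunnel leaks DNS:", dns_leaks(ROUTES_SPLIT_TUNNEL, "77.77.77.77"))
    print("full tunnel leaks DNS: ", dns_leaks(ROUTES_FULL_TUNNEL, "77.77.77.77"))
```

Under the full-tunnel table both the ISP resolver and a root server are reached through tun0, so an unbound instance on the same box would also resolve through the tunnel and the ISP sees only encrypted tunnel packets; under the split table the resolver query goes out eth0 in clear text, which is the leak the thread is worried about. The /32 host route for the VPN endpoint is the one destination that must stay on eth0.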

Hi all. I recently bought a new Chromecast, which means I was able to retire the old media PC. Now that media PC runs Pi-hole! One problem: I have set my computer to use that Pi-hole as the DNS server, and the Pi-hole uses 8.8.8.8. The problem is that I can't access sites like YouTube, even though the VPN is connected. But using the 8.8.8.8 DNS directly works (computer bypasses this new Pi-hole). I have tried other DNS servers too, same problem. Any ideas?
