Should my Unifi Network DNS Server also be set to my Pihole?

I have followed this guide - Ubiquiti USG - Pi-hole documentation

I have a couple questions.

I used method 1: "Distribute Pi-hole as DNS server via DHCP."
In my LAN DHCP settings, I have supplied my Pi-hole IP address. This will be handed out to all devices now on my LAN and they will send DNS requests to Pi-hole which will then reach out to an upstream DNS server. Then the correct IP address is returned back the same way to the client.

Client -> Pi-Hole -> Upstream DNS server -> Pi-Hole -> Client

Questions:

  1. What happens next? How does my client get to WAN? Is it:

Client -> Default Gateway -> Internet

So no DNS request is made to my default gateway at any point?

  2. What is the recommended setting for my WAN DNS servers? These are the DNS server fields listed in method 2 of that tutorial. Should they just be left blank? Should I set them to my Pi-hole IP address?

I assume that if I did not specify a DNS server to hand out via DHCP, my default gateway would act as my DNS server and so my DNS requests would look like:

Client -> Default Gateway -> Upstream DNS server -> Default Gateway -> Client -> Default Gateway -> Internet

So is setting my WAN DNS server fields to the IP address of my Pi-hole just an extra layer of redundancy in case somehow any DNS requests from a client go to my default gateway first instead of my Pi-hole?

I wouldn't call it redundancy, it's just a different function.

In your example of setting the LAN DHCP and providing Pihole as the DNS server, your process flow is correct. The client asks its DNS server (Pihole) "what is the IP of the domain I want to visit?" Pihole gets that answer (an IP address) from the Upstream DNS server and returns it to the client. The client then connects to the provided IP address, and goes through the Default Gateway to get there. That's because your "route" to the Internet has to go through the Gateway.

That hopefully clears up the question of "...no DNS request is made to my default gateway...". The gateway function of whatever device is configured as your Default Gateway doesn't perform DNS lookups. It just routes traffic around (using IP addresses). DNS requests are only made to the configured DNS server.

It is certainly possible for the device that happens to be your Gateway to also function as a DNS server and resolve DNS requests, in which case it can also be configured as your DNS Server. And in most out-of-the-box router setups, that's exactly what happens -- the default DNS and default Gateway are the same device. If you have Gateway, DNS, or other functions configured to "Auto", then almost certainly that's what's going on.

In my personal use experience, I have found it better to allow the WAN DNS to be whatever the ISP says it should be (often "Auto," blank or the IP of the router). I use the Pihole IP for LAN DHCP settings.

In this way, the network hardware is making requests via whatever avenue it needs to with no filtering. This is fine with me because a router is only going to do things like check Internet time, talk to the ISP hardware that's not at my location, maybe a couple of other things that won't involve needing ad blocking. All the clients on my LAN (or other VLANs) get the benefit of Pihole.

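The answer above turns on the fact that the default gateway and the DNS server are two separate settings that DHCP hands out independently: the Router option (code 3) tells the client where to route packets, and the Domain Name Server option (code 6) tells it where to send name lookups. The following is an added example, not code from the thread or from Pi-hole or Ubiquiti, that encodes and decodes those two DHCP options (option codes per RFC 2132) and then checks whether a given lease would make clients send DNS to the gateway instead of Pi-hole, which is the "Auto" situation the reply describes. The IP addresses are constructed for illustration.

```python
"""
Added example: build and parse the DHCP options that carry the two
independent settings discussed in the thread.

  Option 3 (Router)              -> default gateway, used only for routing
  Option 6 (Domain Name Server)  -> resolver list, used only for name lookups

Option codes come from RFC 2132. All addresses below are constructed.
"""
import ipaddress

OPT_PAD = 0
OPT_ROUTER = 3
OPT_DNS_SERVERS = 6
OPT_END = 255


def encode_options(router: str, dns_servers: list[str]) -> bytes:
    """Encode Router (3) and DNS Servers (6) as DHCP type/length/value fields."""
    def ip4(addr: str) -> bytes:
        return ipaddress.IPv4Address(addr).packed  # 4 network-order bytes

    out = bytearray()
    out += bytes([OPT_ROUTER, 4]) + ip4(router)
    dns_bytes = b"".join(ip4(a) for a in dns_servers)
    if dns_bytes:  # a lease may legitimately omit option 6 entirely
        out += bytes([OPT_DNS_SERVERS, len(dns_bytes)]) + dns_bytes
    out += bytes([OPT_END])
    return bytes(out)


def decode_options(blob: bytes) -> dict:
    """Walk the TLV list and return {'router': str|None, 'dns_servers': [str, ...]}."""
    result = {"router": None, "dns_servers": []}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:  # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("option code without length byte")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == OPT_ROUTER:
            # Only the first router address matters for the default route.
            result["router"] = str(ipaddress.IPv4Address(value[:4]))
        elif code == OPT_DNS_SERVERS:
            if length % 4:
                raise ValueError("DNS server option length must be a multiple of 4")
            result["dns_servers"] = [
                str(ipaddress.IPv4Address(value[j : j + 4])) for j in range(0, length, 4)
            ]
        i += 2 + length
    return result


def dns_bypasses_pihole(lease: dict, pihole_ip: str) -> bool:
    """
    True when clients on this lease would send lookups somewhere other than
    Pi-hole: no option 6 at all (client falls back to the gateway), the
    gateway listed as a resolver, or any resolver that is not Pi-hole.
    """
    servers = lease["dns_servers"]
    if not servers:
        return True
    return any(s != pihole_ip for s in servers)


def describe_flow(lease: dict) -> list[str]:
    """Return the two hops a client makes: where the lookup goes, where the packets go."""
    resolver = lease["dns_servers"][0] if lease["dns_servers"] else lease["router"]
    return [f"DNS query -> {resolver}", f"traffic to resolved IP -> {lease['router']}"]


if __name__ == "__main__":
    # Constructed addresses: gateway .1, Pi-hole .53
    good = decode_options(encode_options("192.168.1.1", ["192.168.1.53"]))
    auto = decode_options(encode_options("192.168.1.1", []))
    for name, lease in (("pihole lease", good), ("auto lease", auto)):
        print(name, lease, "bypasses Pi-hole:", dns_bypasses_pihole(lease, "192.168.1.53"))
        print("   ", " ; ".join(describe_flow(lease)))
```

`describe_flow` makes the reply's point visible in data: the first hop (the lookup) goes to whatever option 6 names, while the second hop (the connection to the resolved address) always goes to option 3, so the gateway sees no DNS query when option 6 points at Pi-hole. Capturing the real option bytes from a client's lease (for example with a packet capture of the DHCP ACK) and feeding them to `decode_options` is one way to confirm what the USG is actually handing out.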

Thank you for the reply! This helps clear it up for me.