Support more than two custom upstream DNS servers

Although this is possible if you manually edit /etc/pihole/setupVars.conf, it would be nice if the web interface and/or the install script allowed you to specify more than 2 custom DNS servers.

Suggested by /u/deathbybandaid on reddit

Not a bad idea, but what is the benefit in practice to have more than 2?
(saw screenshots with 4 DNS servers here in the forum)

I implemented the possibility to have more than two DNS servers at the same time (currently, you can go as high as 18 suggested ones (IP addresses known by Pi-hole) + 2 custom IPv4 + 2 custom IPv6). I cannot see the need to add more custom servers on the dashboard.

In contrast, I think we are happy to add other DNS servers as suggested options when we are sure that they work nicely.

Essentially what I said on Reddit:

  • allow more than 2 addresses from the initial install or running pihole -r

And/or an option labelled

  • "None, I will add them later"

This was mainly in reference to the installation of dnscrypt, but I can see how these options would be beneficial.

I'm spending a lot of time reading through dnsmasq options, so that I can get on everyone else's level.

I have no experience with dnscrypt, so I'll ask you: Is it required/beneficial to have more than two upstream servers when running dnscrypt? Especially when they are on the same machine, I cannot see how one could benefit from that.

I'm not currently using dnscrypt, as I've been working on some other projects.

From what I have seen in multiple "install guides", it most likely needs multiple dnscrypt open resolvers.

My suggestion was primarily a solution to a problem I saw on reddit.

However, I feel like since the custom option in the install lets you do comma separated addresses, I don't see why it should only allow two.

I also think it would be nice for "advanced users" to have an option titled "none" and that the user intends to set them later. I'm tinkering with dnsmasq and dhcp zones, and I can see this potentially being beneficial.

In regards to the issue on reddit, it would simplify the dnscrypt install if there was a way to not have server= settings permanently in the 01-pihole.conf.

Let's ask @DanSchaper. However, I have doubts that people will have installed and configured dnscrypt before they have installed Pi-hole.

My situation is really atypical for this kind of installation. Pi-hole was installed first, then dnscrypt, but I run my own nameservers and thus only use two upstreams, both controlled by myself.

The problem that I ran into, and the reason I decided to create my own top down fully encrypted DNSSEC enforcing structure, is that the main list of open dnscrypt resolvers is rather unreliable. You can't always expect the upstream to be online, or to have their certificates set up properly and rotating on schedule. Leads to a lot of time where you're chasing a new open dnscrypt resolver, or going with Cisco and you're back to giving them your data. I know I don't log any queries in unbound and I know that I have full DNSSEC chained queries. I'm paranoid, but then I also like to do this for fun and it's really cheap to get a couple of VPSs set up and know that no one else sees my traffic.

Maybe one day I'll write up a HOW-TO but it's a rather involved process and not something that I would ever do scripted. Anything involving certificates, encryption or security should not be run as a script. (My fallback case example is leaving the CA on the router, which pretty much every scripted solution does. Well, that's a horrible idea.)

So, I can see the situation where you need multiple dnscrypt upstreams, to counter the lack of reliability, and also if you need to access non-public TLDs that are only exposed via certain open resolvers.

Multiple upstream DNS servers interest me. I just bought a router (ubiquiti er-x) to segregate my devices into separate Home, Guest, IOT and DMZ networks. I want my main Home network to be able to access all the devices on the other networks, but not the other way around. Each network will need to be served by its own DHCP/DNS, and the Home Pi-hole DNS will need to use each of the other DNSs for accessing devices by name.

Custom DNS servers could be added similar to the way addresses are added to the "Static DHCP leases configuration" option under "DHCP leases" now.

I understand that I am in the minority of users here, and I may simplify the above (possibly over engineered) network(s), but I would still need one "upstream" DNS to the other internal networks in addition to some for the internet (OpenDNS FamilyShield 208.67.222.123 and 208.67.220.123).
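One way to express the setup described above (several general upstreams plus one "upstream" per internal network) in dnsmasq terms, as an added example that is not part of this thread or of Pi-hole's own scripts: a POSIX sh function that writes a conf fragment with one server= line per general upstream and a server=/zone/ip line per internal zone, so only names under that zone are forwarded to the other network's resolver. The output file name, the zone names and the 192.0.2.x / 192.168.x.1 addresses are constructed; the two OpenDNS FamilyShield addresses are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not Pi-hole's own code): emit a dnsmasq conf fragment with
# any number of general upstreams plus per-zone upstreams for internal networks.
# gen_upstream_conf OUTFILE 'ip[,ip...]' ['zone=ip[,zone=ip...]']
gen_upstream_conf() {
  out=$1
  public=$2
  zones=${3:-}
  {
    echo "# example upstream fragment for dnsmasq (constructed; not 01-pihole.conf itself)"
    # no-resolv: never read /etc/resolv.conf, so only the server= lines below are used
    echo "no-resolv"
    # one server= line per general upstream; dnsmasq itself imposes no limit of two
    echo "$public" | tr ',' '\n' | while read -r ip; do
      [ -n "$ip" ] || continue
      echo "server=$ip"
    done
    # server=/zone/ip forwards only names under that zone to the internal resolver,
    # so the other networks' names resolve without that resolver becoming a
    # general upstream for internet lookups
    echo "$zones" | tr ',' '\n' | while read -r pair; do
      [ -n "$pair" ] || continue
      case $pair in
        *=*) echo "server=/${pair%%=*}/${pair#*=}" ;;
        *)   echo "skipping malformed zone entry: $pair" >&2 ;;
      esac
    done
  } > "$out"
}

# count_servers FILE: number of server= lines actually written
count_servers() { grep -c '^server=' "$1"; }

# zone_upstream FILE ZONE: the address FILE forwards ZONE to (empty if none)
zone_upstream() { sed -n "s|^server=/$2/||p" "$1"; }
```

Usage: `gen_upstream_conf /tmp/upstreams.conf '208.67.222.123,208.67.220.123,192.0.2.53' 'iot.lan=192.168.30.1,guest.lan=192.168.20.1'` and inspect the result with `cat`; the file is meant to be dropped into dnsmasq's conf directory alongside, not instead of, Pi-hole's own files. Keeping no-resolv in the same fragment makes the intent explicit: the internal resolvers only ever see queries for their own zone, and a stray entry in /etc/resolv.conf cannot silently become a third path to the internet.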

In regards to dnscrypt, I finally realized why I had trouble with it. I've got a pretty solid firewall on my pi, and I wasn't allowing traffic to the needed ports.

A working install of dnscrypt, and an amazing firewall can be found as part of my piadvanced script.

Back to topic, now that I can see this automated script does indeed work, I think it would be easiest to have the option to not have servers listed in 01-pihole.conf. Then all the dnscrypt servers would be in their own config.

One of the problems I would think we'd see with installing without an upstream server is that when we do the initial gravity update and try to pull down the lists, that would fail and the install would be only halfway done.

One thing that could correct that, is to allow resolv.conf during that first gravity.
Then add no-resolv back in.

On a side note, at one point in time I broke dnsmasq really bad and doing a pihole -r was failing halfway, because it couldn't resolve anything.

It's only mildly irritating when you are trying to fix the only DNS on a network, but that's my fault for breaking things.

As soon as you install dnsmasq as a package, resolv.conf populates with 127.0.0.1 though.

I was just about to edit my comment. I just double checked that.

echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf

Then sed /d that line from resolv.conf when done with it.

Edit: I also just realized that the webui does NOT like having no DNS servers selected.
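The bootstrap step sketched in the posts above (put a public nameserver into resolv.conf for the first gravity run, then sed /d it again) as an added example, not code from this thread or from Pi-hole: a POSIX sh function that appends the line for the duration of one command and removes exactly that line afterwards, whether or not the command succeeded. The resolv.conf path is passed in so it can be exercised on a scratch file; 8.8.8.8 is the address used in the post, and the `.tmp` scratch name is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or Pi-hole): lend a bootstrap resolver to
# /etc/resolv.conf (or any file passed in) for the duration of one command,
# then remove exactly that line again, whether or not the command succeeded.
# with_temp_resolver RESOLV_FILE NAMESERVER CMD [ARGS...]
with_temp_resolver() {
  rc=$1
  line="nameserver $2"
  shift 2
  # append rather than overwrite: the existing entries (e.g. the 127.0.0.1 that
  # the dnsmasq package installs) survive, unlike `echo ... | tee /etc/resolv.conf`
  printf '%s\n' "$line" >> "$rc"
  # run the step that needs working resolution (e.g. the first gravity pull);
  # the if/else keeps a failing command from aborting cleanup under set -e
  if "$@"; then status=0; else status=$?; fi
  # drop only the line we added: -x matches whole lines, -F treats the dots
  # literally (a bare sed '/8.8.8.8/d' would also delete a line containing
  # 8x8x8x8); write back through cat so the file keeps its inode, which matters
  # when resolv.conf is a symlink managed by something else
  grep -vxF -- "$line" "$rc" > "$rc.tmp" || :
  cat "$rc.tmp" > "$rc"
  rm -f "$rc.tmp"
  return $status
}
```

On a real Pi-hole host this would be `sudo sh -c '. ./resolver.sh; with_temp_resolver /etc/resolv.conf 8.8.8.8 pihole -g'` (the script file name is hypothetical). Because the cleanup runs on the failure path too, a half-finished install never leaves the bootstrap resolver in place; that is the failure mode the posts describe, where the only DNS on the network is the one being repaired.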

This was added in v2.4 but this post was never updated.