Unifi and Pihole - upstream DNS question

Hey, I just read a ton of posts across reddit and forums for different tips on how to configure pihole with unifi properly. However, there seem to be a few different ways of achieving this and I am not sure which one is the best, or whether it even matters, and if so, how? My main and most important goal is to see the client's domain name, block ads and have the fastest DNS possible with my setup.

The different ways I am thinking about are:

  1. Set WAN + LAN DHCP DNS both to Pihole's static IP (Rpi) and set Pihole's upstream DNS to any Public DNS of my choosing

  2. Set WAN + LAN DHCP DNS both to Pihole's static IP (Rpi) and set Pihole's upstream DNS to Router's (gateway) IP

  3. Set WAN to any public DNS of my choosing + LAN DHCP DNS to Pihole's static IP (Rpi) and set Pihole's upstream DNS to any public DNS of my choosing

  4. Set WAN to any public DNS of my choosing + LAN DHCP DNS to Pihole's static IP (Rpi) and set Pihole's upstream DNS to Router's (gateway) IP

From what I can tell, the most logical way would be option 4, since DNS requests are redirected to pihole for blocking, then to my router to do the actual DNS translation. The other ways seem to repeat themselves unnecessarily, creating loopbacks or slowdowns by duplicating the DNS job, if I understand this correctly. I am not entirely sure though, so I would love any feedback or tips regarding this, especially from people with their own unifi controllers.

Check the links in the official docs:


Answers would depend on your router's behaviour, your planned network usage and additional Pi-hole configuration options.

Resolution speed usually isn't an issue, but you'd want to avoid DNS loops, i.e. feeding some or all of Pi-hole's DNS requests to an upstream that in turn feeds them back to Pi-hole.

In that regard, you should be aware that some routers may forcefully redirect DNS requests, either to their own IP, to their configured upstream or to a public DNS server of their choice.
Some routers may expose respective configuration options to exercise some control over that behaviour (or they may not).

With regard to the router's upstream, you should note that setting that to Pi-hole will potentially close a partial DNS loop when Pi-hole's Conditional Forwarding is enabled.
On the other hand, if you set the router's upstream to a public DNS server, that would mean that your router's own DNS requests by-pass Pi-hole, and it could also mean that some of your network may by-pass Pi-hole (but depending on your personal preferences, that perhaps may be a desired behaviour), e.g. some routers may offer a guest network that strictly uses the router in combination with the router's upstream for DNS.

Provided your router does not apply forceful DNS redirection under the hood, only your 4.) would avoid DNS loops, with the potential drawback of not filtering any DNS requests accumulated by your router (e.g. your guest network).

If you'd be determined to filter your router's upstream as well, you should try to short-circuit potential loops by creating the corresponding router-specific blocking rules (see e.g. Dnsmasq[1035]: Maximum number of concurrent DNS queries reached (max: 150) - #2 by Bucking_Horn for a sample set of rules for a FritzBox model router).
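To make the loop reasoning above concrete, here is a small Python model added for this thread (not code from Pi-hole, UniFi or the poster). It assumes a hypothetical topology with four nodes, `client`, `pihole`, `router` and `public`, where the router answers local names it knows from its DHCP leases and forwards everything else to its WAN DNS, Conditional Forwarding sends local names from Pi-hole to the router, and `router_redirects` models a router that forcefully pulls LAN port-53 traffic aimed at a public resolver back to itself. It traces each of the question's four options for three query kinds and reports which configurations produce a forwarding loop.

```python
PUBLIC = "public"  # any external resolver; every path ends here or at a local answer

# Query kinds: a public name, a local name the router knows from its DHCP leases,
# and a local name or reverse lookup the router cannot answer itself.
KINDS = ("public-name", "local-known", "local-unknown")

# (router WAN DNS, Pi-hole upstream) for options 1-4 from the question.
OPTIONS = {
    1: ("pihole", PUBLIC), 2: ("pihole", "router"),
    3: (PUBLIC, PUBLIC),   4: (PUBLIC, "router"),
}

def next_hop(node, kind, wan_dns, pihole_upstream, conditional_forwarding, router_redirects):
    """Return the resolver `node` forwards the query to, or None when it answers itself."""
    if node == "client":
        nxt = "pihole"                       # LAN DHCP hands out Pi-hole as DNS
    elif node == "pihole":
        is_local = kind != "public-name"
        nxt = "router" if (conditional_forwarding and is_local) else pihole_upstream
    elif node == "router":
        if kind == "local-known":
            return None                      # answered from the DHCP lease table
        nxt = wan_dns
    else:
        return None                          # public resolver answers (or says NXDOMAIN)
    # A router that hijacks LAN DNS pulls public-bound queries from LAN hosts to itself.
    if router_redirects and node != "router" and nxt == PUBLIC:
        nxt = "router"
    return nxt

def trace(option, kind, conditional_forwarding=True, router_redirects=False):
    """Follow one query from the client; return (path, looped)."""
    wan_dns, pihole_upstream = OPTIONS[option]
    path, node = ["client"], "client"
    while node is not None:
        node = next_hop(node, kind, wan_dns, pihole_upstream,
                        conditional_forwarding, router_redirects)
        if node in path:
            return path + [node], True       # revisiting a resolver = forwarding loop
        if node is not None:
            path.append(node)
    return path, False

def loop_free(option, **kw):
    """True when no query kind loops under this option and these router settings."""
    return all(not trace(option, k, **kw)[1] for k in KINDS)

if __name__ == "__main__":
    for opt in OPTIONS:
        for k in KINDS:
            print(opt, k, *trace(opt, k))
```

Flipping `conditional_forwarding` off shows option 1's loop disappearing, while `router_redirects=True` shows how a hijacking router turns option 1 into a loop even without Conditional Forwarding.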

Thank you for your insightful answer. I will probably want to let my Router itself bypass pihole for now.

About avoiding a DNS loop, wouldn't option 3 also achieve the whole resolving process without the loop, and if not, what would be the issue? I thought about this and I will want to offload as much as I can from the router to pihole (to save some resources; the router's CPU isn't the best), so that DNS for clients will happen mostly on the pihole server. Option 4 would mean the Router would still need to resolve DNS for clients, but option 3 would mean that resolving would happen on the pihole server itself; wouldn't that be more efficient?

Thank you.
