Why not use the root servers directly for Pi-hole?

BTW If a root server does need to change addresses – something that has happened twice in the last ten years.

So the argument of changing IP addresses of the root servers, and therefore using those commercial companies for Pi-hole, is to me null and void.

I'm not following your logic - perhaps I'm slow. "Pi_hole is now telling google, OpenDNS....which DNS and ip addresses not to use." Please clarify.

Users of PiHole are free to type in any upstream DNS provider IP they choose. They aren't limited to the pre-loaded IP addresses, and even if they use only those how does this indicate to the upstream DNS providers that you are running a PiHole and should change an IP address?

I've been running unbound as my local recursive resolver for privacy reasons, but I have several friends who use third party DNS servers with good results. I don't trust Google not to mine my DNS queries (all from my IP address) to sell more of my data; that's what led me first to Cloudflare and then to my own resolver.

2 Likes

Well, use those then:
http://www.root-servers.org/index.html

It might be difficult, since most of the core central ones only accept connections from other DNS servers.
Hence the need for using the commercial ones.

You can't use the root servers as recursive DNS servers:

;; WARNING: recursion requested but not available

The root servers, like most authoritative servers, are configured to not do recursive resolution, which is what your ISP’s DNS servers (and other public ones) are set up for.

3 Likes
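The dig warning quoted above comes straight from two header bits: the client sets RD (recursion desired) and an authoritative-only server answers with RA (recursion available) clear, no answer records, and a delegation in the authority section. The Python below is an added example, not code from this thread, Pi-hole or any root server; it builds a query and two constructed replies in wire format (a root-style referral and a recursive resolver's answer, using the documentation address 192.0.2.10 and the real .com server names only as sample NS targets) and classifies them from the header alone, the same way dig decides to print that warning.

```python
import struct

# DNS type and class codes used below
A, NS, IN = 1, 2, 1


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format (labels + root zero byte)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=A, rd=True, txid=0x1234):
    """Build a query message; RD=1 is what every stub resolver and dig send by default."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, IN)


def build_rr(owner, rtype, rdata, ttl=3600):
    """Encode one resource record: owner name, type, class, TTL, rdlength, rdata."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, IN, ttl, len(rdata)) + rdata


def build_response(query, answers=(), authority=(), aa=False, ra=True):
    """Turn a query into a response, copying ID, question and the client's RD bit."""
    txid, qflags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8000 | (qflags & 0x0100) | (0x0400 if aa else 0) | (0x0080 if ra else 0)
    header = struct.pack("!HHHHHH", txid, flags, qd, len(answers), len(authority), 0)
    return header + query[12:] + b"".join(answers) + b"".join(authority)


def parse_header(msg):
    """Decode the 12-byte DNS header into its flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # 1 = response
        "aa": bool(flags & 0x0400),      # authoritative answer
        "rd": bool(flags & 0x0100),      # recursion desired (echoed from the query)
        "ra": bool(flags & 0x0080),      # recursion available on this server
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(resp):
    """Return (kind, warning): what sort of reply this is and dig's RD/RA warning if it applies."""
    h = parse_header(resp)
    warning = "recursion requested but not available" if h["rd"] and not h["ra"] else None
    if h["rcode"] == 3:
        kind = "nxdomain"
    elif h["ancount"] > 0:
        kind = "authoritative answer" if h["aa"] else "non-authoritative answer"
    elif h["nscount"] > 0:
        kind = "referral"                # delegation only: the server points you elsewhere
    else:
        kind = "empty"
    return kind, warning


# Constructed sample messages (not captured from any real server).
QUERY = build_query("www.example.com")

# What an authoritative-only server such as a root server sends back: no answer,
# a delegation for the TLD in the authority section, and RA clear.
ROOT_STYLE_REFERRAL = build_response(
    QUERY,
    authority=[build_rr("com", NS, encode_name("a.gtld-servers.net")),
               build_rr("com", NS, encode_name("b.gtld-servers.net"))],
    aa=False, ra=False)

# What a recursive resolver sends back: the address record, RA set, AA clear.
RECURSIVE_ANSWER = build_response(
    QUERY,
    answers=[build_rr("www.example.com", A, bytes([192, 0, 2, 10]))],
    aa=False, ra=True)

if __name__ == "__main__":
    print(classify(ROOT_STYLE_REFERRAL))
    print(classify(RECURSIVE_ANSWER))
```

The same `parse_header`/`classify` pair works on the bytes read from a UDP socket after sending `build_query(...)` to a real server: if the reply comes back with RD set and RA clear, that server will not chase the name for you, which is exactly why a stub resolver like Pi-hole cannot be pointed straight at the roots.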

If you run unbound (or similar software) as your local DNS recursive resolver, you can use those and avoid the commercial third party DNS servers. But you can't just point to these from your PiHole.

(Oops, didn't refresh my page and didn't see RamSet's similar reply).

https://discourse.pi-hole.net/t/howto-using-pi-hole-as-lan-dns-server/533

And that's why big companies such as MS only use the root servers in their DNS and internet connections?

So that does not work... No need for a commercial DNS server, not even their own, strangely enough.

BTW, take Google: 23 nodes for DNS; root servers: 300 to 900 nodes.

Reverse engineering: if you have 100 users registered and want them to do something, and 99 do, then what do you know about the one who does not and told you nothing?

Just 1 very easy example

That's true, you can type any upstream DNS, 2 IPv4 and 2 IPv6. And there are 13 (12) root servers. And as far as I know there are no preloaded DNS servers, just proposals. If there were preloaded DNS in Pi-hole and they were not changeable, I would not be using Pi-hole and not having this discussion. I have never used the thing, maybe waited for some good things. But I think I ditched the whole thing and forgot it.

Your information is very incorrect and I don't think it's a language barrier that is causing the confusion. If you do not use the Pi-hole as your DNS server, please do not come to our house and speak conjecture and false statements.

7 Likes

Here comes the point where I would like to see a proof for this statement from you. The root servers cannot be used to query arbitrary domains as they prohibit recursive resolution as already mentioned by @RamSet here:

https://discourse.pi-hole.net/t/add-the-ability-to-let-pi-hole-resolve-dns/2368/43?u=dl6er

I moved this discussion to a new thread so we can continue discussing this matter without spamming this feature request. This thread will still be visible for everyone, we're not trying to hide anything.

2 Likes

If anyone is scared of being "harvested" by the commercial DNS resolver, they should use their ISP DNS.
Your ISP "knows" all the activity you do anyway, because your packets go through its servers, but they don't rely on advertising to exist, they rely on you paying the bill.
Set your router to "Auto" acquire the DNS server, and write those numbers down. Then transplant those into the PiHole.

Example: I have Verizon FIOS, in my area the DNS IPs are 71.252.0.12 / 68.238.122.12 (they use Verizon Assist) or with .14 at the end without using the Verizon Assist function.
Just don't try to use DNSSEC with them...

Here is a screenshot from a working Windows DNS server. Not for local use, and not advised, but it can be. (LDAP compatible.) Even with the DNS of your internet supplier, if you may register a host. There are other records in place.

And I can remove the domain first site record and still go to the internet. (Big problem for my local users because they cannot log on, just locally. But the internet gateway is still reachable.) Of course there is always the DNS of your internet supplier. No problem. Been there, done that. And no problem with arbitrary domains.

And the only forwarding server I use at the moment is the Pi-hole. Works like a charm, normally DynDNS free for more than 15 years now and DNSExit, both for MX records and multiple websites (host headers are so easy on Windows).

Just as Pi-Hole is the other way around, just for internet (blocking ads). The blocklists are just text files, so Google avoids using those for ads.

BTW still no YouTube ad blocks. Look at the boys of uBlock Origin, also freeware.

Those are root hints, they are not resolvers. You cannot get an authoritative answer from a root server for a FQDN because they do not have the records.

The root servers hold the records for the TLD servers. The root (.) knows only who is in charge of .net, .org, .com etc. Any query for a domain name from a root will fail. Try it, we have and we know. (Hint: look at the servers that are involved with https://simpledns.com/lookup-dg for any domain you choose; the root does not resolve FQDNs. It can't.)

If I can use Pi-hole as an authoritative DNS server which can work together with DHCP, so DHCP can fill all the necessary records it needs for the clients, like router, DNS domain names, gateway etcetera etcetera... about 80 records if needed, I will think about that. So for the moment just as an internet forwarder.

And all the blocklists are freely readable, just for the first time in one place. And if I was Google or some other ad server company I should try to avoid those. "If Pi-Hole has any impact" on the ad server market.

If I read you correctly then the root is null and void.

DNS Server service does not use root hints to resolve external names in Windows Server 2008 R2. Windows Server 2008 R2 does not allow CNAME records and NS records to coexist. The key word here is External.

For that matter you are correct. But now it's not a problem anymore. Hence you can even be your own resolver. Takes a few days to fill up but it can. Also in Windows. Not quick or fast, but it works. And I never spoke of 'authoritative answers', just to get me where I want to be on the web.

  1. What is an authoritative DNS server?

An authoritative name server is a name server that gives answers that have been configured by an original source, for example, the domain administrator or by dynamic DNS methods, in contrast to answers that were obtained via a regular DNS query to another name server. An authoritative-only name server only returns answers to queries about domain names that have been specifically configured by the administrator. An authoritative name server can either be a master server or a slave server. A master server is a server that stores the original (master) copies of all zone records. A slave server uses an automatic updating mechanism of the DNS protocol in communication with its master to maintain an identical copy of the master records.

  2. What is a non-authoritative DNS server?

Non authoritative name servers do not contain copies of any domains. Instead they have a cache file that is constructed from all the DNS lookups it has performed in the past for which it has gotten an authoritative response. When a non-authoritative server queries an authoritative server and receives an authoritative answer, it passes that answer along to the querier as an authoritative answer. Thus, non-authoritative servers can answer authoritatively for a given resolution request. However, non-authoritative servers are not authoritative for any domain they do not contain specific zone files for. Most often, a non-authoritative server answers with a previous lookup from its lookup cache. Any answer retrieved from the cache of any server is deemed non-authoritative because it did not come from an authoritative server.

So I get a "Non-authoritative answer" on my DNS requests but it does the job. And I like that. Just as I like Pi-Hole for that matter.

If my internal DNS gives me "authoritative answers" for my internal users / clients, I am satisfied :) Hence all nslookups outside my domain are non-authoritative, even Google, because there is only one that's authoritative and that's my domain controller for my domain. But other than that every DNS cache, list or hosts file can serve an answer. It's just IP-to-name conversion.
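The two points made above, that a root server only hands out TLD delegations (RamSet's "root hints, not resolvers" post) and that a cached reply is by definition non-authoritative (the second definition pasted here), are easiest to see in a miniature iterative resolver. The Python below is an added example, not code from this thread, Pi-hole or unbound: the three simulated servers, their zone contents and the TEST-NET addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) are all constructed. It walks from a root hint through the TLD to the zone's own server the way unbound would, records which servers it had to consult, and serves a repeat lookup from its cache with the authoritative flag cleared.

```python
# Added example: a miniature iterative resolver walking from root hints.
# All zone data and addresses below are constructed for illustration; they
# are not real root, TLD or example.com servers.

# Each simulated server is authoritative for exactly one zone: the root knows
# only TLD delegations, the TLD server knows only second-level delegations,
# and the example.com server is the only one holding address records.
SERVERS = {
    "192.0.2.1": {                       # stands in for a root server
        "ns": {"com.": [("a.gtld.test.", "192.0.2.53")]},
        "a": {},
    },
    "192.0.2.53": {                      # stands in for a .com TLD server
        "ns": {"example.com.": [("ns1.example.com.", "198.51.100.1")]},
        "a": {},
    },
    "198.51.100.1": {                    # authoritative for example.com
        "ns": {},
        "a": {"www.example.com.": "203.0.113.10"},
    },
}
ROOT_HINTS = ["192.0.2.1"]               # what a root hints file gives a resolver to start from


def query_server(ip, qname):
    """Answer as an authoritative-only server would: ('answer'|'referral'|'nxdomain', data, aa)."""
    zone = SERVERS[ip]
    if qname in zone["a"]:
        return "answer", zone["a"][qname], True          # AA set: our own zone data
    for delegated, nsset in zone["ns"].items():
        if qname == delegated or qname.endswith("." + delegated):
            return "referral", nsset, False              # delegation: go ask these servers
    return "nxdomain", None, True                        # nothing below us by that name


def resolve(qname, cache, max_hops=10):
    """Iterative resolution from the root hints; returns (address, authoritative, trace)."""
    if not qname.endswith("."):
        qname += "."
    if qname in cache:
        # A cached answer did not come from the authoritative server this time,
        # so it is reported as non-authoritative.
        return cache[qname], False, ["cache"]
    trace = []
    candidates = list(ROOT_HINTS)
    for _ in range(max_hops):
        ip = candidates[0]                                # one server per level is enough here
        trace.append(ip)
        kind, data, aa = query_server(ip, qname)
        if kind == "answer":
            cache[qname] = data
            return data, aa, trace
        if kind == "nxdomain":
            return None, aa, trace
        candidates = [glue for _, glue in data]          # follow the referral using its glue
    raise RuntimeError("referral loop: gave up after %d hops" % max_hops)


if __name__ == "__main__":
    # A stub asking the root directly gets a referral, never an address.
    print(query_server("192.0.2.1", "www.example.com."))
    cache = {}
    print(resolve("www.example.com", cache))   # authoritative, three servers consulted
    print(resolve("www.example.com", cache))   # non-authoritative, served from cache
```

A stub resolver such as Pi-hole does only the first call: it sends the whole name to one upstream and expects an address back, which is why its upstream has to be something that does the loop (a recursive resolver), not one of the servers the loop visits.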

So far, I haven't been able to understand or make sense of your arguments. Help me clarify:

  1. Do you use Pi Hole (yes/no)?

  2. If you use PiHole, what are you using for DNS resolution (third party DNS and if so, which one, or your own recursive resolver, and if so, which one).

  3. If you are not using PiHole, what do you use for DNS resolution (third party or your own).

  4. From the answers above, why did you choose your solution? Was it DNS privacy only, DNS speed only, ad-blocking only, ad-blocking plus DNS speed, ad-blocking plus DNS privacy?

jfb (https://discourse.pi-hole.net/u/jfb)
June 1

So far, I haven’t been able to understand or make sense of your arguments. Help me clarify:

  1. Do you use Pi Hole (yes/no)?

[BvV] Yes

  2. If you use PiHole, what are you using for DNS resolution (third party DNS and if so, which one, or your own recursive resolver, and if so, which one).

[BvV] Integrated Windows DNS, required for AD in SRV 2012R2

  3. If you are not using PiHole, what do you use for DNS resolution (third party or your own).

[BvV] Use Pi-hole as forwarder

  4. From the answers above, why did you choose your solution? Was it DNS privacy only, DNS speed only, ad-blocking only, ad-blocking plus DNS speed, ad-blocking plus DNS privacy?

[BvV] Integrated DNS is by design and private, AD cannot without. You can, but not required, to use the integrated DNS for your internet. I can use Windows DNS also to block Advertising sites and use the lists from Pi-hole but that’s painstaking to do.

So if the DNS in Pi-hole does not respond it automatically falls back to my internal DNS and uses all the root hints. And if it's not difficult enough, I have a changing external IP address for my servers (Hyper-V) and use DirectUpdate (French programmer) for that. And it has run since the first Windows NT (1993) with a phone line in reverse (phreaking).

And who are you? “So far, I haven’t been able to understand or make sense of your arguments.”

I hope you are not one of the Pi-Hole programmers. Then I don't have much confidence in your skills and the future of Pi-Hole. I heard the code is somewhat, let me put it softly in Dutch: rommelig. Not my words, but I read things on the net.

I am not one of the Pi-Hole programmers. I am a user. I have found the software to be lightweight, reliable and meets all my needs. In my opinion, the developers know what they are doing and are doing good work. I am guessing they know orders of magnitude more about DNS and such topics than either of us.

Reading your thread of posts on this topic (above) I note that technicalpyro provided the link to the setup for unbound which can be the recursive DNS resolver for your PiHole. The instructions on that link work and if you set that up as described, you have a fully functioning recursive caching DNS resolver running locally. That resolver directly queries all the correct levels of authoritative DNS entities (starting at the root as needed), and completely bypasses third party DNS services. This appears to be the solution you are looking for. Have you installed this? If so, have you found the performance to be acceptable (delay times in particular)?

It appears you are running a DNS resolver on a Windows server. Is that resolver doing what you need? If so, just point your PiHole to that DNS server and let PiHole provide the ad-block filtering.

The PiHole itself is a DNS forwarder, not a resolver. It gets between you and the DNS resolvers and applies ad-blocking filters. Without an available local recursive DNS resolver for PiHole to talk to, PiHole needs to talk to a third party resolver to get the addresses. PiHole has included some of the more popular servers in their setup menu, but anybody is free to plug in the address of their favorite DNS provider.

The other members of this group would certainly like to help you get a setup that works for you, but it's not clear what you are looking for. Please help us help you. What is it you want your PiHole setup to do for you that it isn't currently achieving.

7 Likes

jfb (https://discourse.pi-hole.net/u/jfb)
June 1

I am not one of the Pi-Hole programmers. I am a user. I have found the software to be lightweight, reliable and meets all my needs. In my opinion, the developers know what they are doing and are doing good work. I am guessing they know orders of magnitude more about DNS and such topics than either of us.

[BvV] You said it right: guessing. And please speak for yourself.

Reading your thread of posts on this topic (above) I note that technicalpyro provided the link to the setup for unbound which can be the recursive DNS resolver for your PiHole. The instructions on that link work and if you set that up as described, you have a fully functioning recursive DNS resolver running locally. That resolver directly queries all the correct levels of authoritative DNS entities, and completely bypasses third party DNS services. This appears to be the solution you are looking for. Have you installed this? If so, have you found the performance to be acceptable (delay times in particular)?

[BvV] Never said anywhere Pi-Hole is not working. And I have the solution I was looking for. I think Pi-Hole is a big, very big thing. You know how big the advertising worldwide is? And I don’t think they let it happen to diminish their market. And the only way is to be open source.

It appears you are running a DNS resolver on a Windows server. Is that resolver doing what you need? If so, just point your PiHole to that DNS server and let PiHole provide the ad-block filtering.

[BvV] I told you. And yes, my DNS server does what I want it to do, including Pi-hole. Nice Pi-Hole screen if I reach a blocked site.

The PiHole itself is a DNS forwarder, not a resolver. It gets between you and the DNS resolvers and applies ad-blocking filters. Without an available local recursive DNS resolver for PiHole to talk to, PiHole needs to talk to a third party resolver to get the addresses. PiHole has included some of the more popular servers in their setup menu, but anybody is free to plug in the address of their favorite DNS provider.

[BvV] That you told me before, and I did explain how DNS works according to the RFCs. So what's the extra explaining?

The other members of this group would certainly like to help you get a setup that works for you, but it’s not clear what you are looking for. Please help us help you. What is it you want your PiHole setup to do for you that it isn’t currently achieving.

[BvV] So you didn't understand. Too bad, from my side: WOMBAT (https://www.acronymfinder.com/Waste-Of-Money%2C-Brains-And-Time-(WOMBAT).html), one of my definitions.

So, I assume your original question has been answered ("Why not use root servers directly for PiHole") and there is no point in further discussion.

The developers have explained why they have the installation set up as they have. There is an option to use a recursive DNS server with PiHole (with crystal clear instructions), or you can go to a third party DNS provider of your choice. They have explained why the third party DNS option at setup is the default. Users have the option to pick the configuration that best meets their needs.

Your setup works for you, and you like it. That's all that matters.

Personal note. As we say in my neck of the woods, you catch more flies with honey than vinegar.

3 Likes

Okay, this has run its course. Closing.

3 Likes