Why not use the root servers directly for Pi-hole?

Here is a screenshot from a working Windows DNS server. Not for local use, and not advised, but it can be. (LDAP compatible) Even with the DNS of your internet supplier, if you may register a host. There are other records in place.

And I can remove the domain's first site record and still go to the internet. (Big problem for my local users because they cannot log on, just locally. But the internet gateway is still reachable.) Of course there is always the DNS of your internet supplier. No problem. Been there, done that. And no problem with arbitrary domains.

And the only forwarding server I use at the moment is the Pi-hole. Works like a charm. Normally DynDNS, free for more than 15 years now, and DNSExit, both for MX records and multiple websites (host headers are so easy on Windows).

Just as Pi-Hole is the other way around: just for internet (blocking ads). The blocklists are just text files, so Google avoids using those for ads.

BTW, still no YouTube ad blocks. Look at the boys of uBlock Origin, also freeware.

Those are root hints, they are not resolvers. You cannot get an authoritative answer from a root server for an FQDN because they do not have the records.

A root server holds the records for the TLD servers. The root (.) knows only who is in charge of .net, .org, .com, etc. Any query for a domain name from a root will fail. Try it, we have and we know. (Hint: look at the servers that are involved with https://simpledns.com/lookup-dg for any domain you choose; the root does not resolve FQDNs. It can't.)

If I can use Pi-hole as an authoritative DNS server which can work together with DHCP, so DHCP can fill in all the necessary records it needs for the clients, like router, DNS domain names, gateway etcetera etcetera… About 80 records if needed, I will think about that. So for the moment just as an internet forwarder.

And all the blocklists are freely readable, just for the first time in one place. And if I was Google or some other ad server company I should try to avoid those. "If Pi-Hole has any impact" on the ad server market.

If I read you correctly then the root is null and void.

DNS Server service does not use root hints to resolve external names in Windows Server 2008 R2. Windows Server 2008 R2 does not allow CNAME records and NS records to coexist. The key word here is External.

For that matter you are correct. But now it's not a problem anymore. Hence you can even be your own resolver. Takes a few days to fill up, but it can. Also in Windows. Not quick or fast, but it works. And I never spoke of 'authoritative answers', just of getting me where I want to be on the web.

  1. What is an authoritative DNS server?

An authoritative name server is a name server that gives answers that have been configured by an original source, for example, the domain administrator or by dynamic DNS methods, in contrast to answers that were obtained via a regular DNS query to another name server. An authoritative-only name server only returns answers to queries about domain names that have been specifically configured by the administrator. An authoritative name server can either be a master server or a slave server. A master server is a server that stores the original (master) copies of all zone records. A slave server uses an automatic updating mechanism of the DNS protocol in communication with its master to maintain an identical copy of the master records.

  2. What is a non-authoritative DNS server?

Non-authoritative name servers do not contain copies of any domains. Instead they have a cache file that is constructed from all the DNS lookups they have performed in the past for which they have gotten an authoritative response. When a non-authoritative server queries an authoritative server and receives an authoritative answer, it passes that answer along to the querier as an authoritative answer. Thus, non-authoritative servers can answer authoritatively for a given resolution request. However, non-authoritative servers are not authoritative for any domain they do not contain specific zone files for. Most often, a non-authoritative server answers with a previous lookup from its lookup cache. Any answer retrieved from the cache of any server is deemed non-authoritative because it did not come from an authoritative server.

So I get a "Non-authoritative answer" on my DNS requests, but it does the job. And I like that. Just as I like Pi-Hole for that matter.

If my internal DNS gives me "authoritative answers" for my internal users / clients, I am satisfied :) Hence all nslookups outside my domain are non-authoritative, even Google, because there is only one that's authoritative and that's my domain controller for my domain. But other than that every DNS cache, list or hosts file can serve an answer. It's just IP to name conversion.

So far, I haven't been able to understand or make sense of your arguments. Help me clarify:

  1. Do you use Pi Hole (yes/no)?

  2. If you use PiHole, what are you using for DNS resolution (third party DNS and if so, which one, or your own recursive resolver, and if so, which one).

  3. If you are not using PiHole, what do you use for DNS resolution (third party or your own).

  4. From the answers above, why did you choose your solution? Was it DNS privacy only, DNS speed only, ad-blocking only, ad-blocking plus DNS speed, ad-blocking plus DNS privacy?


jfb (https://discourse.pi-hole.net/u/jfb)
June 1

So far, I haven’t been able to understand or make sense of your arguments. Help me clarify:

  1. Do you use Pi Hole (yes/no)?

[BvV] Yes

  2. If you use PiHole, what are you using for DNS resolution (third party DNS and if so, which one, or your own recursive resolver, and if so, which one).

[BvV] Integrated Windows DNS, required for AD in SRV 2012R2

  3. If you are not using PiHole, what do you use for DNS resolution (third party or your own).

[BvV] Use Pi-hole as forwarder

  4. From the answers above, why did you choose your solution? Was it DNS privacy only, DNS speed only, ad-blocking only, ad-blocking plus DNS speed, ad-blocking plus DNS privacy?

[BvV] Integrated DNS is by design and private; AD cannot do without it. You can, but are not required to, use the integrated DNS for your internet. I can use Windows DNS also to block advertising sites and use the lists from Pi-hole, but that's painstaking to do.

So if the DNS in Pi-hole does not respond, it automatically falls back to my internal DNS and uses all the root hints. And if that's not difficult enough, I have a changing external IP address for my servers (Hyper-V) and use DirectUpdate (French programmer) for that. And it has run already since the first Windows NT (1993) with a phone line in reverse (phreaking).

And who are you? “So far, I haven’t been able to understand or make sense of your arguments.”

I hope you are not one of the Pi-Hole programmers. Then I don't have much confidence in your skills and the future of Pi-Hole. I heard the code is somewhat, let me put it softly in Dutch: rommelig (messy). Not my words, but I read things on the net.

I am not one of the Pi-Hole programmers. I am a user. I have found the software to be lightweight, reliable and meets all my needs. In my opinion, the developers know what they are doing and are doing good work. I am guessing they know orders of magnitude more about DNS and such topics than either of us.

Reading your thread of posts on this topic (above) I note that technicalpyro provided the link to the setup for unbound, which can be the recursive DNS resolver for your PiHole. The instructions on that link work, and if you set that up as described, you have a fully functioning recursive caching DNS resolver running locally. That resolver directly queries all the correct levels of authoritative DNS entities (starting at the root as needed), and completely bypasses third party DNS services. This appears to be the solution you are looking for. Have you installed this? If so, have you found the performance to be acceptable (delay times in particular)?

It appears you are running a DNS resolver on a Windows server. Is that resolver doing what you need? If so, just point your PiHole to that DNS server and let PiHole provide the ad-block filtering.

The PiHole itself is a DNS forwarder, not a resolver. It gets between you and the DNS resolvers and applies ad-blocking filters. Without an available local recursive DNS resolver for PiHole to talk to, PiHole needs to talk to a third party resolver to get the addresses. PiHole has included some of the more popular servers in their setup menu, but anybody is free to plug in the address of their favorite DNS provider.

The other members of this group would certainly like to help you get a setup that works for you, but it's not clear what you are looking for. Please help us help you. What is it you want your PiHole setup to do for you that it isn't currently achieving?

7 Likes
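As an added illustration of this post and of the earlier reply about root hints (example code, not from Pi-hole or from either poster), the script below models the delegation chain in memory: the root knows only TLD delegations and answers an FQDN query with a referral, an iterative resolver follows referrals down to the authoritative server, answers served from cache lose the authoritative flag, and a Pi-hole-style forwarder only filters and hands everything else upstream. All server names, the zone data and the blocked name are constructed; 192.0.2.10 is from the RFC 5737 documentation range.

```python
# Constructed in-memory model of the DNS delegation chain; no real DNS traffic.
# Each server holds only the records it is authoritative for. The root holds
# nothing but NS delegations for TLDs, which is all a root hint points you to.
ROOT = {"com.": {"NS": ["a.gtld-servers.net."]}}            # constructed
TLD_COM = {"example.com.": {"NS": ["ns1.example.com."]}}    # constructed
EXAMPLE_COM = {"www.example.com.": {"A": ["192.0.2.10"]}}  # RFC 5737 doc range
# Glue is ignored here: a referral's NS name is used directly as the server key.
SERVERS = {"root": ROOT, "a.gtld-servers.net.": TLD_COM,
           "ns1.example.com.": EXAMPLE_COM}

def query(server, qname, qtype="A"):
    """Ask one server. Returns ("answer", rrset, aa=True),
    ("referral", [ns names]) or ("nxdomain",)."""
    zone = SERVERS[server]
    if qname in zone and qtype in zone[qname]:
        return ("answer", zone[qname][qtype], True)
    labels = qname.split(".")
    for i in range(1, len(labels)):          # closest delegation this server knows
        parent = ".".join(labels[i:])
        if parent in zone and "NS" in zone[parent]:
            return ("referral", zone[parent]["NS"])
    return ("nxdomain",)

class Resolver:
    """Iterative resolver: starts at the root hints and follows referrals."""
    def __init__(self):
        self.cache = {}
    def resolve(self, qname, qtype="A"):
        if (qname, qtype) in self.cache:      # served from cache: AA flag is off
            return self.cache[(qname, qtype)], False
        server = "root"
        for _ in range(8):                    # bound the referral chain
            r = query(server, qname, qtype)
            if r[0] == "answer":
                self.cache[(qname, qtype)] = r[1]
                return r[1], r[2]
            if r[0] == "referral":
                server = r[1][0]
                continue
            raise LookupError(f"{qname} does not exist")
        raise LookupError("too many referrals")

class Forwarder:
    """Pi-hole-style forwarder: filters against a blocklist, forwards the rest."""
    def __init__(self, upstream, blocklist):
        self.upstream, self.blocklist = upstream, set(blocklist)
    def lookup(self, qname):
        if qname in self.blocklist:
            return ["0.0.0.0"], False         # blocked locally, never sent upstream
        return self.upstream.resolve(qname)
```

Asking the root directly (`query("root", "www.example.com.")`) yields only a referral to the .com servers, never an address, which is the point about root hints made earlier in the thread.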


jfb (https://discourse.pi-hole.net/u/jfb)
June 1

I am not one of the Pi-Hole programmers. I am a user. I have found the software to be lightweight, reliable and meets all my needs. In my opinion, the developers know what they are doing and are doing good work. I am guessing they know orders of magnitude more about DNS and such topics than either of us.

[BvV] You said it right: guessing. And please speak for yourself.

Reading your thread of posts on this topic (above) I note that technicalpyro provided the link to the setup for unbound, which can be the recursive DNS resolver for your PiHole. The instructions on that link work, and if you set that up as described, you have a fully functioning recursive DNS resolver running locally. That resolver directly queries all the correct levels of authoritative DNS entities, and completely bypasses third party DNS services. This appears to be the solution you are looking for. Have you installed this? If so, have you found the performance to be acceptable (delay times in particular)?

[BvV] Never said anywhere Pi-Hole is not working. And I have the solution I was looking for. I think Pi-Hole is a big, very big thing. You know how big advertising worldwide is? And I don't think they'll let it happen that their market diminishes. And the only way is to be open source.

It appears you are running a DNS resolver on a Windows server. Is that resolver doing what you need? If so, just point your PiHole to that DNS server and let PiHole provide the ad-block filtering.

[BvV] I told you. And yes, my DNS server does what I want it to do, including Pi-hole. Nice Pi-Hole screen if I reach a blocked site.

The PiHole itself is a DNS forwarder, not a resolver. It gets between you and the DNS resolvers and applies ad-blocking filters. Without an available local recursive DNS resolver for PiHole to talk to, PiHole needs to talk to a third party resolver to get the addresses. PiHole has included some of the more popular servers in their setup menu, but anybody is free to plug in the address of their favorite DNS provider.

[BvV] That you did tell me before, and I did explain how DNS works according to the RFCs. So what's the extra explaining?

The other members of this group would certainly like to help you get a setup that works for you, but it’s not clear what you are looking for. Please help us help you. What is it you want your PiHole setup to do for you that it isn’t currently achieving.

[BvV] So you didn't understand. Too bad, from my side: WOMBAT (https://www.acronymfinder.com/Waste-Of-Money%2C-Brains-And-Time-(WOMBAT).html), one of my definitions.

So, I assume your original question has been answered ("Why not use root servers directly for PiHole") and there is no point in further discussion.

The developers have explained why they have the installation set up as they have. There is an option to use a recursive DNS server with PiHole (with crystal clear instructions), or you can go to a third party DNS provider of your choice. They have explained why the third party DNS option at setup is the default. Users have the option to pick the configuration that best meets their needs.

Your setup works for you, and you like it. That's all that matters.

Personal note. As we say in my neck of the woods, you catch more flies with honey than vinegar.

3 Likes

Okay, this has run its course. Closing.

3 Likes