Yes right dd-wrt offers a lot of built-in functionality.
But it should be obvious that if you outsource basic functions like DNS resolution and caching you have to outsource unbound as well.
The Raspberry Pi installation and configuration is quite simple.
There are actually also external sources for this.
Code:
# May be set to yes if you have IPv6 connectivity
do-ip6: no
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Teredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
#root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the server's authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
Code:
raspberry4:/$ sudo service unbound restart
Configure Unbound in the Pi-Hole (see picture)
So for me unbound works with the mentioned dd-wrt settings
So I have tested a bit, theoretically it is also possible to use unbound on the router.
But this is quite complicated because the automatically generated configuration files do not fit.
So I will definitely not go into the variant and also advise against using such constructions.
Sense and purpose of the thread is also to keep everything as simple as possible
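An added check for the unbound fragment above (example code, not from the thread or the Pi-hole project): it parses an unbound.conf server fragment and reports settings that differ from the hardening values the guide uses. The option names are real unbound options; the sample fragment is constructed here with two settings deliberately weakened.

```python
# Added example (not from the thread): parse an unbound.conf server fragment
# like the one above and flag settings that weaken it. Option names are real
# unbound options; the sample fragment is constructed (two settings weakened).
import ipaddress
import re
from collections import defaultdict

SAMPLE = """
# comments and commented-out options are ignored
do-ip6: no
harden-glue: no
harden-dnssec-stripped: yes
use-caps-for-id: no
edns-buffer-size: 1472
#root-hints: "/var/lib/unbound/root.hints"
private-address: 192.168.0.0/16
private-address: 10.0.0.0/8
"""

# Settings the guide relies on, with the value it expects.
EXPECTED = {"harden-glue": "yes", "harden-dnssec-stripped": "yes",
            "use-caps-for-id": "no", "edns-buffer-size": "1472"}
# Private / link-local ranges that must never come back in upstream answers.
EXPECTED_PRIVATE = {"192.168.0.0/16", "169.254.0.0/16", "172.16.0.0/12", "10.0.0.0/8"}

def parse_unbound(text):
    """Return {option: [values]}; repeated options such as private-address keep every value."""
    opts = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"^([\w-]+):\s*(.*)$", line)
        if m:
            opts[m.group(1)].append(m.group(2).strip().strip('"'))
    return opts

def audit(text):
    """Return findings as strings; an empty list means the fragment matches the guide."""
    opts = parse_unbound(text)
    findings = []
    for key, want in EXPECTED.items():
        got = opts.get(key)
        if got is None:
            findings.append(f"{key} missing (expected {want})")
        elif got[-1] != want:                       # a later occurrence overrides an earlier one
            findings.append(f"{key} is {got[-1]}, expected {want}")
    have = {str(ipaddress.ip_network(p)) for p in opts.get("private-address", [])}
    findings += [f"private-address {n} missing" for n in sorted(EXPECTED_PRIVATE - have)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "config matches the guide")
```

Point it at the real file with `audit(open("/etc/unbound/unbound.conf.d/pi-hole.conf").read())` to check a live installation.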
My Pi-Hole configuration option in the home network has been used for several months. The settings are shown below in the picture.
Comments:
Pi-Hole is installed on Orange PI PC+ on Armbian 21.05.6 Focal system with Linux 5.10.43-sunxi.
The only upstream DNS server for Pi-Hole is the router's SmartDNS - 192.168.1.1#6053.
The configuration file for SmartDNS is picked up when starting from an external HDD - /jffs/etc/smartd.conf
SmartDNS accesses the server exclusively via the TLS protocol.
Static DNS 1/2/3 is registered, but in fact - no-resolv (this is not visible in the picture).
Maybe something is wrong, but everything works.
Posted: Thu Jul 08, 2021 20:13
As KP69 noted, you can run various extra DNS services (via Entware) like Unbound, SmartDNS, Stubby and DNSCrypt on the router side and keep it in one place...
The only advantages for Pi DNS are better handling with more graphs/menus (GUI) and extra CPU power just for DNS..
Me, personally I prefer all in one place, as better and easier control and handling....but will invest in a Pi soon just to scratch the surface...and try an idea that is in my mind...
Thanks for the guide!
You can also install everything from your list on the Raspberry, then you have everything on one host / in one place as well.
That is just the advantage of a complete Linux distribution: there you can install everything you want, and if it is not available in the package repositories (or if you want to use a newer version) you can build it yourself.
You can also do other nice things with the Raspberry.
For example you can use it as a NAS:
You can also use the Raspberry 4 as a complete router (supposedly capable of 800mbit via WireGuard).
Either with the one network port and VLANs, or you add a USB NIC or a card on the IO board.
There are thousands of other things you can do with the Raspberry, e.g. use it as a desktop replacement.
I finally made it to my friend's house with a RasPi-3 I prepared with Pi-hole and unbound. I used example #1 at my friend's and rebooted his EA8500 with build r46885 and no Pi-hole DNS. I tried it a few times without success, so I ended up just doing it the quick & easy way of pointing their main computer's network adapter DNS entry to the Pi-hole's IP, which was not the goal.
Well, if you look at the network information on the computers, you can see which DNS is being used.
Sometimes the clients have to be rebooted or at least disconnected from the network to renew their DHCP lease.
In the first example "dhcp-option=6,192.168.1.110" is added to the dnsmasq.conf of the router:
Code:
root@DD-WRT:~# cat /tmp/dnsmasq.conf | grep n=6
dhcp-option=6,192.168.1.110
This means that the client sends all DNS requests directly to the Pi-hole and has the same effect as a manual configuration of the DNS in the client.
Thanks, it didn't occur to me to reboot the client, because in Windows I could change the network adapter DNS entry to Pi-hole, Google, Quad9 or even auto without a reboot. I'll try that next time, probably in a few days.
EDIT/Update:
I was able to test this again today and ho1Aetoo was 100% spot on, we did need to reboot the clients.
Not sure if something has changed in DD-WRT. I have been running a Raspberry Pi with Unbound and Pi-hole for a while; I had No DNS Rebind disabled in the router because of endless logs with possible DNS bind attacks from x.x.x.x (whatever the correct wording was) last time I had it enabled.
Another thread got me thinking, so I have had another attempt at it and added this to Additional Dnsmasq Options:
rebind-domain-ok=/pi.hole/
Enabled No DNS Rebind, rebooted, and it seems to have cured the endless logs. This may be nothing new, but last time I messed about, whatever I changed always gave me endless logs.
But this seems to have done the trick, so far at least.
It may help someone else.
Doesn't work for me, and I already wrote you via PM that "stop-dns-rebind" can be deactivated on the router, as you can activate it on the Pi-hole itself (on the Pi-hole itself dnsmasq is running).
Yes, I have received the PM, thanks. I popped this in on Friday and it has been fine all weekend, hence the "not sure if something has changed in DD-WRT" part of the message.
Now running r47695; previously not working on 44719.
It is not clear to me how this should work, because the option "rebind-domain-ok" excludes FQDNs from the rebind check.
So you would have to deposit all 1000 dubious domains individually.
Code:
--rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/]
Do not detect and block dns-rebind on queries to these domains. The argument may be either a single domain, or multiple domains
The second dnsmasq option "rebind-localhost-ok" ignores localhost addresses as answers (127.0.0.0 - 127.255.255.255):
Code:
--rebind-localhost-ok
Exempt 127.0.0.0/8 and ::1 from rebinding checks. This address range is returned by realtime black hole servers, so blocking it may disable these services.
The default blocking mode of the Pi-hole has been "unspecified" for years, which means all blocked requests are answered with 0.0.0.0, so that doesn't work either.
In my network there is also no "pi.hole" and I do not know who should query it.
The DNS servers are queried by IP and then try to resolve the queried FQDNs; only a "pi.hole" will not be there.
Besides, there are a lot of outdated bullshite how-tos on the internet (especially the DD-WRT FAQs on the Pi-hole pages, that's all I'll say about that).
The only thing the entry "rebind-domain-ok=/pi.hole/" does is that, if you have "stop-dns-rebind" enabled on the router, you can access your Pi-hole via the domain name.
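To make the argument above concrete, here is an added model of the rebind check (example code, not from the thread or from dnsmasq): it assumes dnsmasq's documented behaviour, i.e. answers in private, link-local, loopback and 0.0.0.0/8 ranges are discarded unless the queried name falls under a rebind-domain-ok entry, and rebind-localhost-ok exempts only 127.0.0.0/8. The sample answers are constructed.

```python
# Added example (not from the thread): simplified model of dnsmasq's
# stop-dns-rebind decision, assumed here to follow the documented behaviour.
# It shows why rebind-domain-ok=/pi.hole/ and rebind-localhost-ok do not
# exempt the 0.0.0.0 answers a Pi-hole returns for blocked domains.
import ipaddress

# Ranges treated as "private" by the check (assumed set; 0.0.0.0/8 included,
# which is what makes a 0.0.0.0 answer trip the protection).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "0.0.0.0/8")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def domain_ok(name, ok_domains):
    """True if name equals or is a subdomain of any rebind-domain-ok entry."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in ok_domains)

def rebind_blocked(name, answer_ip, ok_domains=(), localhost_ok=False):
    """Return True when the rebind check would discard this answer."""
    ip = ipaddress.ip_address(answer_ip)
    if domain_ok(name, ok_domains):
        return False                  # exempt by name, whatever the address
    if ip in LOOPBACK:
        return not localhost_ok       # rebind-localhost-ok covers 127/8 only
    return any(ip in net for net in PRIVATE_NETS)

# Constructed answers: the Pi-hole's own name, a blocked domain answered
# with 0.0.0.0, and an ordinary public answer.
CASES = [
    ("pi.hole", "192.168.1.110"),
    ("ads.example", "0.0.0.0"),
    ("www.example", "93.184.216.34"),
]

def run(ok_domains=("pi.hole",), localhost_ok=False):
    """Map each case to whether it is blocked; the 0.0.0.0 answer always is."""
    return {n: rebind_blocked(n, ip, ok_domains, localhost_ok) for n, ip in CASES}

if __name__ == "__main__":
    for name, blocked in run().items():
        print(f"{name:14} blocked={blocked}")
```

Running it with `localhost_ok=True` changes nothing for the 0.0.0.0 case, which is the reason the rebind protection belongs on the Pi-hole's own dnsmasq rather than on the router in this setup.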
I see your examples are for a PPPoE ISP connection. I have static connections, so it's a little different, but I have it working in a configuration similar to your 2nd example. In this configuration, the Pi Hole keeps rate limiting the router's DNS requests. I'm currently up to 200000 in 60 seconds in /etc/pihole/pihole-FTL.conf (default is 1000/60) and it's still hitting the limit.
So, do you see those types of errors? Or, how did you mitigate them? I see that it could be set to 0/0 and essentially disable that "feature" but not sure what the ramifications would be.
What are the Pros and Cons between the two examples you presented?
I like the added reporting feature that comes with the first example but worried about the rate limiting and no backup DNS if the Pi Hole goes down.
I like the simplicity and having a backup DNS option if the Pi hole goes down in example 2 but miss out on the individual client reporting.
Last edited by unlucky1 on Tue Jan 04, 2022 11:23; edited 1 time in total
And no, I don't have 200,000 requests in 60 sec.
So it should occur to you that something is misconfigured and running in a loop.
Yes, that's why I came here for advice. Seems I had to dig deeper into my overall network setup, too.
This is what works for Static WAN, from WAP to Pi Hole:
WAP:
Setup > Basic Setup
WAN Connection - Disabled
SFE and STP - Disabled
Local IP - 192.168.1.6/24 (your IP may vary)
Gateway - 192.168.1.1
Local DNS - 192.168.1.1
DHCP Type - DHCP Forwarder
DHCP Server - 192.168.1.1 (Gateway Router to ISP)
Gateway:
Setup > Basic Setup
Connection Type - Static IP
WAN IP Address - x.x.x.2/xx (provided by ISP)
Gateway - x.x.x.1 (provided by ISP)
Static DNS 1 - 192.168.1.x (Pi Hole address on LAN)
Static DNS 2 - Alternate DNS 1 (your choice may vary)
Static DNS 3 - Alternate DNS 2 (your choice may vary)
SFE and STP - Disabled
Local IP - 192.168.1.1/24 (This is the Gateway to the ISP)
Gateway - 0.0.0.0
Local DNS - 0.0.0.0
DHCP Type - DHCP Server
DHCP Server - Enable
Use DNSMasq for DNS - Check
DHCP-Authoritative - Check
Forced DNS Redirection - Uncheck
Setup > Advanced Routing
Operating Mode - Gateway
Services > Services
SmartDNS Resolver - Disable
Dnsmasq - Enable
Cache DNSSEC data - Disable
No DNS Rebind - Disable
Query DNS in Strict Order - Enable
Add Requestor MAC to DNS Query - Disable
RFC4039 Rapid Commit support - Disable
Pi Hole:
Settings > DNS > Upstream DNS Servers
Select Upstream DNS of your choice or select Custom DNS and add your DNS of choice
Advanced DNS settings
Never forward non-FQDN A and AAAA queries - Checked
Never forward reverse lookups for private IP ranges - Checked
Conditional forwarding - Unchecked
Last edited by unlucky1 on Sun Jan 09, 2022 21:08; edited 1 time in total