Hi guys! So…I have a self-hosted DNS server. Initially I’d use pihole, with unbound, and the more or less basic blocklists. But from time to time things would start acting wonky. Sometimes a reboot would fix it. Sometimes…not really, and I was really not sure what was going wrong, but it was clearly DNS. Changing the clients’ settings from my own server to something like 9.9.9.9 would immediately get it sorted out.

So I went with an adguard server. In the last few days I’ve started to notice weird behaviors. Today I lost the Azure desktop I was connected to, and it very clearly looked like DNS. So I checked…and yup, 9.9.9.9 again would sort it all out. So…I’m not sure what’s going wrong. I’m self-hosting these on an LXC container in proxmox. Nothing else seems to have issues connecting, and I see almost no resources being used. Any ideas? Any other DNS server I might be able to try?

Thanks!

  • @[email protected]
    2
    3 days ago

    Cool, thanks for the clarification. This is good info to have in here in general.

    So unbound by default discovers other DNS servers, if I’m understanding that correctly. I’ve never used it, does it not use your ISP’s DNS by default, or does that depend on user config?

    What if your PiHole is configured to use other than your ISP’s DNS?

    • @[email protected]
      13 days ago

      If pi hole is configured to use another DNS it will still forward your request, just not to your ISP DNS server. Essentially you’re providing your DNS requests to a 3rd party, for a slight boost to performance (because they’ll have tons of stuff cached and can do recursive queries faster if you’re requesting a site not in their cache.) Your web pages will load faster because you don’t have an SBC trying to manually figure out what’s the IP for bigfuckdaddyhairbrushemporium.net

      The downside is you’re exposing your DNS queries to a 3rd party and it’s a bit of a privacy hit, as the upstream DNS server you select has your public IP correlated with your DNS requests. Doesn’t really matter to most, but it does for some.

      • @[email protected]
        1 day ago

        Thanks for the clarification.

        How is that different than unbound? Isn’t it also forwarding requests?

    • @[email protected]
      1
      3 days ago

      There are 13 root name servers; they contain info about which DNS server is authoritative for (can tell you about) a given TLD (like .com or .de), then that repeats for every part of your query with that given server.

      Something
      ^ most of the time the same as.
      Foo.
      ^ DNS for baz or bar dns again.
      Bar.
      ^ DNS for Bar.
      Com.
      ^ DNS server for the .com tld
      <root name server>
      ^ the one unbound asks first, not part of the domain

      Giving us the IP of something.foo.bar.com
      Though the DNS name would be something.foo.bar.com.

      The root server ips are known to unbound and static.

      Then it will ask that server? Like I said, unbound removes the middle man and somewhat increases privacy (debatable if only you use it, but anyway).

      • @[email protected]
        1
        1 day ago

        Ah, unbound has the root DNS servers hard coded. That’s a significant point.

        Any reason you couldn’t do the same with any other DNS server such as PiHole?

        I’m really trying to understand why I’d run two DNS servers in serial, instead of one. All this sounds like it’s just a different config that (in the case of unbound) has been built in - is there something else I’m missing that unbound does differently?

        Why couldn’t you just config the TLDs as your upstream DNS in whatever local DNS server? Isn’t that what enterprises do?

        • @[email protected]
          1
          1 day ago

          Because pi-hole asks the configured DNS the whole domain, the root server will promptly <access denied> because that’s not how DNS is supposed to work.

          There’s a difference between asking about the individual parts of the domain at the corresponding authoritative DNS server and just sending the whole thing to a root server. If you did that, then the root server would get ddosed to death.
          Pi-hole can’t ask the root servers; it can only forward. Unbound can forward, or be authoritative, or ask using the root servers and go down the chain, or do all of those at once.
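To make the forwarder-versus-recursive distinction from this thread concrete, here is a small Python model added to the thread; it is not code from any poster, from pi-hole or from unbound. The delegation tree, the server addresses (TEST-NET ranges) and every function name are constructed assumptions. `resolve_iteratively()` does what unbound does: start at the root hints and follow referrals (root, then .com, then bar.com.) until a server answers. `resolve_by_forwarding()` does what a pi-hole forwarder does: hand the whole name to one upstream with "recursion desired" and expect a final answer. Pointing the forwarder at a root server fails, because the root only hands back a referral.

```python
"""Toy model of iterative (unbound-style) vs. forwarding (pi-hole-style) resolution.

All addresses and zone data are constructed (TEST-NET ranges); nothing is looked up
on the network, so this runs offline.
"""
from dataclasses import dataclass, field


@dataclass
class Server:
    recursive: bool                                   # will it resolve on a client's behalf?
    delegations: dict = field(default_factory=dict)   # zone -> address of a server for that zone
    answers: dict = field(default_factory=dict)       # FQDN -> IPv4 it is authoritative for


# Constructed delegation tree: one root, the .com TLD server and one zone server.
ROOT_HINTS = ["192.0.2.53"]   # in unbound these addresses are the static root hints
SERVERS = {
    "192.0.2.53":   Server(False, {"com.": "198.51.100.1"}),      # root: referrals only
    "198.51.100.1": Server(False, {"bar.com.": "198.51.100.2"}),  # .com TLD server
    "198.51.100.2": Server(False, {}, {"something.foo.bar.com.": "203.0.113.10"}),  # bar.com. (also serves foo.bar.com.)
    "203.0.113.9":  Server(True),                                 # a public recursive resolver
}


def ask(server_ip, name, recursion_desired=False):
    """One question to one server: ('answer', ip), ('referral', next_server) or ('refused', None)."""
    srv = SERVERS[server_ip]
    if name in srv.answers:
        return "answer", srv.answers[name]
    if recursion_desired and srv.recursive:
        # A recursive upstream walks the chain itself and returns only the result,
        # which is exactly why it gets to see the client's full query.
        ip, _ = resolve_iteratively(name)
        return "answer", ip
    # Otherwise refer the client to the most specific zone this server knows about.
    best = None
    for zone, next_server in srv.delegations.items():
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, next_server)
    if best is not None:
        return "referral", best[1]
    return "refused", None


def resolve_iteratively(name, max_steps=10):
    """unbound-style: returns (ip, list of servers contacted), starting at the root hints."""
    trail = []
    server = ROOT_HINTS[0]
    for _ in range(max_steps):
        trail.append(server)
        kind, payload = ask(server, name)
        if kind == "answer":
            return payload, trail
        if kind == "referral":
            server = payload
            continue
        raise LookupError(f"{server} has no delegation for {name}")
    raise LookupError(f"delegation chain for {name} exceeded {max_steps} steps")


def resolve_by_forwarding(name, upstream):
    """pi-hole-style: the client only ever talks to `upstream` and expects a final answer."""
    kind, payload = ask(upstream, name, recursion_desired=True)
    if kind == "answer":
        return payload, [upstream]
    # A root or authoritative server does not recurse; it returns a referral
    # that a plain forwarder cannot follow.
    raise LookupError(f"upstream {upstream} returned a {kind}, not an answer; it is not recursive")


def forwarder_works_with(name, upstream):
    """True if pointing a forwarder at `upstream` actually yields an answer for `name`."""
    try:
        resolve_by_forwarding(name, upstream)
        return True
    except LookupError:
        return False


if __name__ == "__main__":
    name = "something.foo.bar.com."
    ip, trail = resolve_iteratively(name)
    print(f"iterative:  {name} -> {ip} via {' -> '.join(trail)}")
    ip, trail = resolve_by_forwarding(name, "203.0.113.9")
    print(f"forwarding: {name} -> {ip} via {trail[0]} (the upstream saw the full query)")
    print(f"forwarding straight to a root server works? {forwarder_works_with(name, ROOT_HINTS[0])}")
```

The trail returned by `resolve_iteratively()` is the privacy point made earlier in the thread: each server in the chain only sees the question it can answer, whereas the single entry in the forwarding trail is a third party that saw the whole name together with your public IP.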