I’m a big fan of Pi-hole, a network-level ad and tracker blocking application that makes browsing the web a pleasure. The ‘standard’ setup has Pi-hole simply acting as an intermediate DNS server that either blocks requests (e.g. when a website tries to load an ad domain) or forwards them on to a DNS server of your choice (e.g. Quad9, Google, etc.). But Pi-hole actually gives you more power and control than that and even lets you bypass the major DNS providers by making requests directly.
For the full details on this and why you might want to do it please check out the excellent post on the Pi-hole site here. What follows are just the minimal steps needed to setup your Pi-hole as a recursive DNS server.
Start by installing unbound recursive DNS server.
sudo apt install unboundConfigure your pi-hole configuration file at /etc/unbound/unbound.conf.d/pi-hole.conf
server:
# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound/unbound.log"
verbosity: 0
interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: no
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no
# Use this only when you downloaded the list of primary root servers!
# If you use the default dns-root-data package, unbound will find it automatically
#root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the server's authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10Next restart the server and use dig to validate that it works:
sudo service unbound restart
dig pi-hole.net @127.0.0.1 -p 5335Finally we just need to configure this new DNS server in Pi-hole by adding 127.0.0.1#5335 as the Custom 1 (IPv4) provider. The other DNS servers can now be removed as well.
And that’s it! New unblocked DNS requests will be made directly to the authoritative servers instead of routing through a third party like Quad9 or Google, etc.
But how does the pi-hole know where to get the DNS information? I Installed as instructed, but now it is not worlking anymore.,
The pi-hole looks up DNS-request at 17.0.0.1#5335. But where to tell to find the info, if its not in cache?
Thank you
Looks like you have a typo there. Should be 127.0.0.1#5335.
Idk man. I set this up but when I check my dns on one of those dns checking sites, it still returns google servers
I followed this and mine is up and working well. I cant say I really see a huge difference but I like that google is tracking me so easy now