Best DNS Server for Home lab - Pihole Unbound configuration!

  • Published 28 Jun 2024
  • If you want ultimate control over name resolution in your home lab and your home network in general, I want to show you an awesome DNS solution called Unbound that you can use alongside Pi-hole. Together they let you block ads and malicious traffic and control DNS lookups. Let's look at the Pi-hole + Unbound blackhole DNS configuration and see how easily you can configure Unbound along with Pi-hole.
    My blog:
    www.virtualizationhowto.com
    Introduction to DNS and Unbound DNS - 0:00
    Overview of Unbound DNS and why you want to use it - 1:00
    New security features with DNS resolution - 1:29
    You no longer need to forward your DNS to a middle tier DNS layer - 1:50
    With Unbound, you can speak directly to Internet root DNS servers - 2:30
    Beginning the installation of Unbound DNS - 3:15
    Pulling down the list of root DNS servers - 3:43
    Creating the configuration file for Unbound - 4:12
    Looking through the Unbound configuration file - 4:57
    Changing the interface where Unbound is running - 5:40
    Creating the clients.conf file for access control to Unbound - 6:00
    Restarting the Unbound DNS service - 7:05
    Using Dig to test the Unbound DNS server - 7:20
    Looking at the cache functionality of Unbound DNS - 7:33
    Making use of Unbound DNS with Pihole - 7:55
    Looking at the Docker Compose file to spin up Traefik and Pi-hole - 8:17
    Overview of the DNS communication flow between Pi-hole and Unbound - 9:08
    Overview of testing - 9:30
    Using a Windows 11 test machine and the DNS properties - 9:43
    Running recursive DNS lookups with Unbound DNS - 10:15
    Describing the cache building on Unbound DNS - 10:45
    Looking at the unbound-control command line commands - 11:05
    Running unbound-control status - 11:50
    Running unbound-control stats_noreset - 11:57
    Wrapping up thoughts on Unbound DNS and taking control over DNS queries - 12:25
    About Unbound DNS server:
    nlnetlabs.nl/projects/unbound...
    Pi-hole DNS Network-wide Ad Blocking:
    pi-hole.net/
  • Howto & Style

Comments • 69

  • @Life_Is_A... 6 months ago +32

    Networking tutorials on YT in a nutshell:
    - This is a computer! We must first switch on the computer! Then reach over and touch the mouse!
    - I'm going to change the attributes on this API here, then update the libraries for the database, which will allow more data visualization to take place on the next step, where we'll be able to add identifiers and self-closing tags to optimize the backend of the framework for the web server. This only works for version 1.6.344 of course!

    • @user-dc4pw2bo9b a month ago

      Here, I'll teach you how to build a custom emulator for the PS5. First, you'll want to own a copy of an original PS5 game. Now, I'm just going to assume you're already familiar with all the steps required to rip the files, choose an IDE, write the emulator, compile your code and start your custom application on compatible hardware. Then just hit "Enter" on the main screen and you're all set to play copies of your games on your PC! Please subscribe for more tutorials.

  • @markdevaal4116 5 months ago +6

    Awesome tutorial. I'm using Pi-hole with Unbound in a Proxmox container and this works perfectly for me.

    • @ayoubthegreat 5 months ago

      Are Pi-hole and Unbound running in the same container (LXC), or do you have two LXCs?

  • @FaithMediaChannel 28 days ago

    Showing this, I have been looking at different ways to re-organize our infrastructure as well as my home lab. I actually have Pi-hole installed in the cloud on our own servers as well as smaller versions of it on smaller devices, service quality commercial, but allowing us of the number of traffic that we have on it. I have found Pi-hole is very easy to use, and for those who are used to working with Cisco and all the flavors in between, Roehling recommend putting Pi-hole on base if you have a lot of endpoints, but a small thin server will work just as well and easily handles 200+ devices as well as in points and additional layers of that you can have one device and by pairing with Docker. Again thank

  • @Liqtor 5 months ago +3

    PiHole + UnBound + LAN-Cache = Dream setup.

    • @FaithMediaChannel 28 days ago

      I was trying I way I would like setting this up. I don't have Unbound on the quality server running Pi-hole, and running it that way within itself, and then as far as the other systems, I have it pointing internally within our data center, and then also an MPLS between my home and the outside world, which works for us. Again I think of it with, also using something similar to DNS filters product and some other solutions, is the best way to secure your information, seeing what's on your information network. Also like that I can also pair this and docking thing as well.

  • @RicardoWagner a year ago +5

    Great! The only thing missing for everyone to get into it is the cron suggested for the reload of the root servers. Thanks

  • @Glatze603 3 months ago +1

    Hi Brandon, thanks for your inspiration 🙂 A video about Technitium DNS (like your article) would be nice.

  • @BoltGoesPro 5 months ago +5

    Would be nice to be able to copy and paste the commands from your description .-.

  • @TazzSmk 9 months ago +4

    I'm watching this again after half a year and I wonder if it's possible to completely migrate Unbound (config + caches) to a new/different host/VM/CT?
    I'm getting about 11 000 cache hits, so it's working pretty well :D

  • @thesammyjenkinsexperience4996 a year ago +2

    10:24 I hate to be that guy, but the quick response there is because the DNS lookup is first hitting the local DNS client cache on Windows 11.

  • @kevinvanderlei3271 2 months ago

    Fantastic video, Brandon! Thank you for sharing your experience. May I ask you questions in the future?

  • @DominikSchmid a year ago +3

    I have been trying to run Pi-hole and Unbound as Docker containers with Traefik. So far I was not successful. Could you show how to integrate Unbound as a Docker container in your setup of Traefik and Pi-hole?

  • @fernandavln38 5 days ago

    Good guide.

  • @MrPDC-jr5yl a year ago +3

    Nice video Brandon, can you share your docker-compose file?!

  • @igihara2662 10 months ago

    Hello there
    Would you consider making a tutorial for newbies on RPi: Docker Pi-hole + Unbound?
    Have a nice day

  • @vincentmartin2528 a year ago +3

    Excellent video on Unbound. Could you do the same video for AdGuard Home? That would be a great addition, I think.

    • @VirtualizationHowto a year ago +1

      Sounds good Vincent, will keep that in mind for sure.

    • @Lee-wh3ht 7 months ago

      I was going to switch from AdGuard to Pi-hole to do this. Is AdGuard better? Have you tried both?

    • @vincentmartin2528 7 months ago +1

      @@Lee-wh3ht I tried AdGuard but I just didn't care for it, mainly based on the interface. I went with Pi-hole and Unbound. Been very happy with it.

  • @YannMetalhead a month ago

    Good video.

  • @ripaire a year ago

    Hi sir, tell me how I can enable SafeSearch through Unbound, and please share the configuration with us.

  • @da5fx a year ago

    Hi
    My DNS server is an HA MaaS region. I can still use Pi-hole just as a filter if needed.

  • @Jou685 a year ago

    How can I use both Pi-hole and nginx-proxy-manager together as one DNS?

  • @DevArt59 a year ago +4

    Now do it using containers! Please

  • @mondskiez309 2 days ago

    There is a docker-compose file to install both in one run. Everything is set up and you simply log into the web admin interface.
    I got it running for my Ansible Docker play.

  • @badpickle2347 6 months ago +1

    I can never figure out how to follow this guide. It seems to be missing steps or some other prerequisite I'm not aware of. Intriguing.

    • @VirtualizationHowto 6 months ago +1

      @badpickle2347, create a topic on the VHT forums here: www.virtualizationhowto.com/community and I can give you more personalized help. Thank you for your comment!

  • @ronm6585 a year ago

    Thanks.

  • @TossACoinToYourWitcher 10 months ago +2

    I have found Technitium is much more robust and has DoH and ad blocking and custom blocking built in. The entire thing is administered in a web page and runs on a Raspberry Pi too.

    • @VirtualizationHowto 10 months ago +2

      @tossacointoyourwitcher, thank you for your comment. Look for an upcoming post covering Technitium...definitely a great solution!

    • @nippurtech572 9 months ago +4

      Technitium (on HomeLab as recursive DNS w/ DoT, DoH and sinkhole for advertisement) + FQDN on Cloudflare + Nginx PM (for handling wildcard SSL certificates)? If you make that video, it'll be mind-blowing.

  • @hotstovejer a year ago +16

    It's always DNS.

    • @VirtualizationHowto a year ago +3

      Jeremy, yes it is :)

    • @thethree60five 7 months ago +2

      OMG, I can't count the sysadmin call-ins for that at a uni campus. Huge.

  • @vizerdown 5 months ago

    Are you running the Pi-hole container on the Unbound server?

  • @dimkinlv 3 months ago

    Can't find any hint in the Pi-hole docs about a cron for Unbound. Is it not needed anymore?

  • @JustinGeekNerd a year ago +1

    Why do you put sudo when you are root??

  • @lcbdias 11 months ago +1

    Great video!
    For some reason, when I check Unbound as the upstream DNS server it can no longer resolve local network DNS with an SSL certificate (Nginx Proxy Manager/Let's Encrypt).
    Any ideas on why?

    • @duduoson1306 8 months ago

      Did you figure this out? I’m interested in a similar setup.

    • @lcbdias 8 months ago

      @@duduoson1306 Gave up. I'm currently using pfSense HAProxy as my DNS resolver. Works perfectly. pfSense has built-in Unbound support.

  • @MacGyver0 a year ago +7

    DoT and DoH are available for client devices which connect to Unbound.
    But how exactly does Unbound improve privacy?
    All requests to root servers are not encrypted. It will still use DNSSEC to ensure that the response was not modified, but your ISP (and anyone who can read your traffic) will see what requests Unbound is making.
    And yes, each recursive DNS request takes more time (30 times more in comparison with Cloudflare DNS). Unbound will cache the response, but for a short time (15 min?).
    So - it is slow and does not add privacy. But in forwarding mode to Cloudflare or Quad9 (for example) using DoT, you will get really fast DNS and much more privacy.

    • @VirtualizationHowto a year ago +3

      MacGyver, good points here all the way around, privacy is only as good as the weakest link. I think the sweet spot for unbound for sure is as a caching server and as you mention forwarding to another upstream DNS. It is cool that you can bypass and send to any servers you want, including root DNS though which I find interesting.

    • @l0gic23 10 months ago +1

      Yeah, I think still having Quad9 upstream is best practice.

    • @djjohnson75 5 months ago

      +1... I was going to post the same thing

  • @Luckdragon2000 4 months ago

    Why would we not want to use IPv6 for this?

  • @Nitdawg-zt2dl a year ago

    Will this work for my local and lab name resolution also, or will I have to run this and point my Windows DNS server to this and itself to resolve both internal and external devices?

    • @octaviojlima a year ago

      You can always configure your local DHCP server to send the address of your Pi-Hole as the DNS server at time of connection to the local network.

  • @ricobelgin5986 a year ago +1

    I use Unbound on pfSense. I will need to do more research on how to use what you are teaching on pfSense. One thing I find strange is that often, when I point my desktop DNS to my DNS server, YouTube will be in restricted mode. All comments will be unavailable.

    • @VirtualizationHowto a year ago

      Rico, thanks for the comment! That is interesting on the restricted mode.

  • @ripaire a year ago +1

    Hi sir, but you didn't explain the point of exposing port 53 and how to prevent people from using our DNS. I am running Ubuntu on Oracle Cloud and I want to allow just people I know to use my DNS, but if I open port 53 I will end up with unknown people using my DNS, and I don't want to use a VPN or Tailscale as the solution. I want to allow just specific devices to use it, based on MAC address, not on IP.

    • @VirtualizationHowto a year ago +1

      Younes, I have seen some solutions to use MAC addresses for filtering, but keep in mind this is not a very secure way of restricting traffic. There are some easy tools out there to change a MAC to anything you want it to be, so it wouldn't take a lot to bypass this type of security. I would recommend not trying to expose a DNS server to the public honestly, as the big vendors out there have better means for securing public DNS than we do. However, can I ask what your use case is? Is there a reason you wouldn't want to use a VPN or site-to-site VPN for securing this type of connection?

    • @ripaire a year ago

      @@VirtualizationHowto Thanks for answering me. My first issue is that I don't have a router that supports VPN, and I don't want to configure each device one by one to use my DNS. I am just searching for the best solution for security: I can expose port 53 and I will not end up with unknown people using my DNS. Me and my family don't have a static IP, so for this reason I want to just secure my instance and use the IP address as DNS.
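An added example, not the video's own clients.conf and not something any commenter posted: an Unbound fragment that addresses both MacGyver0's point above (forward over DoT instead of recursing to the roots in the clear) and this thread's question of limiting who may query the server. The listen address, the allowed subnets, the file path and the trust-anchor path are assumptions for a typical home-lab host.

```conf
# Assumed location: /etc/unbound/unbound.conf.d/clients.conf
# (the video names the file clients.conf; the directory is an assumption)
server:
    # Listen only on the LAN-facing address (assumed 192.168.1.10).
    # 0.0.0.0 would answer on every interface the host has, including
    # a cloud instance's public one.
    interface: 192.168.1.10
    port: 53

    # access-control matches the client's source IP; the most specific
    # netblock wins, so the /0 lines set the default and the narrower
    # lines carve out the networks that are allowed to ask questions.
    # Filtering by IP/netblock here is what the author's reply suggests
    # instead of MAC-based filtering, which is trivially spoofable.
    access-control: 0.0.0.0/0 refuse          # everyone else gets REFUSED
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow         # Pi-hole on the same host
    access-control: 192.168.1.0/24 allow      # home LAN (assumed)
    access-control: 10.0.0.0/8 allow          # lab VLANs (assumed)

    # Do not answer id.server / version.bind CHAOS probes.
    hide-identity: yes
    hide-version: yes

    # Validate DNSSEC; the anchor file path is the Debian/Ubuntu default
    # maintained by unbound-anchor (assumption for other distributions).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # CA bundle used to verify the upstream resolver's TLS certificate.
    # Debian/Ubuntu path; adjust for other distributions.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

# Forwarding mode as MacGyver0 describes: everything goes to Quad9 over
# DNS-over-TLS (port 853). The "#hostname" suffix makes Unbound verify
# the certificate's name, so a spoofed upstream fails the handshake
# rather than answering. Remove this block to go back to full recursion.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

Run `unbound-checkconf` before `sudo unbound-control reload`, then confirm with `dig @192.168.1.10 example.com` that an allowed client gets an answer and a client outside the listed ranges gets status REFUSED.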

  • @OH2023-cj9if 6 months ago

    NextDNS every day!

  • @yosoyestoyarto 6 months ago

    I tried Pi-hole, but the phones at home do not resolve local names like home.pc.local.

    • @VirtualizationHowto 5 months ago

      @yosoyestoyarto, thank you for the comment. Sign up on the VHT forums and we can discuss it further there: www.virtualizationhowto.com/community

  • @fasttrax a year ago

    Seems to be working, but if I type "unbound-control status" I get "Error setting up SSL_CTX client cert". How do I fix that? Thanks for the great video.

    • @VirtualizationHowto a year ago +1

      Robert, this usually means you are not running it with sudo. Give that a try and see if it helps. Thanks Robert!

  • @techdad6135 a year ago +1

    I am totally going to give this a try. I am currently using Adguard Home and have a second instance running on a backup server as setup by mostlychris th-cam.com/video/KABWpAfyqss/w-d-xo.html
    I was wondering if you could do a video on how to make unbound highly available (if possible)? Assuming I can get this working with Adguard, this would create a single point of failure for my DNS. I'd like to have a backup instance of unbound running on the backup server with automatic failover in the event the primary goes down.

  • @KonstantinGontsov 9 months ago

    I disagree!!! Best DNS Server for Home Lab is Technitium ))))))

  • @Meowbay 10 months ago

    Why are you using Docker containers for everything? It's an extra point of failure, it's less secure, it's out of your control, it's a huge inefficient resource hog compared to just plain Debian minimal server use. All this even on a VM. Wow, your electricity bill or energy footprint seem not to matter to you, do they?

    • @holderua 5 months ago +2

      VM and Docker do not really add that much CPU overhead.
      A VM has direct access to CPU cores, and Docker is simply isolation of processes inside the Linux OS.
      RAM, on the other hand, is a different issue.

  • @Raylightsen a month ago

    I want easy and simple explanations, not these convoluted ultra complex explanations.

  • @epictetus8028 10 months ago

    Why don't you run a DNS proxy on your Palo Alto?

    • @VirtualizationHowto 10 months ago

      @epictetus8028 Great question. The main reason is I like to play around with lots of different solutions, so I find myself configuring and reconfiguring. I love PA and it is definitely one of my favorite security solutions, especially their DNS filtering.