Pi-hole+unbound Set DNS

How do I set the DNS server address that unbound will use? I’ve successfully set up pihole to use unbound, and in the dietpi-config tool I set a static ip with the family safe opendns ip address, but no filtering is happening.

I figured it out. I needed to set a forward-zone in /etc/unbound/unbound.conf.d/dietpi.conf

I had thought that if there was no forward zone set it would use my host’s DNS name servers. I’m just glad it’s working!

At the end of my dietpi.conf file I put the following:

        forward-zone:
          name: "."                        # "." matches every query, so nothing is resolved via the root servers
          forward-addr: 208.67.222.123     # OpenDNS FamilyShield resolvers (option name is forward-addr, not foward-addr)
          forward-addr: 208.67.220.123

This has no effect on PiHole and Unbound, nor will it impact how your local network clients resolve their DNS requests. This is a setting for the operating system only.

Unbound by default will use the global root DNS servers and there is no need to change anything.

The real web site filtering will be done by PiHole and there you would need to set which filter list to use. There are a hell of a lot of lists available that could be added to PiHole. An example collection would be Firebog.

To be able to use PiHole, your local network clients would need to use PiHole as their DNS server. Have you already configured your network clients this way? Depending on your router, you could distribute the PiHole DNS server using DHCP.

Something not needed. If you like to use OpenDNS, set it as upstream DNS in PiHole. The benefit of Unbound is to be able to use the global root DNS servers and not a public upstream provider.

ooooooohhhhh, I’ve been reading the references to “global root DNS” and I thought that was talking about the DNS I had configured in DietPi! This makes so much more sense now!

Yes, PiHole is the one doing the filtering. Unbound will just resolve what has passed PiHole ad blocking. That means, do your blocking configuration in PiHole. And if you like to use OpenDNS, it’s fine to set it on PiHole. But in this case, you don’t need Unbound. :wink:

I do like openDNS, but I wanted the benefits that you get with unbound. I’ll try things out with the filter list you mentioned, thanks!

Don’t forget to remove that configuration if you like to use Unbound (root DNS servers).

You could use one of the following 3 URL-only text list options offered by Firebog (List Generator ¦ Firebog). Be careful with the All lists option as it will block quite a lot of stuff, probably things you may need. Definitely some whitelisting to be done at the end. Usually the txt list could be simply added to PiHole via copy/paste.

Personally, these are my PiHole stats:

Using Unbound, the benefit is that you do not share your DNS traffic with any upstream DNS provider. Setting a forward zone basically destroys this benefit :wink:. Another option that makes sense is to enable DoT (explained in our docs) with Unbound. That way you again use a DNS provider, but traffic to it is encrypted. Encrypted DNS requests to root servers are not possible, so it’s privacy from DNS providers versus privacy from your ISP and anyone else between you and the DNS provider.
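The two points made in this thread (a forward-zone for "." silently switches Unbound from root resolution to an upstream provider, and DoT is the only way to make that forwarding encrypted) can be checked mechanically. The following is an added example, not code from the forum or from DietPi: a small audit script that parses unbound.conf-style text such as /etc/unbound/unbound.conf.d/dietpi.conf and reports what the forward-zone actually does; the sample configs inside it are constructed, and the DoT address 192.0.2.1@853#dot.example is a placeholder.

```python
"""Audit unbound config text for forward-zone clauses (added example, not DietPi code)."""
import re
import sys
from typing import Dict, List

# Options unbound accepts inside forward-zone (the subset this checker cares about).
KNOWN_FORWARD_KEYS = {"name", "forward-addr", "forward-host", "forward-first",
                      "forward-no-cache", "forward-tls-upstream", "forward-ssl-upstream"}

# Constructed sample: the clause posted in the thread, typo included.
SAMPLE_TYPO = 'forward-zone:\n  name: "."\n  foward-addr: 208.67.222.123\n  foward-addr: 208.67.220.123\n'


def parse_forward_zones(text: str) -> List[Dict[str, List[str]]]:
    """Return one dict per forward-zone clause, mapping option name -> list of values."""
    zones: List[Dict[str, List[str]]] = []
    current = None
    for raw in text.splitlines():
        # '#' starts a comment only at line start or after whitespace, so that
        # DoT values such as 192.0.2.1@853#dot.example keep their auth name.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        if line.endswith(":"):                      # clause header: server:, forward-zone:, ...
            current = {} if line == "forward-zone:" else None
            if current is not None:
                zones.append(current)
            continue
        if current is None:                         # option of a clause we do not audit
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return zones


def audit(text: str) -> List[str]:
    """One finding per problem; an empty list means unbound keeps resolving from the roots."""
    findings = []
    for zone in parse_forward_zones(text):
        name = zone.get("name", ["?"])[0]
        unknown = sorted(k for k in zone if k not in KNOWN_FORWARD_KEYS)
        if unknown:
            findings.append(f"zone {name!r}: unrecognised option(s) {unknown}, unbound rejects the file (typo?)")
        addrs = zone.get("forward-addr", []) + zone.get("forward-host", [])
        if name == "." and addrs:
            tls = (zone.get("forward-tls-upstream") or zone.get("forward-ssl-upstream") or ["no"])[0]
            how = "over DoT (encrypted)" if tls.lower() == "yes" else "in clear text"
            findings.append(f"zone '.': every query forwarded {how} to {addrs}; root resolution is off")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TYPO
    for f in audit(text) or ["no forward-zone for '.': unbound resolves from the root servers"]:
        print(f)
```

Run it with the path of dietpi.conf as the only argument; with no argument it audits the constructed sample from this thread.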

In the end the ISP sees at least the IPs you are connecting to, no matter which way the domains are resolved, or am I wrong?

True, but theoretically there could be more than a single service behind a single IP.

If I compare PiHole and AdGuard Home (both DietPi default software), which one is recommended for the best result in combination with Unbound, with Unbound as upstream DNS in both PiHole and AdGuard Home?

Depends on personal preferences. There is no black and white answer. Both do AdBlocking. :wink:

PiHole has some more dependencies like SQLite + a web server stack, while AGH is a small executable. However PiHole is built on dnsmasq. That means it could be used to do quite some more stuff. Some people feel the UI of AGH is more modern. However PiHole has a Star Trek option :smiley:

Personally I like PiHole as it has way more options and could be adjusted to my personal needs much better compared to AGH, as I do some other stuff with dnsmasq, like distributing PiHole as IPv6 DNS using RA. As well I imported quite some blocking lists in addition. On PiHole this is a one click action to copy multiple lists at once. In AGH you would need to add them line by line.

A little late in my response here, but one of the reasons I went with Adguard home over pi hole is it allows me to do more individualized filtering for each device in my home. So I can set a kid’s device to use safe mode on search engines and youtube, but leave it more open for adults.

I never could get that level of granular control with Pihole. Maybe it existed and I was too much of a noob to figure it out, but any time I’d ask about it I was always told that kind of control couldn’t be accomplished with Pi-Hole.

For a while now you have group management within PiHole. You can create your own groups, assign ad lists to specific groups and assign devices to groups. This way you can create individual assignments per client.

Yeah, I’ve looked into groups, but I haven’t found a list that forces safe search that I could use to assign to a specific group. In AdGuard I can just click on “use safe search” and then set up a rule to only apply it to a specific device group.

In Pihole I have to download a script to set up CNAME redirects along with some other things that will affect all users.

But do you have control on what safe search is and which Adblock it contains?

I don’t believe this is needed. Yes, you need to invest some time to get it working but you have way more control on what is blocked. You could add a hell of a lot of block lists to Pihole. Some are listed on https://firebog.net/ Once all your favorite ad lists have been added, you could assign them one by one, depending on your needs, to a group.

> But do you have control on what safe search is and which Adblock it contains?

Yes, in Adguard you can use the same block lists that pi-hole uses and assign them to device groups. The “Use safe search” checkbox was an additional option that forced any search on a search engine to use the safe search option. It also made any YouTube search use the safe search option. I’m not certain how they accomplished that, but it’s a feature that pi-hole lacks.

> I don’t believe this is needed. Yes, you need to invest some time to get it working but you have way more control on what is blocked. You could add a hell of a lot of block lists to Pihole. Some are listed on https://firebog.net/ Once all your favorite ad lists have been added, you could assign them one by one, depending on your needs, to a group.

I’ve done a fair bit of looking into things and the closest I’ve found to an automated process is a script that sets up a restricted.conf list for dnsmasq for you and does all the CNAME redirects for you. Or at least it used to; a couple of years ago there was a change done in pi-hole that may have broken that. I’ve got a docker container set up that I’m using as a test bed, but so far I have not been able to find any sort of streamlined process like adguard offers.

I certainly use the lists from firebog, but none of them provide a safe search feature.

Ah I misunderstood what this safe search feature is. This is not an Adblocker using firebog’s block list. It’s redirecting search engine requests, for example from www.google.com to forcesafesearch.google.com, by manipulating the CNAME. Indeed, something not available by default on PiHole and it requires some workarounds by manually setting the CNAME.

My query is probably tangential to the topic in discussion.

I use AdGuard Home + Unbound and have activated DoT for Unbound as per the instructions in the docs.

As Joulinar endorsed, “ISP will only be able to see the IPs I’m connecting to.” Now, my ISP does DPI and resets connections on the fly for those “toxic” domains. Is there any way to prevent this at all? Will the upcoming DNS over QUIC to Unbound solve this issue once and for all?