Actually you are correct, when I switch in Pi-hole to Quad9 upstream for example I get no DNS. Only the Custom from my router works!
Don’t need unbound if you are forwarding your PiHole requests to your router for upstream DoH
Point your PiHole to your OpenWRT router’s DoH internal looking bind port, it will then bounce all internal #53 requests to be filtered by PiHole, then PiHole will forward through the DoH service to the upstream DNS hosting site…there it’s secure and you don’t need the authoritative requests, the DoH upstream does all that…and PiHole will cache the requests from the DoH upstream service.
If you are using Cloudflare DoH…then go to
1.1.1.1/help
I started a cloudflare DoH service on the same machine as my PiHole, but I had to use a different port from #5335…so mine is set up to point to 127.0.0.1#5336
For some reason…I couldn’t get it to go from PiHole ↔ unbound ↔ cloudflared …so I went straight from PiHole ↔ cloudflared and it works a dream
I did have to modify the /etc/systemd/system/cloudflared-proxy-dns.service to ensure the cloudflared service started on port 5336 and not 53 which borked out other services
[Unit]
Description=DNS over HTTPS (DoH) proxy client
Wants=network-online.target nss-lookup.target
Before=nss-lookup.target
[Service]
Type=simple
User=cloudflared
#AmbientCapabilities=CAP_NET_BIND_SERVICE
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DynamicUser=yes
Restart=on-failure
ExecStart=/usr/local/bin/cloudflared proxy-dns --port 5336
RestartSec=10
KillMode=process
[Install]
WantedBy=multi-user.target
And I can check any/all requests out from my network with that 1.1.1.1/help to ensure all upstream DNS requests are masked
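The setup above has two places that must agree on the port: the `--port` value in the cloudflared unit and the `127.0.0.1#5336` upstream configured in Pi-hole. The script below is an added example, not the poster's own code, that reads both and reports a mismatch; it assumes Pi-hole v5 stores its first upstream in `/etc/pihole/setupVars.conf` under the key `PIHOLE_DNS_1` (the unit path is the one named in the post). The `selftest` function builds constructed copies of both files inline so the logic can be exercised off the Pi-hole host.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check that the port cloudflared
# listens on matches the port Pi-hole forwards to. Assumed paths/keys:
#   UNIT      -> /etc/systemd/system/cloudflared-proxy-dns.service (from the post)
#   SETUPVARS -> /etc/pihole/setupVars.conf, key PIHOLE_DNS_1=127.0.0.1#5336 (Pi-hole v5)
UNIT="${UNIT:-/etc/systemd/system/cloudflared-proxy-dns.service}"
SETUPVARS="${SETUPVARS:-/etc/pihole/setupVars.conf}"

# Print the --port value from the unit's ExecStart line (accepts "--port 5336" and
# "--port=5336"). Falls back to 53, which is what cloudflared uses without --port.
unit_port() {
    port=$(sed -n 's/^ExecStart=.*--port[= ]\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${port:-53}"
}

# Print the port part of Pi-hole's first upstream (the text after '#'); a bare
# address such as 9.9.9.9 means the default port 53.
pihole_upstream_port() {
    upstream=$(sed -n 's/^PIHOLE_DNS_1=\(.*\)$/\1/p' "$1" | head -n 1)
    case "$upstream" in
        *\#*) echo "${upstream##*#}" ;;
        *)    echo 53 ;;
    esac
}

# Return 0 when the unit and Pi-hole agree on the port, 1 otherwise.
ports_match() {
    [ "$(unit_port "$1")" = "$(pihole_upstream_port "$2")" ]
}

# Live check: is something bound to that UDP port? Uses ss from iproute2;
# returns 2 when ss is unavailable so the caller can tell "unknown" from "no".
port_listening() {
    command -v ss >/dev/null 2>&1 || return 2
    ss -lnu "sport = :$1" | grep -q ":$1"
}

# Constructed sample files mirroring the post's configuration; returns 0 if the
# checks agree on 5336, so the parsing logic can be verified without Pi-hole.
selftest() {
    dir=$(mktemp -d) || return 1
    printf 'ExecStart=/usr/local/bin/cloudflared proxy-dns --port 5336\n' > "$dir/unit"
    printf 'PIHOLE_DNS_1=127.0.0.1#5336\n' > "$dir/vars"
    ports_match "$dir/unit" "$dir/vars"
    rc=$?
    rm -rf "$dir"
    return $rc
}

if [ "${1:-}" = "--check" ]; then
    if ports_match "$UNIT" "$SETUPVARS"; then
        p=$(unit_port "$UNIT")
        echo "OK: cloudflared unit and Pi-hole upstream both use port $p"
        if port_listening "$p"; then
            echo "OK: a UDP listener is bound to port $p"
        else
            echo "WARN: nothing found listening on UDP $p (cloudflared not running, or ss missing)"
        fi
    else
        echo "MISMATCH: unit port $(unit_port "$UNIT") vs Pi-hole upstream port $(pihole_upstream_port "$SETUPVARS")"
        exit 1
    fi
fi
```

Run it as `sh check-doh-port.sh --check` on the Pi-hole host; a non-zero exit means the two files disagree, which is exactly the "no DNS after restart" symptom you get when the unit is edited but the Pi-hole upstream is not (or the other way round).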
Quite a useless combination, as you will lose the whole benefit of Unbound, which is to communicate directly with the root DNS servers. Using things like cloudflared or DoT/DoH will remove this feature and you are back to a dedicated DNS provider.
Remove these two entries from wan and wan6
Then it is evident that OpenWrt is advertising itself as the DNS server to the dhcp clients. We can also see that you are using a separate forwarder on OpenWrt, which is most likely hijacking the DNS queries.
You also force dnssec validation, which requires the dnsmasq-full package to be installed.
What is running on 5453? netstat -lnp | grep 5453
Advertise Pihole as the DNS server to all dhcp clients:
uci add_list dhcp.lan.dhcp_option="6,192.168.1.2" <-change with Pihole IP
uci commit dhcp
service dnsmasq restart
Also stop advertising IPv6 DNS with DHCPv6 and RA.
uci set dhcp.lan.dns_service="0"
uci set dhcp.lan.ra_dns="0"
uci commit dhcp
service odhcpd restart
All these commands in OpenWrt.
Then renew DHCP on some client and try again.
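The uci steps above are easy to get subtly wrong: a typo in the Pi-hole address is advertised to every client, and `uci add_list` appends, so running the commands twice leaves two option 6 entries. The script below is an added example, not trendy's own commands, that validates the address, shows the plan, and only executes it where `uci` exists (on OpenWrt); elsewhere it is a dry run. It adds one step beyond the post, `uci -q delete dhcp.lan.dhcp_option`, to clear previous entries first, and it assumes the only `dhcp_option` entries on `lan` are the DNS one (constructed default address 192.168.1.2 is the post's sample).

```shell
#!/bin/sh
# Added example, not from the original post: wraps the OpenWrt uci steps so the
# Pi-hole address is checked before it is written, the commands are shown before
# they run, and the result is read back. Assumption: nothing else on dhcp.lan
# uses dhcp_option, since the delete step clears the whole list.

# Accept only a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# DHCP option 6 (DNS server list) in the form OpenWrt's dnsmasq config expects.
dns_option_for() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
    echo "6,$1"
}

# Emit the commands from the post plus the delete step that keeps the list clean.
plan_commands() {
    opt=$(dns_option_for "$1") || return 1
    cat <<EOF
uci -q delete dhcp.lan.dhcp_option
uci add_list dhcp.lan.dhcp_option="$opt"
uci set dhcp.lan.dns_service="0"
uci set dhcp.lan.ra_dns="0"
uci commit dhcp
service dnsmasq restart
service odhcpd restart
EOF
}

# Print the plan; apply it only where uci is present, then read back option 6.
apply_plan() {
    plan=$(plan_commands "$1") || return 1
    echo "$plan"
    command -v uci >/dev/null 2>&1 || { echo "(uci not found: dry run only)"; return 0; }
    echo "$plan" | sh -e
    # Expect exactly one entry, 6,<pihole ip>; two entries means an old one survived.
    uci get dhcp.lan.dhcp_option
}

if [ $# -gt 0 ]; then
    apply_plan "$1"
fi
```

Usage on the router: `sh advertise-pihole.sh 192.168.1.2`, then renew DHCP on a client and confirm with `uci get dhcp.lan.dhcp_option` that only `6,192.168.1.2` is listed.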
This
Yeah looks like stubby’s settings are kinda locking the dns advertising on my home setup.
I wished it were easy to switch between both, and yes, I have the dnsmasq-full package for the dnssec validation.
Will try trendy’s config when I get home, ty both @Joulinar and @trendy
Keep in mind, this might remove the functionality of Stubby.
It depends on what you want to achieve. You can always forward Pihole to Stubby if needed.
Yeah, I understand. I want to try Unbound because I like the idea of no upstream server dependencies, and I kinda find encrypted DNS pointless anyway.
If Unbound performance is good, or gets good through caching, it will be a keep.
Personally, I have been using PiHole + Unbound for a long time without issues. But I never did a measurement on performance.
This topic was automatically closed 178 days after the last reply. New replies are no longer allowed.