Currently have nice long docker compose file that hosts my PiHole V6 container (along with a bunch of other containers) however, reason i ask this question is because whenever I go to pull an updated image and recreate the container I experience about 20 minutes of no DNS resolution which to my knowledge is due to the NTP clock being out of sync.
What’s the best way to host a DNS sinkhole/resolver that can mitigate this issue?
Was thinking of utilizing Proxmox & LXC but I suspect I’ll get the same experience.
Update: Turns out PiHole doesn’t support two instances, I got both of them on separate devices also set the 2nd DNS server in my routers WAN & LAN DNS settings which did in fact split DNS between both instances however, I lost access to my routers web-ui, my Traefik instance & reverse proxies died and I lost all internet access.
So, don’t do what I did.
Update 2: So everything I said in my first update let’s disregard that, turns out I had my router forcing all DNS to PiHole server 1 which caused my issues mentioned above.
Two servers appears to work!
You must log in or # to comment.
spin up a second pihole docker and upgrade them separately so they can failover to the other one while upgrading. I do not have an issue with 20min lose of DNS after updating my pi.hole docker, but I did spin up a second one when I wanted to try unbound+pi.hole and just kept them both up/running.
spin up a second pihole docker and upgrade them separately so they can failover to the other one while upgrading.
Think I’m going to take this advice and put it in action! Thank you!
2 pihole instances 1 pi5 1 pi4 Keepalived provides vrrp at a set address.
Instances kept in sync via orbital
1 goes down the other takes over.
Quite elegantly.
Where do you do DHCP? I had a primary pihole with DHCP enabled and a secondary with a cron job that enabled DHCP if the primary was down or disabled it if the primary was working. The cron job did sync DHCP leases from one to the other but it was a bit janky. I tried to update the secondary to pihole v6 and hosed it so I have no backup for now. I’d like to re-image the secondary and get a better setup - when I have time.
Edit to say I really wanted to try keepalived - that’s really cool to fail over without clients noticing.
Debian & ubuntu sudo apt install keepalived
sudo apt install libipset13
Configuration
Find your IP
ip a
edit your config
sudo nano /etc/keepalived/keepalived.conf
First node
vrrp_instance VI_1 {
state MASTER
interface ens18
virtual_router_id 55
priority 150
advert_int 1
unicast_src_ip 192.168.30.31
unicast_peer {
192.168.30.32
}
authentication {
auth_type PASS
auth_pass C3P9K9gc
}
virtual_ipaddress {
192.168.30.100/24
}
}
Second node
vrrp_instance VI_1 {
state BACKUP
interface ens18
virtual_router_id 55
priority 100
advert_int 1
unicast_src_ip 192.168.30.32
unicast_peer {
192.168.30.31
}
authentication {
auth_type PASS
auth_pass C3P9K9gc
}
virtual_ipaddress {
192.168.30.100/24
}
}
Start and enable the service
sudo systemctl enable --now keepalived.service
stopping the service
sudo systemctl stop keepalived.service
get the status
sudo systemctl status keepalived.service
Make sure to change ip and auth pass.
Enjoy
On the router.
My router is locked down so i assign the vrrp address to wach client (pain in the ass) but it works.
Pivpn takes care or wireguard too.
I run my pi-hole on a dedicated Pi, and I pull the updated image first without any trouble. Then after the updated image is pulled, recreating the container only takes a few seconds.
Dunno what’s broken about your setup, but it definitely sounds like something unusual to me.
I don’t rely on it, but for guests etc I use adblock on OpenWrt with https://oisd.nl/. It’s supposed to have no false positives
How do you host your DNS sinkhole/resolver?
Like this, baby:
services.adguardhome = { enable = true; mutableSettings = false; openFirewall = true; settings = { dns = { # Web Interface bootstrap_dns = ["9.9.9.9" "149.112.112.112"]; upstream_dns = ["https://dns.quad9.net/dns-query"]; fallback_dns = ["tls://dns.quad9.net"]; }; filters = [ { name = "AdGuard DNS filter"; url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt"; enabled = true; } ]; filtering = { blocked_services = { ids = [ ]; }; protection_enabled = true; filtering_enabled = true; rewrites = [ ]; };Deploy to the main home server, and the backup instance. NixOS is fucking awesome. No sync tool needed.
How do I use nixos for docker? I’ve tried before but what I want is to be able to pull docker compose from a git and deploy it. I haven’t been able to find an easy way to do that on docker
If you have the
docker-compose.ymllocally, you cannix run github:aksiksi/compose2nixto translate it into a nix file for inclusion in your nixos system config. I think that could be done in the config itself with a git url but I’m not that great at nix. You will surely still need some manual config to e.g. set environment variables for paths and secrets.Most of the time you don’t need docker. NixOS isolates runtimes.
That being said, you could use nix to build the docker container, and then run it using the built-in oci-container options.
I run 2 separate adguard home containers on separate hosts and set DNS for both IPs. If I take one down, requests just get sent to the other.
I would do a single instance of Pihole. If you need HA there are ways to do that. If you need something more switch to a proper DNS service.
I’m looking into Technitium, which doesn’t get a ton of attention here. It looks to be much more feature packed than PiHole (DNS over HTTPS, for example), and similar to AdGuard Home.
Man, I was excited about Technitium, but I’ve had a hell of a time trying to get it to work. I’m not sure if it’s intended to be on a DMZ in order to get TLS working or something, but I’ve not been able to get it to acknowledge a single DNS request, even when I think I’ve shut down DNSSec entirely.
This is overkill.
I have a dedicated raspberry pi for pihole, then two VMs running PowerDNS in Master/Slave mode. The PDNS servers use the Pihole as their primary recursive lookup, followed by some other Internet privacy DNS server that I can’t recall right now.
If I need to do maintenance on the pihole, power DNS can fall back to the internet DNS server. If I need to do updates on the PowerDNS cluster, I can do it one at a time to reduce the outage window.
EDIT: I should have phrased the first sentence: “My setup is overkill” rather than “This is overkill” - the Op is asking a very valid question and the passive phrasing of my post’s first sentence could be taken multiple ways.
The **ONLY** DNS server you should have set on your network is a/the PiHole(s).
Sorry, I wasn’t clear - I use PowerDNS so that I can more easily deploy services that can be resolved by my internal networks (deployed via Kubernetes or Terraform). In my case, the secondary PowerDNS server does regular zone transfers from the primary in order to ensure it has a copy of all A, PTR, CNAME, etc records.
But PowerDNS (and all DNS servers really), can either be authoritative resolvers or recursors. In my case, the PDNS servers are authoritative for my homelab zone/domain and they perform recursive lookups (with caching) for non-authoritative domains like google.com, infosec.pub, etc. By pointing my PDNS servers to PiHole for recursive lookups, I ensure that I have ad blocking while still allowing for my automation to handle the homelab records.
