My Updated Pi-Hole Setup

Published by Christian Mohn · Read in about 2 min (374 words)
Pi-Hole DNS

Back in 2018 I outlined My Pi-Hole Setup and while the setup is still mostly the same some things have naturally evolved from there. That being said, Pi-Hole has been rock solid for all these years, and is still my main go-to for blocking ads and trackers from my home network devices.

Since that post from 2018, I have done a few changes.

1. Multi-Instance Pi-Hole #

I now run a multi-instance Pi-Hole setup, based on Gravity Sync. Basically Gravity Sync ensures that my two instances block lists are synced. This has worked very well for quite a long time, but Gravity Sync has now been retired by the author.

It should continue to work until Pi-Hole v6 is released. I will have to cross that bridge when I get to it, I guess. Perhaps that will be a good time to move over to running Pi-Hole in containers, istead of VMs.

2. Auto-updating Pi-Hole #

My Pi-Hole instances auto-update via a simple cron job. Once every 24h it runs pihole -up. This has worked flawlessly for a couple of years now, but I anticipate that there might very well be issues when Pi-Hole v6 is released.

0 6 * * * pihole -up

3. Use Unbound as recursive DNS for DNSSEC and DNS over TLS (DoT) support #

My Pi-Hole instances now forward requests to Unbound. The setup I use is documented in Setting up Pi-hole as a recursive DNS server solution, and works well out of the box. The setup ensures DNSSEC support, for greater security.

Info

If you want to test your DNSSEC status, check DNSSEC Resolver Test or dnscheck.tools/.

I have also added DNS over TLS (DoT) configuration to Unbound, by adding the following to /etc/unbound/unbound.conf.d/pi-hole.conf:

    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-ssl-upstream: yes

Info

Cloudflare has a good test for DNS over TLS (DoT) and DNS over HTTPS (DoH) available on 1.1.1.1/help

Of course, I still run Conditional Forwarding in Pi-Hole for local DNS lookups, which happens before Pi-Hole sends queries to Unbound and out of my network.

All in all, it still works mostly the same as it did when I initially set it up, but now it has some added security which I am very happy with.

Post last updated on August 11, 2024: Update my-updated-pi-hole-setup.md

About

vNinja.net is the digital home of Christian Mohn and Stine Elise Larsen.

The primary focus is on IT architecture and data center technologies like virtualization and related topics, but other content also pops up from time to time.

Sponsors