this post was submitted on 13 Sep 2024
23 points (89.7% liked)

Selfhosted

40149 readers
755 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Howdy Everyone!

As I am setting up my infrastructure at home using docker I wanted to ask, is it better to have DNS, something like pi-hole, on my main docker swarm or would it be better to have it on a dedicated machine/docker host separate from the rest of my infrastructure?

Thanks for the input!

you are viewing a single comment's thread
view the rest of the comments
[–] dan@upvote.au 2 points 2 months ago* (last edited 2 months ago) (2 children)

AdGuard Home is a better choice than PiHole since it uses DNS-over-HTTPS by default. There's also an app called AdGuardHome-Sync to sync settings between multiple instances.

I'd recommend running two DNS servers, and at least one of those separately from the rest of your infrastructure like on a Pi. That way, if you need to pull one of them offline, the internet still works.

[–] EncryptKeeper@lemmy.world 2 points 2 months ago* (last edited 2 months ago) (1 children)

I would say Pihole is a better choice than AdGuard home because PiHole just runs on top of dnsmasq. Throw Unbound on there too as your upstream recursive resolver and you’re set. You don’t even need to worry about an encrypted session to your upstream anymore because your upstream is now your loopback.

[–] dan@upvote.au 2 points 2 months ago* (last edited 2 months ago) (1 children)

Throw Unbound on there too as your upstream recursive resolver

If you want to run your own recursive DNS server, why would you run two separate DNS servers?

You don’t even need to worry about an encrypted session to your upstream anymore because your upstream is now your loopback.

Your outbound queries will still be unencrypted, so your ISP can still log them and create an advertising profile based on them. One of the main points of DoH and DoT is to avoid that, so you'll want them to be encrypted at least until they leave your ISP's network.

[–] EncryptKeeper@lemmy.world 1 points 2 months ago* (last edited 2 months ago) (2 children)

If you want to run your own recursive DNS server, why would you run two separate DNS servers?

I’m not sure I understand your question. A recursive DNS server and a local DNS cache/forwarder/are two different things with two different purposes. You will always need both. You yourself are using AdguardHome and that is just connecting to recursive DNS server upstream. In my scenario you’re just running both yourself instead of you running one and then letting a 3rd party run the other for you.

Your outbound queries will still be unencrypted, so your ISP can still log them and create an advertising profile based on them.

You can encrypt the recursive queries through your ISP if you want to. Though the effectiveness of any profiling your ISP would do to you are minimized by Qname minimization that Unbound does by default.

If you’re just using DoH then you’re just shifting who’s making that advertising profile on you from your ISP to whoever is hosting your upstream recursive DNS server. It doesn’t matter how much encryption you do because on the other end of that encrypted connection is the entity who you’re giving all your queries to.

[–] dan@upvote.au -1 points 2 months ago* (last edited 2 months ago) (1 children)

A recursive DNS server and a local DNS cache/forwarder/are two different things with two different purposes. You will always need both.

Why do you need two separate ones though? Recursive DNS servers also cache responses. Usually the only reason you'd run a local forwarder/cache is if you're not running a local recursive server.

[–] EncryptKeeper@lemmy.world 2 points 2 months ago

For the same reason you’re running AdGuard and not just pointing all your devices at the recursive upstream.

You’re using AdGuard / Pihole as an ad sinkhole, not just to cache and forward DNS requests. Like if you really wanted to you could hack together something in Unbound to do that, but why would you do that when Pihole already exists? You have two things built for purpose.

[–] Shimitar@feddit.it -2 points 2 months ago (1 children)

No you don't need two: in fact I have only unbound setup to do everything with one piece of software.

Better or worse? No idea, but it works and its one less piece that might fail.

[–] EncryptKeeper@lemmy.world 1 points 2 months ago* (last edited 2 months ago) (1 children)

I mean if you want to build something around Unbound to do ad blocking and set up a monitoring stack for metrics and all that jazz that’s great, more power to you. But you already have two things built for purpose, there’s no reason to go out of your way to do that. And I don’t think OP here is prepared to do all that.

[–] Shimitar@feddit.it 0 points 1 month ago (1 children)

All that? Well, I understand your point, but honestly I have more fun learning something new, and was really little work.

Anyway... Its an option too

[–] EncryptKeeper@lemmy.world 1 points 1 month ago* (last edited 1 month ago)

Getting all the functionality of Pihole into Unbound would be a good deal more than “a little work” lol. And for no real practical reason when all you’re trying to do is set up secure DNS with some ad blocking on your network. And this is coming from a professional who wouldn’t have to “learn” anything to do it. If it was really that little work, Pihole + Unbound wouldn’t be the go-to solutions for so many people.

[–] Andromxda@lemmy.dbzer0.com 0 points 2 months ago* (last edited 2 months ago) (1 children)

You can accomplish the same with dnscrypt-proxy and Orbital Sync for Pi-Hole. You can also run a recursive DNS server using Unbound.

[–] dan@upvote.au 1 points 1 month ago (1 children)

But why deal with separate software like dnscrypt-proxy when AdGuard Home has it built-in?

[–] Andromxda@lemmy.dbzer0.com 1 points 1 month ago (1 children)

Why should I use a piece of software that's controlled by a corporate entity in Russia?

[–] dan@upvote.au 1 points 1 month ago (1 children)

Not sure what you mean by "controlled" given it's open-source?

Open source projects still need a maintainer/owner. For example, Facebook "controls" react, Microsoft "controls" Visual Studio Code, and AdguardTeam "controls" AdGuardHome. There are several reasons to not trust a maintainer (eg, license changes, prioritizing or implementing undesired functionality and anti-features, converting to "open core", abandoning the project, selling out to less trust worthy entities, etc.).

Per Adguard's website, the legal entity behind the various AdGuard products is ADGUARD SOFTWARE LIMITED. A quick search on that company shows that there are 3 founders and they seem to have some ties to Russia. There is more information online about this, but whether this means they can be trusted or not is up to each potential user of one of the AdGuard products.