Netgate Discussion Forum

    Unbound vs. Pihole

DHCP and DNS
    33 Posts 11 Posters 12.8k Views
      Grimson Banned
      last edited by Grimson

pfBlockerNG-devel also has a nice interface. As for performance, this really depends on the hardware you run it on. If you run pfSense on dedicated and potent amd64 hardware with a good amount of RAM it will be able to handle much more than Pi-hole on a small Raspberry Pi. If you run both on similar hardware I wouldn't expect any noticeable performance difference, though separating your DNS from your firewall might make a bit of sense from a security perspective.

If you intend on virtualizing both anyway then there is no harm in trying both approaches and then choosing the one that performs best for your specific environment.

        johnpoz LAYER 8 Global Moderator
        last edited by

        @grimson said in Unbound vs. Pihole:

        pfBlockerNG-devel also has a nice interface.

Ok - sure... But sorry, it's not as eye-candy pretty as Pi-hole's ;) Nor does it really give a nice overview in a graph over time.. Also, unless I am missing something, where can you click in and see actual queries per client?

        You can use both was my point.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          Grimson Banned @johnpoz
          last edited by

          @johnpoz said in Unbound vs. Pihole:

Ok - sure... But sorry, it's not as eye-candy pretty as Pi-hole's ;)

          Agreed, though I'm not the eye candy guy.

Nor does it really give a nice overview in a graph over time.. Also, unless I am missing something, where can you click in and see actual queries per client?

          You can define filters on the reports tab, but you will only see blocked requests. Also the DNSBL stats tab has some graphs too.

          You can use both was my point.

          Which adds another point of failure and unneeded complexity, in my opinion.

            tibere86 @Grimson
            last edited by

            @grimson said in Unbound vs. Pihole:

pfBlockerNG-devel also has a nice interface. As for performance, this really depends on the hardware you run it on. If you run pfSense on dedicated and potent amd64 hardware with a good amount of RAM it will be able to handle much more than Pi-hole on a small Raspberry Pi. If you run both on similar hardware I wouldn't expect any noticeable performance difference, though separating your DNS from your firewall might make a bit of sense from a security perspective.

If you intend on virtualizing both anyway then there is no harm in trying both approaches and then choosing the one that performs best for your specific environment.

            Thanks. I had planned to virtualize pfSense and PiHole. I'll do some lab testing first before I deploy.

              johnpoz LAYER 8 Global Moderator @Grimson
              last edited by

              @grimson said in Unbound vs. Pihole:

              Which adds another point of failure and unneeded complexity, in my opinion.

              Yeah sure - you could say using pfblocker on top of unbound adds a level of complexity and for sure adds another point of failure as well ;) heheh

How many posts here come down to pfblocker ;) Many of them are self-inflicted sure - the complexity point for sure.. I can tell you for sure pihole is designed for your typical idiot user.. While pfblocker and all its features require way more understanding than pihole..

I like it because it gets me an easy way to get an overall quick picture of how many DNS queries total, blocked and allowed, are going on.. And who the big hitters are - freaking Roku sticks sure want to phone home to their log servers for example ;) And Windows machines sure like to try and talk to those telemetry servers as well..

The OP is the one that brought it up - My only point is you're not limited to just using 1 or the other.. You're just suggesting complexity and points of failure via another software package on top of the unbound running on pfSense. pfblocker is way more complex than pihole, and even it running on pfSense doesn't mean it's not another thing that could fail vs running something on another VM or Pi for that matter..

              I think the OP has the right idea - play with it all and see what is best suited for his wants and needs.. Just don't think you need to limit yourself to just using 1 thing. You could use unbound with both pfblocker and a pihole instance, etc..

                KOM
                last edited by

                +1 for pihole. I've been using it for about a year now.

                  stan-qaz
                  last edited by

                  I'm using a pair of Pi-Holes for redundancy, very nice to have the list updates staggered a few hours on each so there is never any DNS downtime like there is on a single Pi-Hole setup.

                  Client -> Pi-Hole -> pfSense -> OpenDNS (both ipv4 and 6 filtered servers)

                    nekrozon
                    last edited by

                    pfBlocker was a PITA to try to get to install ... massive issues with the package installer ... had to install from the command line. Would enable DNSBL and nginx/php would crash... would then have to restore.

                    Was probably due to my hardware....

                    I didn't really like the idea of running DNS off a pi ... my own false beliefs I'm sure :)

                    So next was cloud pihole... using google's free cloud micro.

                    Piece of cake ... until you want to stop open resolving.

                    PiVPN was an easy setup. Point its DNS to 10.8.0.1

                    Install pihole on google cloud vm as well .. set its interface to tun0 ... and set its IP to 10.8.0.1 .. use default gateway

                    Now .. the fun part ... configure pfsense openvpn CLIENT to connect to this VM, but only for DNS, not all traffic.

                    This took some time .. but after trying enough combinations of compression ... got a connection.

                    This is where things went south. Only because I have two WANs, really .. and wanted to use the same DNS server for both interfaces.

                    I couldn't set DNS server in General tied to an interface .. because I only wanted to use one IP address for the pihole.

                    The solution?

Custom options... send all forward requests (that aren't cached) to your Pi-hole. This is what I missed. I needed to configure unbound using custom options, not a simple GUI checkbox/input field.

                    Here's what I put in:

# anything Unbound cannot answer from its cache is forwarded to the Pi-hole over the tunnel
forward-zone:
    name: "."
    forward-addr: 10.8.0.1@53

                    10.8.0.1 being the ip of the tunnel interface to the cloud hole.

                    Hope this helps someone!!

                      stan-qaz
                      last edited by

                      On PiVPN, looks unsupported now: https://github.com/pivpn/pivpn

                      "This means that there are no longer any active maintainers for this project, and that issues and PR's will not get resolved. This will eventually result in pivpn not working anymore (as openvpn gets updates, config options might get added/removed/changed)."

                        tman222
                        last edited by tman222

I have been using Pihole inside a Debian Linux VM running on Proxmox for a few weeks now and have been very happy with the performance. As of right now I'm only using one Pihole, but could envision launching another VM running Pihole down the road (for redundancy, or maybe to have a different blocklist configuration if it becomes necessary to better control what is filtered for different network segments).

In terms of caching, I use both the Pihole cache and the cache on Unbound (in my setup Pihole forwards DNS traffic to Unbound that is not cached). You'll have to do some testing, but I believe that the performance of dnsmasq on Pihole starts to become negatively affected if the cache is made too large (perhaps due to increased cache lookup time?). By default, the cache size in Pihole is 10000 entries, which works just fine on a smaller network like mine with less than 50 devices (and honestly, is likely still too big). It may/may not work well for a larger network with ~500 devices that you are describing. Having said that, a lot of DNS records these days have very short TTLs, so that default cache size on Pihole may be ok (i.e. you won't see any cache evictions). Finally, you can also disable the cache on Pihole altogether and just forward everything to Unbound - if done on a local network, it will probably add less than 1ms of latency for each DNS lookup, which is inconsequential.

                        Hope this helps.

                          liquidsuspension
                          last edited by

                          I'm setting all this up soon. Just want to be clear. So which IP address do I use to forward my Pihole to the Pfsense Unbound resolver?

                            stan-qaz @liquidsuspension
                            last edited by

@liquidsuspension I used the IPv4 and IPv6 addresses of LAN 1

                              liquidsuspension @stan-qaz
                              last edited by

                              @stan-qaz Thanks!

                                occamsrazor
                                last edited by

                                Hi,

                                I currently use pfSense with Unbound as resolver and pfblockerng-devel. It works fine but I'd like to have a play with piHole and think of buying a Raspberry Pi 4 for this. If it turns out it's not for me I can easily find another use for the hardware.

                                But I have a question regarding fallback. What I would like to do is have my devices DNS pointed to the RPI and piHole, which is then pointed for DNS queries to Unbound on pfsense. All that should be easy I believe.

                                But I also would like some kind of automatic fallback so that if the RPI is not available for any reason, that my devices can temporarily and automatically fall back to sending requests directly to pfSense for uninterrupted operation (even if that means no piHole/pfblocker protection, I'm fine with that).

                                Is there an easy way to accomplish that? Thanks...

                                pfSense CE on Qotom Q355G4 8GB RAM/60GB SSD
                                Ubiquiti Unifi wired and wireless network, APC UPSs
                                Mac OSX and IOS devices, QNAP NAS

                                  stan-qaz @occamsrazor
                                  last edited by

@occamsrazor There is no simple way, as DNS doesn't offer a primary/secondary server option. When you supply more than one resolver address the client makes a choice between them based on their responses.

                                  You could write a script that monitored the pi-hole and if it went down change the pfSense DHCP DNS settings but that wouldn't help the clients until they renewed their leases and updated from the new server settings.

                                  You might also build a proxy to manage the fail-over and have it monitor the pi-hole and decide where to send the DNS queries it gets.

                                  I took an alternate route and use two piholes for redundancy. That isn't really necessary as the pi-holes have proven very reliable but it is handy when I do something to break one when tweaking things.

                                  There are scripts on the pi-hole reddit that support syncing two or more pi-holes if you want to go that route.

The only tweak I'd suggest is checking the cron settings to ensure that both don't update the internal blacklists at the same time.

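The "proxy that monitors the pi-hole and decides where to send the DNS queries" that stan-qaz describes above is sketched out below. This is an added example written for this page; it is not code from the thread, from pfSense or from Pi-hole. It assumes that a resolver counts as healthy when it returns a well-formed reply (QR bit set, our transaction ID) to a query for `pi.hole`, and the loopback "Pi-hole" and "dead Pi-hole" it talks to are constructed stand-ins so the code runs offline. Real deployments would put the Pi-hole's LAN address first in the candidate list and the pfSense LAN address (Unbound) second, as the thread suggests.

```python
"""Fail-over DNS forwarder: probe the Pi-hole, fall back to the next resolver.

Added example for this page, not code from the thread, pfSense or Pi-hole.
"""
import random
import socket
import struct
import threading


def build_query(qname, qtype=1):
    """Build a minimal recursion-desired DNS query (A record by default).

    Returns (transaction id, wire bytes)."""
    txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return txid, header + question


def is_healthy(server, qname="pi.hole", timeout=0.5):
    """One-shot probe: healthy only if a reply arrives with QR=1 and our txid."""
    txid, wire = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(wire, server)
            data, _ = sock.recvfrom(512)
        except OSError:  # timeout, or ICMP port-unreachable surfaced as an error
            return False
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000)


def choose_upstream(candidates, healthy=is_healthy):
    """First healthy (host, port) in priority order, or None if all are down."""
    for server in candidates:
        if healthy(server):
            return server
    return None


def forward(wire, candidates, timeout=1.0):
    """Relay a client's raw query to the first healthy upstream; None if none answer."""
    upstream = choose_upstream(candidates)
    if upstream is None:
        return None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(wire, upstream)
            data, _ = sock.recvfrom(4096)
        except OSError:
            return None
    return data


# --- constructed loopback stand-ins so the example runs offline -------------

def start_fake_resolver(host="127.0.0.1"):
    """Stand-in for a live Pi-hole: answers every query with an empty NOERROR reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))  # kernel picks a free port

    def serve():
        while True:
            data, peer = sock.recvfrom(512)
            if len(data) < 12:
                continue
            # same txid, flags QR|RD|RA (0x8180), same qdcount, zero other counts
            reply = data[:2] + struct.pack("!H", 0x8180) + data[4:6] + b"\x00" * 6 + data[12:]
            sock.sendto(reply, peer)

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()


def dead_server(host="127.0.0.1"):
    """Stand-in for a Pi-hole that is down: a UDP port nothing is listening on."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    addr = sock.getsockname()
    sock.close()
    return addr


if __name__ == "__main__":
    pihole, pfsense = start_fake_resolver(), start_fake_resolver()
    down = dead_server()
    # priority order: the Pi-hole first, pfSense's Unbound as the fallback
    print("Pi-hole down, chose:", choose_upstream([down, pfsense]))
    print("Pi-hole up,   chose:", choose_upstream([pihole, pfsense]))
```

Two caveats a practitioner would want. First, this proxy is now itself the single point of failure stan-qaz warns about, so it belongs on the most reliable box you have (or on both Pi-holes, each pointing at the other). Second, a probe that accepts any well-formed reply will happily keep steering queries to a resolver that is up but answering wrongly; in practice compare the answer for a known name against the record you expect, and cache the health result for a few seconds instead of probing on every client query.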
                                    stan-qaz @occamsrazor
                                    last edited by

                                    @occamsrazor I missed a comment I intended to make, a Pi 4 is overkill for a pihole, a Zero or Zero W is plenty of power. I use Pi 3s as they are much lower power and run cooler. An original Pi (square card) is barely enough to work well, the first revision with round corners and double the RAM works fine as do Pi 2s.

                                    Many folks are happy with the Zero but I didn't want to fuss with adding Ethernet to it and I prefer wired connections for essential servers/services due to my network configuration.

                                      occamsrazor
                                      last edited by

@stan-qaz Thanks for the useful info.... I guess I had thought that I could push the two DNS servers in order to clients from pfSense DHCP.... but you are right, the clients wouldn't query in strict order, so even if piHole was available there's a probability that many requests would get answered by pfSense directly instead....
I guess perhaps I'll just have to live with manually changing the DNS server addresses if needed when the piHole is down. 2 x Pi for redundancy is smart, but more than I want to do. It'll run in a server rack on UPS, so should be reasonably reliable.
                                      As for the models, I realise Pi4 is overkill... but with the various power supplies, case etc the price isn't all that more expensive and would rather future-proof in case I choose to use it for a different purpose later. Any idea roughly how many watts it would consume if just used for Pihole?
                                      Another totally linux-newb question... if running pihole on it can I also easily and simultaneously run other server type services on it (cpu-permitting of course)?
                                      Thanks :-)

                                        stan-qaz @occamsrazor
                                        last edited by

@occamsrazor Running on a UPS fixes one of the major Pi failure modes, a corrupted SD from improper shutdown. Using one of the pi-hole recommended SD cards with good write endurance avoids many other SD issues from poor quality cards. I haven't moved my logs off the SD but for really busy systems that is also an option.

Price wasn't part of my Pi 3 consideration; stability, power use and being well understood were. The 4 will work but keep up with the firmware and software updates as they work to solve the issues with the 4, also be cautious in power supply selection with the Rev 1 board, hopefully the USB power configuration will be fixed when they go to Rev 2 but I have heard no dates on when to expect that.

                                        CPU use and power on the Pi-hole is usually just about at idle levels, DNS lookups are not much of a load. Some of the web based queries and list updates can use about a full core but are both short duration events. Normal load looks to be about 0.25, memory use with 700K list entries is under 30% with the GUI and VNC running.

                                        Running other stuff is not an issue as long as you can de-conflict any requirements for the same ports/services.

                                        Probably best to take the pi-hole details discussion to the pi-hole reddit to keep from cluttering up this place with non pfSense info.

                                        https://www.reddit.com/r/pihole/

                                          occamsrazor
                                          last edited by

                                          @stan-qaz - Thanks a lot for the detailed information. Am still tempted by the Pi4 for it's beefier CPU in case I want to run multiple services. Will take further questions to the pihole reddit.... Thanks :-)

                                            kiokoman LAYER 8
                                            last edited by

When I have to go to the supermarket to buy toilet paper I always go with a Ferrari 😂
For the same reason, even if the Pi 3 is more than enough for Pi-hole, I personally will buy the Pi 4.
The USB-C is not really a big problem, just don't buy any e-marked USB-C chargers; the official one or any charger coming from a smartphone/tablet that can do 5V / 3A works without problem.
I didn't have any stability problem on my 3 Raspberry Pi 4s, with Kodi / NTP server / Wireshark and other services I'm running; personally the only downside I see here is power consumption.

                                            ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                                            Please do not use chat/PM to ask for help
                                            we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                                            Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.