Unbound vs. Pihole



  • Which offers better DNS resolving/caching performance for a network with ~500 devices, the built-in Unbound or a dedicated PiHole device/VM? I'm trying to determine how to implement my network.


  • LAYER 8 Global Moderator

    Pihole has a nice interface to view the amount and type of DNS queries.. You do understand you can bring up a pihole and then just have it forward to unbound running on pfsense, which then resolves.. It does not need to be an either-or sort of setup..



  • pfBlockerNG-devel also has a nice interface. As for performance, this really depends on the hardware you run it on. If you run pfSense on dedicated and potent amd64 hardware with a good amount of RAM it will be able to handle much more than PiHole on a small RaspberryPi. If you run both on similar hardware I wouldn't expect any noticeable performance difference, though separating your DNS from your firewall might make a bit of sense from a security perspective.

    If you intend on virtualizing both anyway then there is no harm in trying both approaches and then choosing the one that performs best for your specific environment.


  • LAYER 8 Global Moderator

    @grimson said in Unbound vs. Pihole:

    pfBlockerNG-devel also has a nice interface.

    Ok - sure... But sorry it's not as eye-candy pretty as pihole's ;) Nor does it really give a nice overview in a graph over time.. Also, unless I am missing something, where can you click in and see actual queries per client?

    You can use both was my point.



  • @johnpoz said in Unbound vs. Pihole:

    Ok - sure... But sorry it's not as eye-candy pretty as pihole's ;)

    Agreed, though I'm not the eye candy guy.

    Nor does it really give a nice overview in a graph over time.. Also, unless I am missing something, where can you click in and see actual queries per client?

    You can define filters on the reports tab, but you will only see blocked requests. Also the DNSBL stats tab has some graphs too.

    You can use both was my point.

    Which adds another point of failure and unneeded complexity, in my opinion.



  • @grimson said in Unbound vs. Pihole:

    pfBlockerNG-devel also has a nice interface. As for performance, this really depends on the hardware you run it on. If you run pfSense on dedicated and potent amd64 hardware with a good amount of RAM it will be able to handle much more than PiHole on a small RaspberryPi. If you run both on similar hardware I wouldn't expect any noticeable performance difference, though separating your DNS from your firewall might make a bit of sense from a security perspective.

    If you intend on virtualizing both anyway then there is no harm in trying both approaches and then choosing the one that performs best for your specific environment.

    Thanks. I had planned to virtualize pfSense and PiHole. I'll do some lab testing first before I deploy.


  • LAYER 8 Global Moderator

    @grimson said in Unbound vs. Pihole:

    Which adds another point of failure and unneeded complexity, in my opinion.

    Yeah sure - you could say using pfblocker on top of unbound adds a level of complexity and for sure adds another point of failure as well ;) heheh

    How many posts here come down to pfblocker ;) Many of them are self-inflicted, sure - the complexity point for sure.. I can tell you for sure pihole is designed for your typical idiot user.. While pfblocker and all its features require way more understanding than pihole..

    I like it because it gives me an easy way to get an overall quick picture of how many DNS queries in total are blocked and allowed.. And what the big hitters are - freaking roku sticks sure want to phone home to their log servers for example ;) And windows machines sure like to try and talk to those telemetry servers as well..

    The OP is the one that brought it up - My only point is you're not limited to just using 1 or the other.. You're just suggesting complexity and points of failure via another software package on top of the unbound running on pfsense. pfblocker is way more complex than pihole, and even it running on pfsense doesn't mean it's not another thing that could fail vs running something on another vm or pi for that matter..

    I think the OP has the right idea - play with it all and see what is best suited for his wants and needs.. Just don't think you need to limit yourself to just using 1 thing. You could use unbound with both pfblocker and a pihole instance, etc..



  • +1 for pihole. I've been using it for about a year now.



  • I'm using a pair of Pi-Holes for redundancy, very nice to have the list updates staggered a few hours on each so there is never any DNS downtime like there is on a single Pi-Hole setup.

    Client -> Pi-Hole -> pfSense -> OpenDNS (both ipv4 and 6 filtered servers)



  • pfBlocker was a PITA to try to get to install ... massive issues with the package installer ... had to install from the command line. Would enable DNSBL and nginx/php would crash... would then have to restore.

    Was probably due to my hardware....

    I didn't really like the idea of running DNS off a pi ... my own false beliefs I'm sure :)

    So next was cloud pihole... using google's free cloud micro.

    Piece of cake ... until you want to stop open resolving.

    PiVPN was an easy setup. Point its DNS to 10.8.0.1

    Install pihole on google cloud vm as well .. set its interface to tun0 ... and set its IP to 10.8.0.1 .. use default gateway

    Now .. the fun part ... configure pfsense openvpn CLIENT to connect to this VM, but only for DNS, not all traffic.

    This took some time .. but after trying enough combinations of compression ... got a connection.

    This is where things went south. Only because I have two WANs, really .. and wanted to use the same DNS server for both interfaces.

    I couldn't set DNS server in General tied to an interface .. because I only wanted to use one IP address for the pihole.

    The solution?

    Custom options... send all forward requests (that aren't cached) to your pi-hole. This is what I missed. I needed to configure unbound using custom options, not a simple GUI checkbox/input field.

    Here's what I put in:

    forward-zone:
        name: "."
        forward-addr: 10.8.0.1@53

    10.8.0.1 being the IP of the tunnel interface to the cloud hole.

    Hope this helps someone!!



  • On PiVPN, looks unsupported now: https://github.com/pivpn/pivpn

    "This means that there are no longer any active maintainers for this project, and that issues and PR's will not get resolved. This will eventually result in pivpn not working anymore (as openvpn gets updates, config options might get added/removed/changed)."



  • I have been using Pihole inside a Debian Linux VM running on Proxmox for a few weeks now and have been very happy with the performance. As of right now I'm only using one Pihole, but could envision launching another VM running Pihole down the road (for redundancy, or maybe to have a different blocklist configuration if it becomes necessary to better control what is filtered for different network segments).

    In terms of caching, I use both the Pihole cache and the cache on Unbound (in my setup Pihole forwards DNS traffic that is not cached to Unbound). You'll have to do some testing, but I believe that the performance of dnsmasq on Pihole starts to become negatively affected if the cache is made too large (perhaps due to increased cache lookup time?). By default, the cache size in Pihole is 10000 entries, which works just fine on a smaller network like mine with less than 50 devices (and honestly, is likely still too big). It may or may not work well for a larger network with ~500 devices that you are describing. Having said that, a lot of DNS records these days have very short TTLs, so that default cache size on Pihole may be ok (i.e. you won't see any cache evictions). Finally, you can also disable the cache on Pihole altogether and just forward everything to Unbound - if done on a local network, it will probably add less than 1ms of latency for each DNS lookup, which is inconsequential.

    Hope this helps.
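The cache-sizing argument in the post above (short TTLs mean entries expire before a 10000-entry table ever has to evict a live answer, even at ~500 devices) can be checked with a small model. This is an added example, not the poster's setup or Pi-hole/dnsmasq code: a bounded, TTL-aware LRU cache fed a constructed query stream with a Zipf-like popularity skew, where the device count, query rate, name count and TTLs are assumed values chosen for illustration.

```python
import random
from itertools import accumulate
from collections import OrderedDict


class TtlLruCache:
    """Model of a resolver cache: bounded table, each entry expiring after its
    TTL, least recently used entry dropped when the table is full.
    Constructed for illustration; this is not dnsmasq's or Unbound's code."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()  # name -> expiry time in seconds
        self.hits = self.misses = self.expired = self.capacity_evictions = 0

    def lookup(self, name, now, ttl):
        """Return True on a hit; on a miss, 'forward upstream' and cache the answer."""
        expiry = self.entries.pop(name, None)
        if expiry is not None and expiry > now:
            self.entries[name] = expiry  # re-insert so it becomes most recently used
            self.hits += 1
            return True
        if expiry is not None:
            self.expired += 1  # present but stale: counts as a miss
        self.misses += 1
        if len(self.entries) >= self.capacity:
            # the LRU entry has the oldest access, so with one TTL it also expires first
            _, old_expiry = self.entries.popitem(last=False)
            if old_expiry > now:
                self.capacity_evictions += 1  # a still-valid answer lost for lack of room
        self.entries[name] = now + ttl
        return False


def simulate(devices, names, capacity, ttl, seconds, qps_per_device=0.05, seed=1):
    """Replay a constructed query stream (assumed per-device rate, Zipf-like popularity)."""
    rng = random.Random(seed)
    cache = TtlLruCache(capacity)
    cum = list(accumulate(1.0 / (i + 1) for i in range(names)))  # rank-1 names dominate
    total = int(devices * qps_per_device * seconds)
    for q in range(total):
        now = q * seconds / total
        idx = rng.choices(range(names), cum_weights=cum)[0]
        cache.lookup(f"host{idx}.example", now, ttl)
    return {"queries": total, "hits": cache.hits, "misses": cache.misses,
            "expired": cache.expired, "capacity_evictions": cache.capacity_evictions}


if __name__ == "__main__":
    for ttl in (60, 3600):  # short CDN-style TTL vs. hour-long TTL, one hour of traffic
        print(ttl, simulate(devices=500, names=30000, capacity=10000, ttl=ttl, seconds=3600))
```

With 60-second TTLs the table never evicts a live entry, because only the names queried in the last minute are still valid; with hour-long TTLs the same stream overflows the 10000-entry table and evictions appear.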



  • I'm setting all this up soon. Just want to be clear. So which IP address do I use to forward my Pihole to the pfSense Unbound resolver?



  • @liquidsuspension I used the IPv4 and IPv6 addresses of LAN 1



  • @stan-qaz Thanks!

