Setting up Pi-hole

I ran Blocky with Prometheus and Grafana for a while at the beginning of last year. I posted up my configs to run them under a single compose.yml if you're interested.
Fantastic. I built a config from the blocky reference one and also my own compose files (run all my other services this way) but this is really useful. I’m happy without the extra dashboard at this point but it would be useful I think to have a query log in place to support any bug reports and allow list requests (from the family).

It works so well I think I’ll make a secondary DNS server on a Pi when I get time as it currently runs on my home server/NAS which occasionally needs a reboot or two every few months, usually due to me messing with something.

Did you stop using it for any reason?
 
Mostly because I dislike Docker anyway - I use Podman when I really have to, as it's lower overhead. Mostly though it was issues with the stats not always working properly, the overhead of running prometheus and grafana etc. I have run AdGuard Home for years so just stuck with that, but when I need a basic/quick DNS I just enable Unbound (with blocklists if needed) under FreeBSD.
 
FreeBSD jails are a nice Docker alternative anyway.
 

Fair enough, nothing against the app itself then. At some point I’ll move my server from Ubuntu Server to a headless NixOS and that’s the only reason I could think of to abandon docker since blocky is supported by Nixpkgs and docker on top of NixOS feels a bit redundant. That said, portability to other machines is such an advantage through blocky plus docker. Spinning up another on my Pi should be simple.

What’s the deal with podman support? Without googling I assumed it can utilise docker images as well.
 
They're both implementations of the Open Container Initiative (OCI) spec for running containers under Linux. Effectively a combination of chroot, cgroups and so on. Docker is a commercialised implementation but it's not the only one. Podman is a Red Hat-developed alternative of the same thing. Basically OCI is an idea for a car, and Docker and Podman are Ford and Vauxhall - different people doing a variant of the same common spec (four wheels, windows, doors...). While there are a couple of caveats, generally you can just substitute 'docker' for 'podman', as in podman pull ghcr.io/etc/etc:latest or podman run -d .... You do also have podman compose as well.

You can switch from one to the other almost seamlessly, and it'd take you a very short time to learn the quirks. You use systemd to generate and install services to keep a container up and auto-(re)starting on Podman, for example. It sounds like effort but once you've started it's actually much more intuitive and nice. You can set up auto-update within the systemd unit files as well, so that everything 'just works' and keeps itself up to date - no watchtower needed. Because it's part of the OS, it's way lighter to run Podman on *EL or Fedora than it is to install Docker CE on top.

Edit: Obligatory getting started link.
 
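As an added illustration of the systemd integration described in the post above (this is not the poster's own unit file), here is a Podman "quadlet" unit that keeps a blocky container running and lets podman-auto-update pull new images, which is what replaces watchtower. The image name, the host config path /srv/blocky/config.yml and the in-container path /app/config.yml are assumptions; check them against the blocky image you actually run. Binding port 53 as a rootless user needs net.ipv4.ip_unprivileged_port_start lowered, so the unit is shown in the rootful location.

```ini
# /etc/containers/systemd/blocky.container  (rootful quadlet; for rootless use
# ~/.config/containers/systemd/ and run the systemctl commands with --user)
[Unit]
Description=blocky DNS (Podman quadlet, added example)
After=network-online.target
Wants=network-online.target

[Container]
# Assumed image name; substitute the one you pull today.
Image=ghcr.io/0xerr0r/blocky:latest
# Label the container so `podman auto-update` re-pulls and restarts it when
# the registry digest changes (enable podman-auto-update.timer, see below).
AutoUpdate=registry
PublishPort=53:53/udp
PublishPort=53:53/tcp
# blocky's HTTP API / metrics port; drop this line if you do not expose it
PublishPort=4000:4000/tcp
# Assumed paths: config mounted read-only with an SELinux relabel (Z)
Volume=/srv/blocky/config.yml:/app/config.yml:ro,Z
# Least privilege: drop everything, then add back only what binding :53 needs
DropCapability=ALL
AddCapability=NET_BIND_SERVICE
NoNewPrivileges=true
Environment=TZ=Europe/London

[Service]
# Restart on any exit so a crash or a failed auto-update rollback self-heals
Restart=always
# First start may need to pull the image
TimeoutStartSec=300

[Install]
WantedBy=multi-user.target
```

Quadlet generates the real service unit at daemon-reload time, so the workflow is `systemctl daemon-reload`, `systemctl enable --now blocky.service`, then `systemctl enable --now podman-auto-update.timer`; `podman auto-update --dry-run` shows what the timer would change before it does it.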
Why do you dislike docker?
 
It's not an active dislike so much as an aversion. I cut my teeth compiling kernels and running on real hardware, keeping things as lean and simple as possible. While these days things like LXC and jails make running multiple services on a single machine feasible (and nice), Docker was always just so 'extra' to me. You need to add a repo, install a bunch of extra stuff, and the memory and compute overhead is not inconsequential, especially on a low resource VPS or nested inside a virtual environment.

Generally, you can achieve much the same thing using jails or LXC with much lower overhead. Where OCI is needed (or wanted), Podman is generally the easier and leaner choice. It's already in the base packages for *EL, is designed by the same EL team from the ground up as part of the OS, and runs light compared to Docker. The systemd integration is simple and, again, already on-board so everything works nicely together for almost no extra overhead. Given a choice, I'd avoid systemd altogether (*BSD > musl + openrc/runit > glibc/systemd) but where the choice is Docker or Podman I reach for Podman first.
 
How does everyone have their AGH setup? For Upstream DNS servers do you just have DNS-over-HTTPS servers? And DNSSEC enabled?

Load balancing or Parallel?

I'm finding conflicting info as to what's best.
 
I use TLS for upstream DNS (I find it quicker overall on my setup).
Parallel requests.
IPv6 bootstrap DNS (lower latency).
Upstream timeout 10.
Rate limit 0 (control access with the 'Allowed clients' box)
Blocked response TTL 10.
DNS cache set to 10000000 (100MB).
Optimistic caching enabled.

I have an average 24h response time of 1ms using this setup. Test out a fair number of upstream DNS, as the results in 'Average upstream response time' (bottom right of the home page) may surprise you. It's normal for the numbers to fluctuate day-to-day but you'll soon get a feel for which to bother leaving enabled. Some suggestions to test off the bat, from providers balancing speed versus privacy (where a provider offers blocking/filtering, the non-blocking address is given):

Code:
# AdGuard public DNS
tls://unfiltered.adguard-dns.com
# ControlD
tls://p0.freedns.controld.com
# DNS.sb
tls://dns.sb
# Mullvad
tls://dns.mullvad.net
# NextDNS
quic://dns.nextdns.io
# OpenDNS
tls://dns.opendns.com
# Quad9
tls://dns.quad9.net
 
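To make the "test out a fair number of upstreams" step repeatable outside the AGH dashboard, here is an added Python probe (not from the post or from AdGuard Home) that speaks DNS-over-TLS directly: a normal DNS wire-format query, prefixed with a two-byte length, inside a TLS session to TCP 853 (RFC 7858). The hostname from the tls:// URL is used for SNI and for certificate verification, which is the property that lets you trust the answer on a network whose port-53 resolver may be hijacked. The UPSTREAMS list and the query name example.com are assumptions; the SAMPLE_RESPONSE bytes are constructed here to exercise the parser offline.

```python
"""Probe DNS-over-TLS upstreams (RFC 7858) and rank them by round-trip time.

Added example, not part of the forum post or AdGuard Home.
"""
import socket
import ssl
import struct
import time

# Probed only when run as a script; names taken from the upstream list above.
UPSTREAMS = ["dns.quad9.net", "dns.mullvad.net", "unfiltered.adguard-dns.com"]


def build_query(name, qtype=1, txid=0x1234):
    """Build a DNS query (RD=1) for `name`; qtype 1 = A, 28 = AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def parse_response(msg, txid):
    """Return (rcode, [A records]); reject a reply whose txid does not match."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip qtype + qclass
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + rdlen]))
        off += rdlen
    return rcode, addrs


def _recv_exact(sock, n):
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS stream early")
        buf += chunk
    return buf


def dot_query(server, name, port=853, timeout=5.0):
    """One DoT round trip; returns (milliseconds, rcode, [A records])."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    txid = 0x04D2
    query = build_query(name, txid=txid)
    start = time.monotonic()
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            reply = _recv_exact(tls, length)
    elapsed_ms = (time.monotonic() - start) * 1000.0
    rcode, addrs = parse_response(reply, txid)
    return elapsed_ms, rcode, addrs


def rank_upstreams(servers, name="example.com"):
    """Probe each server once; TLS failures and timeouts sort last."""
    results = []
    for server in servers:
        try:
            ms, rcode, addrs = dot_query(server, name)
            results.append((ms, server, rcode, addrs))
        except (OSError, ValueError) as exc:
            results.append((float("inf"), server, None, str(exc)))
    return sorted(results, key=lambda r: r[0])


# Constructed DoT payload (after the length prefix) used for offline checks:
# txid 0x1234, flags 0x8180 (QR, RD, RA), one question, one A answer 9.9.9.9.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    + b"\x07example\x03com\x00\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x09\x09\x09\x09"
)

if __name__ == "__main__":
    for ms, server, rcode, addrs in rank_upstreams(UPSTREAMS):
        print(f"{server:30s} {ms:8.1f} ms  rcode={rcode}  {addrs}")
```

Each run opens a fresh TLS session, so the numbers include the handshake; that is the cost AGH avoids by keeping upstream connections alive, and a provider that looks slow here may be fine once its session is warm. A certificate that does not match the tls:// hostname fails in wrap_socket rather than producing an answer, which is the behaviour you want from a resolver on untrusted networks.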
Interesting thanks. The reason I asked is I came across a video by NetworkChuck on YouTube who suggested using DNS-over-HTTPS which I have been doing but may give TLS a go instead and see if there's any difference.
 
DoH can be better for you as a client (i.e. on your mobile phone), as it will work on more networks when you're out and about. Where public WiFi locks down ports they will always at least leave 53 (probably hijacked), 80 and 443 available. This gives you an out to disable your private DNS profile long enough to register on the network, then re-enable it to push your queries over 443 to your own server. DoQ and DoT will be blocked outright (853/tcp). As a server though, there's no benefit in using DoH over DoT or DoQ. In fact the latter two fully encrypt the query where DoH only encrypts the payload. Swings and roundabouts. Assuming your server is Linux you can enable TLS connection reuse and fastopen, which will further improve connection speeds:

Code:
# /etc/sysctl.conf  (apply without a reboot with: sysctl -p)

# 3 = enable TCP Fast Open for both outgoing (client) and incoming (server) connections
net.ipv4.tcp_fastopen=3
# allow sockets sitting in TIME_WAIT to be reused for new outgoing connections
net.ipv4.tcp_tw_reuse=1
 