Pi-Hole & Personal rDNS Server Appliance Setup Guide
Part 3: Installing the recursive DNS Server
Overview
This guide will walk you through the steps necessary to install and configure a Pi-Hole on your Raspberry Pi, along with a personal recursive DNS server that will keep your DNS queries out of your ISP's immediate view.
The core sections of this guide are broken down into 4 parts:
- Installing the Raspberry Pi OS
- Installing the Pi-Hole Application
- Installing the recursive DNS Server (you are here)
- Make Pi-Hole work for you!
Your very own recursive DNS server
During Checkpoint 4 of the Pi projects, we set up ISC BIND as a recursive DNS server. We will be doing something very similar for the Pi-Hole project, except we will use NLnet Labs' Unbound, another popular DNS server software. The reason for selecting Unbound (a word play on BIND) is that it is the recommended companion to Pi-Hole, and the two play well together.
Installing Unbound
Connect to your Pi using SSH. You should now be able to use ssh pi@<ip_address> instead of having to use pihole.local. Since your Pi should be connected to your WiFi router over Ethernet, you can do this over your laptop's WiFi connection, and you don't have to be in close proximity to your Pi. Once logged in, run these commands:
sudo apt update
sudo apt install unbound
Warning
You will likely see a scary-looking error message during the installation process, warning you that something failed to start. You can safely ignore that at this stage of the installation.
Next, let's configure Unbound! The configuration example that follows has been customized for use with a Pi-Hole:
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # May be set to yes if you have IPv6 connectivity
    do-ip6: no
    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no
    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"
    # Trust glue only if it is within the server's authority
    harden-glue: yes
    # Require DNSSEC data for trust-anchored zones, if such data is absent,
    # the zone becomes BOGUS
    harden-dnssec-stripped: yes
    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378
    # for further details
    use-caps-for-id: no
    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472
    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes
    # One thread should be sufficient, can be increased on beefy machines. In reality
    # for most users running on small networks or on a single machine, it should be
    # unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1
    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m
    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
Copy the contents and paste them into the file opened by this command:
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
Save the file and exit the editor. Next, we restart Unbound and test that it is working:
sudo service unbound restart
dig pi-hole.net @127.0.0.1 -p 5335
That second command should be familiar from Checkpoint 4. Note the -p 5335 at the end: it tells dig to query the DNS server listening on localhost (127.0.0.1), but on port 5335 instead of the standard DNS port 53.
The reason we configured Unbound to listen on a port other than the standard DNS port 53 is that the Pi-Hole DNS server is already using port 53, and two services cannot listen on the same port. Since Unbound is used only internally by the Pi-Hole DNS server as its "Upstream" DNS provider (instead of Google or your ISP's DNS server), and the interface: 127.0.0.1 line above binds it to localhost only, the non-standard port is never exposed to clients on your network and therefore causes no issues.
While we are still logged into the Pi via SSH, now would be a good time to change the randomly generated Web Admin password. This can only be done via SSH, using the pihole command:
sudo pihole -a -p
You will be prompted to type a new password, and after pressing Enter, type it again for confirmation.
Next, we will finish configuring the Pi-Hole via the Web Admin interface. Open a browser and type the static IP address of the Pi-Hole into the address bar, followed by /admin - for example http://10.10.10.10/admin
The Pi-Hole Dashboard page should appear in your browser.
Click on "Login" in the left sidebar menu.
Enter either the new password you set earlier via SSH, or if you did not change it, use the randomly generated password you captured during the setup process.
Click "Log in"
You should now see a more detailed version of the dashboard. In the now expanded left sidebar menu, click on "Settings."
On the page that loads, select "DNS" from the top menu.
Uncheck any checkboxes from the left "Upstream DNS Servers" column. Most likely, only Google (ECS) is selected.
In the right "Upstream DNS Servers" column, click the square under "Custom 1 (IPv4)" to place a checkmark into it. In the text field below the checkmark, type 127.0.0.1#5335 - be sure to include the hashmark / pound sign, and no spaces.
Make sure you scroll down and click the "Save" button on the very bottom right of the page!
This instructs Pi-Hole to forward any upstream DNS queries to Unbound listening on localhost (127.0.0.1), using port 5335. Unbound will then retrieve the information from the Root, TLD, and Authoritative name servers, and will cache the information until the TTL expires. This will speed up subsequent queries for the same domain.
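The two pieces that have to agree for this to work are the Unbound fragment in pi-hole.conf and the Custom 1 upstream entry you just typed into the Pi-Hole settings. As an added example (my own code, not part of this guide or of the Pi-Hole or Unbound projects), the following script parses a copy of the server: fragment, checks the settings that matter for this setup (loopback-only interface, a port other than 53, the DNSSEC hardening options, and private-address coverage of the RFC 1918 ranges that gives DNS rebinding protection), and then verifies that an upstream string such as 127.0.0.1#5335 points at exactly the address and port Unbound listens on. It catches the common slips the guide warns about, such as a space or a colon instead of the hash mark. The SAMPLE_CONF text is a constructed, abridged copy of the fragment above; the function names are my own.

```python
"""Added example: lint the Unbound pi-hole.conf fragment and the Pi-Hole
upstream string so the two agree. Not code from the guide or the projects."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: an abridged copy of the guide's server: fragment.
SAMPLE_CONF = """\
server:
    # If no logfile is specified, syslog is used
    verbosity: 0
    interface: 127.0.0.1
    port: 5335
    do-ip6: no
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 1472
    prefetch: yes
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
"""

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
UPSTREAM_RE = re.compile(r"^(?P<ip>[^#\s]+)#(?P<port>\d{1,5})$")


def parse_server_block(text: str) -> Dict[str, List[str]]:
    """Collect 'key: value' lines under 'server:'; repeated keys (such as
    private-address) accumulate. Comments and blank lines are ignored. Only
    the subset of Unbound syntax used in the guide is handled."""
    opts: Dict[str, List[str]] = {}
    in_server = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":") and " " not in line:   # clause header, e.g. 'server:'
            in_server = line == "server:"
            continue
        if in_server and ":" in line:
            key, val = (p.strip() for p in line.split(":", 1))
            opts.setdefault(key, []).append(val.strip('"'))
    return opts


def listen_endpoints(opts: Dict[str, List[str]]) -> List[Tuple[str, int]]:
    """(address, port) pairs Unbound will bind. Unbound allows 'addr@port' per
    interface; otherwise the global 'port' (default 53) applies. With no
    interface line Unbound listens on loopback only."""
    default_port = int(opts.get("port", ["53"])[-1])
    endpoints = []
    for iface in opts.get("interface", ["127.0.0.1", "::1"]):
        if "@" in iface:
            addr, port = iface.rsplit("@", 1)
            endpoints.append((addr, int(port)))
        else:
            endpoints.append((iface, default_port))
    return endpoints


def lint_pihole_unbound(opts: Dict[str, List[str]]) -> List[str]:
    """Return findings for the settings that matter next to Pi-Hole; an empty
    list means the fragment looks as the guide intends."""
    findings: List[str] = []
    for addr, port in listen_endpoints(opts):
        if not ipaddress.ip_address(addr).is_loopback:
            findings.append(f"interface {addr} is not loopback: Unbound would be reachable from the LAN")
        if port == 53:
            findings.append("port 53 is already used by the Pi-Hole DNS server; use another port (the guide uses 5335)")
    for key, want in [("harden-glue", "yes"), ("harden-dnssec-stripped", "yes"), ("use-caps-for-id", "no")]:
        if opts.get(key, [None])[-1] != want:
            findings.append(f"{key} should be {want}")
    v4_private = [ipaddress.ip_network(p) for p in opts.get("private-address", []) if ":" not in p]
    for rng in RFC1918:
        if not any(ipaddress.ip_network(rng).subnet_of(net) for net in v4_private):
            findings.append(f"private-address does not cover {rng} (no rebinding protection for that range)")
    return findings


def parse_upstream(entry: str) -> Tuple[str, int]:
    """Parse a Pi-Hole custom upstream entry 'ip#port' such as '127.0.0.1#5335'.
    Raises ValueError on a space, a ':' instead of '#', or a missing/bad port."""
    match = UPSTREAM_RE.match(entry)
    if not match:
        raise ValueError(f"bad upstream {entry!r}: expected ip#port with no spaces")
    ip = str(ipaddress.ip_address(match["ip"]))   # also rejects garbage addresses
    port = int(match["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"bad upstream {entry!r}: port out of range")
    return ip, port


def upstream_matches(entry: str, opts: Dict[str, List[str]]) -> bool:
    """True if the Pi-Hole upstream entry targets an endpoint Unbound listens on."""
    return parse_upstream(entry) in listen_endpoints(opts)


if __name__ == "__main__":
    conf = parse_server_block(SAMPLE_CONF)
    print("findings:", lint_pihole_unbound(conf) or "none")
    print("127.0.0.1#5335 matches:", upstream_matches("127.0.0.1#5335", conf))
```

To check your real file, read /etc/unbound/unbound.conf.d/pi-hole.conf into parse_server_block instead of SAMPLE_CONF; the linter deliberately knows nothing about the rest of Unbound's syntax, so it is a sanity check on this fragment, not a replacement for unbound-checkconf or the dig test above.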
Did you remember to click Save?
Your Pi-Hole is now ready for use. Be sure to check out all of the other settings and configuration options!