How to properly configure pihole server recursive dns for my lan.

Oldmanlight

New Around Here
Hey all,
Long time lurker, first time poster. Running an ax-88u with 386.5 and I have a question about how to properly set up my pi hole server on my lan. I currently have its IP address set as the sole dns server under the wan tab but I’m wondering if I should have it set to be distributed to individual clients under the lan dhcp tab. I know the pi hole logs would be better as then it would show queries from dhcp client ips rather than just every query coming from the router but I’m wondering if I’d be giving up anything in terms of performance, features, or security at the router level by doing this and taking my router out of the dns query loop.

My end goal is to have the router logs for dhcp client traffic to monitor my kids' devices, have the pi hole for dns and ad blocking, and have my gaming and streaming traffic performing optimally while doing so.

Have also wondered about pi hole vs diversion for ad blocking but that might be a better question for the add on sub forum.

Thanks!
 

Crimliar

Senior Member
There are a few issues with pointing the WAN page DNS at the pi-hole. The most relevant here, since you want to see the logs, is that the router caches DNS, so you'll not see multiple instances of the same lookup and the associated timestamps.

As for using Diversion, if you also install the uiDivStats, then you get pretty similar levels of casual log perusal ability. Diversion also wins on the ability to easily switch between different levels of ad blocking, with its default being indistinguishable to most from that of Pi-Hole.

The third horse in the race is AdGuard, again the end result is pretty indistinguishable. AdGuard's biggest advantage is that it is a monolithic, do everything app, its biggest disadvantage is that it is a monolithic, do everything app!

*I don't think you need to worry about performance whichever option you take, DNS lookups are the kind of drip, drip, that the router can handle with ease. If you do have devices that you want to remove from the regular DNS flow, you always use the DNS Filter tab.

**For the record: Long time Pi-Hole (with Unbound) user who has recently migrated to Diversion (it used to be unstable on my RT-AC86U) (without Unbound). I've also tried AdGuard both on a Raspberry Pi and the router, with and without Unbound. Many swear by AdGuard, I just swore at it!
 

jsbeddow

Senior Member
I am curious about your last line: I have personally been using Unbound (in recursive mode) and Diversion for quite some time successfully on my RT-AC86U, but have been intrigued by the AdGuard Home setup. What was going wrong in your setup? Curious about any perceptible differences in DNS resolution speed too, although I get the impression that should be very minimal, if noticeable at all.
 

Crimliar

Senior Member
Historically I've used unbound in recursive mode and just as an enlarged cache with my ISP's DNS servers. While I've had no problems, in terms of performance I've found little difference in using Pi-Hole with or without Unbound. Currently, I'm using my ISP DNS with malicious content blocking.
 

Oldmanlight

New Around Here
With regard to adguard, is there any kind of interface to view logs or configure settings after installing it in amtm? I just loaded it up and I’m lost as to how to use it.
 

bennor

Senior Member
> I currently have its IP address set as the sole dns server under the wan tab but I’m wondering if I should have it set to be distributed to individual clients under the lan dhcp tab.

Putting the Pi-Hole's IP address into WAN can set up a potential issue if one also has Use Conditional Forwarding enabled on the Pi-Hole. It can create a feedback loop of queries that can quickly flood the local network, bringing traffic to its knees. Been there, done that, had it happen (twice). Normally one would put upstream public (or ISP provider's) DNS servers in the WAN DNS fields and put Pi-Hole's IP into the LAN DNS field(s). Then one would set Advertise router's IP in addition to user-specified DNS to No. One can also set up DNSFilter to force all DNS requests to the Pi-Hole to help redirect DNS requests from those devices that have hard coded DNS servers and would otherwise bypass Pi-Hole. Some past posts I've made explaining general setup directions for Pi-Hole:
https://www.snbforums.com/threads/pihole-dns.74646/#post-712118
https://www.snbforums.com/threads/pihole-dns.74646/post-712319

Been using Pi-Hole + Unbound on headless Raspberry Pis for a number of years now. Works well. Some go hog wild with block lists, I don't. I just use Jacklul's update lists script that updates the Pi-Hole using the main ad block lists from Firebog.net.
 

dave14305

Part of the Furniture
> Putting the Pi-Hole's IP address into WAN can set up a potential issue if one also has Use Conditional Forwarding enabled on the Pi-Hole. It can create a feedback loop of queries that can quickly flood the local network bringing traffic to its knees.

You can avoid that loop by telling dnsmasq to only answer reverse lookup queries locally. If your LAN is 192.168.1.0/24, add this to dnsmasq.conf.add:
Code:
local=/1.168.192.in-addr.arpa/
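
Added example (not part of dave14305's post): a small generator for the `local=` lines to put in dnsmasq.conf.add for any IPv4 LAN, going beyond the /24 case above by splitting prefixes that do not end on an octet boundary into several reverse zones. The function names are hypothetical and the addresses are constructed samples.

```python
import ipaddress


def reverse_zones(cidr):
    """Return the in-addr.arpa zones that together cover an IPv4 network."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this example handles IPv4 only")
    # Reverse zones are delegated per octet, so round the prefix up to the
    # next octet boundary: a /22 becomes four /24 zones, a /12 sixteen /16s.
    boundary = max(8, -(-net.prefixlen // 8) * 8)
    labels = boundary // 8
    zones = []
    for sub in net.subnets(new_prefix=boundary):
        octets = str(sub.network_address).split(".")[:labels]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def dnsmasq_local_lines(cidr):
    """Lines for dnsmasq.conf.add that keep PTR lookups for cidr local."""
    return ["local=/%s/" % zone for zone in reverse_zones(cidr)]


def covered(ip, cidr):
    """True if the PTR name for ip falls under one of the generated zones.

    dnsmasq matches domains on whole labels, so compare by label suffix.
    """
    name = ipaddress.ip_address(ip).reverse_pointer
    return any(name == z or name.endswith("." + z) for z in reverse_zones(cidr))


if __name__ == "__main__":
    # Constructed sample LANs
    for lan in ("192.168.1.0/24", "192.168.4.0/22", "10.0.0.0/8"):
        print("# " + lan)
        print("\n".join(dnsmasq_local_lines(lan)))
```

Running `covered()` against a few client addresses before restarting dnsmasq confirms that every LAN host's reverse name is answered locally and nothing outside the LAN is.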
 

Crimliar

Senior Member
During the setup of AdGuard it will tell you the port for its WEB UI, through which you can perform a fair amount of configuration.

Regards Pi-Hole and other ad-blockers, it's easy to get carried away. Personally, it's about blocking the malicious content before it has the ability to infect anything!
 

Oldmanlight

New Around Here
Omg, I can’t believe I missed that. Thanks a lot! I’m there now.
 
