Casey Bralla via plug on 16 Apr 2022 04:12:07 -0700
[PLUG] Pi-Hole, BIND9, & Latency - Big Mistake
Hey kids, don't make the same stoopid mistake I made. I really messed up when I combined PiHole and BIND9 on my home network. I had DNS latencies of 500 milliseconds or more, with lots of timeouts. Ugh! [spoiler: I figured it out and it works great now]
For over a decade, I've been using BIND9 for my internal home network. Yeah, I coulda just used a simple /etc/hosts file, but what fun is that? Figuring out BIND9 and getting it running was a rewarding technical challenge. Challenging, but with the plethora of documentation on the internet, it's a very doable task.
For the past year or so, I've been running PiHole to suppress ads. I had shut down BIND and replaced it with PiHole running on an old Raspberry Pi I had lying around. It worked great, and I eventually migrated it from the Raspberry Pi to a Debian VM on my main server. This way I'd get the advantage of PiHole software, with the maintainability and speed of a Debian virtual machine.
PiHole only has one deficiency that I don't like, and that's the way you have to configure it to be a true DNS server by using the /etc/custom.list file to specify host names and IP addresses, similarly to /etc/hosts.
So, brilliant me, I decided to use _BOTH_ PiHole and BIND9. All the computers on my home network point their DNS to the PiHole running on its own VM. The PiHole blocks ads and then forwards to my BIND9 server, which then forwards to... my wireless router (!!??!!). This way, the PiHole blocks the advertising requests, the BIND9 server handles all the local machine look-ups and forwards anything it doesn't know (which is most stuff) to the... wireless router (!!??!!). The wireless router would then forward to Verizon DNS servers somewhere/somehow.
It "worked", but it was hell. Clicking on a link in Firefox would pause my browser for a second or two while it did multiple DNS look-ups through the PiHole, BIND9, my router, and whatever crap Verizon did. It was frustrating and confusing because my plan had been so brilliant that it could NEVER fail. Yet it was unworkable!
The solution, which is blindingly obvious, is to have BIND9 forward to a real DNS like Cloudflare instead of the wireless router. I made the forwarders section in /etc/bind/named.conf.options point to Cloudflare's server at 1.1.1.1. Voila! Now I get quick DNS look-ups. Having both the PiHole and BIND9 running in series must slow things down a little, but it is imperceptible. All is well now.
Isn't it amazing how relatively good engineering decisions can be completely overwhelmed by missing some obvious details? Ugh! (the story of my life)
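An added diagnostic for the situation described in the post above (not part of the original message): a POSIX shell script that times the same lookup against each hop of the forwarding chain (Pi-hole, BIND9, router, upstream) with dig, so the hop that adds the latency stands out. The private hop addresses are assumed placeholders; only 1.1.1.1 comes from the post.

```shell
#!/bin/sh
# Added example: time one lookup against every resolver in a forwarding chain.
# Hop addresses used in the example call are placeholders (assumed);
# only 1.1.1.1 is taken from the post.

# Extract the "Query time" value (milliseconds) from dig output read on stdin.
# Prints -1 when dig produced no answer (timeout, unreachable resolver).
query_time_ms() {
    awk '/^;; Query time:/ { found = 1; print $4; exit }
         END { if (!found) print -1 }'
}

# Query one resolver once. +tries=1 and +time=2 make a dead hop fail in ~2 s
# instead of stalling, which is what the multi-second pauses looked like.
time_lookup() {
    resolver=$1
    name=$2
    dig @"$resolver" "$name" A +tries=1 +time=2 2>/dev/null | query_time_ms
}

# Measure every hop and print a table. Each hop's time includes everything
# behind it, so the first hop whose time jumps is where latency is added.
measure_chain() {
    name=$1
    shift
    for hop in "$@"; do
        ms=$(time_lookup "$hop" "$name")
        printf '%-16s %6s ms\n' "$hop" "$ms"
    done
}

# Example chain (placeholder addresses): Pi-hole VM, BIND9 VM, router, Cloudflare.
if [ "${1:-}" = "--run" ]; then
    measure_chain "${2:-example.com}" 192.168.1.10 192.168.1.11 192.168.1.1 1.1.1.1
fi
```

Run it as `sh chain-latency.sh --run example.com` and read the table from the bottom up: Cloudflare's time is the floor, and any hop above it that adds hundreds of milliseconds is the one misconfigured.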
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug