Casey Bralla via plug on 16 Apr 2022 04:12:07 -0700



[PLUG] Pi-Hole, BIND9, & Latency - Big Mistake


Hey kids, don't make the same stoopid mistake I made.  I really messed up when I combined PiHole and BIND9 on my home network.  I had DNS latencies of 500 milliseconds or more, with lots of timeouts.  Ugh!  [spoiler: I figured it out and it works great now]


For over a decade, I've been using BIND9 for my internal home network.   Yeah, I coulda just used a simple /etc/hosts file, but what fun is that?  Figuring out BIND9 and getting it running was a rewarding technical challenge.  Challenging, but with the plethora of documentation on the internet, it's a very doable task.

For the past year or so, I've been running PiHole to suppress ads.  I had shut down BIND and replaced it with PiHole running on an old Raspberry Pi I had lying around.  It worked great, and I eventually migrated it from the Raspberry Pi to a Debian VM on my main server.   This way I'd get the advantage of PiHole software, with the maintainability and speed of a Debian virtual machine. 

PiHole only has one deficiency that I don't like, and that's the way you have to configure it to be a true DNS server by using the /etc/custom.list file to specify host names and IP addresses, similarly to /etc/hosts.

So, brilliant me, I decided to use _BOTH_ PiHole and BIND9.  All the computers on my home network point their DNS to the PiHole running on its own VM.  The PiHole blocks ads and then forwards to my BIND9 server, which then forwards to...  my wireless router (!!??!!).  This way, the PiHole blocks the advertising requests, the BIND9 server handles all the local machine look-ups and forwards anything it doesn't know (which is most stuff) to the...  wireless router (!!??!!).  The wireless router would then forward to Verizon DNS servers somewhere/somehow.

It "worked", but it was hell.  Clicking on a link in Firefox would pause my browser for a second or two while it did multiple DNS look-ups through the PiHole, BIND9, my router, and whatever crap Verizon did.   It was frustrating and confusing because my plan had been so brilliant that it could NEVER fail.  Yet it was unworkable!


The solution, which is blindingly obvious, is to have BIND9 forward to a real DNS like Cloudflare instead of the wireless router.  I made the forwarders section in /etc/bind/named.conf.options point to Cloudflare's server at 1.1.1.1.  Voila!  Now I get quick DNS look-ups.  Having both the PiHole and BIND9 running in series must slow things down a little, but it is imperceptible.  All is well now.

Isn't it amazing how relatively good engineering decisions can be completely overwhelmed by missing some obvious details?   Ugh!  (the story of my life)

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
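A per-hop latency check for the chained setup described above (client -> Pi-hole -> BIND9 -> router/upstream), so a slow or timing-out hop shows up directly instead of being guessed at from browser stalls. This is an added example, not from the post or from the Pi-hole or BIND projects; it assumes `dig` is installed, the 500 ms threshold comes from the symptom in the post, and the resolver addresses in the usage line are placeholders for your own Pi-hole, BIND9, router and upstream.

```shell
#!/bin/sh
# Measure DNS query time at each resolver in a forwarding chain by
# querying every hop directly, bypassing the hops in front of it.

# Extract the "Query time" value (msec) from dig's output. Prints nothing
# when dig got no answer (timeout), so the caller can flag that hop.
parse_query_time() {
    printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p' | head -n 1
}

# Classify one latency value. Empty input means the hop never answered;
# 500 ms is the level the post reports as unusable.
classify_latency() {
    case "$1" in
        '') echo "TIMEOUT" ;;
        *)  if [ "$1" -ge 500 ]; then echo "SLOW"
            elif [ "$1" -ge 100 ]; then echo "MEH"
            else echo "FAST"; fi ;;
    esac
}

# Query a single resolver for one A record. +tries=1 +time=2 makes a dead
# hop report within 2 s instead of dig's default multi-retry wait.
measure_hop() {
    resolver=$1; name=$2
    out=$(dig @"$resolver" "$name" A +tries=1 +time=2 2>/dev/null)
    ms=$(parse_query_time "$out")
    printf '%-16s %-8s %s\n' "$resolver" "${ms:-n/a}" "$(classify_latency "$ms")"
}

# Constructed sample of dig output (not a real capture) used for the
# offline self-check when the script is run without arguments.
SAMPLE_DIG_OUTPUT=';; ANSWER SECTION:
example.com.  300 IN A 203.0.113.10

;; Query time: 512 msec
;; SERVER: 192.168.1.11#53(192.168.1.11)'

# Usage: sh dnslat.sh example.com 192.168.1.10 192.168.1.11 192.168.1.1 1.1.1.1
# (placeholder addresses: Pi-hole, BIND9, router, upstream)
if [ $# -ge 2 ]; then
    name=$1; shift
    for hop in "$@"; do measure_hop "$hop" "$name"; done
else
    ms=$(parse_query_time "$SAMPLE_DIG_OUTPUT")
    printf 'self-check: sample shows %s msec -> %s\n' "$ms" "$(classify_latency "$ms")"
fi
```

Run it once against each hop before and after changing the BIND9 forwarders; the hop whose query time jumps (or times out) is the one adding the delay.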