JP Vossen via plug on 16 Apr 2022 12:25:21 -0700



Re: [PLUG] Pi-Hole, BIND9, & Latency - Big Mistake


In that case, I've lived...well.  :-)

But maybe better: if you're not failing you're not working/learning.

I do a lot of the same things that Casey does, for the same reasons.  But for this one I just added the Pi-hole as a VM from the start, and made it the upstream of BIND9 (only thing in "forwarders"), that way I only had to change 1 thing (BIND) and not all the clients.  Then the Pi-hole goes to...<goes and looks>..."OpenDNS (ECS)" and Cloudflare.

That works great...except.
1. I have egress rules so clients HAVE to use my DNS and thus the pi-hole...unless they configure DNS-over-HTTPS in, say, Firefox.  Which is how my wife is configured because:
2. Pi-hole blocks the hell out of a lot of coupon and related (tracking) sites...because that's its job.  But that makes my wife sad because she likes deals.  So...
	2.1 DNS-over-HTTPS
	2.2 She has the pi-hole password and can turn it off on a timeout (timein?)
	2.3 Sometimes we cut off wifi and go on data for things on phones

The other semi-related and really annoying thing is that the kid's school Chromebooks do all kinds of crazy crap, so I finally had to totally bypass my firewall egress rules and allow them any/any/any.  That makes ME sad.  To make matters worse, those Chromebooks are configured to randomly change MACs, which means that my DHCP server periodically sees them as "new" so they get a new IPA and it all breaks until I go update the FW rules.  I get why they do that, and in theory it's good, but it makes me sad that that feature breaks the hack that I have to have in MY security because the school wants to do its things its way (which I also get).  I should re-architect my network to have a zero-trust, wide open segment for crap like that.  Well...one of these years...


On 4/16/22 13:31, Keith C. Perry via plug wrote:
File under, "you-have-not-lived-until-you-have-done-something-that-humbled-you"  :D

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.
Managing Member, DAO Technologies LLC
(O) +1.215.525.4165 x2033
(M) +1.215.432.5167
www.daotechnologies.com <http://www.daotechnologies.com/>

*From: *"Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
*To: *"Philadelphia Linux User's Group Discussion List" <PLUG@Lists.PhillyLinux.org>
*Sent: *Saturday, April 16, 2022 7:11:30 AM
*Subject: *[PLUG] Pi-Hole, BIND9, & Latency - Big Mistake

Hey kids, don't make the same stoopid mistake I made.  I really messed up when I combined PiHole and BIND9 on my home network.  I had DNS latencies of 500 milliseconds or more, with lots of timeouts.  Ugh!  [spoiler: I figured it out and it works great now]

For over a decade, I've been using BIND9 for my internal home network.   Yeah, I coulda just used a simple */etc/hosts* file, but what fun is that?  Figuring out BIND9 and getting it running was a rewarding technical challenge.  Challenging, but with the plethora of documentation on the internet, it's a very doable task.

For the past year or so, I've been running PiHole to suppress ads.  I had shut down BIND and replaced it with PiHole running on an old Raspberry Pi I had lying around.  It worked great, and I eventually migrated it from the Raspberry Pi to a Debian VM on my main server.   This way I'd get the advantage of PiHole software, with the maintainability and speed of a Debian virtual machine.
...


Later,
JP
--  -------------------------------------------------------------------
JP Vossen, CISSP | http://www.jpsdomain.org/ | http://bashcookbook.com/
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
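The two pieces of the setup JP describes above (BIND9 forwarding only to the Pi-hole, and gateway egress rules that force LAN hosts to use the local resolver) rendered as config, with the DNS-over-HTTPS hole and the MAC-randomisation problem called out where they bite. This is an added example, not code from anyone in the thread. It assumes a Linux gateway separate from the BIND/Pi-hole hosts, nftables on that gateway, and made-up values: Pi-hole at 10.0.0.53, LAN on eth1 (10.0.0.0/24), WAN on eth0. Clients talk to BIND and BIND talks to the Pi-hole on the LAN, so only the Pi-hole ever needs port 53 through the gateway.

```shell
#!/bin/sh
# Added example (not from the PLUG thread). Renders a BIND9 forwarders
# stanza and an nftables DNS egress ruleset for the topology
#   clients -> BIND9 -> Pi-hole -> upstream resolvers
# All addresses and interface names are assumptions for illustration.
set -eu

# render_bind_forwarders PIHOLE_IP
# "forward only" means BIND never falls back to full recursion: if the
# Pi-hole is down, clients get SERVFAIL instead of silently bypassing it.
render_bind_forwarders() {
    pihole="$1"
    cat <<EOF
options {
    forwarders { ${pihole}; };
    forward only;
};
EOF
}

# render_nft_dns_egress LAN_IF WAN_IF LAN_SUBNET PIHOLE_IP
# Only the Pi-hole may send DNS to the internet; everything else from the
# LAN that tries plain DNS (53) or DNS-over-TLS (853) is counted and dropped.
render_nft_dns_egress() {
    lan_if="$1"; wan_if="$2"; lan_net="$3"; pihole="$4"
    cat <<EOF
table inet dns_egress {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # The Pi-hole (${pihole}) is the only LAN host allowed to reach
        # upstream resolvers directly.
        iifname "${lan_if}" oifname "${wan_if}" ip saddr ${pihole} udp dport 53 accept
        iifname "${lan_if}" oifname "${wan_if}" ip saddr ${pihole} tcp dport 53 accept

        # Everyone else in ${lan_net}: plain DNS and DNS-over-TLS to the
        # internet are dropped. "counter" makes bypass attempts visible in
        # "nft list ruleset".
        iifname "${lan_if}" oifname "${wan_if}" ip saddr ${lan_net} udp dport 53 counter drop
        iifname "${lan_if}" oifname "${wan_if}" ip saddr ${lan_net} tcp dport 53 counter drop
        iifname "${lan_if}" oifname "${wan_if}" ip saddr ${lan_net} tcp dport 853 counter drop

        # Not expressible here: DNS-over-HTTPS shares TCP/443 with ordinary
        # HTTPS, so a browser configured for DoH (the Firefox case in the
        # thread) walks straight past these rules. Per-device exceptions
        # keyed on client IP also break as soon as a device randomises its
        # MAC and picks up a new DHCP lease.
    }
}
EOF
}

# Optional demo: set DNS_EGRESS_DEMO=1 to print both fragments. Feed the
# BIND stanza to "named-checkconf" and the ruleset to "nft -c -f" (needs
# root) to syntax-check them before deploying.
if [ "${DNS_EGRESS_DEMO:-}" = "1" ]; then
    render_bind_forwarders 10.0.0.53
    echo
    render_nft_dns_egress eth1 eth0 10.0.0.0/24 10.0.0.53
fi
```

Run with `DNS_EGRESS_DEMO=1 sh dns_egress.sh` to see the output; the BIND stanza goes into named.conf.options and the ruleset into an nftables include file on the gateway. The comment in the forward chain is the check a practitioner wants: the rules stop port-53 and port-853 leakage, nothing more.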