Hi guys! So…I have a self-hosted DNS server. Initially I’d use pihole, with unbound, and the more or less basic blocklists. But from time to time things would start acting wonky. Sometimes a reboot would fix it. Sometimes…not really and I was really not sure what was going wrong, but it was clearly DNS. Changing the clients settings from my own server to something like 9.9.9.9 would immediately get it sorted out.
So I went with an adguard server. In the last few days I’ve started to notice weird behaviors. Today I’ve lost the Azure desktop I was connected, and it was very clearly looking like DNS. So I checked…and yup, 9.9.9.9 again would sort it all out. So…I’m not sure what’s going wrong. I’m selfhosting these on an LXC container in proxmox. Nothing else seems to have issues connecting, and I see almost no resources being used. Any ideas? Any other DNS server I might be able to try?
Thanks!
I use pfsense as my router os and run pfblockerng for my filter. Anytime I have some problem I can log in to the router and look at what is being blocked and if necessary whitelist the entry that is being blocked.
I also redirect all dns to my router at the firewall and block dns over https. This means that all dns no matter the settings on the client machine are redirected to the router. Its not fool proof but so far so good.
When I set up opnsense with unbound I switched on detailed logs, just for checking what’s going on and if course I forgot to turn it off, which resulted in horrible overall performance, in particular when the drive filled up and everything broke.
In my experience with unbound, it tends to return expired records in the hope that they are still valid, causing issues with services hosted in the cloud, where IP addresses rotate regularly. What I did was update the
serve-expired-ttlsetting in unbound’s configuration to 3 hours (down from the default 24h)Thanks. I think I might rebuild the pihole-unbound server and try again with this setting.
Any other DNS server I might be able to try?
I use and warmly recommend Technitium DNS. Unlike most other solutions, it uses the root servers by default while still providing an ad blocker, DoH, DoQ etc. - and it does not even require any command-line kung-fu for that (except for the installation, which is one command).
I absolutely second Technitium as well. That thing is rock solid, can be used for basically everything, has blocking with a multitude of options and does provide a nice graphical GUI.
I have it running in a dual DNS setup (main server+a Zimablade nowadays) and that shit just works - it’s the container that has caused the least amount of problems in the last 3 years.
The API is fairly handy and quite easy - I have it integrated into HomeAssistant so I have a “Disable DNS Blocking” button in my “Network control” tab in the app.
The only downside is the fact that initially it can be quite overwhelming, especially if you are not an DNS guru and just did the step from AdGuard/PiHole - but soon you realise that you actually only need a few fields for basic operations.
I have it integrated into HomeAssistant so I have a “Disable DNS Blocking” button
I need that. I already have a bunch of physical buttons on my desk, which do things via Home Assistant, so that’d be an obvious one for me to add next.
Just saw that my way of doing this isn’t actually needed anymore, there is an integration now:
My 2c.
Changing “DNS” won’t fix it. There are two DNS: dnsmasq and unbound (and bind, ok). What else you use doesn’t matter (pihole, adguard, opnSense) at the end of the day it’s always them inside.
In my experience ISPs will block your direct DNS queries overtime, so it might be that. I set up my unbound as caching and forwarding, not as a pure resolver. This fixed all my issues with DNS self hosted. You can forward to 9.9.9.9 if you like it.
Another issue might be with your blocklists of course, your azure might have been temporary listed maybe.
Over time I ended up choosing a very lax blocklist setup due to this reason
In my experience ISPs will block your direct DNS queries overtime,
I have no idea what ISP you’re using, but that’s probably not true. Lots of devices have hard-coded DNS servers and nothing would work if ISPs stated blocking dns upstream queries.
Above some threshold, the one you will cross when filtering port 53 in your network and setup a custom full resolver, it can happen.
I experienced it, it seems they filter excess dns traffic from inside. Probably more a malware/anti spam measure than an actually DNS blocking.
Even if your ISP did have something in place to try and prevent abuse I find it unlikely it would trigger over normal traffic. Do you have a huge network/many hosts/exposed services?
Just a normal 4 people home, two teenagers tough. Enabling a DNS resolver indeed stop working after a few days while setting it up as forwarder to 1.1.1.1 or 8.8.8.8 or pick yours works just fine.
Maybe it’s something else, but when it happens, that’s the feel
Not trying to go down a rabbit hole, nor invade your teen’s privacy, but have you done any kind of packet inspection on what’s going out/in? Teens can surprise you with the kind of stuff they’re up to sometimes.
I’m not sure why your resolver started acting up but what you’re describing doesn’t sound like normal cause/effect. Four people on a residential connection, even if you throw in a ton of electronic devices and iot/crap that calls home constantly shouldn’t cause any kind of ISP engagement.
Not like it really matters, for 99.9% of people having a forwarder is easy and just fine and there isn’t good reason to troubleshoot it if there’s a working solution. I’m pretty privacy conscious and I don’t even think having my own forwarder is worth the hassle, I am just choosy about my upstream.
