Raspberry Pi, Pi-hole and Unbound

Setting up a Raspberry Pi 3B+ with Pi-hole and Unbound to serve as our local DNS Server.

What I am trying to achieve:

Information used in this Post

Install Pi-hole

Pretty simple: one line auto-installs Pi-hole:

curl -sSL https://install.pi-hole.net | bash

Install Unbound

sudo apt install unbound

Configure Unbound

Create config file:

sudo vi /etc/unbound/unbound.conf.d/pi-hole.conf

Add content:

server:
    # Without a logfile, Unbound logs to syslog
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    # Listen only on loopback, on a non-standard port that Pi-hole forwards to
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # No IPv6 upstream resolution (set to yes if the Pi has IPv6 connectivity)
    do-ip6: no

    prefer-ip6: no

    # The packaged root hints are used unless a custom file is given here
    #root-hints: "/var/lib/unbound/root.hints"

    # Only trust glue records that are within a server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones; missing data is treated as bogus
    harden-dnssec-stripped: yes

    # Disable 0x20 case randomisation; some upstreams do not handle it correctly
    use-caps-for-id: no

    # Limit EDNS buffer size to avoid IP fragmentation problems
    edns-buffer-size: 1232

    # Refresh popular cache entries before they expire
    prefetch: yes

    # One thread is enough for a small home network
    num-threads: 1

    # Larger receive buffer to absorb bursts of queries
    so-rcvbuf: 1m

    # Never accept private addresses in answers for public names (rebinding protection)
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

Restart the service:

sudo service unbound restart

Unbound should now be able to resolve DNS queries:

dig pi-hole.net @127.0.0.1 -p 5335

Configure Pi-hole

Under Settings, navigate to DNS.

Add our Unbound server as a custom upstream DNS server:

Custom 1 (IPv4): 127.0.0.1#5335

We can now uncheck the Google upstream DNS servers.

Hard coded DNS, DoT, DoH and Firewalls

A device might have its DNS server hard coded, or it might use DNS over TLS (DoT). With a firewall we can force the query to still be resolved by Pi-hole: all outgoing DNS traffic (TCP and UDP) is redirected to Pi-hole.

DNS over HTTPS (DoH) hides DNS traffic inside ordinary HTTPS. The current approach is to block this traffic using an IP list from GitHub.
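The redirect-and-block policy described in the two paragraphs above, written as an nftables ruleset for a Linux router. This is an added example, not configuration from the original post or from the Ubiquiti guide it links; the LAN interface `br0`, the Pi-hole address `192.168.1.2` and the `doh_servers` entries are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: force LAN clients through Pi-hole. Assumed placeholders:
#   br0         = LAN-facing interface of the router
#   192.168.1.2 = host running Pi-hole and Unbound
#   doh_servers = addresses copied from a DoH resolver IP list
#                 (TEST-NET ranges used here as constructed stand-ins)

table inet force_pihole {
    set doh_servers {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.10 }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Hard-coded plain DNS (UDP/TCP 53) from any LAN client other than
        # Pi-hole itself is transparently redirected to Pi-hole.
        iifname "br0" ip saddr != 192.168.1.2 meta l4proto { tcp, udp } th dport 53 counter dnat ip to 192.168.1.2
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # DoT cannot be answered by Pi-hole, so it is rejected; clients that
        # fall back to plain DNS are then caught by the redirect above.
        iifname "br0" ip saddr != 192.168.1.2 tcp dport 853 counter reject with tcp reset
        # DoH is indistinguishable from HTTPS, so known resolver addresses are
        # dropped; the counter and log prefix make bypass attempts visible.
        iifname "br0" ip daddr @doh_servers tcp dport 443 counter log prefix "doh-blocked " drop
    }
}
```

Load with `nft -f` and check `nft list table inet force_pihole`; a rising counter on the DoT or DoH rule shows which devices are trying to bypass Pi-hole.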

The first section (Information used in this Post) links to much more on this topic: how DoT and DoH work, and how to set up a Ubiquiti firewall to redirect the traffic.