Break free of your ISP's or Google's DNS
I have been using PiHole for some time now and have experimented a bit with the upstream DNS servers. Do I use my ISP’s one or Google’s or any other one out there on the internet? Either choice didn’t feel optimal with respect to our privacy, but what alternative(s) do I have?
I have been doing it all wrong!
This video introduced me to combining PiHole with a local recursive DNS server called Unbound.
So why is using a local recursive DNS doing it RIGHT?
Forwarding vs recursive DNS server
In short, a forwarding resolver just asks somebody else what the IP address of a domain is, while a recursive resolver gets the answer itself by querying the authoritative DNS servers for the requested domain.
The PiHole Unbound guide contains a nice explanation of the difference between using standard PiHole and with Unbound.
Privacy
When forwarding all DNS queries to a single recursive DNS resolver, that resolver gets to see every domain that is requested from that internet connection. So your ISP (or e.g. Google, when using Google's DNS servers) can get a good idea of your interests.
If you use your own, local recursive DNS resolver, all these queries stay inside your network. Only the individual queries to the various authoritative DNS servers leave it, and each of those servers sees just the part that concerns its own zone, never the complete picture.
Network architectures
Most commonly, home users have an internet connection provided by an internet service provider (ISP). The ISP provides the user with a router to which the user's devices connect.
Now, when a user requests e.g. https://familiehopman.net, the domain name has to be resolved to its corresponding IP address. The browser asks the resolver of the operating system, which forwards the query to the resolver of the ISP:
When you use a PiHole in your network, the flow changes a bit. The operating system is given the address of the PiHole for DNS resolution. If the PiHole does not find the requested domain name in any of its loaded black lists, it forwards the request to the DNS resolver of the ISP (or to Google's, if configured that way):
In both situations above, the DNS resolvers in the operating system and in PiHole just forward their request to the DNS resolver of the ISP. The ISP's resolver then recursively resolves the domain name to its IP address.
When combining PiHole with Unbound, the recursive resolver at the ISP is replaced by a local recursive resolver:
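To make the privacy argument of the two sections above concrete, here is an added simulation (my own example for this post, not code from PiHole, Unbound or the linked guide). It models a tiny DNS hierarchy in memory with constructed zone data and documentation-range addresses, resolves the same lookups once through a forwarding resolver and once with a local recursive resolver, and reports which server got to see which query name; the local path also mimics QNAME minimisation, which Unbound enables by default.

```python
from collections import defaultdict

# Constructed zone data (no real servers are contacted): every server maps
# a name either to another server (a referral) or to an address (answer).
ZONES = {
    "root": {"net": "tld-net", "nl": "tld-nl"},
    "tld-net": {"familiehopman.net": "auth-fh", "example.net": "auth-ex"},
    "tld-nl": {"nlnetlabs.nl": "auth-nl"},
    "auth-fh": {"familiehopman.net": "198.51.100.10"},
    "auth-ex": {"www.example.net": "198.51.100.20"},
    "auth-nl": {"nlnetlabs.nl": "198.51.100.30"},
}


def resolve_iteratively(name, seen=None):
    """Local recursive resolver flow: walk root -> TLD -> authoritative.

    Mimics QNAME minimisation: each server is asked only for the labels
    it needs, so the root sees "net", the TLD sees "familiehopman.net"
    and only the authoritative server sees the full name.
    """
    seen = defaultdict(set) if seen is None else seen
    labels = name.split(".")
    server, depth = "root", 1
    while True:
        asked = ".".join(labels[-depth:])
        seen[server].add(asked)          # record what this server observed
        answer = ZONES[server].get(asked)
        if answer is None:
            raise LookupError(f"{server} has no record for {asked}")
        if answer not in ZONES:  # an address, i.e. the final answer
            return answer
        server, depth = answer, min(depth + 1, len(labels))


def resolve_via_forwarder(name, forwarder, seen=None):
    """Forwarding flow (ISP or Google resolver): the forwarder sees the
    full name of every query, then does the recursion on our behalf."""
    seen = defaultdict(set) if seen is None else seen
    seen[forwarder].add(name)
    return resolve_iteratively(name, seen)


def visibility(names, forwarder=None):
    """Return {server: sorted query names it observed} for a set of lookups."""
    seen = defaultdict(set)
    for name in names:
        if forwarder:
            resolve_via_forwarder(name, forwarder, seen)
        else:
            resolve_iteratively(name, seen)
    return {server: sorted(seen[server]) for server in seen}
```

Comparing `visibility(names)` with `visibility(names, forwarder="isp-resolver")` shows the forwarder holding the complete list of names while every other server only sees the fragment it is authoritative for. A real resolver also caches the root and TLD referrals, so those servers see even less than this simulation suggests.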
Docker container solutions
I mentioned earlier that I have been using PiHole for quite some time already. I am using the PiHole docker image and configured my router's DHCP settings to hand out the IP address of the docker host on which this container runs to the devices in my network. This works like a charm.
Ideally, I would like to run Unbound from a docker container as well. It would be perfect if both PiHole and Unbound ran inside the same container. I have searched the internet and found Chris Crowe's one-container solution, which does exactly that.
My docker container solution
Although Chris' solution looks nice, there were some changes I needed/wanted to make for it to work for me:
- docker-compose.yaml refers to a pre-built image published to cbcrowe/pihole-unbound, which has the disadvantage that I have to depend on updates created and pushed to the registry by Chris. At the time of writing, it is already outdated.
- docker-compose.yaml refers to volumes which are not defined in the file itself.
- docker-compose.yaml specifies network_mode: "host", but some ports conflict with other services my machine is running.
- Dockerfile adds a lighttpd configuration file to allow running the PiHole web UI in an iframe. This is not needed for my use-case.
- the Dockerfile is located in a sub-directory. It is more convenient to have it next to the docker-compose.yaml file when building the image directly.
These changes are relative to v5.5.1.
After my customizations, I have the following files in my repository:
.env
.gitignore
Dockerfile
README.md
docker-compose.yaml
start_unbound_and_s6_init.sh
unbound-pihole.conf
Where Dockerfile looks like:
# Start from the official PiHole image and add Unbound on top of it
FROM pihole/pihole:latest
RUN apt update && apt install -y \
    unbound \
    && rm -rf /var/lib/apt/lists/*
# Unbound configuration from the PiHole guide (Unbound listens on 127.0.0.1#5335)
COPY ./unbound-pihole.conf /etc/unbound/unbound.conf.d/pi-hole.conf
# Wrapper script that starts Unbound and then hands over to PiHole's s6 init
COPY ./start_unbound_and_s6_init.sh start_unbound_and_s6_init.sh
ENTRYPOINT ./start_unbound_and_s6_init.sh
And docker-compose.yaml looks like:
version: '2'
services:
  pihole-unbound:
    container_name: pihole-unbound
    build: .                      # build from the Dockerfile next to this file
    image: pihole-unbound:latest
    ports:
      - 444:443/tcp               # web UI, remapped to avoid conflicts with other services
      - 53:53/tcp                 # DNS must stay on 53 for the clients
      - 53:53/udp
      - 81:80/tcp                 # web UI, remapped as well
    environment:
      ServerIP: ${ServerIP}
      TZ: ${TZ}
      WEBPASSWORD: ${WEBPASSWORD}
      REV_SERVER: ${REV_SERVER}
      REV_SERVER_TARGET: ${REV_SERVER_TARGET}
      REV_SERVER_DOMAIN: ${REV_SERVER_DOMAIN}
      REV_SERVER_CIDR: ${REV_SERVER_CIDR}
      DNS1: 127.0.0.1#5335        # Hardcoded to our Unbound server
      DNS2: 127.0.0.1#5335        # Hardcoded to our Unbound server
      DNSSEC: "true"              # Enable DNSSEC
    volumes:
      - ./etc_pihole-unbound:/etc/pihole:rw
      - ./etc_pihole_dnsmasq-unbound:/etc/dnsmasq.d:rw
    restart: unless-stopped
The start_unbound_and_s6_init.sh and unbound-pihole.conf files are used without changes.
Unbound is a Dutch creation
While investigating what Unbound is and how to use it, I found that Unbound is actually a Dutch product! It is created and maintained by NLnet Labs, which is a Dutch charity foundation located in Amsterdam.
It makes me kinda proud that such a nice piece of software is built in my own country!
Conclusion
Having PiHole as an ad-blocker in my network was already a good thing. Being able to combine it with Unbound so easily, and with that improve the privacy of my family, is just great!
February 2, 2021