I have an asus router with a pi-hole on the network.

I was doing some work on my server and noticed that when pi-hole was down, I couldn’t access the internet. I was looking online for ideas on how to deal with this, but they said to have a second pihole on the network in case one is offline. Is that the only way to do it? Is there any way to have the network go back to normal if the pihole is offline?

I have Pihole in a Proxmox LXC container that does just that. Just Pihole. It is set to automatically restart.

All for the reason that you just named.

@BearOfaTime@lemm.ee

Umm, yea, if your DNS server is offline, how do your machines know how to resolve DNS names to IP addresses?

Which is why IP config has the capability for multiple DNS servers.

If this is surprising, you may wanna read up on your networking.

Altima NEO

I think he realized that, he’s looking for a solution though.

@Sanguine@lemmy.world

Why the extra snark? This person is asking a question. Easy to argue that he is trying to learn more about networking, why ostracize?

@bartolomeo@suppo.fi

Does it work if you change your DNS server by editing /etc/resolv.conf and having it show exactly one name server like

nameserver 9.9.9.9

?

@chili1553@lemmy.world

I use Nextdns for this reason. DNS is critical for Wife Acceptance Factor.

That’s why you usually have two piholes, or adguard homes

And can even synchronize them

@machinin@lemmy.world
creator

Thanks, I see that is the common recommendation. I also have to think what to do if I’m away and the family has issues.

I appreciate the response.

@B0rax@feddit.de

That’s where having 2 also comes in handy. If one goes down it will still work as if nothing happened.

@bartolomeo@suppo.fi

You mean 2 piholes or adguard homes, right? That way if one goes down you can still use the other one.

@B0rax@feddit.de

Yes exactly.

@EpicVision@monero.town

Use something like AdGuard or NextDNS as your secondary resolver

Check out the comment by @AtariDump@lemmy.world

@lordnikon@lemmy.world

Primary and secondary DNS is not a thing. There is no priority for DNS. Depending on the device it will use either address and will only try the other on failure.

@EpicVision@monero.town

Windows calls them ‘preferred’ and ‘alternate’ DNS servers. That roughly translates to primary/secondary.

@tuhriel@infosec.pub

Yeah, that’s how they are named, my experience showed that the devices used whichever of the two they wanted.

@AtariDump@lemmy.world

It does not.

Possibly linux

What are you asking? It sounds like you need some sort of HA (high availability)

dream_weasel

SSH to the pihole. $ pihole restartdns usually works for me.

@machinin@lemmy.world
creator

Sorry for the confusion, I was just doing maintenance on my home server and so the docker container hosting pi-hole was down. Usually it works beautifully.

BaroqueInMind

If your DNS sinkhole is down, your modem/router/host operating system settings (and even the PiHole itself) should allow a fallback. If you didn’t set that up and don’t know how, then you should consider not using Pihole until you know what you’re doing.

@WindowsEnjoyer@sh.itjust.works

On Mikrotik I have a script that runs every 30 sec. If pi-hole is not responding, the router switches to the public Cloudflare DNS servers; otherwise to the pi-hole IP.

This setup works like a charm.

P.S. I am using Blocky, but it’s almost the same as Pi-hole.

EDIT: Since at least 2 guys asked how to do it:

https://forum.mikrotik.com/viewtopic.php?p=866934#p866934

Don’t forget to configure Mikrotik router to act as passthrough DNS server with cache (for performance) and configure DHCP server’s DNS to router’s IP.
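The same watchdog idea in Python, as an added example that is not the RouterOS script linked above: probe the pi-hole with a real DNS query, treat NXDOMAIN as a healthy reply (a blocked name is still an answer), and hand the forwarder to the public resolver only while the probe fails. The pi-hole address, the fallback and the probe name are assumed placeholders; writing the chosen server into the router's DNS forwarder setting is platform-specific and left out.

```python
import random
import socket
import struct

# Assumed addresses (placeholders, not from the thread): the pi-hole's LAN IP
# and the public resolver to fall back to while it is down.
PRIMARY = "192.168.1.53"
FALLBACK = "1.1.1.1"
PROBE_NAME = "example.com"   # any name the resolver should answer (or block)

def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS A query: header with RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN

def response_is_healthy(resp: bytes, txid: int) -> bool:
    """A resolver counts as up if it returns a matching response whose RCODE is
    NOERROR or NXDOMAIN. NXDOMAIN is what a sinkhole returns for a blocked
    name, so blocking must not be mistaken for an outage."""
    if len(resp) < 12:
        return False
    rid, flags, *_ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:   # wrong transaction id, or QR bit not set
        return False
    return (flags & 0x000F) in (0, 3)

def probe(server: str, timeout: float = 1.0) -> bool:
    """Send one UDP query to server:53 and judge the reply (or its absence)."""
    txid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(PROBE_NAME, txid), (server, 53))
            data, _ = s.recvfrom(512)
        except OSError:            # timeout, unreachable host, ICMP error
            return False
    return response_is_healthy(data, txid)

def choose_upstream(primary_up: bool, primary: str = PRIMARY, fallback: str = FALLBACK) -> str:
    """Forwarder target for this cycle. Writing it into the router's DNS
    forwarder configuration is the platform-specific step not shown here."""
    return primary if primary_up else fallback

if __name__ == "__main__":
    # Run from cron or a systemd timer every 30 s, like the Mikrotik script in the thread.
    print(choose_upstream(probe(PRIMARY)))
```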

Seconding the request to share your work.

That is an amazing idea you’ve come up with that I never considered, but now I need it.

Aight, let me do it… 😅

I’ve edited my comment. It contains my used script.

@machinin@lemmy.world
creator

Thanks, this looks good, but I’m not sure I can do it on Asus. I’ll look into it.

walden

That sounds cool. I’ve never messed with scripts on Mikrotik, but would it be possible to share what you have?

I’m guessing a relatively short DHCP lease time is also in play so devices can get the new DNS address? Or do you have Mikrotik set as the DNS server?

I’ve edited my comment. It contains my used script.

walden

Thank you, I’ll bookmark it for later.

@HybridSarcasm@lemmy.world
mod

Add another DNS server (1.1.1.1, for instance) to your DHCP options. Your DHCP clients will use 1.1.1.1 when the pi-hole isn’t responsive.

They will also use 1.1.1.1 whenever they want. The order is not guaranteed.

Hosts also tend to use the same one for some time, so if your pihole went down clients may still favor 1.1.1.1 even after it comes back up.

@hi_its_me@lemmy.world

I don’t think this accomplishes what he wants. The router DHCP will assign the second DNS address as you mention, but the devices will select one at random, not as a backup/failover. So what happens is that devices sometimes go through the Pi-hole and sometimes go through the secondary DNS address and receive ads. The only real way I’m aware of is to have a second pi-hole for redundancy. Personally, I decided to use a cloud based service (NextDNS) for this exact reason. I didn’t want my family’s internet to rely on devices that I host.

@machinin@lemmy.world
creator

How many queries a month do you have? I’m at 15 days and I’m already at 750K. Do you pay for your service? I can do that, just curious what is common.

@hi_its_me@lemmy.world

I’m not exactly sure how many queries, but it’s above the free limit. I purchased the pro plan for $20 a year and it’s been a great service for me. I can send a referral code for 30% off (I think). I think adguard has a similar service.

@BearOfaTime@lemm.ee

I’m at 30k blocked per day, over 100k queries per day.

This on a small 2 user network, with a handful of machines, but a fucking Samsung TV. That goddamn thing constantly pings all sorts of shit.

If I really restrict it (breaking some stuff on the TV), I can get to 35% of queries blocked per day, mostly from it.

Though nominal blocking kills the ads on the menu system, pretty well, making it much more responsive.

@magikmw@lemm.ee

I think it depends. In my limited experience, because I have not tested this thoroughly, most systems pick the first DNS address and only send requests to the second if the first doesn’t respond.

This has led at least a couple of times to extremely long timeouts making me think the system is unresponsive, especially with things like kerberos ssh login and such.

I personally set up my DHCP to provide pihole as primary, and my off site IPA master as secondary (so I still have internal split brain DNS working in case the entire VM host goes down).

Now I kinda want to test if that offsite DNS gets any requests in normal use. Maybe would explain some ad leaks on twitch.tv (likely twitch just using the same hosts for video and ads, but who knows).

Edit: If that is indeed the case, I’m not looking forward to maintaining another pihole offsite. Ehhh.

@Rooki@lemmy.world

Does it really do that? I thought if pi-hole blocks it, it just says nothing here, normally a pc then looks up your secondary dns and then ads are back at it.

This was my experience when I did that.

No, that is not how DNS blocking works. It doesn’t just avoid responding, it responds but with a response that says that the domain does not exist or one that points to a different IP address.

@HybridSarcasm@lemmy.world
mod

Yes, your experience will be different if your DNS is being provided by another kind of DNS resolver. If you want a consistent pi-hole experience (and you can’t avoid downtime of your current pi-hole), add another pi-hole to your network and let that be your secondary DNS resolver.

@rambos@lemm.ee

Wait, but then you can’t tell if your device will use pihole even if it’s up. Afaik primary/secondary DNS is not used in that order. I think the best way is to set up a 2nd pihole.

@1984@lemmy.today

Yeah this is the next best option, but a secondary pihole is the best, so you still get the dns blocking while the first one is down.

You listed cloudflare now (1.1.1.1) but I prefer https://www.quad9.net/ for the privacy and security.

Bizarroland

If your router has a failover DNS option, usually listed as DNS 2, I would set something like quad 9 as your backup DNS. Address is 9.9.9.9.

If you don’t want to do that, then having a second instance of pihole running as the secondary DNS is pretty much your only good option.

Andi

That’s not how the two entries for DNS work. Devices will use both rather randomly, and therefore some requests will not be filtered.

The best way is to run two instances for redundancy.

Bizarroland

Can you send me some more information on this because this is the first I’ve ever heard that it would not automatically pick the fastest closest and most responsive DNS system available.

No remote DNS server will ever be as fast as one that is local

@Pete90@feddit.de

I tried this. Put a DNS override for Google.com for one but not the other Adguard instance. Then did a DNS lookup and the answer (ip) changed randomly from the correct one to the one I used for the override. I’m assuming the same goes for the scenario with the public DNS as well. In any case, the response delay should be similar, since the local pi hole instance has to contact the upstream DNS server anyway.

Bizarroland

Yeah, looks like you don’t know what you’re talking about.

The second ipv4 DNS address is for redundancy and every network connected system will use the first one as long as it responds.

It’s perfectly fine to have a single pihole and use something like quad9 as a failover in the unlikely event that your pihole goes down unexpectedly.

Encrypt-Keeper

Actually they do know what they’re talking about. Configuring DHCP with multiple DNS servers isn’t for failover, it’s for redundancy. The result is ultimately operating system dependent, but modern Windows operating systems will query all configured DNS servers in parallel and will accept the first answer they receive. So if you configure your Pihole as one DNS server and a public DNS server as a second, a lot of your traffic will just bypass your Pihole ad filtering entirely.

Bizarroland

Proof?

I read 15 different sites about DNS and not a one of them claimed anything like this. They universally all stated that your network attached devices would use the 1st one unless it didn’t respond and only use the 2nd one if the 1st one did not.

So once again, I ask “Can you send me some more information on this” and not just claim it without any backup information?

I apologize if I am coming off rude, just my BS meter is getting close to the red zone and I would really appreciate some reliable evidence.

@B0rax@feddit.de

If what you said was true, my secondary Pi-hole wouldn’t have to respond to any queries. But it in fact gets quite a lot of them. As the other poster has said, it is about 80/20 for 1st and 2nd pihole. Sometimes the ratios are different, depending on the time of day (don’t ask me why….).

Encrypt-Keeper

The best proof would be to just try it yourself and see what happens. Load up Wireshark, make a query, and look at your traffic. Because the problem is there isn’t a single technical article I can point you to that details exactly how DNS resolution works on every device running any given operating system. “Network attached devices” could be anything and so you can’t be certain exactly how each device will operate.

I’ll give you that in the case of Windows devices specifically, Microsoft isn’t good at keeping documentation up to date, and on older versions of Windows it used to work the way you describe. It would send the request to your first DNS server, wait one second for a response, and only if it didn’t get one would it move on to your next one. However in Windows 10 today if I edit my configuration so that I use a local DNS server located at 192.168.69.210 as my “Preferred” DNS server and 1.1.1.1 as my “Alternate” DNS server look what happens:

It sends the same request out to both without waiting and the response from Cloudflare actually comes in before the one from my local DNS server. So if this were a request for a blocked domain, the client would accept the response from Cloudflare because it was received first and so the request wouldn’t be blocked.

Andi

Run two and check the logs. You’ll see about 20% of your requests will log on the second instance. So currently, that’s 20% of your DNS requests not being filtered.

You’ll also find some devices just latch on to the second and never use the first - again, in your scenario, these are not being filtered.

I can back this up with experience.

I’ve been actively running two piholes for years now. About 2/3rds of my traffic does go to the primary and some seem to ‘lock on’ to using just one, but most devices will swap between the two at their leisure.

billwashere

Not sure if this is common knowledge but Pi-hole can also run in a docker container, it doesn’t have to be a raspberry pi. I have it running on portainer on two different machines in my house. I’m a systems architect by trade so there’s no kill like overkill 😅

You might be a nerd when you have to schedule maintenance at your own house.

@Im_old@lemmy.world

One a VM, the other a container, with different upstream targets. I have to schedule maintenance when everyone is asleep or out of the house. I’ll swear one day I’ll have a proper (raspberry pi) cluster with KVM, I just need to finish implementing the other million things I find when I research it.

billwashere

I totally feel you. I’m in IT and design these incredibly robust systems. But I don’t have that budget for my house and they say “the cobbler’s children have no shoes."

Rose56

ssh into your pi-hole if possible and try using the command systemctl status pihole-FTL. Check the status, and if it’s disabled use the same command but with start instead of status. Also if this is your first time setup, double check that everything you did is correct, like the DNS setting on the router, if the devices get the right DNS etc.

@machinin@lemmy.world
creator

Sorry for the confusion, but everything was working fine, I just had to update the server my pi-hole docker container was hosted on and noticed that I lost access to the internet. It works beautifully when the container is up and running.
