As you know by now, Pi-hole is one of my most recommended Raspberry Pi projects: not only does it work great as a network-wide ad blocker, but it keeps getting better. The Pi-hole team is constantly improving it, and the latest improvement is integration with Unbound, which lets you run your own local recursive DNS server and gives you a level of security that has really never been seen in the DIY space.
Integrating Unbound into your Raspberry Pi based Pi-hole system removes your dependency on the middleman recursive DNS servers run by Google, OpenDNS and Cloudflare, which does a couple of things for you. First, it stops you from handing your DNS data to a company that could be using it for any number of reasons, and it also makes you less exposed to attacks on these big-name DNS servers. This level of security and data privacy does not come without a drawback, though: because you are running the recursive DNS server locally, things might slow down a little the first time you load a new website, as Unbound needs to walk the delegation path itself, from the root servers down to the destination. In my testing, however, I have not seen any noticeable decline in speed, and once a site is cached you should not see any difference.
Setting up Unbound with Pi-hole is pretty simple: just follow the steps below. If you already have Pi-hole up and running, you can skip the initial setup steps.
First, what will you need?
- Raspberry Pi 3 B+ (it is nice to start with a kit, as kits typically include a case and power supply)
- MicroSD Memory Card
- Micro USB Power Supply
- Raspberry Pi Case
To begin the installation process you will need a MicroSD memory card and the ability to format it and burn an image to it. I am sure most of you know how to do these steps already, but I will give my recommendations: for formatting I prefer SD Memory Card Formatter for Windows, and to burn the image, Etcher.
Memory Card Preparation:
- Insert the MicroSD memory card into a computer
- Open SD Memory Card Formatter for Windows
- In SD Memory Card Formatter for Windows, select the drive that corresponds to your memory card
- In SD Memory Card Formatter for Windows, click Format and wait for it to finish
- Download the Raspbian disk image from https://www.raspberrypi.org/downloads/raspbian/
- Open Etcher
- In Etcher, select the previously downloaded image
- In Etcher, select the drive that corresponds to your memory card
- In Etcher, click Flash and wait for Etcher to finish
Raspberry Pi Setup:
- From the Raspbian desktop, launch Terminal
- From Terminal, install Pi-hole using the following command
curl -sSL https://install.pi-hole.net | bash
- When the installer has finished, we need to switch over to the FTLDNS beta by running the following commands in Terminal
echo "FTLDNS" | sudo tee /etc/pihole/ftlbranch
pihole checkout core FTLDNS
pihole checkout web FTLDNS
- Once you are on the FTLDNS beta branch you will need to install, configure and run Unbound. Install it, then open its Pi-hole configuration file in nano, paste in the configuration shown below, save it, and start the service:
sudo apt install unbound
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
server:
    verbosity: 1
    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones; if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization, as it is known to sometimes cause DNSSEC issues
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # TTL bounds for cache
    cache-min-ttl: 3600
    cache-max-ttl: 86400

    # Perform prefetching of close-to-expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
sudo service unbound start
- Next we need to configure Pi-hole to use Unbound. This is done through your Pi-hole Admin Console: set the Upstream DNS Server to the Unbound instance you just configured, which is listening on 127.0.0.1, port 5353, entered as 127.0.0.1#5353
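Before pointing Pi-hole at Unbound, it is worth confirming that the resolver is really validating DNSSEC (the purpose of harden-dnssec-stripped above). The following verification script is an added example, not code from the original post or the Pi-hole project. It assumes Unbound is listening on 127.0.0.1 port 5353 as configured above, that dig (package dnsutils) is installed, and that the public DNSSEC test names sigok.verteiltesysteme.net and sigfail.verteiltesysteme.net are reachable; the constructed dig header samples at the bottom let the classifier be exercised without network access.

```shell
# Added verification helper, not from the original post or the Pi-hole project.
# Assumes Unbound listens on 127.0.0.1:5353 as in the config above and that dig
# (package dnsutils) is installed; sigok/sigfail.verteiltesysteme.net are public
# DNSSEC test names, and their reachability is an assumption.
UNBOUND_IP="${UNBOUND_IP:-127.0.0.1}"
UNBOUND_PORT="${UNBOUND_PORT:-5353}"

# Classify one dig response read from stdin:
#   validated   NOERROR with the AD (authentic data) flag: signatures checked
#   bogus       SERVFAIL: the resolver refused a broken signature chain
#   insecure    NOERROR without AD: unsigned zone, or no validation happening
#   unexpected  anything else (resolver down, wrong port, ...)
dnssec_verdict() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR) case " $flags " in
                     *" ad "*) echo validated ;;
                     *)        echo insecure ;;
                 esac ;;
        SERVFAIL) echo bogus ;;
        *)        echo unexpected ;;
    esac
}

# Ask Unbound directly (bypassing Pi-hole) with the DO bit set.
query_unbound() {
    dig +dnssec "$1" "@$UNBOUND_IP" -p "$UNBOUND_PORT"
}

# Live check: a validating resolver answers sigok with AD and sigfail with
# SERVFAIL. Any other pair means validation is not happening (check
# harden-dnssec-stripped and that /var/lib/unbound/root.hints exists).
check_live() {
    ok=$(query_unbound sigok.verteiltesysteme.net | dnssec_verdict)
    bad=$(query_unbound sigfail.verteiltesysteme.net | dnssec_verdict)
    echo "sigok:   $ok (expected validated)"
    echo "sigfail: $bad (expected bogus)"
    [ "$ok" = validated ] && [ "$bad" = bogus ]
}

# Constructed dig header lines (not real captures) to exercise the classifier offline.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it on the Pi as `sh check-unbound.sh --live`; a sigok result of insecure rather than validated means Unbound is answering but not validating, which is exactly the condition the hardening settings are meant to rule out.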
Hopefully many of you are using Pi-hole, as I cannot possibly recommend it enough. If you are, please let me know your thoughts on using Unbound as your own local recursive DNS server in conjunction with Pi-hole in the comments below.
I am passionate about the IoT and connected devices. Using connectivity to automate our lives will empower civilization to achieve greatness.