One of the first things many home labbers install is Pi-hole, the DNS sinkhole that cleans up unwanted traffic on your network by preventing your devices and browsers from resolving domain names. It's a great program, but because it uses DNS, troubleshooting it when it goes wrong isn't easy.
That also means your network becomes more complicated the moment you connect a Pi-hole instance, and a simple configuration mishap or a failed update can take your network offline. Plus, the SBCs often suggested for running it aren't really up to the task for extended use or when you have many devices on your network. The more complex things get, the more headaches you'll have, but it's not always the Pi-hole's fault.
Setting up a local DNS was one of the easiest improvements I made to my home network
Having local control opens up so many possibilities
Pi-hole as a software package is pretty powerful
The hardware that it's often running on is not
Pi-hole isn't bad software, far from it, but the usual implementation suggestions need revising for more complex network setups. Over the years, it's morphed from a simple DNS-level sinkhole to a more fully-featured DNS solution, with split DNS, custom domains, and more. It's powerful, and even if the UI doesn't expose all the options, you can still use configuration files to bend dnsmasq to your will.
The Raspberry Pi needs to go
The thing is, SBCs like the Raspberry Pi aren't really up to the task. I/O slowdowns to the microSD card, a single gigabit Ethernet link, and varying levels of system resources, depending on which variant you use, all add together to a system that could fail from multiple angles. Before I migrated to more powerful DNS systems, I used Pi-hole in several containers instead, so that it could take advantage of more capable hardware, and it was mostly fine.
Pi-hole
- OS
- Linux
- Price model
- Free
Time to build in redundancy and control
Two (or more) instances synced with Nebula Sync and Keepalived
Having a single DNS server is bad practice, whether you're still using your ISP's, or self-hosting your own. And you should be self-hosting your own in the home lab if you want to create custom records, manage internal DNS zones, or block traffic at the DNS level before it reaches your devices. A single point of failure on any network is bad news, but that's especially true for a service like DNS that every other device relies on.
The fix is to run multiple DNS servers, with synced records between them and something like Keepalived to make the switchover between them transparent to the user. With Pi-hole, Nebula Sync is the way to go for ensuring DNS records are synced between the two instances. You could also add a second DNS server to the mix, maybe Unbound or another popular, easy-to-self-host DNS server.
You don't have to run Pi-hole on its own
While Pi-hole has become more capable over the years, and does far more than simple DNS-level blocking, it's even better paired with an upstream resolver like Unbound. That brings as much of the DNS chain as possible under your control, reducing your reliance on external DNS, whether that's the ISP servers you want to get away from, Google, or major players like Quad9 and Cloudflare.
you don't have to run Pi-hole on its own
The more you run this configuration, the better it gets, as the recursive, caching resolver in Unbound is the first to handle DNS queries after you browse to a new website. And managing DNS locally adds resilience, bolstering the Pi-hole instances that you're also hosting to ensure uptime. It's also going to be easier to manage the local domains for any self-hosted services you've got running, and gives you more tools to use.
5 ways I use Keepalived to make my home network more resilient
Nothing sucks more than having a service go down.
Pi-hole can have issues with DHCP
One thing that can happen with Pi-hole if your network is segmented with VLANs is that it struggles to resolve device names via reverse lookup, leaving you with lists of IP addresses in the logs that make it harder to find out where anything is being blocked. This could be handled by letting Pi-hole handle DHCP, but that's not a good idea for most networks and only adds more complexity that needs manual management.
But since Pi-hole uses dnsmasq, you can use the config files to expose settings the UI doesn't, and get you the human-readable domain names again. Creating a 20-customdns.conf file in the /etc/dnsmasq.d folder and adding the forward and reverse routes for your VLAN setup fixes this permanently; all you need to remember is to add any new VLANs to this file when you create them.
server=/data/10.10.10.1
server=/local/10.10.99.1
server=/guests/10.10.30.1
server=/iot/10.10.20.1
server=/20.10.10.in-addr.arpa/10.10.20.1
server=/30.10.10.in-addr.arpa/10.10.30.1
server=/10.10.10.in-addr.arpa/10.10.10.1
Not only will this give you device names, but it will add the VLAN tag to the end, making administration even easier.
Pi-hole can struggle when your network gets complex, but there's a fix
Pi-hole isn't the tiny project that it used to be. But with that added feature set comes new considerations about complexity, and one of the biggest is that many Pi-hole tutorials tout it as a one-box solution for ad blocking and DNS, without warning that if the box breaks, your browser won't be able to resolve domains. The fix is either to scale your Pi-hole to the complexity by hosting multiple copies that sync, or to move to another DNS solution that provides blocking, like Technitium, Unbound, or PowerDNS.