I currently have a nice long docker compose file that hosts my PiHole V6 container (along with a bunch of other containers); however, the reason I ask this question is because whenever I go to pull an updated image and recreate the container I experience about 20 minutes of no DNS resolution, which to my knowledge is due to the NTP clock being out of sync.

What’s the best way to host a DNS sinkhole/resolver that can mitigate this issue?

Was thinking of utilizing Proxmox & LXC but I suspect I’ll get the same experience.


Update: Turns out PiHole doesn’t support two instances. I got both of them on separate devices and also set the 2nd DNS server in my router’s WAN & LAN DNS settings, which did in fact split DNS between both instances; however, I lost access to my router’s web UI, my Traefik instance & reverse proxies died, and I lost all internet access.

So, don’t do what I did.

Update 2: So everything I said in my first update, let’s disregard that; turns out I had my router forcing all DNS to PiHole server 1, which caused the issues mentioned above.

Two servers appears to work!

  • @Jjoiq@lemmy.world
    3 · 3 days ago

    2 pihole instances, 1 Pi 5 and 1 Pi 4. Keepalived provides VRRP at a set address.

    Instances kept in sync via orbital

    1 goes down the other takes over.

    Quite elegantly.

    • Morphit
      3 · 3 days ago (edited)

      Where do you do DHCP? I had a primary pihole with DHCP enabled and a secondary with a cron job that enabled DHCP if the primary was down or disabled it if the primary was working. The cron job did sync DHCP leases from one to the other but it was a bit janky. I tried to update the secondary to pihole v6 and hosed it so I have no backup for now. I’d like to re-image the secondary and get a better setup - when I have time.

      Edit to say I really wanted to try keepalived - that’s really cool to fail over without clients noticing.

      • @Jjoiq@lemmy.world
        2 · 2 days ago

        On the router.

        My router is locked down so I assign the VRRP address to each client (pain in the ass) but it works.

        PiVPN takes care of WireGuard too.

      • @Jjoiq@lemmy.world
        2 · 2 days ago

        Debian & Ubuntu:

        sudo apt install keepalived
        sudo apt install libipset13

        Configuration

        Find your IP:

        ip a

        Edit your config:

        sudo nano /etc/keepalived/keepalived.conf

        First node:

        vrrp_instance VI_1 {
            state MASTER
            interface ens18
            virtual_router_id 55
            priority 150
            advert_int 1
            unicast_src_ip 192.168.30.31
            unicast_peer {
                192.168.30.32
            }
            authentication {
                auth_type PASS
                auth_pass C3P9K9gc
            }
            virtual_ipaddress {
                192.168.30.100/24
            }
        }

        Second node:

        vrrp_instance VI_1 {
            state BACKUP
            interface ens18
            virtual_router_id 55
            priority 100
            advert_int 1
            unicast_src_ip 192.168.30.32
            unicast_peer {
                192.168.30.31
            }
            authentication {
                auth_type PASS
                auth_pass C3P9K9gc
            }
            virtual_ipaddress {
                192.168.30.100/24
            }
        }

        Start and enable the service:

        sudo systemctl enable --now keepalived.service

        Stopping the service:

        sudo systemctl stop keepalived.service

        Get the status:

        sudo systemctl status keepalived.service

        Make sure to change the IPs and the auth pass.

        Enjoy
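As an added example (not from the post above), a health-check script that keepalived can run through vrrp_script so the VIP moves when pihole-FTL stops answering while the host itself stays up, which is exactly the container-recreation case from the question; the script path and the pi.hole test name are assumptions:

```python
#!/usr/bin/env python3
# Added example: DNS liveness probe for keepalived's vrrp_script.
# Exits 0 when the local resolver answers an A query, 1 otherwise.
# Assumed (not from the post): path /usr/local/bin/dns_probe.py, name pi.hole.
import socket
import struct
import sys

TXID = 0x1234  # fixed transaction id is fine for a local health probe

def build_query(name: str, txid: int = TXID) -> bytes:
    """Wire-format A query: 12-byte header, QNAME labels, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = [lbl.encode() for lbl in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def answer_ok(resp: bytes, txid: int = TXID) -> bool:
    """True only for a matching response with RCODE 0 and >= 1 answer RR."""
    if len(resp) < 12:
        return False
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return rid == txid and bool(flags & 0x8000) and (flags & 0x000F) == 0 and an >= 1

def probe(server="127.0.0.1", port=53, name="pi.hole", timeout=2.0) -> bool:
    """Send one UDP query; False on timeout, ICMP unreachable or a bad answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server, port))
            resp, _ = sock.recvfrom(512)
        except OSError:  # nothing listening (container being recreated) or no reply
            return False
    return answer_ok(resp)

# keepalived.conf additions on BOTH nodes (script root-owned, mode 0755):
#   vrrp_script chk_dns {
#       script "/usr/local/bin/dns_probe.py"
#       interval 2
#       fall 2
#       rise 2
#       weight -60   # MASTER 150-60 = 90 < BACKUP 100, so the VIP moves over
#   }
#   ...and inside vrrp_instance VI_1:  track_script { chk_dns }

if __name__ == "__main__":
    sys.exit(0 if probe() else 1)
```

With the posted config alone, VRRP only fails over when the whole node disappears, not when the Pi-hole container is down for a pull and recreate. Note also that auth_type PASS is carried in cleartext in every VRRP advertisement, so it guards against a misconfigured peer, not against anyone on the same segment.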

  • Shimitar
    3 · 4 days ago

    Running unbound on my opnSense with the appropriate blacklists for ad filtering.

  • @johntash@eviltoast.org
    5 · 4 days ago

    I think something else may be wrong if it breaks for 20 minutes. How long does it take for compose to bring the stack up?

    Also, assuming you run ntpd or chrony, it should always keep your clock in sync.

    • @ohshit604@sh.itjust.works (OP)
      2 · 4 days ago (edited)

      I think something else may be wrong if it breaks for 20 minutes.

      When I originally set up my PiHole many, many, many months ago, when I was still learning the Docker engine, I had little to no issue.

      I don’t know what caused it, either a power outage or network loss, but ever since I’ve been experiencing DNS-related issues (I suspect it’s NTP not syncing); some days I’ll wake up before work realizing “oh shit, I have no internet access” and frantically trying to fix the issue.

      I think I might take the advice of other commenters here and host two PiHole servers on separate devices/stacks; just got to hope my router supports it.

  • @dmtalon@infosec.pub
    5 · 4 days ago

    Spin up a second pihole docker and upgrade them separately so they can fail over to the other one while upgrading. I do not have an issue with a 20 min loss of DNS after updating my pi.hole docker, but I did spin up a second one when I wanted to try unbound+pi.hole and just kept them both up/running.

    • @ohshit604@sh.itjust.works (OP)
      3 · 4 days ago (edited)

      spin up a second pihole docker and upgrade them separately so they can failover to the other one while upgrading.

      Think I’m going to take this advice and put it in action! Thank you!

  • @bigDottee@geekroom.tech
    5 · 4 days ago

    I am running AdGuard Home DNS, not PiHole… but same idea. I have AGH running in two LXCs on proxmox (containers). I have all DHCP zones configured to point to both instances, and I never reboot both at the same time. Additionally, I watch the status of the service to make sure it’s running before I reboot the other instance.

    Outside of that, there’s really no other approach.

    You would still need at least 2 DNS servers, but you could set up some sort of virtual IP or load-balancing IP and configure DHCP to point to that IP, so when one instance goes down it fails over to the other instance.

  • Matt The Horwood
    13 · 4 days ago

    If you run a single DNS server, you will always have downtime when it’s restarted.

    The only way to mitigate that is to run 2 DNS servers.

    I set up my network to use pihole as the first DNS and the router as the second; most of the time pihole is used, unless it’s down.

  • Possibly linux
    1 · 3 days ago (edited)

    I would do a single instance of Pihole. If you need HA there are ways to do that. If you need something more switch to a proper DNS service.

  • @Hexarei@programming.dev
    4 · 4 days ago

    I run my pi-hole on a dedicated Pi, and I pull the updated image first without any trouble. Then after the updated image is pulled, recreating the container only takes a few seconds.

    Dunno what’s broken about your setup, but it definitely sounds like something unusual to me.

    • @ikidd@lemmy.world
      2 · 2 days ago

      Man, I was excited about Technitium, but I’ve had a hell of a time trying to get it to work. I’m not sure if it’s intended to be on a DMZ in order to get TLS working or something, but I’ve not been able to get it to acknowledge a single DNS request, even when I think I’ve shut down DNSSEC entirely.

  • @Lantier@jlai.lu
    8 · 4 days ago (edited)

    For a critical service like DNS, I decided to set it up bare metal on a Raspberry Pi 2 (even a Pi Zero should work). It’s been working fine for years; I just update it from time to time. That way I can mess with my homelab without worrying about DNS issues.

    • @natch@lemmy.today
      3 · 4 days ago

      Funny enough, the Pi Zero uses the CPU from the 3 and the Zero 2 uses the CPU from the 3+, so they’re both more powerful than a 2 anyway :)

      • @486@lemmy.world
        6 · 4 days ago

        Pi Zero uses the CPU from the 3

        No, the original Pi Zero uses the CPU of the Pi1 (only clocked higher). So it is quite a bit slower than a Pi 2, since it has only a single ARMv6 CPU core. Still fine for a DNS server on a typical home network.

        • @natch@lemmy.today
          2 · 2 days ago

          Aha, thank you. Shouldn’t have riffed from memory on that one, I suppose!

          But very much agreed: the Zero series has plenty of beef for a DNS server. Maybe when the 3 comes out I’ll add one as a backup for my 4 server.

  • Higgs boson
    1 · 2 days ago (edited)

    I run Pihole+Unbound, Debian bare metal on a tiny PC. RPi was too unreliable; I was too often dealing with issues.

    My router is the fallback, as it has blocking too.

  • 大きいBOY
    2 · 2 days ago (edited)

    How do you host your DNS sinkhole/resolver?

    Like this, baby:

    services.adguardhome = {
      enable = true;
      mutableSettings = false;
      openFirewall = true;
      settings = {
        dns = {
          # Web Interface
          bootstrap_dns = ["9.9.9.9" "149.112.112.112"];
          upstream_dns = ["https://dns.quad9.net/dns-query"];
          fallback_dns = ["tls://dns.quad9.net"];
        };
        filters = [
          {
            name = "AdGuard DNS filter";
            url = "https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt";
            enabled = true;
          }
        ];
        filtering = {
          blocked_services = {
            ids = [
            ];
          };
          protection_enabled = true;
          filtering_enabled = true;
          rewrites = [
          ];
        };
      }; # closing braces for settings and services.adguardhome restored; the posted snippet was cut off here
    };

    Deploy to the main home server, and the backup instance. NixOS is fucking awesome. No sync tool needed.

    • @Lem453@lemmy.ca
      0 · 2 days ago

      How do I use NixOS for docker? I’ve tried before, but what I want is to be able to pull a docker compose from a git repo and deploy it. I haven’t been able to find an easy way to do that on docker.

      • 大きいBOY
        2 · 1 day ago

        Most of the time you don’t need docker. NixOS isolates runtimes.

        That being said, you could use nix to build the docker container, and then run it using the built-in oci-container options.

      • Morphit
        2 · 1 day ago

        If you have the docker-compose.yml locally, you can nix run github:aksiksi/compose2nix to translate it into a nix file for inclusion in your NixOS system config. I think that could be done in the config itself with a git URL, but I’m not that great at nix. You will surely still need some manual config to e.g. set environment variables for paths and secrets.