How I Set Up Pi-hole and Unbound as My Own DNS Server
When it comes to privacy and control over internet traffic, there’s no better way than setting up your own DNS server. With a combination of Pi-hole for ad-blocking and Unbound as a recursive DNS resolver, you can filter unwanted content and avoid reliance on third-party DNS services. Here’s a breakdown of how I set up Pi-hole and Unbound on my home network.
Why Pi-hole and Unbound?
Pi-hole is a powerful network-level ad blocker that filters traffic and blocks ads across all devices connected to your network. Unbound, on the other hand, is a recursive DNS resolver that queries the internet directly, eliminating the need for third-party DNS services like Google or Cloudflare. Together, they form a robust, privacy-respecting DNS server that reduces latency, enhances security, and blocks ads.
Step 1: Setting Up the Hardware
I decided to install Pi-hole and Unbound on a Raspberry Pi, which is perfect for the job due to its low power consumption and always-on nature. Here's how I got started:
- Hardware requirements: Raspberry Pi (I used a Raspberry Pi 4), a microSD card (8GB or more), power supply, and Ethernet cable.
- OS Installation: I flashed Raspberry Pi OS Lite to the microSD card using the Raspberry Pi Imager tool. This is a lightweight, headless version of the OS that minimizes resource usage.
Once the OS was installed, I connected the Raspberry Pi to my home network via Ethernet and SSH'd into the device for remote access.
Step 2: Installing Pi-hole
First, I updated the system with:
sudo apt update && sudo apt upgrade -y
Then, I installed Pi-hole using the following command:
curl -sSL https://install.pi-hole.net | bash
The installer walked me through a few key configuration steps:
- Network interface: I selected my Ethernet connection (usually eth0).
- Static IP: Pi-hole requires a static IP address for reliable performance, which I configured during the installation.
- DNS provider: I chose not to select any third-party DNS providers because I planned to integrate Unbound later.
- Web interface: Pi-hole offers a web interface for easy management, which I enabled.
After installation, I logged into the Pi-hole admin interface by visiting the Pi’s IP address in my browser.
Step 3: Setting Up Unbound as a Recursive DNS Resolver
The real magic happens when Pi-hole is paired with Unbound, as it allows for direct DNS resolution without third-party involvement. Here’s how I configured it:
- Install Unbound: To install Unbound, I used the command:
sudo apt install unbound -y
- Basic Unbound Configuration: After installation, I set up Unbound to act as a recursive resolver. I created a configuration file at /etc/unbound/unbound.conf.d/pi-hole.conf with the following contents:

    server:
        # Listen on loopback only, on the port Pi-hole will be pointed at
        interface: 127.0.0.1
        port: 5335

        # Use the root servers directly
        root-hints: "/var/lib/unbound/root.hints"

        # Perform DNSSEC validation (the trust anchor file is kept current automatically)
        auto-trust-anchor-file: "/var/lib/unbound/root.key"

        # Allow access from the local network
        access-control: 127.0.0.1/32 allow
        access-control: 192.168.0.0/16 allow

        # Hide DNS server info
        hide-identity: yes
        hide-version: yes

- Download Root Hints: The root DNS servers' addresses are required for Unbound to function. I downloaded them with:
sudo curl -o /var/lib/unbound/root.hints https://www.internic.net/domain/named.root
- Restart Unbound: To apply the changes, I restarted the Unbound service:
sudo systemctl restart unbound
Step 4: Integrating Pi-hole with Unbound
To make Pi-hole use Unbound as its DNS resolver, I logged into the Pi-hole web interface and navigated to the DNS settings. Under “Custom DNS,” I entered 127.0.0.1#5335 (which is where Unbound listens for DNS queries).
This configuration ensures that all DNS requests are resolved directly by Unbound, bypassing external DNS providers.
Step 5: Final Tweaks and Testing
With both Pi-hole and Unbound working together, I performed a few checks:
- DNSSEC Validation: To confirm DNSSEC was working properly, I ran:
dig google.com @127.0.0.1 -p 5335
- DNS Resolution Speed: To test speed, I used dig to check query times. Since Unbound caches queries, subsequent requests were resolved nearly instantaneously.
- Blocklists: I also added some popular blocklists for enhanced ad-blocking, which are easy to manage through the Pi-hole admin panel.
Step 6: Setting Up DNS Forwarding from Unbound to Quad9
In some cases, you might prefer using a trusted DNS provider like Quad9 for enhanced security and performance while still benefiting from Pi-hole's filtering. Quad9 is known for blocking malicious domains, which can add an extra layer of protection to your network. Here’s how I set up DNS forwarding from Unbound to Quad9.
- Modify Unbound Configuration: To forward DNS queries to Quad9, I needed to edit the Unbound configuration file. I opened /etc/unbound/unbound.conf.d/pi-hole.conf and modified it to include the Quad9 DNS servers. Here’s the updated configuration:

    server:
        # Forward all DNS queries to Quad9
        do-ip4: yes
        do-udp: yes
        do-tcp: yes

    # Use Quad9's DNS servers (with DNSSEC validation)
    forward-zone:
        name: "."
        forward-addr: 9.9.9.9            # Primary Quad9 server
        forward-addr: 149.112.112.112    # Secondary Quad9 server

This setup ensures that all DNS queries that Pi-hole sends to Unbound will be forwarded to Quad9 for resolution instead of being resolved from the root servers.
- Restart Unbound: After making these changes, I restarted the Unbound service to apply the new configuration:
sudo systemctl restart unbound
- Verify DNS Forwarding: To confirm that Unbound was correctly forwarding queries to Quad9, I used dig to check DNS resolution. I ran:
dig google.com @127.0.0.1 -p 5335
This command shows the query details, and I verified that Quad9 servers were being used by checking the SERVER section in the output.
- Additional Benefits of Quad9: By setting up DNS forwarding to Quad9, I gained access to their robust DNS filtering for malicious domains and threat prevention while still benefiting from the privacy of using Unbound. Quad9 supports DNSSEC, ensuring that DNS queries are validated for security.
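As an added example for the dig checks in Steps 5 and 6 (not code from the original post), the POSIX shell script below parses dig output and reports whether an answer was DNSSEC-validated (the "ad" header flag) and came from the expected resolver; the dig outputs it uses are constructed samples, and the ;; SERVER: line always names the resolver dig contacted (127.0.0.1#5335), never an upstream forwarder.

```shell
#!/bin/sh
# Added example, not part of the original post: parse the output of
#   dig +dnssec <name> @127.0.0.1 -p 5335
# and check the answer status, the "ad" (authentic data) flag that Unbound
# sets only after successful DNSSEC validation, and the ";; SERVER:" line,
# which names the resolver dig talked to (127.0.0.1#5335), not Quad9.

# check_dig_output EXPECTED_SERVER < dig-output
# Returns 0 when status is NOERROR, the "ad" flag is set and the SERVER
# line names EXPECTED_SERVER; returns 1 otherwise.
check_dig_output() {
    expected="$1"
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$out" | sed -n 's/.*flags: \([a-z ]*\);.*/\1/p')
    server=$(printf '%s\n' "$out" | sed -n 's/^;; SERVER: \([^ (]*\).*/\1/p')
    [ "$status" = "NOERROR" ] || return 1
    case " $flags " in *" ad "*) ;; *) return 1 ;; esac
    [ "$server" = "$expected" ] || return 1
    return 0
}

# Constructed dig outputs (trimmed to the header and SERVER lines).
DIG_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)'

# Same answer but without "ad": the resolver did not validate it.
DIG_NOT_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)'

# What a validating resolver returns for a zone with a broken signature.
DIG_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)'

# Stand-alone run: report each constructed sample; on a live system, pipe
# real dig output into check_dig_output instead.
for sample in DIG_VALIDATED DIG_NOT_VALIDATED DIG_SERVFAIL; do
    eval "text=\$$sample"
    if printf '%s\n' "$text" | check_dig_output 127.0.0.1#5335; then
        echo "$sample: validated answer from 127.0.0.1#5335"
    else
        echo "$sample: not a validated answer from 127.0.0.1#5335"
    fi
done
```

Only the first sample passes; a missing "ad" flag or a SERVFAIL status means the resolver did not hand back a validated answer.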
Step 7: Configuring Ubiquiti UniFi Dream Machine to Use Pi-hole as DNS Server
After setting up Pi-hole and Unbound, the next step was to configure my Ubiquiti UniFi Dream Machine (UDM) to use Pi-hole as the primary DNS server. This ensures that all devices connected to my network benefit from Pi-hole’s ad-blocking and filtering capabilities.
Here’s how I configured it:
- Accessing the UniFi Network Controller: I logged into my Ubiquiti UniFi Controller by opening a browser and visiting the UDM’s IP address, then navigating to the Settings panel.
- Setting DNS for the LAN Network: Under Settings, I clicked on Networks and selected the LAN network that all my devices connect to. In the DNS Server field, I entered the IP address of my Raspberry Pi running Pi-hole (for example, 192.168.1.2).
- Save Changes: After entering the Pi-hole’s IP address, I saved the configuration. The Dream Machine now uses Pi-hole as the DNS server for all devices connected to my network.
- Testing the Configuration: To confirm that devices were using Pi-hole for DNS resolution, I visited a blocked site or checked the Pi-hole admin interface for active queries from the devices on my network. Everything was working smoothly!
Additional Note:
It’s important to disable any other DNS servers or automatic DNS configuration that might override Pi-hole. By using Pi-hole as the DNS server for the UniFi Dream Machine, every device on my network automatically benefits from the ad-blocking and enhanced privacy features without needing to configure each device individually.
This setup gives me centralized control over my DNS traffic while maintaining network-wide ad-blocking.
Conclusion
By integrating Quad9 into my Pi-hole and Unbound setup, I struck a balance between full control and leveraging external DNS threat protection. Quad9 adds a level of security that protects against known malicious domains, while Pi-hole blocks unwanted ads and Unbound ensures privacy by handling all DNS requests internally. By configuring my Ubiquiti UniFi Dream Machine to use Pi-hole, I ensured that all devices in my network benefit from these features seamlessly. This setup is a powerful combination that maximizes privacy, security, and control over internet traffic.