Upstream DNS provider?

Hello,

I am currently installing a Pi-hole for the first time. Just after the installation, the installer asks me to select an upstream DNS provider.

I have found some explanation (https://github.com/pi-hole/pi-hole/wiki/Upstream-DNS-Providers), but it is not really clear what an upstream DNS provider is and what my choice implies here in terms of advertising removal. As I am installing a Pi-hole as a general move out of GAFAM's hands, I am quite surprised that Google is the default choice.

What is an upstream DNS provider and why do I care?

What are the long-term consequences of the choice of an upstream DNS provider (could they change? could they block something? etc.)

What Upstream DNS do you use ?

What would be your advised upstream DNS provider for a noob like me who just wants to remove advertising?

Your PiHole doesn’t by default know much about DNS. All it really does is this:

Systems on your network ask it about a domain.

It checks the block list, and if it finds the domain there, blocks the request.

If the domain isn’t on the block list, it goes to your upstream provider and asks them, and passes the response along to your machine.

Google generally provides a fast DNS service that's reasonably good, reliable and, crucially, accessible to everyone. Most of the included DNS services are like this.

It is possible that any upstream provider you choose could track you, or issue you bad responses for their own gain. For what it’s worth none of the default providers are known for doing this and I’d choose based on speed.

I think I’m using quad9, as I did a DNS speed test when I set up my pi hole and it came out fastest, that’s it.

A different solution is to use unbound. This is a service that you run alongside pihole that will go directly to the authoritative name server for the domain you request, removing Google and cloudflare and the like from the loop. It’s not a setup I’m using so I can’t comment on how difficult it is to set up, or what the performance is like.
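To make the three-step flow in the answer above concrete, here is an added example (not Pi-hole's code, and not from anyone in this thread): a minimal DNS sinkhole that answers names on a constructed gravity-style block list with 0.0.0.0 / :: the way Pi-hole's default NULL blocking mode does, and forwards every other query unchanged to the upstream resolver. The block list contents, the 5353 listen port and the 2-second blocked-answer TTL are assumptions for illustration; the upstream address 9.9.9.9 is just one of the providers named in the thread.

```python
"""Minimal Pi-hole-style DNS sinkhole: block locally, otherwise forward upstream.
Added example, not Pi-hole's code. Standard library only."""
import socket
import struct

QTYPE_A, QTYPE_AAAA = 1, 28
BLOCK_TTL = 2  # assumption: short TTL on blocked answers, like Pi-hole's default

# Constructed gravity-style block list (hosts format or bare domains, '#' comments).
SAMPLE_BLOCKLIST = """
# constructed sample, not a real list
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net
telemetry.example.org
"""


def load_blocklist(text: str) -> set:
    """Parse hosts-style or bare-domain lines into a set of lowercase names."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line.split()[-1].lower().rstrip("."))
    return names


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Standard recursive query (RD set), one question, no EDNS."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(pkt: bytes):
    """Return (name, qtype, qclass, end_offset) for the single question.
    Compression pointers are not valid in a query's question, so they are rejected."""
    if len(pkt) < 12 or struct.unpack("!H", pkt[4:6])[0] != 1:
        raise ValueError("expected a 12-byte header and exactly one question")
    labels, pos = [], 12
    while True:
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        if length >= 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(pkt[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return ".".join(labels), qtype, qclass, pos + 4


def is_blocked(name: str, blocklist: set) -> bool:
    """Gravity matching is an exact-name match; regex/wildcard lists are a separate feature."""
    return name.lower().rstrip(".") in blocklist


def build_block_response(query: bytes) -> bytes:
    """NULL-mode answer: 0.0.0.0 for A, :: for AAAA, empty (NODATA) for anything else."""
    _, qtype, qclass, qend = parse_question(query)
    rd = query[2] & 0x01                                   # echo the client's RD bit
    flags = struct.pack("!H", 0x8080 | (rd << 8))          # QR=1, RA=1, RCODE=0
    rdata = {QTYPE_A: b"\x00" * 4, QTYPE_AAAA: b"\x00" * 16}.get(qtype)
    resp = query[:2] + flags + struct.pack("!HHHH", 1, 0 if rdata is None else 1, 0, 0) + query[12:qend]
    if rdata is not None:  # answer name is a pointer to the question name at offset 12
        resp += b"\xC0\x0C" + struct.pack("!HHIH", qtype, qclass, BLOCK_TTL, len(rdata)) + rdata
    return resp


def resolve(query: bytes, blocklist: set, upstream=("9.9.9.9", 53), timeout=2.0) -> bytes:
    """The whole decision: answer from the block list, or forward verbatim and relay the reply."""
    name, _, _, _ = parse_question(query)
    if is_blocked(name, blocklist):
        return build_block_response(query)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, upstream)          # the upstream sees every non-blocked name
        reply, _ = s.recvfrom(4096)
    return reply


def serve(listen=("127.0.0.1", 5353), upstream=("9.9.9.9", 53)):
    blocklist = load_blocklist(SAMPLE_BLOCKLIST)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(listen)
        while True:
            query, client = srv.recvfrom(4096)
            try:
                srv.sendto(resolve(query, blocklist, upstream), client)
            except (ValueError, socket.timeout):
                pass  # malformed query or upstream timeout: drop it


if __name__ == "__main__":
    serve()  # try: dig @127.0.0.1 -p 5353 ads.example.com
```

The point to notice is in `resolve`: the only thing the sinkhole ever answers on its own is a name that is on the list; everything else goes to the upstream as the same packet the client sent, which is why the upstream choice matters for privacy and not for how much advertising gets blocked.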

Google, Cloudflare, Quad9, OpenDNS, Level3 … These are upstream DNS servers.
Cloudflare's 1.1.1.1 is the fastest DNS server and you can use it.
Or the easiest way is AdGuard's DNS server that blocks ads. Set AdGuard's DNS server IP as DNS1 and DNS2 in your router's DHCP/DNS settings.

For privacy reasons you could be your own upstream provider and query directly from your machine to the authoritative DNS servers with unbound.

I use OpenDNS as my upstream resolver, their filtered servers for IPv4 and IPv6. I want their rapid-response malware blocking and easy to add/remove category blocks (v4 only) if the grandkids are visiting.

v6 addresses: https://support.opendns.com/hc/en-us/articles/227986667-Does-OpenDNS-support-IPv6-

Aside from ones that offer response filtering they are pretty much all the same. Some may snoop on your queries, some may be faster for you but for the most part it isn’t a big deal.

I prefer to use NextDNS as upstream DNS provider. I've written a blog post about DNS providers (Recommended DNS list, domestic and international | Deep Router).

Hi. I’ve set my router to hand out the Pihole IP for DNS as part of DHCP. Pihole then handles the DNS requests. Upstream on the Pihole for me is set to the router IP. So Pihole does the blocking according to the blacklist then hands all other requests back to the router (which I set to whatever external DNS provider I choose).


Performance can be a little slow at first while it caches your queries, and then it outperforms other DNS providers after it has cached your queries.

What is the difference in unbound and DNS over https?

Using it with office and home LAN, it works very smoothly and is very easy to set up (following the Pi-hole guide). Definitely a recommended duo with Pi-hole.

OK. What is the advantage of that compared to other solutions?
How would I achieve that?

I started using it today after it came out fastest in my location. Working well.

Caching isn’t permanent and doesn’t last long since many sites use low TTL these days in case an IP address changes.

I've been redoing a lot of my home network recently. I've actually got my Pi-hole currently turned off, as I've been trying a new router and getting IPv6 working, and I like to start with a small number of moving parts and work my way up.

I'm not sure whether I'm going to run Unbound or DNS over HTTPS yet. But I'm very keen to try Unbound.

Advantage? Not sure, just that this works for my set up.

I used pfSense as a router so I set up DHCP to hand out the IP of the Pi-hole (or in my case Pi-holes - I have 2) for the DNS for all connected devices. If I want to exclude a device I set up a static assignment for that device (via the MAC address) and specify a different DNS, i.e. Google, Cloudflare etc. End result is all devices are sent to the Pi-hole unless I choose to exclude one and send it external without ad blocking.

You will find that TTLs for unbound are typically quite a bit longer than what is provided by a commercial upstream resolver. Examples:

dig bloomberg.com through the following and get the following TTLs:

unbound - 3600
1.1.1.1 - 418
8.8.8.8 - 428
9.9.9.9 - 600
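The TTL difference in the dig results above, and the earlier remark that cache entries do not last long, both come down to the same rule: a cache must hand downstream the remaining lifetime of its entry, not the original TTL. A shared public resolver that fetched bloomberg.com for some other client 3182 seconds ago still has 418 seconds left on that entry, while a local unbound with an empty cache recurses to the authoritative server itself and receives the full 3600. The following is an added example written for this thread, not code from Pi-hole or unbound; the zone data, the 203.0.113.10 address and the 3182-second offset are constructed to reproduce the numbers above, not measurements.

```python
"""Why a recursive resolver reports the full TTL while a shared public resolver
reports the remaining TTL. Added example with constructed data."""


class DnsCache:
    """Cache keyed by (name, type); remaining TTL is what a cache passes downstream."""

    def __init__(self):
        self._entries = {}  # (name, rtype) -> (rdata, absolute expiry)

    def insert(self, name, rtype, rdata, ttl, now):
        self._entries[(name.lower(), rtype)] = (rdata, now + ttl)

    def lookup(self, name, rtype, now):
        """Return (rdata, remaining_ttl), or None when absent or expired."""
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        rdata, expires_at = entry
        remaining = int(expires_at - now)
        if remaining <= 0:
            del self._entries[key]
            return None
        return rdata, remaining


class Resolver:
    """Caching resolver; `fetch` stands in for recursion to the authoritative servers."""

    def __init__(self, name, fetch):
        self.name, self.fetch, self.cache = name, fetch, DnsCache()
        self.upstream_queries = 0

    def query(self, qname, rtype, now):
        hit = self.cache.lookup(qname, rtype, now)
        if hit:
            return hit                                  # served with remaining TTL
        rdata, ttl = self.fetch(qname, rtype)           # fresh: full authoritative TTL
        self.upstream_queries += 1
        self.cache.insert(qname, rtype, rdata, ttl, now)
        return rdata, ttl


def authoritative(qname, rtype):
    """Constructed zone data: bloomberg.com A with a 3600 s TTL, as in the dig output.
    203.0.113.10 is a documentation address, not the real record."""
    zone = {("bloomberg.com", "A"): ("203.0.113.10", 3600)}
    return zone[(qname, rtype)]


def chain_demo():
    """Pi-hole behind a shared public resolver vs Pi-hole behind a local unbound."""
    public = Resolver("public", authoritative)
    public.query("bloomberg.com", "A", now=0)              # another client warmed the shared cache
    _, ttl_via_public = public.query("bloomberg.com", "A", now=3182)   # our query, 3182 s later

    unbound = Resolver("unbound", authoritative)           # local, cold cache: recurses itself
    _, ttl_via_unbound = unbound.query("bloomberg.com", "A", now=3182)
    return ttl_via_public, ttl_via_unbound


def downstream_refetches(upstream_ttl, interval, window):
    """How many upstream fetches a Pi-hole cache needs for one name queried every
    `interval` seconds over `window` seconds when the upstream hands it `upstream_ttl`."""
    pihole = Resolver("pihole", lambda q, t: ("203.0.113.10", upstream_ttl))
    for now in range(0, window, interval):
        pihole.query("bloomberg.com", "A", now)
    return pihole.upstream_queries


if __name__ == "__main__":
    print(chain_demo())                          # (418, 3600)
    print(downstream_refetches(418, 30, 3600))   # short upstream TTL: more refetches
    print(downstream_refetches(3600, 30, 3600))  # full TTL: one fetch serves the hour
```

`downstream_refetches` is the other half of the picture: the shorter the TTL the upstream hands down, the sooner Pi-hole's own cache expires and the more often the upstream sees the same name again, which is the effect described in the thread as caching "not lasting long".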