ad blocking

Why dual DNS? I was thinking dual Pi-Hole is for fail-safe purposes. Share some ideas.
 
Why dual DNS? I was thinking dual Pi-Hole is for fail-safe purposes. Share some ideas.
Yeah you got it. Primary and Secondary DNS. I call it Dual DNS. So my DHCP handout gives the Primary and Secondary DNS IPs as the two Pi-holes. It will act as a fail-safe if one goes down, then the other will answer. Under normal operation it's an 80/20 split between Primary and Secondary with requests.

EDIT: Dashboards of my Pi-holes if anyone is curious.

Primary:

N7KzyI1.png


Secondary:

Gy16z6K.png
 
Why dual DNS? I was thinking dual Pi-Hole is for fail-safe purposes. Share some ideas.
Why not? :D Main reason is redundancy in case one fails. Probably the same reason why there are two DNS fields in the router interface. Redundancy. Like some others here I've been running two Pis (Pi 3B+ and Pi Zero W) with Pi-Hole and Unbound for a while. I typically see around 90/10 or higher split between LAN DNS 1 and LAN DNS 2 requests.

While SD card failure is possible on a Raspberry Pi, if it does happen the other Pi-Hole is there to pick up the slack. Or if one is updating or reconfiguring one Raspberry Pi/Pi-Hole and it crashes (been there, done that) the other will pick up the slack. Pis are relatively cheap. Pi-Hole can be run on the lowly dirt cheap Raspberry Pi Zeros. On the newer Pis one can use USB/SSD boot drives instead of SD cards if one is worried about SD card failure. If one is using an SD card, using Log2RAM can help reduce the writes to the SD card, extending its life span.

As others have posted one can go hog wild and get very aggressive with large block lists (into the millions). I don't. I typically just use the main ones from Firebog.net via jacklul/pihole-updatelists update script.

PiHole.jpg

 
My original post was worded wrong. I was looking for an opinion on using Diversion or AdGuardHome. I do appreciate everyone's replies.
 
Why not? :D Main reason is redundancy in case one fails. Probably the same reason why there are two DNS fields in the router interface. Redundancy. Like some others here I've been running two Pis (Pi 3B+ and Pi Zero W) with Pi-Hole and Unbound for a while. I typically see around 90/10 or higher split between LAN DNS 1 and LAN DNS 2 requests.

While SD card failure is possible on a Raspberry Pi, if it does happen the other Pi-Hole is there to pick up the slack. Or if one is updating or reconfiguring one Raspberry Pi/Pi-Hole and it crashes (been there, done that) the other will pick up the slack. Pis are relatively cheap. Pi-Hole can be run on the lowly dirt cheap Raspberry Pi Zeros. On the newer Pis one can use USB/SSD boot drives instead of SD cards if one is worried about SD card failure. If one is using an SD card, using Log2RAM can help reduce the writes to the SD card, extending its life span.

As others have posted one can go hog wild and get very aggressive with large block lists (into the millions). I don't. I typically just use the main ones from Firebog.net via jacklul/pihole-updatelists update script.

those are rookie numbers :D
1644233137440.png


My AGH home runs in Docker on a Pi (with Unbound), with a sync every 10 minutes of config and stats to another machine. Failover is handled by a script/watchdog that will update dnsmasq and DNS Filter on the router in the case of the primary machine being unavailable.
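
The watchdog approach described in the post above, sketched as an added example (not the poster's script): it probes the primary resolver with a real DNS query and switches only after several consecutive failures, so a single dropped packet does not flip the router's DNS setting. The thresholds, the probe name and the `Watchdog` class are assumptions; the step that rewrites the router's dnsmasq and DNS Filter settings is site-specific and left to the caller.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Encode a minimal DNS A-record query (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def is_valid_reply(data, txid=0x1234):
    """True if data answers our query with RCODE NOERROR or NXDOMAIN."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000) and (flags & 0x000F) in (0, 3)

def probe(server, name="example.com", timeout=2.0):
    """Send one UDP query to server:53; a timeout or socket error counts as down."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name), (server, 53))
            data, _ = s.recvfrom(512)
        return is_valid_reply(data)
    except OSError:
        return False

class Watchdog:
    """Fail over after `fail_after` straight misses; fail back after `recover_after` hits."""
    def __init__(self, fail_after=3, recover_after=5):
        self.fail_after, self.recover_after = fail_after, recover_after
        self.active, self.misses, self.hits = "primary", 0, 0

    def update(self, primary_ok):
        """Feed one probe result; return which resolver clients should be using."""
        if primary_ok:
            self.misses, self.hits = 0, self.hits + 1
            if self.active == "secondary" and self.hits >= self.recover_after:
                self.active = "primary"
        else:
            self.hits, self.misses = 0, self.misses + 1
            if self.misses >= self.fail_after:
                self.active = "secondary"
        return self.active
```

A caller would run `update(probe(primary_ip))` on a timer and change the router configuration only when the returned value differs from the previous one.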
 
For those running dual pi-hole, any recommendations for syncing local DNS entries, white lists etc?

@bennor - While an SSD is overkill for pi-hole, another benefit is that if worried about failure you can monitor the health of it. No guarantees it'll catch things before failure but better than the SD card that has no indications.
 
Diversion works OK for me with little fuss. When I ran Pi Hole with Unbound, AiProtect blocked more threats than ever. Went back to trusty Quad9 and used the Pi for something else. Have not had an AiProtect hit in months.
 
For those running dual pi-hole, any recommendations for syncing local DNS entries, white lists etc?
I'm still in manual mode - not a lot of changes to the block lists once I got mine set, but white lists do change every now and then.

There are a number of sync tools like Gravity Sync and Pi-hole Sync. The Pi-hole sub on Reddit is a good place to check: https://www.reddit.com/r/pihole/
 
The Pi-hole sub on Reddit is a good place to check: https://www.reddit.com/r/pihole/

I never run Pi-Hole on RPi long enough, but the folks there are talking about common yearly SD cards failure issues. I get the dual Pi-Hole idea now. I would run it on mini PC and Ubuntu (for example) for added reliability. I actually had it running on HP 800 Mini at one point, with Unbound. The little guys are very reliable and can be found for about the same price as RPi4 kit. HP 705 Mini (AMD version) are usually cheaper.
 
I currently run Pi-Hole but I like the solution of a MITM HTTPS proxy as well (read: root certs on user devices for SSL inspection). It can remove some pesky JS and YouTube ads as well. Can also set up WPAD and a PAC file with that and set up a web server to serve your root cert. Then you can easily configure each device to essentially have an invisible adblock plugin by proxying web requests.

Edit: Maybe not since SSL inspection can introduce some security holes. Will need to do some more research on this.
 
I never run Pi-Hole on RPi long enough, but the folks there are talking about common yearly SD cards failure issues.
And there are folks like me who are still using the original microSD card in their Raspberry Pi/Pi-Hole more than four years later without (knock on wood) issues. There tends to be a number of factors that go into an SD card failure on a Pi. From using cheap (knockoff) SD cards, to many read/writes. There are ways to backup/clone the SD card so it can be restored to a new card/storage device if a card does go bad. Which leads to another reason to use dual Pi-Holes, take one down to clone it for backup while the other continues to run with no network interruption.
 
I can recommend DietPi, easy setup of either Pi-Hole or Adguard and Unbound as well. Works on different hardware and even VMs.
 
I like the solution of a MITM HTTPS proxy as well

You need much better hardware for this. I'm assuming you want IDS/IPS. It has to be your router/firewall and x86 for Gigabit.

And there are folks like me who are still using the original microSD card in their Raspberry Pi/Pi-Hole more than four years

Yes, with memory logging and high endurance SD cards. I also believe it's possible, but with some extra cost/configuration involved.
 
Yes, with memory logging and high endurance SD cards. I also believe it's possible, but with some extra cost/configuration involved.
Not sure how "high endurance" a dirt cheap ($5) generic 32GB Microcenter branded memory card is that runs my Pi Zero W. The card's been in that Pi for a few years. As to a USB flash drive for boot, I've been using an old 32 GB Sandisk 2.0 USB stick as a boot drive for a Pi 3B+ for a couple of years now. Log2RAM takes only a minute or two post Raspberry Pi OS Lite installation and boot to install. It is only four commands (or five commands manual method) to issue and a reboot then one more command post reboot to ensure Log2RAM is running.
 
2 pihole servers + ublock. Currently run pihole on my own build home server and my NAS, although you basically wanna run it on its own device that does not get any high loads.
I use pihole also as local DNS for network booting from local web addresses.
 
Running Pfblocker on my Pfsense install. Granular control, not in there all the time whitelisting stuff though, not getting too restrictive either. Yeah, ublock origin in the browser too. I tried Pihole for a while on an appliance and loved the interface, if I go to a pure Linux firewall that is probably what I'd run. Since the OP is restricted to ASUS, Diversion works really well.
 
I never run Pi-Hole on RPi long enough, but the folks there are talking about common yearly SD cards failure issues. I get the dual Pi-Hole idea now. I would run it on mini PC and Ubuntu (for example) for added reliability. I actually had it running on HP 800 Mini at one point, with Unbound. The little guys are very reliable and can be found for about the same price as RPi4 kit. HP 705 Mini (AMD version) are usually cheaper.
I have 4 Pi's and apart from the earlier years with cheap(er) cards haven't had an SDCard failure for over 6 years. I found the cheaper 'no-name' cards are not up to it. Spend your money and buy a decent, more expensive San-Disk - they just work.

I also clone mine using dd in Linux, and that works a treat, although sometimes (as all SDCards might be the same size, each could be slightly smaller/larger than advertised) have to use G-parted to shrink the image.
 
those are rookie numbers :D
Daaaaaaammmmmnn.... the only time I got numbers like that is when the Internet cut out and all my devices start going crazy trying to find home.

Latest updates of Pi-hole have excessive DNS query detection to kill that type of stuff when it happens based on a threshold.
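
An added example (not Pi-hole's own implementation) of threshold-based excessive-query detection like that mentioned above: it counts queries per client in fixed time windows from dnsmasq-style log lines and reports the clients that exceed the limit. The log line format, the limit and window values, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# dnsmasq-style query line as found in a Pi-hole query log (format assumed).
LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: query\[[^\]]+\] (\S+) from (\S+)$")
EPOCH = datetime(1970, 1, 1)

def parse(line, year=2022):
    """Return (timestamp, client, name) for a query line, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year, so one is supplied by the caller.
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(3), m.group(2)

def excessive_clients(lines, limit=1000, window=60):
    """Map client -> peak queries in any `window`-second bucket, for peaks above `limit`."""
    buckets = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, client, _ = rec
            buckets[(client, int((ts - EPOCH).total_seconds()) // window)] += 1
    peaks = defaultdict(int)
    for (client, _), count in buckets.items():
        peaks[client] = max(peaks[client], count)
    return {c: n for c, n in peaks.items() if n > limit}

# Constructed sample: one client retrying every 5 s during an outage, one quiet client.
SAMPLE = [f"Feb  8 10:15:{s:02d} dnsmasq[598]: query[A] time.example.com from 192.168.1.50"
          for s in range(0, 60, 5)]
SAMPLE += ["Feb  8 10:15:07 dnsmasq[598]: query[AAAA] example.org from 192.168.1.20",
           "Feb  8 10:15:08 dnsmasq[598]: forwarded example.org to 9.9.9.9"]
```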
 
My 2 cents..
1644366533394.png

1644366565775.png

Dual Pi 3b+, one plain vanilla UI, the other dark theme so I can tell which at a glance. Both with same block list, white list and unbound. These have been up without fail using the same SD card for ~ 9 months.
 
Nice to see so many Dual Pi members.

RISE UP!
 
