PI-Hole not only for blocking adverts! Don't overlook this project for your network

O.K. so this setup will point directly to the root DNS servers? So then it’s not efficient, as I could just go to where that goes, as I learn, the top level domain servers.

Does each server have all of the top level domains or does one list only that letter? So if I were to set OS dns settings, and could only add one or two, I couldn’t add them all then.

You already got it earlier: you want to avoid the root servers because they don’t support DoT, so all your traffic to them is open to scrutiny (otherwise they’re fine). What Quad9, Cloudflare, Google, and on and on provide is a service that queries the root servers on their back end, and more often than not caches those results. On your (front) end of the deal, you send a single query to 9.9.9.9:853 and it is encrypted on the line, and you get back a single (usually) response that is also encrypted.

So, to sum up, the benefits of pointing unbound, bind, etc. at a service rather than relying on the root servers are:

  1. You can use DoT (port 853) with virtually all of the services, hence privacy is improved. Root servers are port 53 only.
  2. You only need to make a single query as they do the backend recursion (whereas, as described above, you need multiple queries - the “recursion” - for the root servers to find “.”, then “com” from there, then “google”, then “maps”).
  3. DNS services are usually local (“anycast” hosts) and hence faster in that regard (I happen to know there’s a Quad9 DNS node like 40 miles from me, no frickin’ idea how close the nearest root servers are, I could traceroute it I suppose).

Oops, should also mention “stubby”, which is a “stub DNS resolver”. Its sole mission in life is to supply DoT service with as small a footprint as possible, so if you’re using dnsmasq or Pi-Hole (which is built on dnsmasq), which do not implement DoT, but do a lot of other nice stuff like DHCP, local domain registration and DNS filtering, then you can run stubby on 127.0.0.1:5453 → 9.9.9.9:853 and point Pi-Hole → 127.0.0.1:5453 (and IPv6 equivalents, of course).

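The stubby → Quad9 → Pi-hole chain described in that post, written out as a configuration example. This is an added illustration, not a config file from the poster or from the stubby or Pi-hole projects; it assumes a stock stubby install reading `/etc/stubby/stubby.yml`, Quad9’s published DoT endpoints (9.9.9.9 / 2620:fe::fe, TLS name dns.quad9.net), and the listen port 5453 the post uses.

```yaml
# /etc/stubby/stubby.yml (added example; assumes a default stubby install)
resolution_type: GETDNS_RESOLUTION_STUB        # forward only, no local recursion
dns_transport_list:
  - GETDNS_TRANSPORT_TLS                        # DoT only: never fall back to plain port 53
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED   # fail closed if the upstream cert/name does not match
tls_query_padding_blocksize: 128               # pad queries so size alone leaks less
edns_client_subnet_private: 1                  # do not hand the client subnet to the upstream
round_robin_upstreams: 1
idle_timeout: 10000                            # keep the TLS session warm between queries

listen_addresses:
  - 127.0.0.1@5453                             # what Pi-hole will forward to
  - 0::1@5453                                  # IPv6 equivalent

upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_port: 853
    tls_auth_name: "dns.quad9.net"             # name the upstream cert must carry
  - address_data: 2620:fe::fe
    tls_port: 853
    tls_auth_name: "dns.quad9.net"
```

In Pi-hole, untick the public upstreams under Settings → DNS and add `127.0.0.1#5453` (and `::1#5453`) as the custom upstream; that is the dnsmasq `server=127.0.0.1#5453` form, so nothing leaves the host on port 53. To confirm the path is actually encrypted, run `dig @127.0.0.1 -p 5453 example.com` and watch outbound traffic while it resolves: only TCP/853 to 9.9.9.9 should appear, and if `tls_authentication` is set to REQUIRED a wrong `tls_auth_name` makes the lookup fail rather than silently downgrade.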

+1 for stubby.

Although I have not tried Unbound yet.
Stubby just works pretty simply.

Absolutely +1, stubby is the most “unix-ish” one of the bunch in that it does just one thing and does it well. That’s my issue with bind, dnsmasq and unbound: they just cram all sorts of stuff into one box and try to make it work, sometimes coming up short. Lots of duplication across the various DNS packages, like many of the “higher level” ones implement full DHCPv4/v6 systems, too. Gah!!!

If you really want simple, look at nsd, which only does authoritative lookups, no recursion. It’s used in some of the internet core DNS root servers. NLnet Labs - NSD - About

I’ve played with nsd on one of my servers just becuz, pointing unbound to it for local domain searches, but that’s just fun and games, serving no real purpose other than education.

I get a fairly local root server response when I use the dig command, maybe 100 miles away or so guessing based on travel time.

Yeah, but then you sacrifice 1) DoT and 2) all those extra packets due to dnsmasq/Pi-hole doing the recursion locally. If you’re using Pi-hole for privacy and not just ad blocking, then you really need to talk DoT to one of the recursors like Quad9. The cost of talking to a recursor 500 miles off for a single packet transaction, versus a 100-mile-away root with three packet transactions, is probably won by the single-query recursor.