I have an asus router with a pi-hole on the network.
I was doing some work on my server and noticed that when pi-hole was down, I couldn’t access the internet. I was looking for some ideas online how to deal with this, but they said to have a second pihole on the network in case one is offline. Is that the only way to do it? Is there any way to have the network go back to normal if the pihole is offline?
I was doing some work on my server and noticed that when pi-hole was down, I couldn’t access the internet.
You’ve opted to take control over a critical piece of network infrastructure. This is to be expected.
There’s a reason DHCP provides for multiple DNS servers to be listed. Having redundant DNS servers is a common setup. So yes, multiple piholes if you want stability.
Just wanted to add onto your comment for clarity for others, the multiple servers are not redundancy so much as first come first serve, which is why your comment of multiple pi-holes is important.
If you were to list a pihole and say Google DNS as primary and secondary respectively, you may have some DNS queries responded to by Google. Negating the point of having a pi-hole or similar DNS service locally.
A secondary can be a docker container, another physical pi-hole (even a zero-w, which I personally don’t recommend being your only way to manage DNS, but is fine when you just need to do some maintenance on the primary).
Could have pihole running on your desktop as a backup
Umm, yea, if your DNS server is offline, how do your machines know how to resolve DNS names to IP addresses?
Which is why IP config has the capability for multiple DNS servers.
If this is surprising, you may wanna read up on your networking.
Why the extra snark? This person is asking a question. Easy to argue that he is trying to learn more about networking, why ostracize?
I think he realized that, he’s looking for a solution though.
One option is just do a temporary change on your PC to different DNS servers while you work on the stuff.
Otherwise a second PiHole set as the secondary DNS in DHCP would keep things online.
Thanks. Yeah, that is what I did during maintenance, but I’m trying to think what happens if I’m gone and my family has issues.
Otherwise a second PiHole set as the secondary DNS in DHCP would keep things online.
No, that just creates time outs and delays when either of them is offline.
The proper way is to have a standby pihole that takes over the IP address of the main pihole when it goes down. It’s quite easy to achieve this with keepalived.
Add another DNS server (1.1.1.1, for instance) to your DHCP options. Your DHCP clients will use 1.1.1.1 when the pi-hole isn’t responsive.
They will also use 1.1.1.1 whenever they want. The order is not guaranteed.
Hosts also tend to use the same one for some time, so if your pihole went down clients may still favor 1.1.1.1 even after it comes back up.
I don’t think this accomplishes what he wants. The router DHCP will assign the second DNS address as you mention, but the devices will select one at random, not as a backup/failover. So what happens is that devices sometimes go through the Pi-hole and sometimes go through the secondary DNS address and receive ads. The only real way I’m aware of is to have a second pi-hole for redundancy. Personally, I decided to use a cloud based service (NextDNS) for this exact reason. I didn’t want my families internet to rely on devices that I host.
I think it depends. In my limited experience, because I have not tested this thoroughly, most systems pick the first DNS adresses and only send requests to the second if first doesn’t respond.
This has lead at least a couple of times to extremely long timeouts making me think the system is unresponsive, especially with things like kerberos ssh login and such.
I personally set up my DHCP to provide pihole as primary, and my off site IPA master as secondary (so I still have internal split brain DNS working in case the entire VM host goes down).
Now I kinda want to test if that offsite DNS gets any requests in normal use. Maybe would explain some ad leaks on twitch.tv (likely twitch just using the same hosts for video and ads, but who knows).
Edit: If that is indeed the case, I’m not looking forward to maintaining another pihole offsite. Ehhh.
It is entirely the case.
DNS queries will go to all on the list, and use whatever responds first.
If you are seeing occasional ad leaks, this is why.
The ONLY DNS server you should have set on your network is a/the PiHole(s).
How many queries a month do you have? I’m at 15 days and I’m already at 750K. Do you pay for your service? I can do that, just curious what is common.
I’m at 30k blocked per day, over 100k queries per day.
This on a small 2 user network, with a handful of machines, but a fucking Samsung TV. That goddamn thing constantly pings all sorts of shit.
If I really restrict it (breaking some stuff on the TV), I can get to 35% of queries blocked per day, mostly from it.
Though nominal blocking kills the ads on the menu system, pretty well, making it much more responsive.
I’m not exactly sure how many queries, but it’s above the free limit. I purchased the pro plan. For $20 a year and it’s been a great service for me. I can send a referral code for 30% off (I think). I think adguard has a similar service.
Wait, but then you cant tell if your device will use pihole even if its up. Afaik primary/secondary dns is not used in that order. I think best way is to set up 2nd pihole
Does it really do that? I thought if pi-hole blocks it, it just says nothing here, normally a pc then looks up your secondary dns and then ads are back at it.
This was my experience when i did that.
Yes, your experience will be different if your DNS is being provided by another kind of DNS resolver. If you want a consistent pi-hole experience (and you can’t avoid downtime of your current pi-hole), add another pi-hole to your network and let that be your secondary DNS resolver.
No, that is not how DNS blocking works. It doesn’t just avoid responding, it responds but with a response that says that the domain does not exist or one that points to a different IP address.
The ONLY DNS server you should have set on your network is a/the PiHole(s).
Except when the ONLY pi-hole is down, which was the original OP’s whole question.
Not sure if this is common knowledge but Pi-hole can also run in a docker container, it doesn’t have to be a raspberry pi. I have it running on portainer on two different machine in my house. I’m a systems architect by trade so there no kill like overkill 😅
You might be a nerd when you have to schedule maintenance at your own house.
one a VM, the other a container, with different upstream targets. I have to schedule maintenance when everyone is asleep or out of the house. I’ll swear one day I’ll have a proper (raspberry pi) cluster with KVM, I just need to finish implementing the other million things I find when I research it.
I totally feel you. I’m in IT and design these incredibly robust systems. But I don’t have that budget for my house and they say “the cobbler’s children have no shoes."
Another trick is setting up a guest/secondary AP that don’t use pi-hole. When your pihole is down, just switch to the secondary AP. Most routers can setup multiple APs, though not all can setup different dns server for the other APs.
Thanks, that might work. I’ll check into it.
I have my pi-hole setup as the upstream DNS in my router, with cloudflare as a secondary DNS. That way, all my devices always use the router for DNS (since that’s what is advertised in my DHCP) and the router then uses pi-hole if it’s available, or cloudflare if it isn’t. But the individual device doesn’t get to choose between different servers.
The vast majority of devices that allow setting multiple DNS servers do not strictly prioritise one over the other even if they label it as primary and secondary.
That’s why I don’t let every device decide individually. I know my router (FritzBox) prioritizes the pi-hole (it’s even called “preferred” and “alternative” DNS-Server in the UI)
Those labels are quite common too with systems that do not prioritize one over the other.
The ONLY DNS server you should have set on your network is a/the PiHole(s).
On Mikrotik I have a script that runs every 30sec. If pi-hole not responding, router switches to public cloudflare dns records, otherwise to pi-hole IP.
This setup works like a charm.
P.S. I am using Blocky, but it’s almost the same as Pi-Hole.
EDIT: Since at least 2 guys asked how to do it:
https://forum.mikrotik.com/viewtopic.php?p=866934#p866934
Don’t forget to configure Mikrotik router to act as passthrough DNS server with cache (for performance) and configure DHCP server’s DNS to router’s IP.
That sounds cool. I’ve never messed with scripts on Mikrotik, but would it be possible to share what you have?
I’m guessing a relatively short DHCP lease time is also in play so devices can get the new DNS address? Or do you have Mikrotik set as the DNS server?
I’ve edited my comment. It contains my used script.
Thank you, I’ll bookmark it for later.
Seconding the request to share your work.
That is an amazing idea you’ve come up with that I never considered, but now I need it.
Aight, let me do it… 😅
I’ve edited my comment. It contains my used script.
Thanks, this looks good, but I’m not sure I can do it on Asus. I’ll look into it.
That’s why you usually have two piholes, or adguard homes
And can even synchronize them
Thanks, I see that is the common recommendation. I also have to think what to do if I’m away and the family has issues.
I appreciate the response.
That’s where having 2 also comes in handy. If one goes down it will still work as if nothing happenedy
You mean 2 piholes or adguard homes, right? That way if one goes down you can still use the other one.
Yes exactly.
I use Nextdns for this reason. DNS is critical for Wife Acceptance Factor
You mentioned you have an Asus router. Which one? Why not move to hosting your stuff on the router? https://www.snbforums.com/forums/asuswrt-merlin.42/ Sure it doesn’t completely solve the issue but in my experience it’s incredibly stable, and more so people expect to restart the router if the Internet isn’t working which simplifies things too. Also beneficial is that you can give different clients different DNS servers comfortably.
Specifically, check out https://diversion.ch/ for dns blocking but its capable of a lot more.
Unfortunately, I don’t think my router is compatible with Merlin.
Thank you, though, I appreciate the feedback.
deleted by creator
ssh into your pi-hole if possible and try using commands systemctl status pihole-FTL Check the status, and if its disabled use the same command but with start instead of status. Also if this this your first time setup, double check that everything you did is correct, like the DNS setting on router, if the devices get the right DNS etc.
Sorry for the confusion, but everything was working fine, I just had to update the server my pi-hole docker container was hosted on and noticed that I lost access to the internet. It works beautifully when the container is up and running.
I have Pihole in a Proxmox LXC Container that does just that. Just Pihole. It is set to automatically restart.
All for that Reason that you just named.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters AP WiFi Access Point DNS Domain Name Service/System HA Home Assistant automation software ~ High Availability IP Internet Protocol LXC Linux Containers PiHole Network-wide ad-blocker (DNS sinkhole)
6 acronyms in this thread; the most compressed thread commented on today has 3 acronyms.
[Thread #481 for this sub, first seen 4th Feb 2024, 14:35] [FAQ] [Full list] [Contact] [Source code]