Awesome video Frank. I now have a clearer understanding about what Unbound actually is. Never really fully understood it. But now thanks to you I do! Have a great day.
Thanks, Tony! I'm glad it helped - I've used it for a while (pfSense uses it by default) and I've had nothing but great experiences with it!
Great video and I've installed and uninstalled pihole and unbound from Casaos a thousand times because it never worked, I always thought that pihole had to have one IP and unbound another IP but no one ever said that. First video that gives a different IP for each one, I'll test it.
Excellent video Frank! This is really taking DNS based privacy to the next level.
Thanks, Avi! Appreciate you watching!
another way to check is to run an online dns leak test... if unbound is working, it should report your own IP address as the DNS
Another great video Frank, thank you!
nice!
I wonder, how would you configure redundant setup with such NAS, plus opnsense/pfsense?
I think unbound is on by default on opnsense/pfsense itself, so just create another pihole instance on another device and point it there?
or would it make more sense to configure both pihole instances to point on both unbound instances?
Just a couple things not mentioned. If you're using pfSense or OPNsense, you can just configure Unbound on your router. And you should never run one instance of Pi-hole. Always run two, and the second one should be on another device, like a Raspberry Pi or in an LXC in Proxmox. If you set up only one on Synology and you reboot your Synology or have a network issue, then your whole network loses internet access.
Agreed - I mentioned the redundancy at the end of the video. The only disclaimer I'd add to the pfSense or OPNsense setup is you need to point Pi-hole to it directly so it's best to modify DHCP to point directly to the DNS servers rather than modifying the pfSense/OPNsense DNS servers.
@WunderTechTutorials Sorry, my bad, I watched most of the video. Should have stayed to the end :)
@WunderTechTutorials I love the way you explain things. Can you do a video on pfSense/OPNsense and firewalls?
Also, there will be sites or devices that use hardcoded DNS... you can monitor this by setting up firewall rules on your router (mine's Synology) to deny traffic to Google DNS on port 53 and see the hits pile up over time... to counter this, first set up an allow rule for your Pi-hole/Unbound servers to port 53, then set up a deny rule below it for all traffic to port 53... at this moment, I see 14% of hits are denied DNS traffic to Google.
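The rule order this commenter describes (allow port 53 only to the Pi-hole/Unbound hosts, then deny all other port 53) can be modelled and run over a few firewall log lines to see which LAN devices have hard-coded DNS. This is an added example, not code from the video or the comment thread; the resolver addresses and the log lines are constructed for the example.

```python
import re
from collections import Counter

# Assumed LAN layout for this example (constructed, not from the video).
LOCAL_RESOLVERS = {"192.168.1.10", "192.168.1.11"}   # Pi-hole, Unbound
PUBLIC_RESOLVERS = {"8.8.8.8": "Google", "8.8.4.4": "Google",
                    "1.1.1.1": "Cloudflare", "9.9.9.9": "Quad9"}

# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOG = """\
src=192.168.1.50 dst=192.168.1.10 proto=udp dport=53
src=192.168.1.51 dst=8.8.8.8 proto=udp dport=53
src=192.168.1.50 dst=192.168.1.10 proto=udp dport=53
src=192.168.1.52 dst=1.1.1.1 proto=tcp dport=53
src=192.168.1.51 dst=8.8.4.4 proto=udp dport=53
src=192.168.1.53 dst=93.184.216.34 proto=tcp dport=443
src=192.168.1.54 dst=192.168.1.11 proto=udp dport=53
"""
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=\S+ dport=(\d+)")

def decide(dst: str, dport: int) -> str:
    """Rule order from the comment: allow the local resolvers on port 53
    first, then deny every other port-53 destination. Non-DNS traffic is
    outside these two rules and passes through."""
    if dport != 53:
        return "allow"
    if dst in LOCAL_RESOLVERS:
        return "allow"      # rule 1: Pi-hole / Unbound
    return "deny"           # rule 2: catch-all for hard-coded DNS

def audit(log_text: str) -> dict:
    """Apply decide() to each DNS flow; report the denied share and which
    source hosts are talking to which public resolver."""
    dns_flows = denied = 0
    offenders = Counter()   # (src, resolver name) -> hits
    for src, dst, dport in LINE_RE.findall(log_text):
        if int(dport) != 53:
            continue
        dns_flows += 1
        if decide(dst, 53) == "deny":
            denied += 1
            offenders[(src, PUBLIC_RESOLVERS.get(dst, dst))] += 1
    pct = round(100 * denied / dns_flows, 1) if dns_flows else 0.0
    return {"dns_flows": dns_flows, "denied": denied,
            "denied_pct": pct, "offenders": dict(offenders)}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

The offenders map is the list of devices to look at: a smart TV or IoT device that keeps hitting a public resolver after the deny rule is in place is the one the comment's second rule is there to catch.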
i need unbound with adguard home. can't make it work
The process should be the same, but you'd have to modify the upstream DNS server to be the Unbound IP.
Loved this thanks
"Error response from daemon: Bind mount failed" 😥 My Synology volume is "Volume 1"... so I changed the compose file to reflect that. Tried "Volume 1" and "Volume1" and the lowercase variants of those. The error suggests it's a path problem, but I don't know how to resolve it.
Bind mount fail would definitely be the volume mount. What is the full path you're using?
I wish you also did a tutorial on Raspberry Pi (not on docker)
Article and video here: www.wundertech.net/use-unbound-to-enhance-the-privacy-of-pi-hole-on-a-raspberry-pi/
@WunderTechTutorials You, sir, earned a sub.
Frank, would it even be more private or secure by adding Stubby to the mix?
I don't know much about stubby unfortunately, but I'll look into it! Thanks for the suggestion!
@WunderTech So I'm trying to understand this setup but it looks like to me this is installing both pihole and unbound. If I already have pihole installed and working; what am I exactly needing to add to get unbound to work properly with what I have already with Pihole?
That's correct - the second block that has the Unbound information is what ultimately creates the Unbound container, but there may be a few other minor modifications you have to make if you compare the docker compose file in this video to the one you're using.
@WunderTechTutorials I went ahead and just reinstalled it the way you had it, but nslookup isn't working as it keeps failing. When I go into Pi-hole and look at the logs, it does show Unbound is catching them with an OK. The replies, on the other hand, are stating SERVFAIL. Any idea what I could have done wrong?
@lilchinito00 The only thing I could guess is the nslookup command is using the wrong port or something if the queries are actually going through on Pi-hole.
@WunderTechTutorials Fixed the issue. Seems like Unbound was attempting to resolve queries using IPv6. I had to disable it for it to start working strictly with IPv4. Hopefully it's meant to do that, but I now no longer get a SERVFAIL. Wanted to mention it here just in case someone else has this particular issue.
Will the NAS still use the .direct QuickConnect connection with Unbound and Pi-hole? Or will it use Synology's relay server?
If you mean that you'd manually configure the DNS server on the NAS to the bridge interface, it should use it no matter how you connect, but keep in mind that's the NAS only.
Anyone know how I can get my Pihole time correct? I'm running a stratum 1 time server on the same network Pihole is on. There's nothing in the GUI and my Pihole time seems to be GMT and not local. Thank you.
I believe there is a "TZ" parameter you can use in the Docker Compose file.
@WunderTechTutorials I figured it out: you simply secure shell into the command line and run setup.
Thanks for your video. Does this procedure work with link aggregation on the Synology NAS? I found some problems in the past with pihole and link aggregation.
I think this will depend on the type of LAG you're using.
When using Adaptive Load Balancing I couldn’t get the mac VLAN working. Others have experienced the same online.
Using IEEE 802.3ad Dynamic Link Aggregation worked fine with a mac VLAN. I think you can only have 1 mac VLAN per interface. I hope that helps
It could certainly be what Nabz commented - are you using Adaptive LB?
I think it is LACP. Not sure if this makes any sense.
When you talk about encrypting DNS queries with Unbound, do you mean between Pi-hole and Unbound? I don't believe that recursive queries are able to be encrypted to the root and authoritative DNS servers.
Either DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH). Unbound supports both, but yes, that's why I said "kind of" in the video, because it's not end-to-end encrypted so someone, somewhere will end up getting the request in plain text.
How does this compare with NextDNS ?
I don't have any experience with NextDNS unfortunately.
You afraid of Twitter now because Elon is scary?
As ironic as it sounds, I'm not a social media guy so while I have one, I never sign into it.