Private and Secure DNS with Pi-hole and Unbound

This section provides detailed configuration guides to help implement a privacy-focused, secure DNS environment using Pi-hole and Unbound. It covers multiple installation approaches and essential security enhancements to protect DNS traffic from unwanted surveillance or manipulation.

Specifically, this type of configuration addresses:

  • Strong privacy with DNSSEC validation: Protecting DNS integrity and authenticity by validating DNSSEC signatures on all queries.

  • Upstream DNS encryption with DNS-over-TLS (DoT): Encrypting DNS queries between your local DNS resolver and upstream DNS servers to prevent eavesdropping and tampering.

  • SELinux compliance for Unbound running directly on the host: Guidance on configuring SELinux policies and booleans to allow Unbound to function correctly on enforcing systems.

  • Docker container isolation when both Pi-hole and Unbound run as containers: Best practices for networking, volume management, and security confinement within Docker environments.

  • Proper firewall and network configuration for DNS leak prevention: Cross-platform instructions for firewall rule configuration to ensure all DNS traffic is forced through Pi-hole and Unbound, blocking any attempts to bypass or leak outside the secured DNS path.


Explanation: Using Unbound with Pi-hole

What is Unbound?

Unbound is a fast, validating, recursive, caching DNS resolver. It can:

  • Query DNS root servers directly, or

  • Forward DNS requests to upstream servers.

Importantly, Unbound supports DNS over TLS (DoT), meaning it can encrypt DNS queries sent to upstream providers, preventing eavesdropping and tampering on the network.

What is Pi-hole?

Pi-hole is a network-wide ad blocker that acts as a DNS sinkhole. It:

  • Intercepts DNS queries from clients,

  • Blocks requests to known ad and tracker domains,

  • Forwards allowed queries to an upstream DNS resolver.

Combining Pi-hole with Unbound

When running them together (often on the same device or local network):

  1. Clients send DNS queries to Pi-hole.

    • Pi-hole filters and blocks ads/trackers.

  2. Pi-hole forwards DNS queries to Unbound.

    • Unbound acts as the upstream DNS resolver.

    • Unbound can itself use DoT for encrypted communication to external DNS servers.

  3. Unbound returns DNS responses to Pi-hole, which forwards them to clients.

This setup provides:

  • Ad-blocking and privacy filtering on the local network (via Pi-hole),

  • Encrypted DNS resolution to the internet (via Unbound’s DoT), protecting DNS queries beyond your network.

Typical Configuration Steps

  • Install Pi-hole on your local device or server.

  • In Pi-hole’s settings, set the upstream DNS server as the IP address where Unbound is running.

    • This could be 127.0.0.1 if both run on the same machine, or a LAN IP of the Unbound host.

  • Install and configure Unbound as a local DNS recursive resolver.

  • In Unbound’s config, set upstream DNS servers with DoT (for example, Cloudflare’s 1.1.1.1@853 or Quad9’s 9.9.9.9@853). Ensure certificate verification is enabled.

  • Make sure Unbound listens on the interface and IP address that Pi-hole sends its queries to.

  • Configure any necessary firewall rules to allow DNS (port 53) traffic from Pi-hole to Unbound, and allow Unbound outbound TCP port 853 to the upstream DoT servers.
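The steps above, worked through as an Unbound configuration file. This is an added example, not a file from the Pi-hole or Unbound projects: the drop-in path, the choice of port 5335 (so Unbound does not collide with Pi-hole on port 53 when both share a host), the trust-anchor and CA-bundle paths, and the two upstream providers are assumptions you should adjust for your distribution.

```conf
# /etc/unbound/unbound.conf.d/pi-hole.conf  (example; path is an assumption)
server:
    # Listen on loopback only. Port 5335 is an assumed choice so that Unbound
    # does not compete with Pi-hole for port 53 when both run on this host.
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no

    # Only Pi-hole on this host may query Unbound; everything else is refused.
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation: the root trust anchor is kept current by unbound-anchor
    # (path is distribution dependent).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    use-caps-for-id: yes
    qname-minimisation: yes
    aggressive-nsec: yes

    # CA bundle used to verify the upstream DoT server certificates
    # (Debian/Ubuntu path; Fedora/RHEL use /etc/pki/tls/certs/ca-bundle.crt).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Do not reveal details about the resolver itself.
    hide-identity: yes
    hide-version: yes

    # Drop upstream answers that point at private LAN ranges (rebinding protection).
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16

forward-zone:
    name: "."
    # Every upstream query goes over TLS on port 853; the name after '#' is the
    # hostname the server certificate must match, so a bad certificate fails hard.
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
    # Forwarding only to these external servers, never back to Pi-hole, avoids a DNS loop.
```

In Pi-hole, set the custom upstream DNS server to 127.0.0.1#5335 and untick every other upstream; a query through Unbound for a deliberately broken DNSSEC domain such as dnssec-failed.org should then return SERVFAIL, confirming validation is active.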

Benefits of this Setup

  • Privacy: DNS queries leaving your network are encrypted in transit, preventing eavesdropping by your ISP or an on-path attacker.

  • Ad and tracker blocking: Pi-hole prevents many unwanted requests, improving privacy and network performance.

  • Control and transparency: Both Unbound and Pi-hole are open source and configurable.

Important Considerations

  • Avoid DNS loops: Ensure Pi-hole sends queries only to Unbound, and Unbound is not forwarding back to Pi-hole.

  • Firewall rules must allow Pi-hole to query Unbound on port 53 and allow Unbound to use port 853 outbound.

  • Optionally, force clients to use Pi-hole by handing it out as the only DNS server via DHCP or by firewall rules, so that DNS traffic cannot leak around it.


By following these guides, you can set up a robust DNS stack that offers enhanced privacy, security, and control, suitable for home or small business networks on a wide range of Linux distributions.