STFN

How to make Pi-hole even more private and secure by switching to Unbound and adding extra blocklists


This is the next episode in my series on using Pi-hole, the previous ones are:

WireGuard and PiHole for secure ad blocking on your smartphone
Using PiHole and Tailscale to block ads on all my devices, including mobile

Wait, I just saw it took me three blog posts to realize that Pi-hole is written with a hyphen :O

A few weeks ago, my part of the Fediverse was full of discussions about DNS that were sparked by the DNS4EU controversy. Not going into details: a new service was announced, claiming to provide DNS that is EU-based and adheres to EU privacy laws. And it turned out that, most probably, their way of operating is not as clear as they say. There is a very good writeup on this, which I recommend reading.

BTW, the Fediverse is the only social medium where DNS is a hot topic. And that’s what I love about it, never change Fedi <3

That discussion made me realize that even though I use Pi-hole as my DNS server, its upstream (upstream meaning the next server it queries) is still Google. When my devices send a request to resolve the IP address of a particular site for the first time, Pi-hole forwards it to Google’s DNS server, 8.8.8.8. And I do not like that.

At first I switched my upstream DNS to Quad9, which was suggested several times in the threads about DNS4EU. It worked just fine, I saw no issues with my day-to-day internet browsing, and changing the upstream DNS from Google to Quad9 is a matter of two clicks in the Pi-hole settings.

Pi-hole DNS settings, switching from Google to Quad9 means changing one checkbox

But as usual with computer stuff, there is still one level more. When I mentioned on my Fediverse account that I had moved to Quad9, a few people suggested moving to Unbound instead. I had heard that name a few times before but never got around to trying it. So, why not take it for a spin now? And so I did.

Unbound

Unbound describes itself as a validating, recursive, caching DNS resolver. The official explanation of what that means can be found in the docs, but in short, the way I understand it, it means that Unbound does not send all queries to a single upstream server, but divides them per domain. So, for example, to get the IP address of a .com domain it asks the .com DNS servers, and for a .net domain it asks the .net DNS servers. Unbound also keeps a local cache of all the queries that went through it to speed up subsequent queries, and "validating" means it checks DNSSEC signatures on the answers it gets. All that makes the user's internet life more private, as there is no single server that knows about all the queries a single user is making.
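To make that division of work concrete, here is a toy model of a recursive, caching resolver. It is added for this post and is not code from Unbound or Pi-hole; every server name and address in it is made up. It walks from the root to the authoritative server, caches both final answers and the referrals it learned on the way, and records which server was asked about which name.

```python
from collections import defaultdict

# Constructed stand-ins for the root, TLD and authoritative name servers.
# A value that names another server is a referral; anything else is the answer.
SERVERS = {
    "root":          {"com.": "tld-com", "net.": "tld-net"},
    "tld-com":       {"example.com.": "ns-example"},
    "tld-net":       {"example.net.": "ns-examplenet"},
    "ns-example":    {"www.example.com.": "192.0.2.10", "mail.example.com.": "192.0.2.25"},
    "ns-examplenet": {"www.example.net.": "198.51.100.20"},
}

def _covers(suffix, name):
    return name == suffix or name.endswith("." + suffix)

class ToyRecursiveResolver:
    def __init__(self):
        self.answers = {}                 # name -> address (cached final answers)
        self.delegations = {"": "root"}   # suffix -> server to ask (cached referrals)
        self.seen = defaultdict(list)     # server -> names it was asked about

    def _ask(self, server, name):
        """Query one server; it answers with the longest suffix it knows."""
        self.seen[server].append(name)
        for suffix in sorted(SERVERS[server], key=len, reverse=True):
            if _covers(suffix, name):
                return suffix, SERVERS[server][suffix]
        raise LookupError(f"{server} has no data for {name}")

    def _closest_known_server(self, name):
        """Start from the deepest cached referral, falling back to the root."""
        best = ""
        for suffix in self.delegations:
            if suffix and _covers(suffix, name) and len(suffix) > len(best):
                best = suffix
        return self.delegations[best]

    def resolve(self, name):
        if name in self.answers:          # cache hit: no server sees this query
            return self.answers[name]
        server = self._closest_known_server(name)
        while True:
            suffix, result = self._ask(server, name)
            if result in SERVERS:         # referral: remember it, then follow it
                self.delegations[suffix] = result
                server = result
            else:                         # final answer: cache it and return
                self.answers[name] = result
                return result
```

After the first .com lookup the root is never asked about .com names again, and a repeated name never leaves the cache; a real resolver with QNAME minimisation sends each server only the labels it needs for a referral, so the root and TLD servers see even less than this model shows.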

Installation and usage

Pi-hole provides an excellent guide on how to install Unbound and configure it so that it talks to Pi-hole. I don't think it makes sense to rewrite it here, so just go and follow it. The whole process took me maybe 20 minutes from start to finish.

In my case, I installed Unbound using apt on the same VPS that my Pi-hole is running on. It has been running for almost a week now and I have not seen any degradation in speed or anything else. I think there is a tiny, tiny increase in the VPS's load, by 2-3%, but I cannot say for sure. Still, my basic Hetzner VPS's load rarely ever goes above background noise.

After installation I set the log level to 3, just to see what happens, and yeah, it's not a level to keep indefinitely: in 24 hours the logs grew to around 150MB. I changed the log level to 1 and the logs stopped growing like mushrooms on a wet autumn day.
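A small audit script, added here and not part of Pi-hole's guide or of Unbound, that parses the server: section of an Unbound config and flags a verbosity that floods the log and an interface setting that would expose the resolver beyond the VPS. The sample configuration is constructed, and the expected values (port 5335, the harden-* options) are my recollection of the Pi-hole guide, so treat them as assumptions.

```python
# Constructed sample in the style of /etc/unbound/unbound.conf.d/pi-hole.conf;
# the path and the expected values follow the Pi-hole guide from memory (assumption).
SAMPLE_CONF = """\
server:
    verbosity: 3              # the setting that grows the log by 150MB a day
    interface: 0.0.0.0        # listens on every address of the VPS
    port: 5335
    do-ip6: no
    harden-glue: yes
    harden-dnssec-stripped: yes
    edns-buffer-size: 1232
    prefetch: yes
"""
LOOPBACK = ("127.0.0.1", "::1")

def parse_server_section(text):
    """Return {option: value} for the indented 'key: value' lines under server:."""
    options, in_server = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()           # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                      # a top-level clause
            in_server = line.strip() == "server:"
            continue
        if in_server:
            key, _, value = line.strip().partition(":")
            options[key.strip()] = value.strip()      # repeated keys: last wins
    return options

def audit(options):
    """List settings to change; an empty list means the section looks sane."""
    findings = []
    if int(options.get("verbosity", "1")) > 1:        # Unbound's default is 1
        findings.append("verbosity > 1: every query is logged and the log grows fast")
    iface = options.get("interface")                   # unset means localhost only
    if iface is not None and iface not in LOOPBACK:
        findings.append(f"interface {iface}: bind to 127.0.0.1 so only Pi-hole on "
                        "this host can use the resolver, not the whole internet")
    if options.get("port") != "5335":
        findings.append("port: 5335 keeps Unbound off port 53, which Pi-hole uses")
    for opt in ("harden-glue", "harden-dnssec-stripped"):
        if options.get(opt) != "yes":
            findings.append(f"{opt}: set to yes (hardening the Pi-hole guide turns on)")
    return findings
```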

Adding extra blocklists to Pi-hole

As I was digging around Pi-hole while setting up Unbound, I started thinking about adding additional blocklists apart from the default one.

I did some searching and came across a Reddit thread about where to find blocklists. One source that was mentioned several times was a GitHub repository from a user called Hagezi, and this is what I went with.

I added the Multi PRO++ list to Pi-hole and the results for me are mixed. I have not seen any change when browsing the Internet using the web browser, mostly because in my Firefox, uBlock Origin already removes basically all shady stuff before it is resolved by DNS.

What I did observe, however, is more blocking of desktop and mobile apps calling home, as seen in the screenshot below. Mostly mobile; I was surprised how often Revolut is doing "stuff".

My top blocked domains from a period of light phone use. Still, mobile apps take the lead

I did not see any false positives yet, but then again, I don’t visit that many “controversial sites”.

All in all, the percentage of blocked requests in Pi-hole changed from around 1.5% to 4%, but it fluctuates based on how much I use my phone, for the reasons I explained above.

And that's it. I have to say that the combination of Firefox, uBlock Origin and Pi-hole does wonders and makes the experience of browsing the Internet bearable again.

Thanks for reading!
