DNS options - ADguard Home Vs PiHole Vs Technitium

Starting to look at DNS options again with the above options, anyone had particular experiences of them? I’ll be spinning up instances of them on the virtual server to have a further look.

At present pfSense is handling external DNS requests with upstream TLS DNS servers. I have conditional forwarding rules to other zones I have internally.

I have AD on one VLAN for personal testing and such, Synology is hosting another zone.

So thought was to have one of the above services running on a VM / Raspberry Pi.

I just use QUAD9 which I know does not do any ad filtering but I use uBlock Origin (gorhill/uBlock on GitHub) for that.


pfBlockerNG for pfSense also provides this functionality - if you already have pfSense deployed you may want to use that.

I use Adguard Home. Its block lists are great but it can’t deal with threat actors (surprisingly there are a lot of those for DNS servers) and it’s really lacking in logging (so no way to do it yourself with fail2ban or crowdsec) so you can’t have it exposed to the open internet.

I had people trying to cause memory overflows pretty constantly when I had it public to make it easy for phones to use. The software handled it well and didn’t have security issues but the logs of the failed events would fill the disk on a tiny VPS almost immediately and there was no way to turn them off in the software or block the malicious users. No data about requesting clients is logged to preserve anonymity (a good thing), but that also included malicious users so there is no way to block them outside of Adguard either. I believe most other DNS software that isn’t made for enterprise (e.g. PiHole) have similar issues.

Otherwise it works really well for home use-cases. It’s really easy to set up and use whatever blocklists float your boat. It gives you all of the options on how to perform the block you could want (e.g. NXDomain vs returning 0.0.0.0 vs others) and I’ve only had one thing get blocked that probably shouldn’t have been in the past several years (Alexa devices couldn’t respond to anything without the blocked endpoint).

I do the exact same.

Why would you expose your own DNS server(s) to be accessed from the Internet?

Cell phones really didn’t like staying on VPNs at the time. Still don’t really. Having an adblocking VPN allowed everyone in my family to use their phones without constant ad spam in every app even if they weren’t tech savvy enough to understand needing to turn the VPN on first.

Something sounds odd. Either they use your VPN and so you don’t need to expose your DNS to the Internet, as it is accessed through the VPN. Or you expose your DNS server, then they don’t need to use a VPN to access it…

They don’t understand VPNs or the need to turn them on at all, let alone know enough to recognize that DNS is acting up because their VPN got randomly turned off by the phone. When I had it public they could still use my DNS server when on the cell network or an outside WiFi, now only I can.

I do have their home routers set up on the VPN and using my DNS for the most part, so they at least get adblocking when they’re home.

Starting to revisit DNS options and considering the usual suspects: AdGuard Home, Pi-hole, and Technitium. I’ll be spinning up instances of each on a virtual server to compare them more hands-on.

Currently, pfSense handles external DNS with upstream TLS servers. I also use conditional forwarding rules for internal zones — AD is running on one VLAN for testing, and Synology hosts another internal zone.

Thinking about offloading some DNS duties to one of these services, maybe on a VM or even a Raspberry Pi.

Anyone here have real-world experience or preferences between the three? Would appreciate your thoughts!