Self-Hosting Pi-hole with Unbound for Enhanced DNS Privacy

If you’ve ever been annoyed by constant ads or felt uneasy about who can see which sites you look up, setting up Pi-hole with Unbound on your home network is one of the most effective changes you can make. This guide walks you through installing Pi-hole, an ad-blocking DNS server, and pairing it with Unbound so that the two together form a fully recursive, self-contained DNS resolver.

Why Use Pi-hole and Unbound?

Pi-hole acts as a network-wide ad blocker: it is the DNS server for your devices, and it refuses lookups for domains on its blocklists, so ad and tracker hosts are never contacted. This cleans up browsing on every device, keeps tracking domains from learning anything, and saves the bandwidth the ads would have used.

Unbound is a recursive DNS resolver. Paired with Pi-hole it replaces the upstream provider (Google DNS, Cloudflare and so on) and resolves every query itself, walking from the root servers to the TLD servers to the domain’s authoritative servers, and it validates DNSSEC signatures along the way. The result is a self-contained resolver: no single third party sees your complete query history. The authoritative servers still see your public IP address, and the traffic still leaves your network in cleartext, so this is a privacy improvement rather than anonymity.

Getting Started

Before diving into the setup, here’s what you’ll need:

  • A Raspberry Pi (or any Debian-based Linux server; the commands below use apt)
  • Basic understanding of the terminal (we’ll use some Linux commands)
  • Internet connection for downloads and updates

If you’re ready, let’s get started.

Step 1: Install Pi-hole

  1. Access your server by opening a terminal on your device. If using a Raspberry Pi, SSH into it.

  2. Update your system with the following commands:

    sudo apt update && sudo apt upgrade -y
    
  3. Install Pi-hole by running the official installation script:

    curl -sSL https://install.pi-hole.net | bash
    

    Piping a remote script into bash means running whatever the server sends; if you prefer, download it first with wget, read it, and then run it with sudo bash. The installer prompts you through the configuration options, including an upstream DNS provider (we’ll replace this with Unbound in Step 3). Pick any provider for now; it is only used until then.

  4. Complete the setup. Once done, Pi-hole will start filtering DNS requests for your network.

Step 2: Install Unbound

With Pi-hole installed, we’ll now set up Unbound to act as our recursive DNS resolver.

  1. Install Unbound:

    sudo apt install unbound -y
    
  2. Configure Unbound by creating a configuration file. Debian’s unbound package includes every *.conf file in this directory, so keeping our settings in a separate file leaves the package defaults (including the DNSSEC trust anchor) untouched:

    sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
    

    Copy and paste the following configuration into the file:

    server:
      # Log operational messages only; 0 silences everything but errors.
      verbosity: 1
      # Listen on localhost only, on a port that does not collide with
      # Pi-hole's own listener on port 53.
      interface: 127.0.0.1
      port: 5335
      do-ip4: yes
      do-udp: yes
      do-tcp: yes
      # List of root servers used to start every uncached resolution.
      root-hints: "/var/lib/unbound/root.hints"
      # Do not answer id.server / version.server fingerprinting queries.
      hide-identity: yes
      hide-version: yes
      # Ignore glue records outside the delegating zone's bailiwick.
      harden-glue: yes
      # Treat stripped DNSSEC data as bogus instead of silently accepting it.
      harden-dnssec-stripped: yes
      # Randomise the case of query names (0x20) to make spoofing harder.
      use-caps-for-id: yes
      # Keep UDP answers below the IPv6 minimum MTU to avoid fragmentation.
      edns-buffer-size: 1232
      # Refresh popular records before they expire from the cache.
      prefetch: yes
      num-threads: 1
    

    This config tells Unbound to listen on 127.0.0.1:5335 only, so nothing else on the LAN can reach it directly and it cannot collide with Pi-hole on port 53. The harden-* and use-caps-for-id options make cache poisoning harder, hide-identity and hide-version withhold server fingerprinting, and the 1232-byte EDNS buffer keeps UDP answers from being fragmented.

  3. Download the root hints (the list of root name servers Unbound starts from whenever its cache is empty):

    sudo wget -O /var/lib/unbound/root.hints https://www.internic.net/domain/named.cache
    

    This file changes rarely but does change (root server addresses are updated every few years), so refresh it periodically; a monthly cron job is plenty. Unbound also ships with a built-in copy, and on Debian the dns-root-data package installs one at /usr/share/dns/root.hints, so a missing download is a quality issue rather than a hard failure.

  4. Restart Unbound to apply the changes:

    sudo systemctl restart unbound
    

Step 3: Configure Pi-hole to Use Unbound

Now, we need to point Pi-hole to Unbound instead of a third-party DNS provider.

  1. Open the Pi-hole admin interface in your browser. By default, it’s accessible at http://<your-pi-hole-ip>/admin.
  2. Navigate to Settings > DNS.
  3. Uncheck every pre-set upstream provider, so Pi-hole has no fallback to a third-party resolver.
  4. Under Custom 1 (IPv4) enter 127.0.0.1#5335 and save. This tells Pi-hole to send every query to Unbound on port 5335 (Pi-hole writes upstream servers as address#port).

Step 4: Test Your Setup

After completing the setup, let’s confirm that Pi-hole and Unbound are working correctly.

  1. Verify Pi-hole is blocking: open the Query Log in the admin interface and browse from a client; lookups for ad and tracker domains should show as blocked. For a quicker check, run dig for a domain you know is on a blocklist against the Pi-hole’s IP: in the default blocking mode Pi-hole answers 0.0.0.0 for a blocked name.

  2. Verify Unbound by running the following command on your Pi-hole device:

    dig google.com @127.0.0.1 -p 5335
    

    You should see ;; SERVER: 127.0.0.1#5335(127.0.0.1) near the bottom of the output and status: NOERROR in the header, which confirms that Unbound itself answered.

  3. To check that Unbound resolved the name recursively (rather than forwarding it) and validates DNSSEC, look at the flags in the header. For a DNSSEC-signed domain the flags should include ad (authenticated data), which only a validating resolver sets; the Debian unbound package configures the root trust anchor for this by default. Then query a domain that is deliberately published with a broken signature, such as dnssec-failed.org: a validating resolver returns status: SERVFAIL with no answer, whereas a non-validating forwarder hands back an address. Finally, compare Query time across two identical queries: the first walks the delegation chain from the root servers and is slower, the second is served from Unbound’s cache in a few milliseconds.
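The checks in this step are easy to get wrong by eye, so here is a small script that does them, added as an example and not part of the original post. It parses dig’s output for the answering server, the status and the ad flag, and the live mode queries Unbound for a signed domain (example.com by default, an assumption you can override) and for dnssec-failed.org, whose signature is deliberately broken. The sample dig output embedded in the script is constructed, not captured from a real resolver.

```shell
#!/bin/sh
# Added example (not from the original post): parse dig output and check
# that the resolver on 127.0.0.1#5335 answered, recursed and validated
# DNSSEC.  The parsing functions are exercised on constructed sample output
# below; the live check assumes the signed domain stays DNSSEC-signed and
# that dnssec-failed.org keeps publishing a deliberately broken signature.

# dig_status OUTPUT : print the status field from dig's header line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# dig_has_ad OUTPUT : succeed if the flags line carries "ad" (authenticated
# data), which only a validating resolver sets.
dig_has_ad() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'
}

# dig_server OUTPUT : print "ip#port" of the server that answered.
dig_server() {
    printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^( ]*\).*/\1/p' | head -n 1
}

# verify_answer OUTPUT STATUS [ad] : succeed if the answer came from
# 127.0.0.1#5335 with the expected status (and the AD flag, if requested).
verify_answer() {
    [ "$(dig_server "$1")" = "127.0.0.1#5335" ] || return 1
    [ "$(dig_status "$1")" = "$2" ] || return 1
    if [ "${3:-}" = ad ]; then dig_has_ad "$1" || return 1; fi
    return 0
}

# Constructed sample output (not captured from a real resolver), in the
# shape dig prints: a validated answer and a SERVFAIL for a bogus signature.
SAMPLE_OK='; <<>> DiG 9.18.28 <<>> example.com @127.0.0.1 -p 5335
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.            3600    IN      A       192.0.2.1

;; Query time: 212 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)'

SAMPLE_BOGUS='; <<>> DiG 9.18.28 <<>> dnssec-failed.org @127.0.0.1 -p 5335
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; Query time: 350 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)'

# check_live [SIGNED_DOMAIN] : query the real resolver.  Needs network and
# dig, so it only runs when invoked as:  sh check-unbound.sh live
check_live() {
    signed=${1:-example.com}
    good=$(dig "$signed" @127.0.0.1 -p 5335) || { echo "dig failed: is Unbound running?" >&2; return 1; }
    bad=$(dig dnssec-failed.org @127.0.0.1 -p 5335) || true
    verify_answer "$good" NOERROR ad || { echo "FAIL: $signed not resolved with the AD flag" >&2; return 1; }
    verify_answer "$bad" SERVFAIL || { echo "FAIL: bogus signature was not rejected" >&2; return 1; }
    echo "OK: Unbound on 127.0.0.1#5335 recurses and validates DNSSEC"
}

if [ "${1:-}" = live ]; then
    check_live "${2:-}"
fi
```

If the live check fails on the AD flag but the status is NOERROR, Unbound is answering but not validating: look for a forward-zone in /etc/unbound or a missing trust anchor. If dnssec-failed.org comes back NOERROR, the answer is coming from a non-validating upstream rather than from recursion.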

Benefits of Pi-hole and Unbound

Setting up Pi-hole with Unbound has several advantages:

  • Privacy: no single third-party resolver sees your full query history. Unbound walks the delegation chain itself, so each lookup is split across the root, TLD and authoritative servers, which still see your public IP but only their own slice of the name.
  • Ad-blocking: Network-wide ad blocking for devices connected to your network.
  • Faster Local DNS Resolution: Cached responses make repeated queries faster.

Troubleshooting

Here are some common issues and solutions:

  • Pi-hole not blocking ads: confirm the client is actually using Pi-hole as its resolver (check its DNS setting or the Query Log); a client with a hard-coded or router-assigned DNS server bypasses Pi-hole entirely. Then check Pi-hole’s DNS settings and that your blocklists have been updated.
  • Unbound not resolving: ensure the service is running with sudo systemctl status unbound and read its log with journalctl -u unbound. On Debian-based systems also make sure no other file under /etc/unbound/unbound.conf.d/ defines a forward-zone (the resolvconf integration can generate one from your upstream servers), since that would make Unbound forward to an upstream resolver instead of recursing, and check that unbound-resolvconf.service has not rewritten /etc/resolv.conf on the Pi itself.
  • Slow initial DNS resolution: this is normal for the first query of a name. Unbound has to walk the chain from a root server to the TLD servers to the zone’s authoritative servers; later queries for the same name are answered from its cache.

Wrapping Up

With Pi-hole and Unbound set up, you now have a self-hosted, validating DNS resolver that blocks ads across your network. This setup keeps control over DNS queries in your own hands, removes the third-party recursive resolver from the picture, and improves your browsing experience.

“A self-hosted DNS setup like Pi-hole and Unbound not only improves privacy but also ensures faster, ad-free browsing. It’s a worthwhile setup for anyone looking to secure their network.”

Take your time exploring the settings, and soon you’ll be enjoying a cleaner, more private internet experience.