This week, the Raspberry Pi that filters out all ads and tracking on my network became unreachable. I’m not sure why, but it’s happened a couple of times since Pi-Hole v5 came out. When your Pi-Hole goes offline, so – effectively – does your internet connection.
The second DNS setting
Most routers offer the option to set a second DNS server, but it’s a little unclear how that setting is used. If DNS 1 goes down, DNS 2 is very likely used. But it’s not just a back-up. When I set DNS 2 to a public DNS server (Google, OpenDNS or Cloudflare), some ads would show, even when DNS 1 (my Pi-Hole) was up and running.
As an experiment, I set up a second Pi-Hole instance on a Raspberry Pi Zero I had lying around. In my router, I set it as DNS 2. So now I had two dashboards full of stats, and could tell how many requests both Pi’s were handling. After the first 24 hrs, these were the numbers:
- Pi-Hole 1: 48,807 requests (40.4% blocked)
- Pi-Hole 2: 2,344 requests (19.8% blocked)
So it looked like the “back-up” Pi-Hole was getting around 4-5 percent of all DNS queries, even with DNS 1 fully operational. Some of those requests were from ‘localhost’ though, which skews the numbers and probably explains the lower block ratio. So, effectively, probably 2-3%?
UPDATE: For the following 24 hours, the numbers were significantly different:
- Pi-Hole 1: 30,645 requests (32.5% blocked)
- Pi-Hole 2: 3,919 requests (20.5% blocked)
This indicates that 11.3% of all DNS queries were handled by DNS 2, even though I took it down for a couple of hours to give it a better power supply. From the log files, I get the feeling most traffic on DNS 2 is from Windows machines.
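As an added example (not part of the original post), here is a small Python script that computes the DNS 1 vs. DNS 2 split and each instance’s block ratio from the two Pi-hole logs, leaving out queries from localhost so they don’t skew the numbers the way noted above. It assumes the dnsmasq-style lines Pi-hole v5 writes to /var/log/pihole.log (`query[A] … from …` and `gravity blocked … is …`); the sample lines embedded below are constructed, and block reasons other than gravity are ignored for brevity.

```python
import re
import sys
from collections import Counter

# Constructed sample lines in the dnsmasq-style format Pi-hole writes to
# /var/log/pihole.log (assumed format; these lines are invented for this example).
DNS1_LOG = """\
Jul 20 10:00:01 dnsmasq[812]: query[A] example.com from 192.168.1.20
Jul 20 10:00:01 dnsmasq[812]: forwarded example.com to 1.1.1.1
Jul 20 10:00:02 dnsmasq[812]: query[A] ads.example.net from 192.168.1.20
Jul 20 10:00:02 dnsmasq[812]: gravity blocked ads.example.net is 0.0.0.0
Jul 20 10:00:03 dnsmasq[812]: query[AAAA] example.com from 192.168.1.31
Jul 20 10:00:04 dnsmasq[812]: query[A] pi.hole from 127.0.0.1
Jul 20 10:00:05 dnsmasq[812]: query[A] tracker.example.org from 192.168.1.31
Jul 20 10:00:05 dnsmasq[812]: gravity blocked tracker.example.org is 0.0.0.0
"""

DNS2_LOG = """\
Jul 20 10:00:02 dnsmasq[640]: query[A] example.com from 192.168.1.40
Jul 20 10:00:02 dnsmasq[640]: forwarded example.com to 1.1.1.1
Jul 20 10:00:06 dnsmasq[640]: query[A] pi.hole from 127.0.0.1
"""

QUERY_RE = re.compile(r"query\[([A-Z]+)\] (\S+) from (\S+)\s*$")
BLOCK_RE = re.compile(r"gravity blocked (\S+) is ")

# Pi-hole's own lookups come from these addresses; they are counted separately.
LOCAL_CLIENTS = ("127.0.0.1", "::1", "localhost")


def parse_log(text, ignore_clients=LOCAL_CLIENTS):
    """Count queries and gravity-blocked answers from one Pi-hole log.

    Blocked lines don't name the client, so each one is attributed to the
    client that most recently asked for that domain.
    """
    last_client = {}  # domain -> client that asked for it most recently
    stats = {"queries": 0, "blocked": 0, "local_queries": 0, "clients": Counter()}
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            domain, client = m.group(2), m.group(3)
            last_client[domain] = client
            if client in ignore_clients:
                stats["local_queries"] += 1
            else:
                stats["queries"] += 1
                stats["clients"][client] += 1
            continue
        m = BLOCK_RE.search(line)
        if m and last_client.get(m.group(1)) not in ignore_clients:
            stats["blocked"] += 1
    return stats


def blocked_pct(stats):
    """Share of non-local queries that were blocked, in percent."""
    return 100.0 * stats["blocked"] / stats["queries"] if stats["queries"] else 0.0


def dns2_share(stats1, stats2):
    """Share of all non-local queries that DNS 2 handled, in percent."""
    total = stats1["queries"] + stats2["queries"]
    return 100.0 * stats2["queries"] / total if total else 0.0


def report(stats1, stats2):
    for name, s in (("DNS 1", stats1), ("DNS 2", stats2)):
        print(f"{name}: {s['queries']} queries ({blocked_pct(s):.1f}% blocked), "
              f"{s['local_queries']} from localhost ignored; "
              f"clients: {', '.join(sorted(s['clients']))}")
    print(f"DNS 2 handled {dns2_share(stats1, stats2):.1f}% of client queries")


if __name__ == "__main__":
    if len(sys.argv) == 3:  # paths to the two pihole.log files
        logs = [open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]]
    else:  # fall back to the constructed sample above
        logs = [DNS1_LOG, DNS2_LOG]
    report(parse_log(logs[0]), parse_log(logs[1]))
```

Copy both /var/log/pihole.log files off the Pis and pass them as the two arguments; the per-instance client lists also show which addresses ever reached DNS 2, which is the question the short DHCP leases mentioned below make hard to answer from the dashboards alone.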
It depends on the OS?
From what info I can find (and quite frankly, understand) online, operating systems use the second DNS server setting differently. MacOS and iOS apparently use it only if DNS 1 fails to respond quickly. Windows is suspected of using more of a load-balancing strategy.
Should an OS take DNS server response times into account, my DNS 1 has a clear advantage. It uses a wired connection, and is a much faster machine (it usually runs near idle).
Our household uses a mix of Android, Windows, ChromeOS, iOS, Linux and other devices. Unfortunately, my router’s (fixed) very short DHCP lease time makes it impossible to tell which devices use DNS 2 from looking at Pi-Hole’s query logs.
Here’s what I’m taking away from this little experiment.
- Don’t set a public DNS server as DNS 2 if you want airtight Pi-Hole protection
- Set up a second Pi-Hole if you need redundancy
- Man, I wish there was a Raspberry Pi Zero with wired internet!
- TP-Link Decos are great routers, but they really mess with Pi-Hole’s stats.
Please comment if you have a similar set-up. I’d love to hear what the DNS 1 vs. 2 ratio is on your network.