
This week, the Raspberry Pi that filters out all ads and tracking on my network became unreachable. I’m not sure why, but it has happened a couple of times since Pi-Hole v5 came out. When your Pi-Hole goes offline, so – effectively – does your internet connection.
The second DNS setting
Most routers offer the option to set a second DNS server, but it’s a little unclear how that setting is used. If DNS 1 goes down, DNS 2 is very likely used. But it’s not just a back-up: when I set DNS 2 to a public DNS server (Google, OpenDNS or Cloudflare), some ads would show even when DNS 1 (my Pi-Hole) was up and running.
An experiment
As an experiment, I set up a second Pi-Hole instance on a Raspberry Pi Zero I had lying around. In my router, I set it as DNS 2. So now I had two dashboards full of stats, and could tell how many requests both Pis were handling. After the first 24 hours, these were the numbers:
- Pi-Hole 1: 48,807 requests (40.4% blocked)
- Pi-Hole 2: 2,344 requests (19.8% blocked)
So it looked like the “back-up” Pi-Hole was getting around 4-5 percent of all DNS queries. Even with DNS 1 fully operational. Some of those requests were from ‘localhost’ though, which skews the numbers and probably explains the lower block ratio. So, effectively, probably 2-3%?
UPDATE: For the following 24 hours, the numbers were significantly different:
- Pi-Hole 1: 30,645 requests (32.5% blocked)
- Pi-Hole 2: 3,919 requests (20.5% blocked)
This indicates that 11.3% of all DNS queries were handled by DNS 2, even though I took it down for a couple of hours to give it a better power supply. From the log files, I get the feeling most traffic on DNS 2 is from Windows machines.
It depends on the OS?
From what info I can find (and, quite frankly, understand) online, operating systems use the second DNS server setting differently. macOS and iOS apparently use it only if DNS 1 fails to respond quickly. Windows is suspected of using more of a load-balancing strategy.
Should an OS take DNS server response times into account, my DNS 1 has a clear advantage: it uses a wired connection, and is a much faster machine (it usually runs near idle).
Our household uses a mix of Android, Windows, ChromeOS, iOS, Linux and other devices. Unfortunately, my router’s (fixed) very short DHCP lease time makes it impossible to tell which devices use DNS 2 from looking at Pi-Hole’s query logs.
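To put numbers on this with something more reproducible than reading two dashboards, here is an added example (my own script, not part of the original post or of the Pi-hole project) that tallies query and block lines from the logs of two Pi-Holes, computes the share of queries that reached DNS 2 both with and without the localhost traffic that skews the stats, and breaks the queries down per client so that, where client addresses are stable, the behaviour of each OS can be compared per device. It assumes the dnsmasq-style line format of Pi-hole v5’s pihole.log (`query[A] domain from client`, `gravity blocked domain is 0.0.0.0`); the log lines embedded below are constructed samples, not captured from a real network.

```python
import re
from collections import Counter

# Assumed line shapes, modelled on Pi-hole v5's dnsmasq-style /var/log/pihole.log:
#   "<month> <day> <time> dnsmasq[<pid>]: query[<type>] <domain> from <client>"
#   "<month> <day> <time> dnsmasq[<pid>]: gravity blocked <domain> is 0.0.0.0"
# (also "exactly blacklisted" / "regex blacklisted" for list and regex hits).
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)$")
BLOCK_RE = re.compile(
    r"dnsmasq\[\d+\]: (?:gravity blocked|exactly blacklisted|regex blacklisted) (\S+) is "
)

# Queries the Pi-Hole sends to itself; the post notes these inflate DNS 2's count.
LOCALHOST = {"127.0.0.1", "::1", "localhost"}

# Constructed sample logs: DNS 1 (the main Pi) and DNS 2 (the Pi Zero).
DNS1_SAMPLE = """\
Jul 18 09:00:01 dnsmasq[812]: query[A] example.com from 192.168.1.20
Jul 18 09:00:01 dnsmasq[812]: forwarded example.com to 1.1.1.1
Jul 18 09:00:02 dnsmasq[812]: query[AAAA] example.com from 192.168.1.20
Jul 18 09:00:03 dnsmasq[812]: query[A] ads.example.net from 192.168.1.20
Jul 18 09:00:03 dnsmasq[812]: gravity blocked ads.example.net is 0.0.0.0
Jul 18 09:00:05 dnsmasq[812]: query[A] tracker.example.org from 192.168.1.20
Jul 18 09:00:05 dnsmasq[812]: gravity blocked tracker.example.org is 0.0.0.0
Jul 18 09:00:07 dnsmasq[812]: query[A] update.example.com from 192.168.1.20
Jul 18 09:00:10 dnsmasq[812]: query[A] news.example.com from 192.168.1.30
Jul 18 09:00:10 dnsmasq[812]: cached news.example.com is 203.0.113.10
Jul 18 09:00:11 dnsmasq[812]: query[A] cdn.example.com from 192.168.1.30
Jul 18 09:00:12 dnsmasq[812]: query[A] metrics.example.net from 192.168.1.30
Jul 18 09:00:12 dnsmasq[812]: regex blacklisted metrics.example.net is 0.0.0.0
Jul 18 09:00:15 dnsmasq[812]: query[PTR] 10.113.0.203.in-addr.arpa from 192.168.1.30
""".splitlines()

DNS2_SAMPLE = """\
Jul 18 09:00:04 dnsmasq[655]: query[A] example.com from 192.168.1.20
Jul 18 09:00:04 dnsmasq[655]: forwarded example.com to 1.1.1.1
Jul 18 09:00:20 dnsmasq[655]: query[A] pi.hole from 127.0.0.1
Jul 18 09:00:21 dnsmasq[655]: query[A] ads.example.net from 127.0.0.1
Jul 18 09:00:21 dnsmasq[655]: gravity blocked ads.example.net is 0.0.0.0
""".splitlines()


def summarise(lines):
    """Return (total queries, queries not from localhost, blocked answers, per-client Counter)."""
    total = blocked = 0
    per_client = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            total += 1
            per_client[m.group(3)] += 1
        elif BLOCK_RE.search(line):
            blocked += 1
    local = sum(n for client, n in per_client.items() if client in LOCALHOST)
    return total, total - local, blocked, per_client


def block_ratio(lines):
    """Percentage of queries answered with a block; block lines carry no client,
    so localhost queries are included in the denominator, as on the dashboard."""
    total, _, blocked, _ = summarise(lines)
    return 100.0 * blocked / total if total else 0.0


def dns2_share(dns1_lines, dns2_lines, exclude_localhost=True):
    """Percentage of all queries that were handled by DNS 2."""
    t1, e1, _, _ = summarise(dns1_lines)
    t2, e2, _, _ = summarise(dns2_lines)
    n1, n2 = (e1, e2) if exclude_localhost else (t1, t2)
    return 100.0 * n2 / (n1 + n2) if n1 + n2 else 0.0


def per_client_split(dns1_lines, dns2_lines):
    """Map each real client to its (DNS 1, DNS 2) query counts, dropping localhost."""
    _, _, _, c1 = summarise(dns1_lines)
    _, _, _, c2 = summarise(dns2_lines)
    clients = (set(c1) | set(c2)) - LOCALHOST
    return {c: (c1.get(c, 0), c2.get(c, 0)) for c in sorted(clients)}


if __name__ == "__main__":
    print(f"DNS 1 block ratio: {block_ratio(DNS1_SAMPLE):.1f}%")
    print(f"DNS 2 block ratio: {block_ratio(DNS2_SAMPLE):.1f}%")
    print(f"DNS 2 share (raw):            {dns2_share(DNS1_SAMPLE, DNS2_SAMPLE, False):.1f}%")
    print(f"DNS 2 share (ex. localhost):  {dns2_share(DNS1_SAMPLE, DNS2_SAMPLE):.1f}%")
    for client, (n1, n2) in per_client_split(DNS1_SAMPLE, DNS2_SAMPLE).items():
        print(f"{client}: DNS1={n1} DNS2={n2}")
```

On the sample data the raw DNS 2 share is 25%, but only 10% once the Pi-Hole’s own queries are dropped, which is exactly the kind of correction the post hand-waves with “so, effectively, probably 2-3%?”. Feeding it real logs means replacing the two sample lists with the lines of each Pi-Hole’s pihole.log; the per-client table is only meaningful when clients keep their addresses (DHCP reservations or long leases) for the period being compared.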
Conclusion
Here’s what I’m taking away from this little experiment.
- Don’t set a public DNS server as DNS 2 if you want airtight Pi-Hole protection
- Set up a second Pi-Hole if you need redundancy
- Man, I wish there was a Raspberry Pi Zero with wired internet!
- TP-Link Decos are great routers, but they really mess with Pi-Hole’s stats.
Please comment if you have a similar set-up. I’d love to hear what the DNS 1 vs. 2 ratio is on your network.
Hi. I have 2 Raspberry Pis (both Pi 4, 2GB RAM) and I have number 1 as primary DNS, and number 2 as secondary DNS on my DHCP server. I then have to say that I have a destination NAT rule that automatically sends all DNS requests not directed to my Pi-holes to my primary DNS (1). I have data for about 6 months, and I can identify some of the clients on both. I have the following information for my laptop (Windows 10 Home): DNS1: 7632 req. DNS2: 1168 req. An Ubuntu 18.04 server has the following (gets a reserved DHCP address, therefore gets both DNS servers): DNS1: 12284 DNS2: 14. I would say how the requests are used is very much dependent on the operating system. And in part on how your network is configured (forcing port 53 to a DNS server).