Private DNS with privacy and advertisement blocking - built for Balena hosted devices.
This work brings together three great tools: balenaCloud for managing devices (think Raspberry Pis etc.), Unbound (recursive DNS resolver) and PiHole (advertising and privacy blocking at a network level).
PiHole is great, but it's even greater with Unbound. Not having to manage releases across a bunch of devices is great also!
If you succeed in completing the below, you will have a fully functional recursive DNS server operating. If you were to expose it to the Internet, it could easily be used for DNS amplification attacks - annoying others and potentially seriously degrading your network performance.
Do not expose a device configured in this way directly to the Internet without appropriately configured firewalls.
This is as simple as it can be. It is assumed that you know how to get around Balena Cloud's interface, how to create an application and how to provision devices. If you don't, start there and come back to visit once you grok that.
- Create the application in the balena Cloud dashboard
- Clone this repository

  ```shell
  git clone https://github.com/aperim/balena-pihole-unbound.git
  ```

- Add the balena remote via git (hint - it's in the top right corner of the dashboard)

  ```shell
  git remote add balena <USERNAME>@git.balena-cloud.com:<USERNAME>/<APPLICATION_NAME>.git
  ```

- Push it to Balena

  ```shell
  git push balena master
  ```

- There will now be two services in the dashboard. One is `unbound`, the other is `pihole`. Those services can be configured with environment variables (service variables).
The `pihole` service takes all the standard environment variables. You should configure:

Variable Name | Example Content |
---|---|
`TZ` | `Australia/Sydney` |
`WEBPASSWORD` | `sUp3r_s#crET!` |

NOTE: You don't need to override the settings of the other variables. Setting more than the above could break things.
Unbound will operate with no configuration. This typically won't suit most environments, where domains used locally may need to return private IP addresses. This can be managed with `PRIVATE_DOMAINS` (example below).

The IP restriction only applies to Unbound - it does not change how PiHole answers queries. This should not normally need to be changed, as Unbound is operating on a non-standard port (5353). Add IPs here only if you know what you are doing and need access to the recursive DNS server from elsewhere.

Variable Name | Use | Example | Default |
---|---|---|---|
`IP_ACCESS_CONTROL` | Comma separated list of IP addresses permitted to access the DNS server. | `127.0.0.1/32,::1/128,192.168.100.0/24` | `127.0.0.1/32,::1/128` |
`PRIVATE_DOMAINS` | Comma separated list of domains that can return RFC1918 and RFC4193 private IP addresses | `example.com,example.org` | `[NONE]` |
Once you have started the services of your application, you should be able to send DNS queries to the IPv4 or IPv6 address of your device. You can test by using `dig` and supplying your device's IP address. For example, if I was using a Raspberry Pi and it had the address `192.168.100.100`, I would check it was working with:
```
| => dig A aperim.com @192.168.100.100

; <<>> DiG 9.10.6 <<>> A aperim.com @192.168.100.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55235
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;aperim.com.			IN	A

;; ANSWER SECTION:
aperim.com.		1800	IN	A	198.185.159.144
aperim.com.		1800	IN	A	198.185.159.145
aperim.com.		1800	IN	A	198.49.23.144
aperim.com.		1800	IN	A	198.49.23.145

;; Query time: 232 msec
;; SERVER: 192.168.100.100#53(192.168.100.100)
;; WHEN: Mon Sep 30 14:07:32 AEST 2019
;; MSG SIZE  rcvd: 103
```
You now need to configure the devices on your network to use your new DNS server. A great place to start is the PiHole documentation.