This stack combines the Wireguard server and UI from WGEasy, the DNS sinkhole Pihole and the recursive DNS server Unbound.
The goal of this stack is to be able to use your Pihole DNS on your home network, to keep using it while connected from outside through the Wireguard server, and lastly to have Pihole use a local Unbound instance for its DNS lookups.
TL;DR. I wanted this:
- Wireguard server for clients
- Pihole exposed on local network
- Pihole usable from Wireguard client
- Unbound used as upstream DNS server by Pihole
wg-easy/wg-easy
I chose this project as my Wireguard server + UI for the following reasons:
- Easy setup
- Nice minimal UI for handling Wireguard clients
- Actively maintained
- Good reputation
rlabinc/docker-pihole-unbound
I wanted a repo that included both Pihole and Unbound, so I wouldn't need to touch the configuration and could just deploy it easily. This project fit my criteria:
- Minimal configuration needed (eww gross Unbound configs)
- Actively maintained
Pihole is a great tool not only for blocking requests to ads from your network, but also for serving local DNS records.
Why the need for Unbound? What does it do differently than a regular upstream DNS server from Cloudflare or Google? The Pihole docs have a good article on this that I would recommend you read, but in summary the pros and cons are similar to those of self-hosting a password manager.
| # | Local Unbound DNS instance | Cloudflare DNS |
|---|---|---|
| Logging? | None/up to you | Some |
| Likelihood of attacks/poisoning | Unlikely target | Likely target |
| How is a website's IP obtained? | Recursively through the authoritative servers | Their cache |
| Censorship? | None | Potentially |
So what you are getting is enhanced privacy, for the tradeoff of a slower initial resolve. By avoiding a centralised DNS server for all your resolves, no single DNS authority can fully log the exact path you're visiting.
If the host runs systemd-resolved, its stub listener already occupies port 53, which Pihole needs, so disable it and point /etc/resolv.conf at resolved's real upstream list:

```shell
sudo sed -r -i.orig 's/#?DNSStubListener=yes/DNSStubListener=no/g' /etc/systemd/resolved.conf
sudo sh -c 'rm /etc/resolv.conf && ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf'
```

Then edit /etc/resolvconf.conf

```shell
sudo systemctl restart systemd-resolved
```
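The same host-side steps as an added shell example (not from the original post), wrapped in idempotent functions whose paths are parameters so they can be tried on scratch copies first, plus a port-53 check to run before starting the containers. The `ss` call and the systemd path defaults are assumptions about a Linux host running systemd-resolved.

```shell
#!/usr/bin/env bash
# Added example: the three host-side steps from the post as functions,
# with checks so you can confirm port 53 is really free before Pi-hole starts.
# Assumes a Linux host with systemd-resolved (paths are parameters for testing).
set -u

# Disable the stub listener (127.0.0.53:53) in a resolved.conf file.
# Handles both the commented default "#DNSStubListener=yes" and an explicit "yes";
# running it twice is harmless because "=no" no longer matches.
disable_stub_listener() {
  local conf="${1:-/etc/systemd/resolved.conf}"
  sed -r -i.orig 's/^#?DNSStubListener=yes/DNSStubListener=no/' "$conf"
}

# Return 0 if the file now has the stub listener explicitly disabled.
stub_listener_disabled() {
  local conf="${1:-/etc/systemd/resolved.conf}"
  grep -Eq '^DNSStubListener=no' "$conf"
}

# Point resolv.conf at resolved's real upstream list instead of the stub.
# -f replaces an existing regular file, -n avoids descending into a symlinked dir.
link_resolv_conf() {
  local target="${1:-/etc/resolv.conf}"
  local src="${2:-/run/systemd/resolve/resolv.conf}"
  ln -sfn "$src" "$target"
}

# Return 0 if resolv.conf is a symlink to the expected source.
resolv_conf_linked() {
  local target="${1:-/etc/resolv.conf}"
  local src="${2:-/run/systemd/resolve/resolv.conf}"
  [ -L "$target" ] && [ "$(readlink "$target")" = "$src" ]
}

# Return 0 if nothing on the host still listens on TCP/UDP port 53.
# Run after `systemctl restart systemd-resolved`, before `docker compose up`.
port53_free() {
  ! ss -lntu 2>/dev/null | awk '{print $5}' | grep -Eq ':53$'
}

# Usage on the real host (needs root):
#   disable_stub_listener && link_resolv_conf && systemctl restart systemd-resolved
#   port53_free && echo "port 53 is free, safe to start Pi-hole"
```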