Enhancing Network Privacy and Security: Setting Up Pi-hole with Unbound DNS

In today's digital landscape, protecting your network privacy and security is more crucial than ever. One powerful combination for achieving this is Pi-hole with Unbound DNS. In my previous post comparing Pi-hole versus Adguard Home, I mentioned I use Pi-hole with Unbound DNS. Let's explore why this setup is beneficial and how to implement it step by step.

Why Pi-hole with Unbound DNS?

Pi-hole acts as a network-wide ad blocker and DNS sinkhole, protecting all devices on your network from unwanted advertising and tracking. When combined with Unbound DNS, a validating, recursive DNS resolver, you get additional benefits:

• Complete control over your DNS queries
• Enhanced privacy by eliminating reliance on third-party DNS servers
• DNSSEC validation for improved security
• Reduced DNS latency for frequently visited domains
• Protection against DNS-based tracking and manipulation

Step-by-Step Setup Guide

1. Prepare Your System

First, download and install Debian, Ubuntu Server or your preferred distribution. I use Debian 12. This provides a stable foundation for our DNS infrastructure.

Minimum Hardware Requirements for Pi-hole

Basic Setup

• CPU: Single-core 700MHz processor
• RAM: 512MB
• Storage: 2GB
• Network: Ethernet (recommended) or Wi-Fi
• Architecture Support: x86_64, ARM (32/64-bit)

Recommended Hardware

• CPU: Multi-core 1GHz+ processor
• RAM: 1GB or more
• Storage: 4GB+
• Network: Gigabit Ethernet
• Temperature control: Basic cooling for 24/7 operation

Additional Requirements for Unbound DNS

Hardware

• RAM: Additional 128MB recommended
• Storage: Additional 1GB recommended
• CPU: Minimal additional load

Combined Recommended Specifications

• CPU: 1GHz+ multi-core processor
• RAM: 2GB
• Storage: 8GB
• Network: Gigabit Ethernet
• Architecture: x86_64 or ARM64

Operating System Requirements

Supported Operating Systems

• Raspberry Pi OS (formerly Raspbian)
• Ubuntu/Debian
• Fedora
• CentOS
• Docker containers

OS-Specific Requirements

• Clean installation recommended
• Updated package repositories
• Basic networking tools installed
• Root or sudo access
• Systemd (for most modern implementations)

Network Requirements

Connectivity

• Static IP address
• Open ports:
  • TCP 22 (SSH)
  • TCP/UDP 53 (DNS)
  • TCP 80 (Web interface)
  • TCP 443 (HTTPS, if configured)
  • UDP 67/68 (DHCP, if enabled)
  • Port 5335 (Unbound DNS)

Bandwidth

• Minimal requirements: 1Mbps
• Recommended: 10Mbps+
• Data usage varies based on network size and query volume

Virtual Machine Specifications

If running in a VM environment:

• vCPUs: 1-2
• vRAM: 2GB
• Storage: 8GB
• Network: Bridged adapter recommended
• Virtualization platforms:
  • VMware
  • VirtualBox
  • Proxmox
  • Hyper-V

Container Requirements (Docker)

Minimum

• Docker version 19.03 or higher
• 512MB RAM allocation
• 2GB storage
• Network access (host or bridged)

Recommended

• Docker version 20.10 or higher
• 1GB RAM allocation
• 4GB storage
• Host network mode

Performance Considerations

Small Network (Home/Small Office)

• Up to 50 devices
• Basic hardware sufficient
• 1GB RAM adequate
• Standard cooling

Medium Network

• 50-200 devices
• Multi-core processor recommended
• 2GB+ RAM
• Active cooling recommended

Large Network

• 200+ devices
• High-performance CPU
• 4GB+ RAM2
• Enterprise-grade cooling
• Redundant power recommended

Additional Recommendations

1. Backup Power
   • UPS recommended for 24/7 operation
   • Power monitoring capabilities
2. Monitoring
   • Temperature monitoring
   • Resource utilization tracking
   • Log monitoring
   • Network performance tracking
3. Maintenance
   • Regular updates
   • Log rotation[Previous content about OS requirements, network requirements, etc. remains the same][Previous content about OS requirements, network requirements, etc. rem22ains the same][Previous content about OS requirements, network requirements, etc. remains the same]
   • Backup strategy
   • Performance monitoring
4. Security
   • Firewall configuration
   • Regular security updates
   • Access control
   • Network isolation considerations

Raspberry Pi Options

Raspberry Pi 4

• Models Available: 2GB, 4GB, or 8GB RAM
• Processor: Quad-core Cortex-A72 (ARM v8) 64-bit SoC @ 1.5GHz
• Network: Gigabit Ethernet
• Power: 5V/3A via USB-C
• Storage: MicroSD card (32GB+ recommended)2
• Performance: Excellent for home/small office deployment
• Cost-Effective: Great performance-to-price ratio
• Power Consumption: 3W-7W depending on load

Raspberry Pi 5

• Models Available: 4GB or 8GB RAM
• Processor: Quad-core Cortex-A76 64-bit SoC @ 2.4GHz
• Network: Gigabit Ethernet
• Power: 5V/5A via USB-C
• Storage: MicroSD card (32GB+ recommended)
• Performance: Superior for larger networks
• Enhanced Features: Better thermal management, faster networking
• hPower Consumption: 4W-12W depending on load

Recommended Accessories for Raspberry Pi Deployment

• Active cooling (fan) or heatsink
• Quality power supply
• Premium MicroSD card (A2 rating recommended)
• Case with good ventilation
• Ethernet cable (Cat 5e or better)

Performance Considerations

Small Network (Home/Small Office)

• Raspberry Pi 4 (2GB) sufficient
• Up to 50 devices
• Basic cooling adequate
• Standard MicroSD card acceptable

Medium Network

• Raspberry Pi 4 (4GB) or 5 (4GB) recommended
• 50-200 devices
• Active cooling recommended
• High-quality MicroSD card recommended

Large Network

• Raspberry Pi 5 (8GB) recommended
• 200+ devices
• Active cooling required
• Premium MicroSD card required
• Consider SSD boot option for better performance

Raspberry Pi-Specific Optimizations

1. Storage Options
   • High-quality MicroSD (Samsung PRO, SanDisk Extreme)
   • USB SSD boot option for better performance
   • Regular backups recommended
2. Cooling Solutions
   • ICE Tower Cooler
   • FLIRC case
   • Active fan cooling
   • Heatsinks on key components
3. Power Considerations
   • Official power supply recommended
   • UPS backup recommended
   • Power monitoring2
   • Clean power source
4. Network Configuration
   • Static IP setup
   • Ethernet preferred over Wi-Fi
   • Quality network cable
   • Network segregation options

Operating System Recommendations for Raspberry Pi

Recommended OS Options

• Raspberry Pi OS Lite (minimal, recommended)
• Ubuntu Server for Raspberry Pi
• DietPi
• Docker on Raspberry Pi OS

OS-Specific Notes

• Headless installation recommended
• Regular updates crucial
• Minimal installation preferred
• Disable unnecessary services

Additional Raspberry Pi Considerations

1. Backup Strategy
   • Regular SD card imaging
   • Configuration backups
   • Automated backup scripts
   • Secondary SD card with ready setup
2. Performance Monitoring
   • Temperature monitoring critical
   • CPU usage tracking
   • Memory utilization
   • Storage wear monitoring
3. Maintenance Schedule
   • Weekly updates
   • Monthly SD card checks
   • Quarterly full system review
   • Annual hardware inspection

Remember that these requirements are guidelines, and your specific needs may vary based on network size, query volume, and additional services running on the same system. While both Raspberry Pi 4 and 5 are excellent choices for Pi-hole with Unbound DNS, the Pi 5's improved processing power and thermal management make it a more future-proof option, particularly for growing home networks or those requiring additional services alongside Pi-hole.

2. Install Pi-hole

Execute the following command to install Pi-hole:

sudo curl -sSL https://install.pi-hole.net | bash 

After installation, set your admin password:

pihole -a -p [your-password]

3. Install Unbound DNS

Install Unbound with:

sudo apt install unbound

4. Configure Unbound

Create a new configuration file: (you can use the template file at the following URL)

sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # IP fragmentation is unreliable on the Internet today, and can cause
    # transmission failures when large DNS messages are sent via UDP. Even
    # when fragmentation does work, it may not be secure; it is theoretically
    # possible to spoof parts of a fragmented DNS message, without easy
    # detection at the receiving end. Recently, there was an excellent study
    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <
    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
    # in collaboration with NLnet Labs explored DNS using real world data from the
    # the RIPE Atlas probes and the researchers suggested different values for
    # IPv4 and IPv6 and in different scenarios. They advise that servers should
    # be configured to limit DNS messages sent over UDP to a size that will not
    # trigger fragmentation on typical network links. DNS servers can switch
    # from UDP to TCP when a DNS response is too big to fit in this limited
    # buffer size. This value has also been suggested in DNS Flag Day 2020.
    edns-buffer-size: 1232

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

The provided configuration includes several important security features:

• DNSSEC validation through harden-dnssec-stripped: yes
• Protection of private IP ranges
• Optimized UDP buffer size to prevent DNS fragmentation attacks
• Thread optimization for typical home network usage
• Privacy protection for local IP ranges

5. Finalize Setup

1. Restart Unbound to apply the configuration:

sudo service unbound restart

1. In the Pi-hole web interface:
   • Disable forwarding DNS
   • Set custom DNS to 127.0.0.1#5335

Maintaining Your Setup

To keep Pi-hole updated, regularly run:

pihole -up

Security Benefits Explained

This setup provides multiple layers of protection:

1. Ad Blocking: Pi-hole blocks ads and trackers at the network level before they reach your devices.
2. DNS Privacy: By running your own recursive resolver (Unbound), your DNS queries never leave your network unencrypted.
3. DNSSEC Validation: Unbound validates DNS responses, protecting against DNS spoofing attacks.
4. Network-Wide Protection: All devices on your network benefit from these security measures without individual configuration.
5. Reduced Attack Surface: By eliminating reliance on external DNS providers, you reduce potential points of compromise.

Adding Centralized Logging with syslog-ng

To enhance our security monitoring capabilities, we'll add syslog-ng to forward Pi-hole logs to a centralized logging solution like Graylog. This enables better visibility into your network's DNS activity and potential security events.

Installing and Configuring syslog-ng

• Install syslog-ng:

sudo apt-get install syslog-ng

• Create a new configuration file for Pi-hole logging:

sudo nano /etc/syslog-ng/conf.d/pihole.conf

• Add the following configuration (adjust based on your Graylog server details):

Add the file as shown below:

/etc/syslog-ng/conf.d/10-pihole.conf
source s_pihole_log { file("/var/log/pihole.log"); };
destination d_graylog {udp("192.168.1.100" port(2515)); };
log { source(s_pihole_log); destination(d_graylog); };

 Modify the following file section:

/etc/syslog-ng/syslog-ng.conf
###
# Include all config files in /etc/syslog-ng/conf.d/
###
@include "/etc/syslog-ng/conf.d/*.conf"

Or

# Define source for Pi-hole logs
source s_pihole {
    file("/var/log/pihole.log");
    file("/var/log/pihole-FTL.log");
};

# Define destination for Graylog
destination d_graylog {
    syslog("graylog-server-ip" transport("tcp")
        port(1514)
        disk-buffer(
            mem-buf-size(10485760)   # 10MB
            disk-buf-size(2147483648) # 2GB
            reliable(yes)
        )
    );
};

# Create logging path
log {
    source(s_pihole);
    destination(d_graylog);
};

• Restart syslog-ng:

sudo systemctl restart syslog-ng

Configuring Graylog Input

1. In your Graylog web interface:
   • Create a new Syslog TCP input
   • Set the port to match your syslog-ng configuration (1514 in our example)
   • Enable the input
2. Create a stream for Pi-hole logs:
   • Add rule: message contains "pihole"
   • Set appropriate stream title and description

Log Analysis Benefits

Adding centralized logging provides several advantages:

• Real-time monitoring of DNS queries and blocks
• Historical analysis of network activity
• Early detection of potential security incidents
• Compliance requirements fulfillment
• Automated alerting capabilities

Best Practices for Operation

1. Regularly update Pi-hole, Unbound, and syslog-ng
2. Monitor your Pi-hole dashboard and Graylog for unusual patterns
3. Keep configuration files backed up
4. Review blocked domains periodically
5. Set up alerts in Graylog for suspicious DNS activity
6. Regularly verify log forwarding is working correctly
7. Consider implementing log rotation to manage storage
8. Monitor system resources as logging can be resource-intensive

Sample Graylog Alerts to Configure

1. High volume of DNS queries from a single source
2. Repeated attempts to access known malicious domains
3. DNS queries to uncommon TLDs
4. Sudden spikes in blocked queries
5. Failed DNSSEC validations

Maintaining Your Setup

Regular Maintenance Tasks:

• Update Pi-hole:

pihole -up

• Check syslog-ng status:

sudo systemctl status syslog-ng

• Verify log forwarding:

sudo tail -f /var/log/syslog | grep syslog-ng

• Monitor log storage:

du -sh /var/log/

Troubleshooting Common Issues

• Log Forwarding Issues:

# Check syslog-ng configuration
sudo syslog-ng -s

# View syslog-ng logs
journalctl -u syslog-ng

• Pi-hole and Unbound:

# Check Pi-hole status
pihole status

# Test Unbound
dig google.com @127.0.0.1 -p 5335

By implementing this comprehensive setup, you'll have a robust DNS filtering solution with detailed logging capabilities. This combination provides not only enhanced privacy and security but also the visibility needed to monitor and respond to potential threats effectively.

Remember to adjust the configuration based on your specific network requirements and logging needs. Regular monitoring and maintenance of all components will ensure optimal performance and security.