DNS Sinkhole, DNS Forwarder, & DNS Resolver
I was inspired to do this as my first IT project mainly because of the obvious benefits it provides for an entire network. The prospect of not seeing any advertisements prompted me to try out this project!
I bought all the components of Raspberry Pi, assembled and installed Raspian, which is a Linux (Debian) based operating system. Raspian is a free operating system and considered as the official operating system of the Raspberry Pi. Then, I installed Pi-hole, which is a Linux based network-level adblocking application that can act as a DNS sinkhole. In the Raspberry Pi, I enabled SSH and RDP that helped me configure the entire setup from my laptop. Once I successfully installed and tested the operation of Pi-hole, I changed my router configuration and put the local IP address of my Raspberry Pi as the primary DNS server. This made sure all the DNS traffic from my network goes through the Pi-hole and gets filtered. I also leveraged the built-in DHCP server feature that Pi-hole offers and used it as my DHCP server as well. Now, my Pi-hole both acts as a DNS and DHCP server, which you can see in the picture below.
Like every other home network, I constantly saw ads in one form or the other in every browser and the browser adblockers were not that effective. After deploying Pi-hole, I hardly see any ads. Pi-hole has stripped down all the ads from the most common ads prone applications such as YouTube videos, online/mobile games, apps, and websites. My home network DNS architecture before the implementation of Pi-hole is shown below.
Pi-hole has been running great and serving the entire network as I expected. Apart from acting as DNS sinkhole, Pi-hole also acts as a DNS forwarder because it does not resolve the DNS queries but simply forward them to the designated upstream DNS servers. The upstream DNS servers resolve the queries by going through the DNS hierarchy and get the answer from the authoritative DNS server to the client. Though this set up does not necessarily affect the DNS functions, it leaves room for the upstream DNS servers to monitor your DNS traffic, if they want. Since all the DNS traffic goes through upstream servers, every DNS activity is logged in their servers. So, I wanted to take it one step further by implementing a DNS resolver in my home network. I installed Unbound, which is an open-source package that provides DNS resolver capability, supports encryption and caching of DNS queries. The new DNS architecture of my home network is shown below.
To me, the idea of having a DNS sinkhole, DNS forwarder and DNS resolver that along with caching and encryption of DNS queries in a single credit card-sized machine sounded unrealistic at first. But, when I saw it working extremely well and had the first-hand experience of building it, it was not too hard to believe. This was the moment that I realized how powerful the technologies are! One might think if a server has all these roles installed and handles 8 clients (as in my case), it would need a lot of memory. Surprisingly, the whole set up is very lightweight, robust and versatile. My Raspberry Pi has only 32GB memory, and all these setups take only 5-6% of my memory at any given time (see the picture below).
Pi-hole offers other cool features such as a web interface, an built-in DHCP server, and customizable domain listings. The number of domains one can put in the blocklist depends on the level of blocking one needs for their network. For my network, I have currently little over 870,000 domains on my blocklist. I enabled auto-update and set my blocklists to get updated every 24 hours. The DNS requests of my network are answered by the local DNS resolver that I have set up. The queries answered section (see the picture below) shows the percentage of DNS queries blocked by the DNS sinkhole and queries answered by the DNS resolver and caching.
This project was great fun! I am happy to see it working extremely well. Since I use this device every day, this project is one of my favorites!