Run your own secure and private DNS server with Unbound + PiHole

Sharoon Mohammed
Published in bits-n-bytes
3 min read · Jan 25, 2021

Do check out my articles on DNS and PiHole if you’re getting started!

Privacy and security on the internet are being discussed much more widely than before, and that’s a good thing. A larger share of the public is now aware of how important they are, and as more people start to value privacy, the cascading effect should steer the industry in the right direction.

But staying truly private on the internet is easier said than done. The problem is — who do you ultimately trust? Do you trust your ISP? Your government? Your upstream DNS provider?

What you can do is minimize the points of trust. There is not much you can do about trusting your government or ISP; you could use a VPN based in a country with better privacy standards, but that is subjective and calls for a separate discussion. You can do something about trusting your DNS provider, however. Most of us use one of the well-known upstream DNS providers (no need to name them), but these are potential points of vulnerability. Do you trust these providers with your queries? Popular DNS servers are attractive targets: an attacker who poisons the DNS entries of a widely used resolver could affect millions of users at once. Imagine logging into your social media or your bank account and actually landing on a phishing site without knowing it.

What you could do is run your own DNS server locally. This is what Unbound does. Unbound is a lightweight, open-source, recursive DNS server that you can run on your own home or office network on an inexpensive Raspberry Pi. You could then either point all DNS queries on your network at the Raspberry Pi, or better yet, run a combination of Unbound + Pi-hole on the Pi for ad-blocking and filtering in addition to private DNS queries. I have run both Unbound and Pi-hole together on my $5 Raspberry Pi Zero and it’s still going strong after 4 months without a glitch.

Since Unbound resolves recursively, starting from the root servers, no single upstream resolver sees your full query history. You also have more control over how lookups are performed, and Unbound validates responses with DNSSEC. It also caches and pre-fetches commonly used lookups, so subsequent lookups are much faster because the answers are served from within your local network. Pi-hole adds its own cache on top, so over time your DNS requests should be very fast and responsive.

You can follow the official guide on the Pi-hole website for integrating Unbound with Pi-hole. It takes just a few minutes, and you will be up and running with a secure, private, ad-free, fast and lightweight DNS setup, all contained and running on a cheap Raspberry Pi!
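As an added example (not from this article or the Pi-hole project), here is an Unbound server block for the setup described above: a loopback-only recursive resolver on port 5335 that Pi-hole forwards to, with DNSSEC validation, caching and prefetching, and rebinding protection. The file path, root-hints location and port are assumptions that follow common practice; adjust them for your distribution.

```conf
# /etc/unbound/unbound.conf.d/pi-hole.conf  (assumed path; adjust for your distro)
server:
    verbosity: 0

    # Listen only on loopback, on a non-standard port so Pi-hole (port 53)
    # and Unbound do not collide. Pi-hole is then pointed at 127.0.0.1#5335.
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    prefer-ip6: no

    # Resolve from the root servers instead of forwarding to a third party.
    # root.hints is the root zone hint file (assumed location).
    root-hints: "/var/lib/unbound/root.hints"

    # DNSSEC: reject answers where signatures were stripped in transit.
    # The root trust anchor is normally installed by the distro package;
    # if not, add: auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    # Do not trust glue records outside the zone that sent them.
    harden-glue: yes
    # Send only as much of the query name as each upstream server needs.
    qname-minimisation: yes
    # Hide server identity from version.bind / id.server queries.
    hide-identity: yes
    hide-version: yes

    # Keep UDP answers small enough to avoid IP fragmentation.
    edns-buffer-size: 1232
    # Refresh popular cache entries before their TTL expires.
    prefetch: yes

    # A Raspberry Pi Zero has a single core; one thread is enough.
    num-threads: 1
    so-rcvbuf: 1m

    # Refuse answers that map public names to private addresses
    # (DNS rebinding protection). Drop a range only if a zone you trust needs it.
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
```

Validate the file with `unbound-checkconf` before restarting the service, then confirm resolution with `dig pi-hole.net @127.0.0.1 -p 5335`. In Pi-hole's DNS settings, set the only upstream server to 127.0.0.1#5335 so every query goes through your own recursive resolver.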

I love to read and write about technology, and help people understand the technology they use.