Published 13 minutes ago
Maker, meme-r, and unabashed geek, Joe has been writing about technology since starting his career in 2018 at KnowTechie. He’s covered everything from Apple to apps and crowdfunding and loves getting to the bottom of complicated topics. In that time, he’s also written for SlashGear and numerous corporate clients before finding his home at XDA in the spring of 2023.
He was the kid who took apart every toy to see how it worked, even if it didn’t exactly go back together afterward. That’s given him a solid background for explaining how complex systems work together, and he promises he’s gotten better at the putting things back together stage since then.
I’ve been self-hosting for a very long time, whether that was an IRC bouncer to keep my nickname online and authenticated, a media server to watch movies, listen to music, and read manga from, or, more recently, everything from smart home control to replacements for cloud services. I’ve also long been a user of DNS-based ad-blocking software, because I’ve been infected with malware from dodgy ad networks before, and I don’t recommend it happening again.
For the longest time, that was AdGuard, because it had apps for my smartphone and tablet, and things worked. Then the number of devices I owned grew exponentially, and I switched to Pi-hole, like many of you probably did. For years, it’s been working fine, protecting my home network and every device on it, but something has changed recently to make me look for alternatives, and I decided on Unbound DNS. This now runs on my OPNsense router and firewall, adding another layer of protection that wasn’t there before, and I don’t have to worry about the service or the hardware it’s running on going dark.
Why I switched from Pi-hole
It all started when the Pi-hole decided to block ALL my DNS traffic
The troubles began a few months ago, when all of my services started dropping out, and web browsing worked for some sites but not others, and then eventually not at all. You know what I’m about to say if you self-host an ad blocker, DNS server, or similar service: the Pi-hole had stopped resolving properly, and DNS requests were being answered only from the small number of entries left in its local cache, until those expired and nothing resolved at all.
Unlike my colleague Adam, I didn’t want to double the problem by running two Pi-hole instances. It would just break again, and I wanted something more robust. I’ve used many different DNS servers recently, but this time I decided the replacement would be Unbound. Why? Because it runs on my OPNsense router, which is always on. And now that I have several OPNsense installs, I’ve got CARP set up so that the routers fail over when one goes down, with clients pointed at the shared virtual IP rather than at either box, keeping my network running no matter what. Okay, unless I lose power too, and then wired internet is the last thing on my mind.
Pi-hole to Unbound wasn’t a one-to-one swap
Aspect | Pi-hole (forwarding) | Unbound (recursive) | Impact |
---|---|---|---|
Uncached query | Fast (20–50 ms, one round trip to the upstream resolver) | Slower (200–300 ms, several round trips from the root servers down) | Unbound is slower for uncached queries |
Cached query | Very fast | Very fast, and prefetching refreshes popular names before they expire | Similar performance |
Cache efficiency | Caches final answers only | Caches the whole delegation chain, so a new name under an already-seen domain needs one round trip, not the full walk | Unbound gets better hit rates |
Resource usage | Low (50–100 MB RAM) | Low (similar) | Comparable efficiency |
Resilience | One Pi-hole box is a single point of failure | Runs on every OPNsense node, so CARP failover keeps DNS up when a router dies | Unbound setup is more robust |
Now you might look at that chart and think that recursive resolvers like Unbound are slower, and you’d be right, but only the first time a name is looked up. A forwarding resolver sends each cache miss to one upstream server and waits for one answer; a recursive one has to ask a root server, then the TLD server, then the domain’s own nameserver. After that, the answer and the whole delegation chain sit in the cache, so repeat visits are served locally and a new name under an already-seen domain needs just one round trip. Your browser doesn’t have to wait, and no third-party resolver sits in the path.
Hosting it on two OPNsense installs with failover set up properly meant no more interruptions like the Pi-hole’s glitches: DHCP hands clients the CARP virtual IP as their DNS server, and whichever router currently holds it answers. I could still use the same blocklists to keep unwanted things off my network, since OPNsense’s Unbound blocklist settings take the same kind of hosts-format lists Pi-hole does. In some ways, this was even simpler to use, because everything was already running, and it was just a matter of ticking a few boxes inside OPNsense to get Unbound running.
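Pi-hole’s lists are mostly hosts-format files (`0.0.0.0 ads.example.com`), while Unbound wants `local-zone` statements. OPNsense’s blocklist feature does that conversion for you; the script below is an example written for this article, not code from Pi-hole, Unbound, or OPNsense, and shows what the conversion has to get right if you feed Unbound a custom list of your own. The blocklist embedded in it is constructed, not a real list.

```shell
#!/bin/sh
# Convert a hosts-format blocklist (what Pi-hole usually consumes) into
# Unbound local-zone statements. Example written for this article; not code
# from Pi-hole, Unbound or OPNsense. Domains below are constructed samples.

# Constructed input: the kinds of lines real lists contain, including the
# ones that must NOT become rules (loopback names, the 0.0.0.0 sentinel,
# comments, duplicates, mixed case, trailing dots, junk).
SAMPLE_BLOCKLIST='# constructed sample list, not a real blocklist
127.0.0.1 localhost
::1 ip6-localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com   # trailing comment
0.0.0.0 Tracker.Example.NET.
0.0.0.0 ads.example.com
telemetry.example.org
0.0.0.0 not a hostname'

# hosts_to_unbound: hosts-format lines on stdin -> one
#   local-zone: "<name>." always_nxdomain
# per blocked name on stdout. always_nxdomain answers NXDOMAIN for the name
# and everything under it, which is what you want for an ad domain; the
# Pi-hole style of answering 0.0.0.0 would be "always_null" instead.
hosts_to_unbound() {
    awk '
    {
        sub(/#.*/, "")                      # strip comments (re-splits fields)
        if (NF == 0) next                   # blank or comment-only line
        name = (NF >= 2) ? $2 : $1          # "<ip> <name>" or a bare "<name>"
        name = tolower(name)
        sub(/\.$/, "", name)                # canonical form: no trailing dot
        if (name ~ /^[0-9.]+$/) next        # the "0.0.0.0 0.0.0.0" sentinel
        if (name == "localhost" || name == "localhost.localdomain" ||
            name == "ip6-localhost" || name == "ip6-loopback" ||
            name == "broadcasthost") next   # hosts-file boilerplate
        # strict hostname syntax with at least two labels; anything else is
        # junk that would make unbound-checkconf reject the whole file
        if (name !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) next
        if (seen[name]++) next              # de-duplicate
        printf "local-zone: \"%s.\" always_nxdomain\n", name
    }'
}

# rule_count: number of rules a list produces. Handy sanity check for a
# migration: it should land close to the Pi-hole "domains on blocklist" figure.
rule_count() {
    hosts_to_unbound | wc -l | tr -d ' '
}

# Stand-alone run: print the rules for the constructed sample list.
printf '%s\n' "$SAMPLE_BLOCKLIST" | hosts_to_unbound
```

Write the output to a file that Unbound pulls in with an `include:` line, run `unbound-checkconf` before reloading, and keep the script strict: one malformed name in a hand-rolled include is enough to stop Unbound from starting, which on a router is the outage you were trying to avoid.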
Unbound isn’t a perfect replacement
But it gives me much more utility
Unbound isn’t exactly a straight swap, but it’s more capable and has more advanced features. I don’t need Pi-hole’s GUI and statistics page because OPNsense carries that role out for me, and being able to enable DNSSEC (Domain Name System Security Extensions) validation is a huge plus: signed answers are checked cryptographically before they reach a client, and a forged or tampered answer gets a SERVFAIL instead of being cached. And I’m no longer simply forwarding DNS requests to upstream resolvers; I’m resolving, validating, and caching them on my own network, which keeps my traffic a bit more private. Note that DNSSEC authenticates answers but does not encrypt queries.
No more Google or my ISP seeing every DNS request I make in one tidy resolver log, able to sell that data for advertising and other uses. No more easy fingerprinting of me, my household, and our socio-economic profile, which is a great benefit. To be clear about what recursion buys: my queries to the root, TLD, and authoritative servers still cross the ISP’s wire in plaintext, so it could reassemble the picture if it wanted to spend the resources on packet capture rather than reading a log. I could instead enable DNS over TLS or DNS over HTTPS to a public resolver, which encrypts the queries on the wire but hands all of them to that resolver again. Muddying the waters to make it cost the ISP more to track me is often enough of a deterrent.
Plus, it has proper local nameserver functionality, so I can assign local names to the growing sea of self-hosted services on my Proxmox server, and then accessing them is a matter of knowing which service I want, and not the IP-port combo that I had stored in my password manager. Use a domain you control or the reserved home.arpa for those names; .local belongs to mDNS, and devices that speak it will go looking on multicast instead of asking your resolver.
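Here, as an added example rather than the configuration OPNsense generates (it builds its own file from the GUI settings), is what the equivalent hand-written Unbound server block looks like for the recursive, validating, local-names setup described above. The home.arpa names, 192.168.1.x addresses, and file paths are assumptions for illustration.

```conf
# Added example of a recursive, validating Unbound server block. Not the file
# OPNsense generates (it builds its own from the GUI); the home.arpa names,
# 192.168.1.x addresses and paths below are assumptions for illustration.
server:
    # No forward-zone or forward-addr anywhere: Unbound walks root -> TLD ->
    # authoritative itself instead of asking the ISP or a public resolver.

    # DNSSEC validation. The trust anchor file is kept current via RFC 5011;
    # an answer that fails validation yields SERVFAIL rather than being cached.
    auto-trust-anchor-file: "/var/unbound/root.key"
    val-permissive-mode: no

    # Refresh popular names (and their DNSKEYs) shortly before their TTL runs
    # out, so clients rarely pay the slow first-lookup cost once the cache is warm.
    prefetch: yes
    prefetch-key: yes

    # DNS rebinding protection: drop internet answers that point at private
    # address space, except for domains you explicitly allow to do so.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-domain: "home.arpa"

    # Local names for self-hosted services (OPNsense: Host Overrides).
    # home.arpa is reserved for exactly this; "static" means names under it
    # that are not listed here get NXDOMAIN instead of leaking to the internet.
    local-zone: "home.arpa." static
    local-data: "proxmox.home.arpa. IN A 192.168.1.10"
    local-data: "jellyfin.home.arpa. IN A 192.168.1.11"
    local-data-ptr: "192.168.1.10 proxmox.home.arpa"
    local-data-ptr: "192.168.1.11 jellyfin.home.arpa"

    # Blocklist rules (local-zone ... always_nxdomain) live in their own file.
    include: "/var/unbound/blocklist.conf"
```

To confirm validation is actually on, query the router from a client with `dig +dnssec example.com @<router VIP>` and look for the `ad` flag in the response; a lookup of the deliberately mis-signed test zone dnssec-failed.org should come back SERVFAIL rather than an address. `unbound-checkconf` tells you whether a hand-edited file parses before you reload.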
Unbound DNS saved my network from issues and ads
When I first started self-hosting, I liked the novelty of giving services like Pi-hole their own SBC, partly to keep track of things in my mental map. But space is at a premium, and I can stuff so many containers and VMs onto the 12TB of SSDs on my Proxmox server. One of those is now an OPNsense VM (it’s FreeBSD-based, so it runs as a full VM rather than an LXC container) with Unbound DNS enabled and all the blocklists I was using on Pi-hole, without the worry of the Pi-hole deciding to blackhole its own network. And really, uptime is the name of the game for network appliances, and I’m glad I switched over.