TL;DR: I made the switch an hour ago and thought I’d share my motivations and experiences here in case anyone wants to do the same.
A few years ago, when the number of devices in my LAN threatened to get out of hand for reasonable maintainability, I made the switch to network-wide ad blocking. An older Raspberry Pi model connected directly to my router turned out to be a good solution. After checking the available options, I ran AdGuard Home on it for a while, which is (in my opinion) a nicer solution than the top dog Pi-Hole, but essentially does the same thing: every DNS request is forwarded to a customisable DNS server and filtered using equally customisable blocking lists, plus there’s a nice web interface.
Third-party DNS servers have some advantages, but they are not protected against censorship (e.g. the attacks by corporations against Quad9) and surveillance. Because what used to be called ‘paranoia’ can now be called healthy caution again, my own DNS server wouldn’t be such a bad idea, I thought. The most obvious solution, setting up an Unbound in addition to AdGuard Home, did not seem wise to me for two reasons: Firstly, I have had rather mixed experiences with setting up and running Unbound on my mail server, and secondly, the concept of having to run two different services on the same device for the same purpose, which then have to talk to each other, seemed ill-conceived to me: not only is it quite complex and seems partially redundant, it is also more error-prone than a standardised solution.
Shortly afterwards, I accidentally found the answer to my doubts with the Technitium DNS server. Technitium (they have more products, but I’ll cut it short for now) is something similar to AdGuard Home and Pi-Hole: you start a software and this software then acts as a DNS server. Technitium does not (necessarily) use a third-party service, but sends all queries directly to the root nodes. This takes a little longer than usual the first time a domain is called, but is censorship-free and then (naturally, because it is within the local network) lightning-fast.
Technitium works without further configuration, right after starting (and setting the admin password) it is fully operational. Fine-tuning is possible, there are also some plugins, I myself have actually only set up a few ad filters, because Technitium can also use these by default. I like it.
I regret not having started until 2025. I was always put off by Unbound. If I had known that something like Technitium existed (for over five years now), I would probably have skipped AdGuard Home straight away. I am happy to recommend it.
You must log in or register to comment.
For me 2x local pihole + unbound works great. I also have pihole + unbound running on a VPS exposed to my tailnet, serving as a backup when my home changes IP or goes offline.
For the record, any DNS server you choose to employ should default to only using the root servers. You would need to configure your own forwarder IP(s) to point to a general purpose resolver.
… censorship-free …
You should also be aware that even if you use root servers, a DNS server which is authoritative for the domain you are querying may well return different results depending on where in the world you are. This can be in order to direct you to an IP that is closer to you, or because “different global locations get different content” for any reason, including censorship and malicious goals. The latter is definitely less likely than the former, but it’s just as possible.
For the record, any DNS server you choose to employ should default to only using the root servers.
If that was the case, there would be a market for exactly 0 DNS servers.
You should also be aware that even if you use root servers, a DNS server which is authoritative for the domain you are querying may well return different results depending on where in the world you are.
Thank you, this is valuable information to me. :-)
If that was the case, there would be a market for exactly 0 DNS servers.
I’m not sure what you mean by that, but it’s definitely the case.
I mean that, if all DNS servers just returned whatever the root servers tell them, nobody would want to run his own one, I think.
That’s not what I was talking about.
Technitium does not (necessarily) use a third-party service, but sends all queries directly to the root nodes.
By default, any DNS server will look to the root servers for any query. The root servers only know what DNS servers are authoritative for top level domains (TLDs), and tell the client querying “Hey, go ask the “.com” (for example) server.”
That server knows what DNS servers are authoritative for the zones under .com, and says “Hey, go ask the “querieddomain” server.”
Then your machine asks that server for the “www” (for example) host, and that DNS server says “Here’s the IP.”
Unless the DNS server your machine is pointing at is configured to use a forwarder, wherein queries for any records that it isn’t authoritative for or aren’t in its local cache are resent to whatever DNS server is configured as the forwarder. The recursion like above is done between your DNS server and its forwarder, finally returning you an IP address when one is identified.
There’s a bit more to it than that, but that’s what I was talking about. Out of the box, a DNS server uses root hints, which are IP addresses of the root DNS servers. You would need to configure forwarder(s) in your DNS server if you desire them.
Ah, sorry. This is a new technology to me. Thank you!
I’ve got multiple adguard/unbound instances running locally. Confused as to why you don’t like unbound. Its robust and fairly straight forward to setup IMO. Only time I’ve ever had issues with it was when I was trying to set up DoT, but that was most likely an issue on my side. Oh there was a brief stint of some DNSSEC issues, so I opted for a less strict config. A lot of this is easily found online or via chatting with a friendly neighborhood LLM
I now just have it setup to recursively resolve, and its been running without any issue for over a year now
Its robust and fairly straight forward to setup IMO.
I never got it working reliably on OpenBSD, something always resets its root directory’s permissions to
root:rootwhich makes the service break. It’s probably unfair of me to blame Unbound for this, but it always sticks in my mind. In addition, Unbound wants a text file as configuration and the solution I have now found does not. It’s also a question of convenience, at least a little. :-)I’m not ruling out the possibility that I could recreate my local setup with Unbound (there should be a way to automatically download and integrate an AdBlock filter list somehow), but I admit that I’m just not familiar enough with it. It’s a bit of a shame, I know, but unlike a mail or web server, I have really big problems when my DNS server goes down with a cryptic error message. I would like to minimise this risk.
Blocky is another nice AdBlocker and DNS proxy. I’ve been using it for quite a while. Seems to be pretty efficient, too. If you’re looking at community DNS servers, have a look at https://opennic.org/ that’s a democratic DNS root.
And by the way, take care not to expose your DNS server to the public internet, or some people will start using it for DNS amplification attacks. But that shouldn’t be any concern if you run it on a Raspberry Pi at home.
Blocky is another nice AdBlocker and DNS proxy.
Blocky does look nice, but there is no way to use it without any upstream DNS server, which limits its usefulness. Technitium works without having to rely on third-party DNS services, which is its main selling point, I guess.
Sure, it’s just a proxy/forwarder. I mean I kind of see your point. But I don’t think I agree on the word “usefulness”. In practice, for an average person, it has the exact same effect, no matter if you pick an intermediary, caching DNS server, or recursively look it up, starting at the root. It returns the same answer and the same webpage opens. With the one requirement that you need to pick an DNS server which doesn’t mess with the results. But that’s not a huge issue, there are quite some uncensored DNS servers out there. Like the OpenNIC ones for example.
But I don’t want to talk you out of it. Originally, it was frowned upon querying the root DNS servers. Since it puts more strain on them and the very core of the internet. And it’s a bit more inefficient for you, since your DNS server needs to store more database information and do more queries from a residential internet connection which might be slower than a server in a datacenter. But a lot has changed since DNS got invented and I think it’s probably fine to run a full, recursive DNS server at home these days.
So enjoy your unhindered internet access. For the other people who don’t want to run a full DNS server, I can recommend opennic.org And I think it’s really a shame that lots of ISPs mess with the DNS results and introduce third-party blocklists. Mine does that, too.
With the one requirement that you need to pick an DNS server which doesn’t mess with the results. But that’s not a huge issue, there are quite some uncensored DNS servers out there. Like the OpenNIC ones for example.
I know, and some of them have quite some latency, while others may or may not start censoring and/or logging my requests in the future. The downside is that having my own DNS server outside my LAN doesn’t make much sense, because (you’re right!) my home internet connection is struggling to keep up with the major providers, as is my hardware. However, at, I’ve just checked, an average of just under 2,000 requests per hour, it’s more than feasible.
There’s a good chance that the operators won’t even notice my requests, especially because my cache is filling up fast.
And I think it’s really a shame that lots of ISPs mess with the DNS results and introduce third-party blocklists. Mine does that, too.
This. Very much this.
@tux0r nice idea, need to look into that. Github looks promising. Are you running it on a Raspberry Pi? Do you have some specs, like external HDD/SSD for storage/logs? Other Services on that Host? RPi4?
AdGuard and Pi Hole feels a bit slow in my setup, to be honest. Sometimes like 200ms Answer time from Quad9. Even optimistic caching doesnt seem to have an positive impact.
Yes, it’s running on a Raspberry Pi. Only internal SD, no other services. RPi 3B, I think. It’s been mine for quite a few years now.
