13h ago

Pi-Hole question regarding unbound and cloudflared

Hello lemmings! I have recently started the process of setting up my own Pi-Hole, I am a developer and pretty comfortable with Linux but I am a bit of a newcomer when it comes to networking.

Now, during the process I noticed that the VPN I use (Mullvad) claim to have DNS leaks (This is a bit obvious since I was no longer using the DNS they expected in the VPN tunnel). So after reading a bit on the pi-hole guides I figured I'd set up a cloudflared service, but instead of using the cloudflare dns-query I route it to Mullvads own DNS.

Now this works fine and all, it's DoH and running Mullvads own DNS to query so Mullvads own tool is happy with the DNS settings I have.

However, I also read about unbound in the Pi-Hole guides. I was curious if this was to prefer over cloudflared? Since I am running through Mullvads own DNS I don't think there should be any issues. However locally hosting your own recursive DNS server also sounds good.

What is your opinion? Is it overkill? Is what I have now enough or should I try to set up unbound aswell?

Happy with just a discussion around this to learn more, just curious whether I should continue cooking on what I have now or if I should just focus on getting the entire network set up to use this.

4 comments

I prefer cloudflared myself.
While unbound requests its answers from the authoritative servers for each domain; it does so using regular DNS queries, so it's susceptible to monitoring and modification like any other DNS request. While adding latency by extending that request to several servers, instead of a single trusted provider.
That doesn't really seem beneficial to me. I'd rather use DOH.

I think what you have is fine, and wouldn't worry about it too much.
That said, I run unbound with pi-hole, directing the dns queries through a wireguard tunnel. It's a bit slower, but I do like having my own recursive DNS, especially with news that more and more services are implementing DNS level blocking.

However, I also read about unbound in the Pi-Hole guides. I was curious if this was to prefer over cloudflared?
Many people advocate for Cloudflared as a tunneling solution, but it’s not a one-size-fits-all tool. Personally, I avoid it. Your VPS already functions as a firewall for your connection. Using Tailscale is also self-host and avoids reliance on third-party services like Cloudflare while maintaining security and the same functionality.
For DNS privacy, I prefer odoh-proxy, which enables your VPS to act as an oDoH (Oblivious DNS over HTTPS) proxy for the cloudflare network. While oDoH introduces a slight latency increase, it significantly enhances privacy by decoupling query origins from content, making it a more secure option for DNS resolution. So you would be able to set your DoH resolver to your domain (https://dns.whatever.com/dns-query) and it would forward the request to cloudflare for resolution, and then back again.
As for Pi-Hole, its utility has diminished with the modern alternatives like serverless-dns. It allows you to deploy RethinkDNS resolver servers on free platforms, handling 99% of security concerns out-of-the-box. The trade-off is a loss of full custody over your DNS infrastructure, which may matter to some users but is less critical for general use cases.
Lastly, using consumer VPNs like Mullvad to proxy connections often introduces unnecessary complexity without meaningful security gains. While VPNs have their place they can really overcomplicate setups like this and rarely provide substantial privacy benefits for services like DNS.
- Many people advocate for Cloudflared as a tunneling solution, but it’s not a one-size-fits-all tool. Personally, I avoid it. Your VPS already functions as a firewall for your connection. Using Tailscale is also self-host and avoids reliance on third-party services like Cloudflare while maintaining security and the same functionality.
  OPs not using cloudflareds tunneling or services at all; in this application, it's purely a local tool for translating regular DNS to DOH using the chosen DOH provider. Mullvad in this case.