The only haiku you need to know to work in IT (and I say this as I enter into my 21st year in the industry): It's not DNS. It cannot be DNS. It was DNS.

3:02 - Docker still has a lot more usable implementations for container work on Mac and Windows, IMO... until they overcome those issues, I'm still sticking with Docker CE on my servers. Seems like most of the people using and pushing Podman are already deep in the RHEL ecosystem.

I’ve been running a pi hole for about a yr and it’s been great. You don’t realize how many ads are fired at you until you see zero.

Gibson's DNS benchmark is fabulous. I can't believe I forgot about this, but I saw it in the background on the monitor. And you can set up pi-hole to be a DNS cache as well as blocking. That way you are only two levels on anything cached, and only three levels on the first visit.

@MaxPrehl

Жыл бұрын

I'm trying to do a DNSBench myself... Is it just me or does Gibson's dns bench not allow IPv6 DNS servers?

@majstealth

10 ай бұрын

fucking damn usefull thing, even if it is 13years old now. it is always dns, maybe dns is working inside, but if your routers dns is not responding, everything takes 3 refreshes and 12seconds to get anywhere

My dad was just talking this afternoon about how a website he was using is more ad than content. Maybe I could set up an idiotproof Pihole system for him... Love this series! Definitely interested in the DNS video.

@llortaton2834

2 жыл бұрын

you just called your dad an idiot?

@katbryce

2 жыл бұрын

@@emeraldbonsai Use both, but pihole makes things way faster, because you get an instant nxdomain rather than it waiting ages to do its real-time bidding thing to decide which ad to serve to you.

Made the bold decision to use my forbidden router and set up a Samba domain controller, in combination with pfSense Unbound DNS resolver/adblock. Choreographs the systems I've got racked. Little flaky for machine name resolution, but the Windows domain remains consistent. Cool to see similar stuffs. ProxMox, Debian, Windows, pfSense. Really cool to be about to control my drive share mapping via Group Policy for the home lab. Set processes to run as domain accounts for Windows auth. Makes the whole network feel more cohesive.

I'm up 4 hours into midnight and finally do something with my life. Thanks for the tips!

I love the beam-out at the end!

Delightfully geeky. Thanks!

I've been running portainer for months now. Amazing piece of software. I have been manually deploying services using multiple compose files for years and it's a big pain to maintain.

Pihole + Unbound = Simple, Elegant, and Private Pihole Caches DNS lookups

Great series

@Darthborg

2 жыл бұрын

6 days ago… k bro..

@Level1Techs

2 жыл бұрын

Our Patreon and Floatplane supporters get to see stuff early, just fyi ~Editor Autumn

I had to go a few months without using pfBlockerNG with DNSBL... holy hell, the naked web is terrible.

@2:00 Mikrotik RouterOS v7 lets you run containers, and their example is Pihole

Excellent content as usual! However, being a technician for M365/Azure services I have to point out one minuscule item of correction around 12:25. Endpoints that are Azure AD-joined do not use a domain controller so no special considerations for DNS are necessary.

Wendle you bastard. Somehow I find myself building a mini version of this with a ryzem 3600 right now.

Using Pi-Hole some zears now. Great filter. People do not understand that firewalls block traffic by IPonly however DNS is still being asked. Pi Hole seals this leak.

A bit silly that during the DNS bench portion I didn't realize the DNS name was off to the right as I recognized so many of the IPs. Good series.

pihole has a "local dns" settings where one could set the domains to be cached to point to the lancache, but one would have to enter everything manually (or edit the file pihole saves them to)

@bill_and_amanda

Жыл бұрын

Surely that edit could be (and possibly has already been) scripted

@spicybaguette7706

28 күн бұрын

You can also set lancache as an upstream for pi-hole

I used to run a caching proxy server back in the late 1990s / early 2000s. That did the same thing as the Steam Cache system you describe. I think Microsoft's later proxy server (ISA Server?) had caching capability too.

When talking about DNS "slowness" we refer to it as latency. DNS doesn't "slow" your computer but it can take a long time to resolve whatever internet namespace you request. That delay is called latency. I do my own DNS for my LAN and I know it has some latency issues but whatever. I go back to the days of dial-up and so I naturally compare my computing experience to that quagmire.

Interesting video, I also went the virtualization route, took me a few days, but now I have a Proxmox server, with PFsense, Truenas, Linux (for my docker, portainer stuff), Windows for Blue Iris virtualization, and it all runs very well on a 5950x (which I also use for Blender network renderings). I will also have a look at the things you suggest here, but of course I don't have your powerful hardware.

@vonkruel

2 жыл бұрын

Nice! I went much the same way software-wise, but with a 2P Xeon system (used mainboard, CPUs, memory from eBay). It's quite a bit slower than your 5950X but at the time it was a relatively cheap way to get 16c/32t w/ 128GB ECC. I think 64GB is the limit for AM4 (?) but that's enough to do a lot. I could actually make 64GB work for my own needs, but I like the extra breathing room.

@rudypieplenbosch6752

2 жыл бұрын

@@vonkruel Interesting, yes this virtualization is a great thing, Proxmox is pretty amazing, I was a bit hesitant to go the forbidden router route at first. I now have 64 GB, but will go to 128GB as well, just to have some headroom like you mentioned. For Truenas and Ubuntu I still need to figure out how to install a qemu-agent . When I look at some tutorials, they look messy, installing about 150 Mb for an agent its ridiculous, in contrast with Win11 and Pfsense it was relatively clean and easy. I did have some problems with passing through an old Areca1320 HBA adapter through Truenas, decided to leave the adapter on Proxmox and pass 8 individual drives to Truenas, performance seems ok.

@vonkruel

2 жыл бұрын

@@rudypieplenbosch6752 In TrueNAS SCALE qemu-guest-agent is loaded by default. You may not want to switch for that reason, but I thought I'd mention it. I believe your ZFS pool(s) will be safer with a passed-through HBA. Maybe if you move it to a different slot it's easier to pass through? Those IOMMU groups can be a pain, and it could be an advantage of HEDT & especially server mainboards that more thought has been put into the IOMMU groupings. There's a kernel hack that'll let you _force_ a device into its own IOMMU group, but if devices were grouped together for good reason, "you're gonna have a bad time".

@rudypieplenbosch6752

2 жыл бұрын

@@vonkruel Thanks for your suggestions, I did test Truenas Scale on an older system, performance was not great, I understood they are still working on that, so I decided to stay on Truenas Core for now. The passthrough for the HBA was a bit weird, I could see during bootup, the adapter was recognised and all drives were shown, then Seabios came and started alphabetically number each drive, which it should not, after that in Truenas none of the drives were shown . Only yesterday I discovered you can interrupt Seabios in Proxmox, during bootup of a VM. I'll have a look if Seabios can leave my HBA drives alone, because of course I prefer passing through that adapter completely. I don't have a serverboard, but the Aorus Pro, which has IOMMU, seems todo a good job, since all VM's can access the NVMe drive they run on at blistering speeds, 6GB/s. Never expected that kind of speeds when running on a hypetvisor, that is almost native speed for a PCIe4 NVMe drive, amazing. I will run this system for a few years, if I ever upgrade, I want definitely want a server MB, with integrated HBAS controllers, IPMI and more of that server grade features, although I can't complain about the Aorus mainboard. It will be interesting how the NVMe capacities will evolve and how boards will accommodate for more of these speed monsters on a MB. The Icy Dock, which could accommodate 8 of them looks like a direction things are going, I guess the mainboards will have to have an increased amount of onboard ports to easily connect to these kind of devices. Interesting times ahead anyway.

@vonkruel

2 жыл бұрын

@@rudypieplenbosch6752 Yes, the performance can be surprisingly good! Okay, for passthru to work, we need 2 things: 1. The PVE host system's vfio-pci driver needs to attach to the device, _not_ the "normal" driver 2. The VM configuration file needs a new line that tells PVE to give that reserved device to that VM For example, if your VM has id "100" and your HBA has id "83:00" (with no other devices in the same IOMMU group): 1. Edit /etc/default/grub, adding the following to GRUB_CMDLINE_LINUX: "amd_iommu=on iommu=pt kvm-amd.nested=y vfio-pci.ids=83:00" 2. Run "update-grub" (as root) 3. Edit /etc/pve/qemu-server/100.conf, adding the line "hostpci0: 83:00" If that doesn't work, you probably have 1 or more additional devices in your HBA's IOMMU group, or required IOMMU support is disabled in the BIOS. You can find short shell scripts online that will dig through /sys/kernel/iommu_groups/ and use *lspci* to provide information about devices in each group. If your BIOS is cooperative and there's nothing in the target device's IOMMU group that you don't want to pass to that VM, you can just pass all the devices through. I hope it helps. A bunch of things need to be right for it to work, but in a lot of cases it's pretty easy on modern hardware.

Lancache only helps if you frequently download the same things though, if you're just one person, downloading a game and probably not redownloading it for like a few months/years it's probably not worth it, cool for conventions or benchmarking though

4:50 the first time you access a site and DNS is used to get the IP, once it is cashed locally it is not 'slow' anymore as the info is then local (for quite some time).

Seems like this might work on TrueNAS Scale

Pi hole on Pi B 4gb inside a docker container has worked for my small set up at home with 7 people

This went from a DNS discussion to a caching proxy discussion.

Still dreaming of a bromance between Wendell and Jeff Geerling. Cuz it was always DNS!

@dolex161

2 жыл бұрын

Also Wendell will totally get along with red shirt Jeff and the other pi guy

I would love to see a video dedicated to DNS and DNS troubleshooting

Look at me with my "super precocious" Active Directory home network. I feel seen.

You should make a second casual channel for the Docker shmucks

If you do a video for DNS, perhaps you could briefly cover ISP server vs. public server vs. straight to root servers? I imagine the latter would usually be slower unless you have a decent number of users and processes on your LAN caching stuff, but to be honest I never benchmarked it. I've been using my own bind9 server with a list of root servers for years and usually it's fast enough for me.

If piHole and lan cache could join forces it would be amazing, I hope we see that some day

In terms of blocking ads, I know with ublock and other extensions you can unblock individual, say, youtube channels, not just sites. I'm guessing pihole has a similar provision (though I also run youtube premium, so not only do I get no ads, from what Linus has said, I'm also giving more to the people I watch, as compared to just watching ads).

MikroTik RouterOS 7 allows docker containers to run on the router. I play it safe so I'm going to wait a while until it's prod ready

Thankfully for me settings steam server to *the other side of the continent* makes it way better. Also, if you are concerned about ad income, donate $1 through patreon to the creators, that's way more than what they would get for showing you personally any number of ads.

Btw, Gibson's DNS Benchmark runs fine on linux with Wine.

run your own dns resolver? unbound in recursive mode? it is actually default on pfsense iirc and also available on openwrt and such

I get to do this with the extra layer of Consul because my UniFi gear apparently doesn't have the ability to specify which IP my monitoring VM resolves to.

Conditional forwarding in named.conf or local AD -> pihole -> internet DNS?

Podman is nice, but it's not a drop-in replacement though

While not related to this project. What would the implications be of using a CCR2004-1G-2XS-PCIe tied to a VM server? Would this router direct attached to a VM server have more use, or just be confusing? It would definitely be in the forbidden router category, but also the confused role and function category!

I use pihole’s lists in pfBlocker-ng rather than running pihole, but couldn’t the DNS Resolver in pfSense use override lists to send lancache/pihole requests to the respective containers? Else the rest to your chosen pubDNS. It’s something I’ve always wondered, but I haven’t felt the need for a lancache.

6:50 - WAIT!! How did he know?? 😲 I told no one. 😳

Great series! One question on this: What's the best way to setup fallback? If something in the chain breaks, is there a way to direct to an alternate DNS? From what I read, "Primary" and "Secondary" DNSs aren't really a thing. They get picked depending on which one is fastest. So how would you set a hierarchy there?

@MichaelSmith-fg8xh

2 жыл бұрын

Both Pfsense and pihole let you add multiple DNS servers for their requests. You can configure pfsense to hand out multiple DNS servers via DHCP to clients. Order/priority is often opaque. I just loaded 8 DNS ips in opnsense/unbound so it's got options. DHCP hands out the ipv4 and IPv6 addresses for my router as DNS servers

@richardbeirne827

2 жыл бұрын

@@MichaelSmith-fg8xh Yeah, it's the order/priority bit I'd like to figure out. Unless of course there's just a better way to handle DNS failures / fallback that I'm not aware of.

@MichaelSmith-fg8xh

2 жыл бұрын

@@richardbeirne827 If you really need it for your WAN dns, Dnsmasq has a checkbox for query sequence

We really need dns-server/framework to unify all the query modification and make pihole and similar basically a middleware/plugins.

its possible to import the lancache domains, did it on my system with a small script that is supplied in the github repo for the DNS list that lancaches uses. the annoying part is to have to manually add the generated files to the dnsmasq config for pihole.

Why did you choose pihole over pfBlockerNG?

Any thoughts about using/benchmarking Unbound as a root server rather than going to a provider?

I have all endpoints pointing directly to Pi-Hole first, and Pi-Hole forwards any steam cache requests to my local server.

MikroTik just added docker support to RouterOS 7.4 beta4

Why not block ads with the pfBlockerNG addon for pfsense? One less VM to manage.

Can the router do internet bonding ?

does this setup support dnssec or dns over tls/https?

My Raspberry Pi-hole will work for like a month then randomly die and not reboot until I burn another image onto the SD Card? This has happened 2 or 3 times now on the same memory card. I don't know what's happening.

could you use regex in pi hole to whitelist and send dns requests to the steam cahe?

On a Microsoft Active Directory Domain, it does almost all of it's security providing using DNS. So if your LAN is an Active Directory domain and your Windows workstation is a member of that domain then turning primary DNS over to a third party provider is a very bad idea. I've had clients do that to their member workstations and then I'd get a call where they'd be experiencing very strange network related issues. One client had a user who thought she knew better than I did and kept pulling her workstation out of the domain this way. I told her that she can't do that on a domain computer but she kept doing it then I'd get a call. I didn't want to lock down the workstations but I did after awhile.

Um, there's a toothbrush leaning against the computer there... I have questions.

I do Pi-hole with the vm as the resolver (craft computer video) then onto cloudflair. Do I really want my isp dns anywhere near me?

I tried running the DNS Benchmark, but I've set my edgerouter to cache DNS, I think If I ignore the number 1 result (that's my router) I'll still get a valid benchmark?

2:50 did Wendell expose his Portainer GUI into WAN or is the editor less technical?

Any reason your using Pi-hole over pfBlockerNG pfSence plug in, besides the nice dashboard?

@nitroblueuk

2 жыл бұрын

Pihole is less resource intensive. Pihole outright serves a response to say request unavailable. Pfblocker on the other hand serves a 1x1 image in response to a blocked request. It also tends to be a little bit slower when responding.

I feel like I'm talking back to my teacher (Wendel's Pfsense vidéo got me started years ago)... but why use lancache and pihole when the same functionality (DNS cache, ad blocking, http cache) exists in your router software (pfsense or opnsense).

@romevang

2 жыл бұрын

pfsense doesn't cache steam downloads natively, its kinda been a theme with Wendell, that's his specific use case. Which actually is the case with a lot of gamers.... in my house hold, we play a lot of the same steam games, so when there's an update, that's N times the downloads that have to occur, which is a waste of bandwidth and time. So... lancache.

@MichaelSmith-fg8xh

2 жыл бұрын

@@romevang Squid (as a transparent http proxy in pfsense)... Or does it hit a bunch of different domains for successive requests of the same updates?

Azure AD actually doesn't provide any DNS. You have to have "Azure AD DS" which is stupidly expensive and an additional product.

Wendell:"I don't want a whole separate video on DNS" Me: 🥺🥺 P-pwease do a whole separate video on DNS, Senpai

do a video on Ceph plz. I want to roll it out but want you to make all of the mistakes for me first

This is really cool and all, but how can i do any of this when my internet is provided by Cable/Coaxial? xp

Engagement

I got a Pixel 6 Pro and getting it to use PiHole for DNS on it was a whole ordeal because of the built-in VPN and DNS over HTTP.

Wendell i'm sorry to break it to you but your MSN page still has ads, they are marked with a green "Ad" ticker "2 cards charging 0% interest until 2024" I guess not all ads can be blocked, especially if they are using their own domain to show off other domains that aren't normally ads.

Its neat to watch you do this. But I stil wouldnt recommend people virtualize pfsense unless you really understand networking and know what ur doing (as you say in the videos). It feels like asking for trouble and fixing what ain't broke lol. I like the discussion of the plugins and whatnot. And please more xcpng content, the world's needs to hear about it :)

Would Unbound be the thing that could "string together the things" (unbound be the single thing for pihole/lancache/dns)? Unbound is self hosted recursive dns cache, I wonder if it could locally cache the multi step dns path you setup to make it even faster by being a local single point.

all i have is an old ISP router running OpenWRT (as an AP)...

POD MAN FRAGRANCE SPRAY! Fragrance for… oh

Dead by dawn, dead by dawn!

1 MB/s when using the isp steam Cache? I would love to see this kind of performance The steam cache of my isp caps out at 200kb/s... Completely unusable

Can somebody point me to a home networking primer? Something addressed to a user who can spec, build and commission a PC, but who has long been baffled by how hard it is to share files from one PC to another, day in day out. There was that one time I put a USB drive in the back of my wireless router, and it worked for a week or two as a network drive that all the computers in the house could see, but then it vanished. What's a NAS? What do I want it for? What is RAID in the context of 2022. It does me no good to tell me that RAID hardware is dead, since I really don't know what RAID hardware is. I have a vague understanding that RAID can provide various degrees of speed and redundancy improvements. The box my cable company gave me has some wifi and RJ45 sockets. What should I do with it? I wish somebody would make a coherent series on this stuff. Level1 has the expertise, but it doesn't seem that Wendell & crew want to get to such elementary questions, such uninformed users. Which is fine for them and their usual audience.

Why a PiHole next to the pfSense and not just configure pfBlockerNG on pfSense ??????? I like virtual machines, but why run 2 if one can already do the job.

I know the benchmark for dns I tested the dns years ago I don't think it all works, at least I found something faster on the net linux is not mine at the moment I'm over a hundred anyway, even with google just not on my cell phone I'm at 4g with 899MB/s that's the only reason it's crazy for 4g

My brain went apple Linux? What Macs have to do with this? Then i remembered not everyone mixes Hungarian with English...

Like for thumbnail and title alone.

Every time I think I get land cash set up correctly DNS breaks and new and interesting ways or my router runs at 100 million% CPU usage

Like I get what is going on here but I feel dumb every time you explain these builds.

It's always DNS...except when it's MTU!

I live off-grid on solar photovoltaic so any reduction in power use is a godsend for me. I just ordered a J4125 Celeron box with 6x 2.5gbps interfaces to replace a raspberry 4. i know i'll never get that much (6x 2.5gbps) of, especially QoS'd throughput, but it's actually way cheaper than buying a 2.5gbps switch. have you used them?

Quad9.

I wish they would do a tutorial for xbox to create something similar to thr steam cache.

why not just use unbound with pihole, I run pihole + unbound on my rpi 3 with no issues or bandwidth problems with 1gb fiber. Also firebog has really good lists to add to pihole for site blocking.

@xxcr4ckzzxx840

2 жыл бұрын

Thats what i do too. Any way i can then still use Lancache, because i dont have 1Gb fiber (yet)?

@pheelix-

2 жыл бұрын

@@xxcr4ckzzxx840 no clue, I would do a search for pihole and lancache. looks to be a few guides out there for it.

@kenzieduckmoo

2 жыл бұрын

because unbound isnt as good of a router software than pfsense.

@pheelix-

2 жыл бұрын

@@kenzieduckmoo your comparing apples to grapes, unbound is just a dns server, pfsense is that plus more and also cost as much as a top of the line name brand router if not more.

143,000 blocklist entries....... am I the only one here with over 6 million ips on my pihole blocklist?

@GameBacardi

2 жыл бұрын

...if possible, set whitelist instead. Then you need just few IPs

@nitroblueuk

2 жыл бұрын

@@GameBacardi It's a home network with over 20 devices on it. It's easier to blacklist than whitelist.

Docker... Keep breaking ever update...

There is no benefit of lancache if you are a single user. This is only useful if multiple clients in the same network download the same game or if you setup an instance which automatically downloads games while you are away. But then again you could just download games over night or left your PC on....

First

So lancache is like DNS for bad DNS, or DNS for bad DNS replies? I have to watch the 1st video, don't I? Though router that preemptively recognizes ads and doesn't even download them AND is system wide seems like a fantastic thing to have. Especially, because malware defense is something other people in my house have problem with. Though I have to check the video to know how expensive it would be to build one.

dns doesn't work as you explain...

Please don't support Redhat. Look what they did to CentOS. It's a joke.

@5:30 Jeff: "Hold my beer..." A few hours later... $ ansible-playbook pi_steam.yaml