As of today I have configured my Pi-hole on my "raspberry pi 4b" - could not wait...
What did I do?
Clean Pi-hole install
Tested Pi-hole DNS directly with Quad9 Uplink DNS Server
Installed and configured Unbound - recursive DNS server and signatures
Looped the DNS queries back from Unbound to Pi-hole
Like this all DNS queries hit the Pi-hole, and it makes a direct request to the root DNS servers plus the signature chain (DNSSEC).
Pi-hole unbound instructions ->
Pi-hole as All-Around DNS Solution - Pi-hole documentation
Example DNS Query:
PC----> eblocker -----> Pi-hole <---> Unbound (Service Local on Pi-hole) ---> Router ----> ISP--->RootDNSServers if not cached by Pi-hole
Best part of it is that I do not need to rely on services like Cloudflare, Quad9 and Google to function, since I request directly from the root servers.
DNSSec works too!
eBlocker is set up to have the Pi-hole as the uplink server, and I disabled all domain blocklists since Pi-hole will take care of that part by itself, and I am able to see which domains are "bogus" or "insecure". Now the added advantage with eBlocker is the following...
HTTPS Inspection --- goes to Pattern Files ---- that forwards unblocked queries to the DNS (Pi-hole) ---- that checks if the domains are blacklisted and allows/denies that query ---- verifies DNSSEC ------ So you have the best of two worlds: HTTPS inspection from eBlocker and DNSSEC, recursive DNS, domain / regex blocklists from Unbound/Pi-hole.
Best regards
Val.
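A way to confirm that a Pi-hole/Unbound setup like the one described above is really validating DNSSEC, added here as an example (this is not code from the post author, the Pi-hole project or Unbound): it builds a raw DNS query with the EDNS0 DO bit set, sends it to a resolver, and reads the AD flag and RCODE from the reply. A validating resolver sets AD on answers for correctly signed zones and returns SERVFAIL for a broken chain; an unsigned zone (or a resolver that is not validating at all) answers NOERROR without AD. The resolver address `127.0.0.1:53` is an assumption for a Pi-hole on the local host, and the three sample responses at the bottom are constructed headers used only to exercise the classifier offline.

```python
"""Check a resolver's DNSSEC behaviour by inspecting the AD flag and RCODE.

Added example, not part of the original post or of Pi-hole/Unbound.
Assumed default resolver: the Pi-hole listening on 127.0.0.1:53.
"""
import socket
import struct
import sys

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a DNS query for `name` (A record by default) with an EDNS0 OPT
    record whose DO bit asks the resolver to include DNSSEC data."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(len(l).to_bytes(1, "big") + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, UDP payload size 1232, ext-RCODE 0, version 0,
    # flags with DO bit (0x8000) set, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(response: bytes) -> dict:
    """Decode the 12-byte DNS header fields that matter for a DNSSEC check."""
    if len(response) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response bit
        "tc": bool(flags & 0x0200),   # truncated (retry over TCP if set)
        "ra": bool(flags & 0x0080),   # recursion available
        "ad": bool(flags & 0x0020),   # Authenticated Data: validator verified the chain
        "rcode": RCODES.get(rcode, str(rcode)),
        "answers": an,
    }


def classify(response: bytes) -> str:
    """Map a response header to the same vocabulary Pi-hole uses in its query log."""
    h = parse_header(response)
    if h["rcode"] == "SERVFAIL":
        # A validating resolver answers SERVFAIL when signatures do not verify.
        return "bogus-or-unreachable"
    if h["rcode"] == "NOERROR" and h["ad"]:
        return "secure"
    if h["rcode"] == "NOERROR":
        # Answered, but no validated chain of trust: unsigned zone or non-validating resolver.
        return "insecure"
    return h["rcode"].lower()


def query(name: str, resolver: str = "127.0.0.1", port: int = 53, timeout: float = 3.0) -> bytes:
    """Send one UDP query to `resolver` and return the raw response bytes."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, port))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return data


# Constructed sample headers (no question/answer sections; only the flags matter here).
SECURE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)    # QR RD RA AD, NOERROR
INSECURE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # QR RD RA, NOERROR, no AD
BOGUS_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)     # QR RD RA, SERVFAIL

if __name__ == "__main__":
    # Usage: python dnssec_check.py <domain> [resolver-ip]
    # A signed domain should report "secure", an unsigned one "insecure";
    # a domain with a deliberately broken chain should report "bogus-or-unreachable".
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    server = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"
    print(target, "->", classify(query(target, resolver=server)))
```

Run it against the Pi-hole first and then directly against Unbound on its own port; if the Pi-hole reports `insecure` for a zone that Unbound reports `secure`, the forwarding step is stripping the AD flag rather than passing the validated answer through.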