Redundant Pi-Hole Setup
Pavan Bagde
Acting as a DNS-level ad blocker, Pi-hole intercepts and blocks requests to known ad and tracking domains before they ever reach your devices. It’s fast, private, and works network-wide.
Because Pi-hole is intercepting DNS requests, we need to be careful about its availability: if your DNS goes down, your internet goes down. That’s why, in my VLAN-segmented home network, I decided to go with a redundant/highly available Pi-hole deployment for resiliency.
I’ve split my home network into two VLANs to separate traffic and added firewall rules such that the firewall allows calls initiated from the trusted VLAN to the untrusted VLAN but blocks all calls initiated from the untrusted VLAN to the trusted VLAN.
| VLAN | Purpose | Example Devices |
|---|---|---|
| VLAN 10 (Trusted) | Personal devices | Phones, laptops, desktops |
| VLAN 20 (Untrusted) | IoT devices | Smart-home devices, sometimes phones, TVs, etc. |
Cross-VLAN DNS traffic is slower because packets need to go through the router.
- When a device on VLAN 20 queried a Pi-hole on VLAN 10, response times spiked.
- Slowness of new page or image requests can be felt on mobile devices and Apple TV.
So it was clear that every VLAN needs its own local Pi-hole instances.
Hardware and Software Setup
To create a redundant and flexible DNS solution, I deployed two Pi-hole servers per VLAN, for a total of four instances:
| Instance | Device | Network | Method |
|---|---|---|---|
| pihole1-trusted | HP Mini G5 - 1 | VLAN 10 (Trusted) | LXC on Proxmox |
| pihole2-trusted | Raspberry Pi Model B - 1 | VLAN 10 | Bare-metal |
| pihole1-iot | HP Mini G5 - 2 | VLAN 20 (Untrusted) | LXC on Proxmox |
| pihole2-iot | Raspberry Pi Model B - 2 | VLAN 20 | Bare-metal |
Proxmox LXC containers were provisioned with VLAN-aware bridges.
Each Pi-hole is configured with a static IP in its VLAN subnet and is assigned via DHCP on the router as the primary or secondary DNS for devices in that VLAN.
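A health check for this layout, as an added example that is not part of the original post: it queries each of the four instances directly and reports, per VLAN, how many are still answering and still blocking, so a dead or unfiltered secondary is noticed before clients fail over to it. The IP addresses and the canary name `blocked-canary.invalid` are assumptions (the name must be added to every instance's deny list), and the check assumes Pi-hole's default blocking mode, which answers blocked names with 0.0.0.0.

```python
import socket
import struct

PIHOLES = {  # instance names are from the post; the IPs are constructed placeholders
    "VLAN 10": {"pihole1-trusted": "192.168.10.2", "pihole2-trusted": "192.168.10.3"},
    "VLAN 20": {"pihole1-iot": "192.168.20.2", "pihole2-iot": "192.168.20.3"},
}
TEST_NAME = "blocked-canary.invalid"  # assumption: added to every instance's deny list

def build_query(name, txid=0x1234):
    """Encode a DNS A/IN query with the recursion-desired flag set."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def first_a_record(resp, query):
    """Return the first A record in a reply, or None (error rcode, no answer, bad packet)."""
    try:
        flags, _, ancount = struct.unpack("!HHH", resp[2:8])
        if resp[:2] != query[:2] or flags & 0x000F:
            return None
        pos = len(query)  # the question section is echoed before the answers
        for _ in range(ancount):
            while 0 < resp[pos] < 0xC0:  # skip uncompressed labels
                pos += resp[pos] + 1
            pos += 2 if resp[pos] >= 0xC0 else 1  # compression pointer or root label
            rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
            if rtype == 1 and rdlen == 4:
                return socket.inet_ntoa(resp[pos + 10:pos + 14])
            pos += 10 + rdlen
    except (IndexError, struct.error, OSError):
        pass
    return None

def probe(ip, timeout=2.0):
    """Classify one Pi-hole: 'blocking' (canary answered with 0.0.0.0), 'not-blocking' or 'down'."""
    query = build_query(TEST_NAME)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (ip, 53))
            resp = s.recv(512)
    except OSError:
        return "down"
    return "blocking" if first_a_record(resp, query) == "0.0.0.0" else "not-blocking"

def vlan_report(probe_fn=probe):
    """Per VLAN: each instance's state and how many instances still filter DNS."""
    out = {v: {n: probe_fn(ip) for n, ip in hosts.items()} for v, hosts in PIHOLES.items()}
    return {v: (st, sum(s == "blocking" for s in st.values())) for v, st in out.items()}
```

Run `vlan_report()` from a host that can reach both VLANs and alert when a VLAN's count drops below 2, since at that point the VLAN has lost its redundancy or a client can land on a resolver that no longer filters.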
Future plans
There is a drawback of having to manually sync config and settings not on one but across all four Pi-hole instances. I found that the Gravity Sync project addressed that, but it is discontinued and doesn’t support the latest Pi-hole v6. So I will look for or build something to make it easier.
Conversely, there is a benefit of having a tailored config/list for each VLAN.