[SOLVED] Run Pi-Hole as Container or VM?

thimplicity

Feb 4, 2022
Hi everyone,

I am running pfSense as a VM on proxmox on an AliExpress box and after a lot of stability issues, it seems like I have gotten this thing stabilized - 12 days and counting (knockonwood). Now I would like to add Pihole to the mix again. I had it set up as a container before I turned everything except pfSense off to get the box stable. Despite the fact that pfSense had stability issues, proxmox ran fine and stable. Now I am asking myself, whether it would be better so run Pihole as a container or a VM. I read that a container basically means that it should consume less resources, as it shares those with the proxmox host.

Which one would be a better choice from a stability perspective (in case there is a "better" here)?

Thanks in advance!
 
Hey,

a container is more lightweight, since no CPU, etc. has to be virtualized. So for something like a Pi-hole, I'd recommend using a container. A VM is more isolated than a CT, but that does not seem too relevant for your use case. For stability I'd say using fewer resources makes a system more stable, but other than that there shouldn't be much of a difference stability-wise.
 
Thanks!
 
I first ran Pi-hole on VMs but meanwhile switched to LXCs. Pi-hole shouldn't be publicly accessible, needs no NFS/SMB shares and is very lightweight. So a perfect case for an LXC.
 
If you have two hosts, I would also recommend setting up two Pi-holes on different machines. If you don't have two PVE nodes, a single PVE node + any cheap Raspberry Pi (even a 12€ Raspberry Pi Zero 1/2 W) would work too.
Because otherwise your whole internet at home wouldn't work in case the PVE node or the Pi-hole LXC fails.
This is especially important as you shouldn't set up a secondary DNS server beside your Pi-holes on your machines, as this would bypass any blocking rules Pi-hole applies.
There are also gravity-sync and keepalived you could set up for synchronization and high availability. That way you will only need to admin a single Pi-hole but still have redundancy.
 
My plan is to run one on the pfSense box and one on my homelab server as a failover.
 
I am sometimes using a Pi-hole Alpine Linux LXC container, which is a port of the original project: https://gitlab.com/yvelon/pi-hole
Also another LXC just with Unbound. I did this approach because otherwise the Pi-hole LXC itself couldn't update, because Unbound is not running on port 53, but Pi-hole is instead, and while updating, Pi-hole goes offline. I submitted a request to just append a Cloudflare IP to /etc/resolv.conf during the update and remove it afterwards, which is already applied, but I have stuck with my config. I am creating another PVE and will put another Unbound and Pi-hole in it; this way I will configure each Pi-hole to request DNS from the two instances of Unbound in each PVE. This way, if an Unbound container goes down, I still get replies, also if I need to reboot any of the PVE servers.
 
Did you read the documentation on how to install Unbound on the Pi-hole LXC?: https://docs.pi-hole.net/guides/dns/unbound/

Here Pi-hole listens on port 53 and Unbound on port 5353. You could tell your LXC to use 127.0.0.1:5353 as DNS server, then it would always use Unbound and updating Pi-hole should work.

And again, you should setup two Pi-holes for redundancy. Would be no problem then to update a Pi-hole, as DNS resolution still would be working even if one of the Pi-holes isn't running.
 
/etc/resolv.conf does not support using a port other than 53; that is how the internet works. No Linux or BSD supports it; the only exception is OpenBSD, as far as I know, since 53 is the well-known port assigned to DNS by IANA - all DNS servers everywhere operate on that port.
To use a port other than 53, you need to do a port redirection using iptables.
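A small audit of a client's /etc/resolv.conf for the two pitfalls raised in this thread (a non-Pi-hole resolver listed beside the Pi-holes, which bypasses blocking, and a `host:port` entry, which resolv.conf does not accept). This is an added example, not code from the thread or from Pi-hole; the file contents and the Pi-hole addresses 192.168.1.2 and 192.168.1.3 are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# glibc's resolver only honours the first MAXNS (= 3) nameserver lines.
MAXNS = 3


@dataclass
class ResolvAudit:
    nameservers: list = field(default_factory=list)  # valid entries, in file order
    bypass: list = field(default_factory=list)       # resolvers that are not a Pi-hole
    malformed: list = field(default_factory=list)    # e.g. "127.0.0.1:5353"
    ignored: list = field(default_factory=list)      # valid but beyond MAXNS


def audit_resolv_conf(text: str, pihole_ips) -> ResolvAudit:
    """Parse resolv.conf text and flag entries that weaken or break Pi-hole filtering."""
    allowed = {ipaddress.ip_address(ip) for ip in pihole_ips}
    result = ResolvAudit()
    for raw in text.splitlines():
        # '#' and ';' start comments; blank lines and other keywords are skipped
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        value = parts[1]
        try:
            # strip an IPv6 scope id such as fe80::1%eth0 before parsing
            addr = ipaddress.ip_address(value.split("%", 1)[0])
        except ValueError:
            result.malformed.append(value)  # "ip:port" lands here
            continue
        if len(result.nameservers) >= MAXNS:
            result.ignored.append(value)
            continue
        result.nameservers.append(value)
        if addr not in allowed:
            result.bypass.append(value)
    return result


# Constructed sample file, not taken from any real host.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 192.168.1.2      # Pi-hole on the pfSense box
nameserver 192.168.1.3      # Pi-hole on the homelab server
nameserver 1.1.1.1          # hand-added fallback: bypasses Pi-hole blocking
nameserver 127.0.0.1:5353   # port syntax is not valid here
"""

if __name__ == "__main__":
    print(audit_resolv_conf(SAMPLE_RESOLV_CONF, ["192.168.1.2", "192.168.1.3"]))
```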
 