Running Pi-hole or AdGuard Home provides great network-wide ad blocking, but creates a single point of failure. When your DNS server crashes or needs maintenance, your entire network loses DNS resolution. I had this problem and thus far had chosen to do a sub-optimal solution of using both AdGuard DNS as well as an upstream Google DNS server in my internet gateway. dnsmasq running on the gateway that manages DNS requests from all the clients in my network has no concept of a failover DNS server, or server priorities. It dispatches requests to all the servers it has configured, and ideally should honor whichever servers responds first.

This worked, sort of, but I often had requests leaking through to upstream servers. I recently found out about dnsdist and used that to fix it.

We will use dnsdist as a DNS load balance to create a failover setup. It will:

  • Route DNS queries to your primary ad-blocking DNS server
  • Automatically failover to backup DNS server if the primary fails
  • Switch back once the primary recovers

Requirements:

  • Pi-hole/AdGuard Home already set up
  • A device to run dnsdist (Raspberry Pi or any Linux system, but it should be different than the one running Pi-hole/AdGuard Home)
  • Basic command line knowledge

Steps:

  1. Install dnsdist (Below command assumes debian or derivatives. Use corresponding command for other distros)
sudo apt update && sudo apt install dnsdist
  1. Create a minimal config file at /etc/dnsdist/dnsdist.conf
-- Define DNS servers
newServer({address="192.168.1.10:53", name="primary"})     -- Pi-hole/AdGuard
newServer({address="9.9.9.9:53", name="quad9"})           -- Backup DNS 1
newServer({address="1.1.1.1:53", name="cloudflare"})      -- Backup DNS 2

-- Basic settings
setLocal("0.0.0.0:53")           -- Listen on all interfaces
setACL({'0.0.0.0/0'})           -- Allow queries from anywhere

-- Health checking
setServerPolicy(firstAvailable)  -- Use first available server

2a. There are a lot of optional settings available to further customize things like health check interval, what kind of checks to use, how to determine a failover scenario, etc. You can check dnsdist man page for more details.

  1. Enable dnsdist service
sudo systemctl enable --now dnsdist
  1. Update your router’s DHCP settings to use the dnsdist server IP as the primary DNS, and the pi-hole/AdGuard DNS as the secondary DNS. Now, as long as both of them don’t go down at the same time, you will have a working DNS setup.