With a self-hosted DNS internally, how do you handle fallback?
For example if the box with Adguard Home or pihole crashes, can you configure your router or your devices in a way that would instead go to say cloudflare or google DNS?
My router (Mikrotik Hex) redirects all DNS requests it receives to the Adguard server (with masquerade.) DHCP hands out the router for DNS.
A recurring script attempts to resolve a domain from Adguard every 30s, and if that fails, the NAT rules are disabled and the router would handle the DNS directly.
Downside to this approach is AG doesn't have client IPs, since they all come redirected by the router. I think DNS has a way to tag original IPs, but AG doesn't support it. I just use multiple DHCP configs to hand out AG directly to devices that are bad actors (and not critical), and critical stuff gets the method above.
I dealt with a less-than-ideally reliable pihole by configuring the pihole as the primary DNS, and an external DNS server as the secondary (most devices accept 2 or more IPs for DNS).
Honestly? Have two instances and point to both via your router dhcp dns. Very Client will use them and you are good to go. There are also solutions like adguardhome-sync to keep both installations in sync.
I believe this only works if your ad blocking DNS is configured to return 0.0.0.0 for all blocked domains rather than NXDOMAIN, since then services might try using the secondary DNS instead and that would result in nothing getting blocked. Ideally your secondary DNS should be a copy of the primary.
do you know if pihole or Adguard can configured to support confirming to the router or the client that resolution took place, rather than try the secondary DNS.
If i understand you correctly, if you have a blocking internal DNS running pihole or Adguard and an external general DNS such as google or cloudflare, unless what you described can be configured, the requests that come back "blocked" from pihole would then simply be resolved by google/cloudflare, thus negating the point of pihole.
AdGuard Home should by default be configured to return 0.0.0.0, you can check whether that's the case in Settings -> DNS Settings -> scroll down to Blocking Mode. I don't know about Pi Hole but it probably also has a similar setting.
There is no primary and secondary dns on windows. Both dns servers are queried, if one goes down you are fine but you won’t hit your local dns all the time.
For example if the box with Adguard Home or pihole crashes, can you configure your router or your devices in a way that would instead go to say cloudflare or google DNS?