Geekzone: technology news, blogs, forums
timmmay, 20574 posts, Uber Geek, Trusted, Lifetime subscriber
#303775 8-Mar-2023 17:26

I use PiHole for DNS to reduce advertising, and it's also my DHCP server to hand out static IPs. I've noticed lately my web browser is a little slow to load websites I haven't been to in a while.

I went into the Chrome security settings (chrome://settings/security) and turned off secure DNS. Websites suddenly load a LOT faster. A quick look on Google suggests that Pi Hole doesn't support DNS over https / tls. I know Chrome can talk directly to CloudFlare 1.1.1.1 / Google DNS but then I'll get a bunch of advertising.

Any thoughts on whether DNS over https has value? Should I just leave the "secure DNS" feature of Chrome turned off, or is there a way to get the best of both worlds, reduced advertising and fast performance?

 

Update with more info, copied from below.

By default secure DNS was enabled, browsing to new websites found using Google Search in Chrome was a bit slow. When I turned secure DNS off it was much quicker. I suspect Google Chrome is trying to talk DNS over https to the pi hole, timing out, then using standard DNS. I can probably work out a way to validate that but my quick experiment suggests that's what's happening.

Second Update

Later in the evening I repeated the tests and found secure DNS worked fine, at the same speed as unencrypted. Hmmm.
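As an added example (not from the original post), one way to check the "Chrome tries DoH to the Pi-hole, times out, then falls back" suspicion directly: time a plain UDP/53 query and an RFC 8484 DNS-over-HTTPS GET against the same resolver. It assumes the Pi-hole is at 192.168.1.5 (the address a later post in this thread uses) and that a DoH listener, if one existed, would answer at /dns-query; example.com is just a sample name.

```python
import base64, socket, struct, time, urllib.request

def build_query(name, qtype=1, txid=0x1234):
    """Minimal RFC 1035 wire-format query for `name` (type A by default)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(endpoint, query):
    """RFC 8484 GET form: the wire query, base64url-encoded with '=' padding stripped."""
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={enc}"

def parse_header(resp):
    """Return (rcode, answer_count) of a DNS response; rcode 0 is NOERROR."""
    flags, _, ancount = struct.unpack(">HHH", resp[2:8])
    return flags & 0x000F, ancount

def time_udp(server, name, timeout=2.0):
    """Seconds for a plain UDP/53 query, or None on timeout/error/non-zero rcode."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.monotonic()
        try:
            s.sendto(build_query(name), (server, 53))
            resp, _ = s.recvfrom(4096)
        except OSError:  # socket.timeout and network errors are OSError subclasses
            return None
    return time.monotonic() - t0 if parse_header(resp)[0] == 0 else None

def time_doh(endpoint, name, timeout=2.0):
    """Seconds for an RFC 8484 GET, or None if the endpoint refuses, times out,
    fails TLS or returns an error (a Pi-hole with no DoH listener lands here)."""
    url = doh_get_url(endpoint, build_query(name))
    req = urllib.request.Request(url, headers={"Accept": "application/dns-message"})
    t0 = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            resp = r.read()
    except OSError:  # URLError/HTTPError/ssl errors all derive from OSError
        return None
    return time.monotonic() - t0 if parse_header(resp)[0] == 0 else None

if __name__ == "__main__":
    # Assumed: 192.168.1.5 is the Pi-hole; example.com is a sample name.
    print("udp/53 :", time_udp("192.168.1.5", "example.com"))
    print("DoH    :", time_doh("https://192.168.1.5/dns-query", "example.com"))
```

A None for the DoH line with a fast UDP/53 answer is consistent with a resolver that only speaks plain DNS; a multi-second DoH figure or a long delay before None is the timeout Chrome would be waiting through before falling back.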


nzkc, 1571 posts, Uber Geek
#3047540 8-Mar-2023 17:30

I'm not sure it's going to be your pihole.

I too run a pihole at home. I use Chrome on my work PC and it works fine. Not noticed any issues at all.




timmmay, 20574 posts, Uber Geek, Trusted, Lifetime subscriber
#3047548 8-Mar-2023 17:38

By default secure DNS was enabled, browsing to new websites found using Google Search in Chrome was a bit slow. When I turned secure DNS off it was much quicker. I suspect Google Chrome is trying to talk DNS over https to the pi hole, timing out, then using standard DNS. I can probably work out a way to validate that but my quick experiment suggests that's what's happening.


nzkc, 1571 posts, Uber Geek
#3047553 8-Mar-2023 17:52

I notice no difference between it being on or off.




dfnt, 1511 posts, Uber Geek, Lifetime subscriber
#3047622 8-Mar-2023 19:43

No difference here either, running pihole


timmmay, 20574 posts, Uber Geek, Trusted, Lifetime subscriber
#3047625 8-Mar-2023 19:49

Hmmm, weird. Disabling secure dns definitely seems to speed things up. I'll try again later, or see if I can work out how to benchmark it accurately.

michaelmurfy, 13240 posts, Uber Geek, Moderator, ID Verified, Trusted, Lifetime subscriber
#3047627 8-Mar-2023 19:54

Have a look at https://nextdns.io - I personally use PiHole only as a caching DNS resolver on the network blocking only a small amount of things but hand over the heavy work to NextDNS. Very good project and works well.

I personally don’t use Chrome but Secure DNS will 100% avoid your PiHole and instead use Google DNS. Instead, you should look at using Edge or Firefox over Chrome.




Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.


gbwelly, 1243 posts, Uber Geek
#3047637 8-Mar-2023 20:15

timmmay: Any thoughts on whether DNS over https has value? Should I just leave the "secure DNS" feature of Chrome turned off

My thoughts on DNS over https are that I have a financial (non advertising revenue) relationship with my ISP, who are subject to NZ privacy laws. If my ISP doesn't support DNS over https then I would rather use unsecure DNS than hand it all over to Google or Cloudflare.

timmmay, 20574 posts, Uber Geek, Trusted, Lifetime subscriber
#3047689 8-Mar-2023 20:43

I tried with and without secure DNS again, this time I found things worked just as fast with and without secure DNS. Weird. I'll see how things go over the next few days.

michaelmurfy: Have a look at https://nextdns.io - I personally use PiHole only as a caching DNS resolver on the network blocking only a small amount of things but hand over the heavy work to NextDNS. Very good project and works well.

I personally don't use Chrome but Secure DNS will 100% avoid your PiHole and instead use Google DNS. Instead, you should look at using Edge or Firefox over Chrome.

Thanks @michaelmurfy, NextDNS looks interesting! Do you stay within the 300K personal plan DNS queries per month? Pi Hole is saying I've done 41K DNS queries, but I don't know since when, and I've turned off the logging /stats.

Is there any particular method to configure PiHole as just a proxy to NextDNS? I know I would point it at their DNS servers, and disable Pi Hole ad blocking. I use PiHole DHCP to allocate static IPs, which I could move back to my router if I needed to, but I'm not sure I can be bothered.

Chrome seems to have options to let you choose how it does DNS, including what looks like using your system DNS settings. Why do you think it falls back to Google DNS rather than unencrypted DNS? Either is plausible, but I can't find information one way or another.

 


michaelmurfy, 13240 posts, Uber Geek, Moderator, ID Verified, Trusted, Lifetime subscriber
#3047703 8-Mar-2023 22:06

Yeah with the PiHole it'll be unencrypted (port 53) within your LAN.

Best way of doing it - don't you use a Fritz!Box? That supports Encrypted DNS (DNS over TLS) out of the box then you don't even need the PiHole:

I've had this configured with NextDNS with my parents' router for over a year now and it has been rock solid. If you add Router-aslkdma.dns.nextdns.io it'll also show in your logs:

Lastly, when you're ready to register an account they do have a referral - I am not in it to make anything (I just really like NextDNS as a service) but feel free to use it: https://nextdns.io/?from=4f6vmry3 - I personally use the pro (yearly) plan as it is actually really cheap but I also have a large network and do a huge amount of queries. You'll note with NextDNS you can have different networks too even if you only have one external IP.







timmmay, 20574 posts, Uber Geek, Trusted, Lifetime subscriber
#3048086 9-Mar-2023 13:58

Thanks Michael, I'll give it a whirl and see how I like it, maybe just on my main browser and Android phone for now. I'm not sure I'll give up on PiHole, I use a couple of nice features like not having ads blocked on my wife's devices - it blocked something she wanted to use once and she doesn't want to mess with whitelists.

I'm not sure quite how, but I've done 2173 DNS queries in the past 30 minutes, which is 104K DNS queries per day, or 3M per month. I'll blow through the free plan in 3 days!


michaelmurfy, 13240 posts, Uber Geek, Moderator, ID Verified, Trusted, Lifetime subscriber
#3048087 9-Mar-2023 14:03

For your wife's phone you could just create another NextDNS profile just for her and load the profile on her devices, perhaps with only privacy lists enabled.

One common complaint about PiHole and network based block lists is it'll block affiliate links - with NextDNS you can allow these (and it is quite reliable):

I just have these enabled on my networks.







timmmay, 20574 posts, Uber Geek, Trusted, Lifetime subscriber
#3048092 9-Mar-2023 14:29

Good idea, thanks @michaelmurfy :) Does that mean creating a whole second account for her, or can you do profiles within the same account?

Update - I found profiles, the docs suck (can't find them on profiles) but seems simple enough.


Bewildered, 106 posts, Master Geek
#3049806 14-Mar-2023 07:34

So I've literally been working on this for the past couple of days after work and have found the same thing. In my case the slowdown was because my original DHCP scope for my clients still referred to 1.1.1.1 and 8.8.8.8 as the third/fourth DNS servers as 'backup DNS' if Pi-Hole went down... but instead clients seemed to prefer these, were trying them, timing out, and only then asking Pi-Hole. Hence every site was lagged, and then once it loaded the site was fine because by then it had received the DNS data required.

Once I removed these extra DNS servers everything went back to normal speed. I have multiple subnets and VLANs but in essence my set up now is as follows:

DNS server (Pi Hole) on 192.168.1.5. It has DNSSEC enabled and connects to the DNSSEC enabled Cloudflare and OpenDNS services (both IPv4/6).

  1. On my pfSense firewall I have:

    • Configured DNS (under General Setup) to access 192.168.1.5, 1.1.1.1, and 8.8.8.8 so pfSense will use Pi-Hole, and if it gets no luck, use other DNS servers.
    • Configured the DHCP scope for LAN clients such that the only two DNS options are 192.168.1.5 (Pi-Hole) and 192.168.1.1 (pfSense).
    • A FW 'port' alias for DNS Ports (53, 443, 853) - this covers DNS, DNS over HTTPS, and DNS over TLS (alias name DNS_Ports)
    • A FW 'URL Table (IPs)' alias for Public DNS servers using https://public-dns.info/nameservers-all.txt as a source, updating every 7 days (alias name Public_DNS)
    • A FW 'host' alias for my Pi Hole - not needed but allows for a quick change of the IP, or adding a Pi Hole as backup with no rule changes (alias name Pi_Hole)
    • A FW rule on my LAN interface to PASS the alias host Pi_Hole to access 'any' - this allows the Pi Hole to exit the LAN to go and fetch DNS stuff...
    • A FW rule (directly underneath - because order matters and one should always logically group rules) on my LAN interface to BLOCK 'any' access to Public_DNS on ports DNS_Ports

I thoroughly recommend you use DHCP as much as possible as it makes network changes much easier - but do set DHCP reservations for everything so all your devices come up on predictable and consistent addresses (you don't want a wild west).

On my side it now works this way:

  1. DHCP instructs the clients to use Pi Hole, or pfSense, but of course pfSense defaults to Pi Hole if it is available.
  2. Clients cannot do their own DNS, including Chrome via DNS-over-HTTPS, as the FW drops the traffic.

Ideally I'd *only* use Pi-Hole but for that I'd want redundancy - I don't want to lose everything because the SD Card in the Pi died and at present I do not have a second Pi or tiny host on which to run Pi Hole - so for now pfSense is the backup. The NextDNS is interesting - I might take a look as it may be a better fallback (via pfSense) than 1.1.1.1 or 8.8.8.8 such that if Pi-Hole goes down, or clients somehow end up using pfSense and it in turn prefers 1.1.1.1, I will instead be sending them to NextDNS... in that configuration any spillover will go to NextDNS and a free plan might go some way... plus it might provide useful reporting to show me how much traffic is 'leaking' past Pi-Hole... I'm not seeing any entries in the pfSense DNS Resolver log aside from the FW aliases, but I'm not sure it is actually logging everything... :-)
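An added example (not from the post above and not pfSense's own code) that models the two LAN rules as a first-match evaluator so the "order matters" point can be checked: with the Pi_Hole pass rule above the block rule, the Pi-hole's own upstream queries get through while clients' direct DNS, DoH and DoT to public resolvers are dropped; with the two rules swapped, the Pi-hole is cut off from its upstreams. The alias contents, the stock pfSense "LAN to any" pass rule, the client 192.168.1.50 and the web server 203.0.113.10 are constructed stand-ins.

```python
import ipaddress

# Constructed stand-ins for the aliases in the post. In pfSense, Public_DNS is a
# URL Table alias refreshed from public-dns.info; here it is three known resolvers.
PI_HOLE = {ipaddress.ip_address("192.168.1.5")}
DNS_PORTS = {53, 443, 853}
PUBLIC_DNS = {ipaddress.ip_address(a) for a in ("1.1.1.1", "8.8.8.8", "9.9.9.9")}

# LAN-interface rules in the order the post gives them, followed by the stock
# pfSense "LAN to any" pass rule. Rules are evaluated top-down; first match wins.
LAN_RULES = [
    ("pass",  PI_HOLE, "any",       "any",     "pass Pi_Hole to any"),
    ("block", "any",   PUBLIC_DNS,  DNS_PORTS, "block any to Public_DNS on DNS_Ports"),
    ("pass",  "any",   "any",       "any",     "default allow LAN to any"),
]

def _matches(cond, value):
    return cond == "any" or value in cond

def evaluate(rules, src, dst, dport):
    """Return (action, rule name) of the first rule matching the flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d, p, name in rules:
        if _matches(s, src) and _matches(d, dst) and _matches(p, dport):
            return action, name
    return "block", "implicit default deny"

# Sample flows (constructed): LAN client 192.168.1.50, a web server at 203.0.113.10.
FLOWS = {
    "pihole upstream":         ("192.168.1.5",  "1.1.1.1",      53),
    "client to pihole":        ("192.168.1.50", "192.168.1.5",  53),
    "chrome DoH to 8.8.8.8":   ("192.168.1.50", "8.8.8.8",      443),
    "client plain DNS bypass": ("192.168.1.50", "1.1.1.1",      53),
    "ordinary HTTPS":          ("192.168.1.50", "203.0.113.10", 443),
}

def decisions(rules=LAN_RULES):
    """Map each sample flow label to the action the ruleset takes on it."""
    return {label: evaluate(rules, *flow)[0] for label, flow in FLOWS.items()}

if __name__ == "__main__":
    swapped = [LAN_RULES[1], LAN_RULES[0], LAN_RULES[2]]  # block rule placed first
    for order, rules in (("as posted", LAN_RULES), ("block rule first", swapped)):
        print(order, decisions(rules))
```

Because Public_DNS is a list of known resolver addresses, a DoH endpoint that is not on that list is not caught by the block rule; on a real pfSense box the URL-table refresh interval (7 days in the post) bounds how stale the list can get.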


ripdog, 548 posts, Ultimate Geek, Inactive user
#3049821 14-Mar-2023 09:00

Not sure why nobody has mentioned this yet, but DNS-over-HTTPS offers no benefit if you're just tunnelling to a DNS server on your LAN. Feel free to leave it off.

I'd highly recommend you remain with self-hosted infrastructure like Pi-Hole. You can be sure that you're blocking what you want to block, and you can be sure you won't suddenly lose your filtering because you went over a quota. 300k requests a month is very small, and I can't personally see the value in paying for NextDNS when all it is is a fancy UI on top of a filtered DNS solution.

You should absolutely be using DoH to tunnel from the Pi-Hole to your resolver, in order to protect from potential man-in-the-middle attacks. AFAIK it will not do that natively, so you'd have to use a separate tunnelling program to accomplish that. The UX on that sucks, so I recommend replacing Pi-hole with Adblock Home, which is what I use.

https://github.com/AdguardTeam/AdGuardHome#getting-started

It's a really nice all-in-one program which can handle filtered DNS and DHCP, and will forward queries using DoH/T natively, which Pi-hole doesn't do.


michaelmurfy, 13240 posts, Uber Geek, Moderator, ID Verified, Trusted, Lifetime subscriber
#3049825 14-Mar-2023 09:13

ripdog: I'd highly recommend you remain with self-hosted infrastructure like Pi-Hole. You can be sure that you're blocking what you want to block, and you can be sure you won't suddenly lose your filtering because you went over a quota. 300k requests a month is very small, and I can't personally see the value in paying for NextDNS when all it is is a fancy UI on top of a filtered DNS solution.

Well, no... There is quite a bit of advantage to using a solution like NextDNS as they do quite a bit more than PiHole can do. I run both, but my PiHole runs a limited list (mainly there for local domains) and uses DOH to communicate back to NextDNS. It is not at all a "Fancy UI on top of a filtered DNS solution..."

300k requests per month is small, yes, not everything in this world is totally free but $34.90NZD/yr is also incredibly cheap for what you get. How about testing it out? You don't even need to sign up an account to do so.

But why I mainly recommended this as a solution is if you have a router with DNS over TLS support like the Fritz!Box it is often a better solution than self-hosting. You can also use it on your devices while away from home etc. There has been a tonne of work put into this platform which is why I have no issues at all paying for it even though I can self host a solution myself. Sometimes running and managing your own solution isn't the best for everyone.






