Shannon's Recent Take: The Best Public DNS Servers for BOTH UniFi & Pi-hole
- Shannon
If you're running a Pi-hole on your network or managing internet traffic through Ubiquiti's UniFi gear like the Dream Machine or UDM Pro, you're already thinking like an enterprise architect (yes, even at home, y'all). You're filtering DNS, blocking ads, and managing devices...all while trying to protect your network's speed and security.
But here's a question that often gets overlooked:
Which public DNS servers should you trust upstream?
I recently started getting errors on Google's secondary IP, so I decided to dig in and came back with somewhat different results after many years of simply using Google's DNS servers. I figured this might make for a good educational update (because tech is constantly evolving).
The Best Public DNS Resolvers for Privacy, Speed & Security
| Provider | Primary IP | Secondary IP | What It's Best For |
|---|---|---|---|
| Cloudflare | 1.1.1.1 | 1.0.0.1 | Fast, no logs, supports DNS-over-HTTPS/TLS, now blocks unwanted AI scrapers |
| Quad9 | 9.9.9.9 | 149.112.112.112 | Blocks malicious domains, DNSSEC enabled, privacy-focused |
| NextDNS | Custom DoH | N/A | Fully customizable blocking rules and metrics, privacy-first |
| OpenDNS | 208.67.222.222 | 208.67.220.220 | Cisco-powered filtering and optional logging |
| Google DNS | 8.8.8.8 | 8.8.4.4 | Reliable fallback, but less private than others |
So it turns out Google DNS hasn't remained the steadfast choice all these years since I first started using their servers. #themoreyouknow
Now, how do you integrate these public DNS servers with both UniFi and Pi-hole? I figured I'd do a quick breakdown to assist!
How to Integrate with Pi‑hole and UniFi
In Pi-hole:
- Go to Settings → DNS
- Uncheck default upstreams
- Add:
  - 1.1.1.1 (Cloudflare)
  - 9.9.9.9 (Quad9)
- Enable DNSSEC if you're using providers that support it
Want encryption? Use:
- cloudflared for DNS-over-HTTPS
- stubby for DNS-over-TLS
- unbound for recursive, local resolution
In UniFi (Dream Machine / UDM Pro):
- Go to Settings → Networks → LAN
- Under DHCP Name Server, enter your Pi-hole IP address
- This ensures all clients resolve through Pi-hole, which then uses secure upstreams
For environments with Active Directory, make sure:
- Clients → use AD-integrated DNS
- AD DNS → forwards to Pi-hole or directly to Cloudflare/Quad9 for external queries
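Handing out the Pi-hole via DHCP only covers clients that honor it; a device with a hard-coded resolver (or DNS-over-TLS on port 853) walks straight past it. As an added example, not from the original post, here is a small Python check over constructed iptables-style firewall log lines (the SRC/DST/PROTO/DPT fields follow the kernel log format; the Pi-hole address 192.168.1.5 is an assumed value) that flags clients sending DNS anywhere other than the Pi-hole, while leaving the Pi-hole's own upstream queries alone.

```python
import re
from collections import defaultdict

# Pi-hole address handed out by UniFi DHCP (assumed value for this example).
PIHOLE_IP = "192.168.1.5"

# Ports carrying plain DNS (53) and DNS-over-TLS (853). DNS-over-HTTPS rides
# on 443 and cannot be told apart from web traffic by port alone.
DNS_PORTS = {53, 853}

# Fields as written by the kernel firewall logger (iptables/nftables style);
# the ".*?" skips the LEN/TOS/TTL fields that sit between DST and PROTO.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>TCP|UDP) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)


def find_dns_bypass(log_lines, pihole_ip=PIHOLE_IP):
    """Map client IP -> sorted [(destination, port)] for DNS/DoT traffic that
    did not go to the Pi-hole. The Pi-hole's own upstream queries are the one
    legitimate source of outbound port-53 traffic, so they are skipped."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or int(m.group("dpt")) not in DNS_PORTS:
            continue
        src, dst = m.group("src"), m.group("dst")
        if src == pihole_ip or dst == pihole_ip:
            continue  # expected path: client -> Pi-hole -> upstream
        hits[src].add((dst, int(m.group("dpt"))))
    return {src: sorted(dsts) for src, dsts in hits.items()}


# Constructed sample lines, not real captures.
SAMPLE_LOG = [
    "[FW] IN=br0 OUT=eth8 SRC=192.168.1.23 DST=192.168.1.5 LEN=64 PROTO=UDP SPT=51514 DPT=53",
    "[FW] IN=br0 OUT=eth8 SRC=192.168.1.42 DST=8.8.8.8 LEN=71 PROTO=UDP SPT=40211 DPT=53",
    "[FW] IN=br0 OUT=eth8 SRC=192.168.1.42 DST=8.8.4.4 LEN=80 PROTO=TCP SPT=40212 DPT=53",
    "[FW] IN=br0 OUT=eth8 SRC=192.168.1.77 DST=9.9.9.9 LEN=120 PROTO=TCP SPT=33001 DPT=853",
    "[FW] IN=br0 OUT=eth8 SRC=192.168.1.5 DST=1.1.1.1 LEN=70 PROTO=UDP SPT=5353 DPT=53",
    "[FW] IN=br0 OUT=eth8 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=50000 DPT=443",
]

if __name__ == "__main__":
    for client, dests in find_dns_bypass(SAMPLE_LOG).items():
        print(client, "bypasses Pi-hole ->", ", ".join(f"{d}:{p}" for d, p in dests))
```

On a UDM, a LAN-out firewall rule that logs (or drops) port 53/853 traffic not destined for the Pi-hole produces exactly this kind of line, and the same loop can be pointed at the exported syslog.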
Cloudflare Just Changed the Internet: AI Crawlers, Blocked by Default
In a move that affects nearly every website running on its infrastructure, Cloudflare announced that it will now block known AI crawlers by default — including bots from OpenAI, Anthropic, and others.
This change:
- Automatically protects new websites using Cloudflare
- Shifts the burden of permission to the AI companies, not the site owners
- Aligns DNS + edge security with publisher consent and content ownership
The Verge sums it up:
“Cloudflare is taking a bold step toward letting website owners control how their content is scraped, used, and monetized by AI companies.”
Enter: Pay‑Per‑Crawl — Monetizing AI Access
To go a step further, Cloudflare also launched a "Pay‑Per‑Crawl" platform, allowing publishers to charge AI bots for access to their sites using the long-unused HTTP 402 Payment Required response.
From Reuters:
“Major publishers like Stack Overflow, The Atlantic, and Reddit are working with Cloudflare to set prices and conditions for AI access.”
This matters for DNS users because:
- You’re not just routing DNS traffic...you’re now part of how the open web is protected and monetized
- Choosing resolvers like Cloudflare ensures you’re aligned with ethical data practices at the DNS layer
Why This Matters for Pi‑hole and UniFi Users
Choosing an upstream resolver is no longer just about speed or malware blocking. With changes like Cloudflare’s, your DNS resolver plays a role in:
- Upholding digital rights (blocking unauthorized AI crawlers)
- Stopping content scraping at the edge
- Enforcing publisher rules through DNS + HTTP policy coordination
- Respecting regional and privacy regulations
Final Recommendations for a Future‑Proof DNS Setup
| Layer | Recommendation |
|---|---|
| DNS Filtering | Pi-hole (network-wide) or NextDNS (cloud-based) |
| Upstream DNS | Cloudflare (1.1.1.1) + Quad9 (9.9.9.9) |
| Encryption | Enable DNS-over-HTTPS with cloudflared or run unbound for full recursion |
| Router Setup | DHCP hands out Pi-hole as default DNS via UniFi LAN settings |
| AD Scenarios | Internal DNS → forwarders to Pi-hole or directly to upstream resolvers |
Shannon's TL;DR
Want DNS that's secure, ethical, fast, and future-proof? Use Pi-hole + Cloudflare + Quad9, and benefit from new protections like AI bot blocking...automatically.
You’ll not only enjoy faster lookups and fewer ads, but also help shape a more respectful internet that protects content creators from being scraped by LLMs without permission.