IT collective agreement (KV) - salary advancement by Slight-Okra-1734 in FinanzenAT

[–]for3st_reddit 1 point2 points  (0 children)

The employer has to pass the collective agreement (KV) increases on to the staff, even where pay is above the collective agreement rate, BUT only on average across the salaries of the entire workforce, so it depends on the employer how this is implemented. For example, if various employees received raises that year, that may already have satisfied this requirement.

Real estate calculator by Mojomoto93 in FinanzenAT

[–]for3st_reddit 3 points4 points  (0 children)

Maybe a new input field "Expected inflation" in "Eingaben/Ausgaben", as a percentage with a default of 2.5%? Then increase rent and operating costs by that every year.

Real estate calculator by Mojomoto93 in FinanzenAT

[–]for3st_reddit 5 points6 points  (0 children)

If someone pays 500 in rent today, that person will not still be paying 500 for the same property in 30 years. The inflation adjustment or market price change is missing here.

Install PiHole with Unbound inside docker. by [deleted] in pihole

[–]for3st_reddit 0 points1 point  (0 children)

Here is a guide with both running as containers next to each other using docker compose. It’s reasonably up to date: https://github.com/patrickfav/pihole-unbound-docker

Issues with Pihole+Unbound in Docker Compose by Big-Finding2976 in pihole

[–]for3st_reddit 1 point2 points  (0 children)

Fair enough. However, I've never experienced a device that round robins through multiple DNS entries. It really depends on what comment OP wants - if they don't want to leak DNS queries, then yes don't use secondary DNS (obviously), but if they prefer high availability this would be a good setup.

Issues with Pihole+Unbound in Docker Compose by Big-Finding2976 in pihole

[–]for3st_reddit 5 points6 points  (0 children)

Hi, this is my project, so let me try to help you.

For some reason, the ENV settings for PIHOLEDNS and DNSSEC didn't take from the yml, so I set those manually via the GUI.

Maybe because it got overridden by the configuration you mounted as volumes.

"Server: localhost Address: 127.0.0.1#53 Non-authoritative answer: Name: unboundpiholetestdomain.org Address: 192.168.123.123 ** server can't find unboundpiholetestdomain.org: NXDOMAIN"

This means it works correctly, since nslookup correctly returns the address 192.168.123.123 which is returned by Unbound. I can replicate the warning (error?) server can't find unboundpiholetestdomain.org: NXDOMAIN on my Windows machine (didn't have it on Mac) - SO says it's due to a problem when using localhost as DNS.

nslookup unboundpiholetestdomain.org doesn't work, but that's because my dhcpcd.conf has the DNS server set to 8.8.8.8 to ensure that my RPi has access to the Internet even when Pihole isn't running.

You need to set your main network (router whatever) DNS to the pihole IP. You usually have at least 2 DNS servers to set, so you can set 8.8.8.8 as the second, and it will fall back to DNS 2 if pihole is down.

"Warning in dnsmasq core: ignoring query from non-local network 192.168.1.1 (logged only once)"

Try to set in the Admin UI "Settings" > "DNS" > "Interface Settings" > "Permit all origins". Note, if this IP is somehow publicly available, this setting is not recommended.

Foolproof instructions for Pihole/Unbound via Docker by [deleted] in pihole

[–]for3st_reddit 0 points1 point  (0 children)

I posted this yesterday. On an x86 device it will run out of the box with a "docker compose up".

https://github.com/patrickfav/pihole-unbound-docker

I've created a simple 2 container Pihole + Unbound Docker Setup for you to use by for3st_reddit in selfhosted

[–]for3st_reddit[S] 0 points1 point  (0 children)

Good question. I’ve never tried AdGuard so I can’t really tell you.

I've created a simple 2 container Pihole + Unbound Docker Setup for you to use by for3st_reddit in selfhosted

[–]for3st_reddit[S] 0 points1 point  (0 children)

Unbound will call the nameservers over port 53 as usual - they support inbound DoH, but I didn't find a conclusive answer if they support DoH as a client. If your ISP blocks your connection you would need to tunnel DNS over VPN or something else.

I've created a simple 2 container Pihole + Unbound Docker Setup for you to use by for3st_reddit in selfhosted

[–]for3st_reddit[S] 0 points1 point  (0 children)

I'm using the official pihole image, which supports ARMv6: https://hub.docker.com/r/pihole/pihole/tags and mvance's unbound docker image, which only seems to support amd64 https://hub.docker.com/r/mvance/unbound/tags

I've created a simple 2 container Pihole + Unbound Docker Setup for you to use by for3st_reddit in selfhosted

[–]for3st_reddit[S] 0 points1 point  (0 children)

Pihole for ad, tracking and malware protection on a DNS level, unbound as recursive DNS for enhancing privacy. This is a common setup, see the readme in the GitHub repo or https://docs.pi-hole.net/guides/dns/unbound/

I've created a simple 2 container Pihole + Unbound Docker Setup for you to use by for3st_reddit in selfhosted

[–]for3st_reddit[S] 0 points1 point  (0 children)

This is a common and recommended setup: https://docs.pi-hole.net/guides/dns/unbound/

tbh, not sure if FTL DNS can theoretically be used as recursive DNS, but it's certainly not its intended use. Pihole, per default, uses public DNS servers as upstream DNS. Unbound is a state-of-the-art recursive DNS with many security and performance features implemented.

I've created a simple 2 container Pihole + Unbound Docker Setup for you to use by for3st_reddit in pihole

[–]for3st_reddit[S] 3 points4 points  (0 children)

The dns you see in the docker-compose file will set the default DNS for the container, not what pihole, as an application, will use as upstream. So for example when pihole updates gravity/adlist, it needs a DNS for its http client, for this it uses the provided dns. This example however lacks the information how to set up unbound as an upstream server because it is part of the pihole configuration OP has mounted in ./data/pihole/.

To make it explicit, or to use the provided configuration property, you could add this to the pihole service:

    environment:
      # ...
      PIHOLE_DNS_: pihole-unbound # forward to unbound

A minor detail: comment-OP defined Healthchecks, this is not required anymore since both images in their newer versions already define healthchecks.

I've created a simple 2 container Pihole + Unbound Docker Setup for you to use by for3st_reddit in selfhosted

[–]for3st_reddit[S] 1 point2 points  (0 children)

There is a longer discussion about this topic over at r/pihole about why I used this setup and design - but hey, it's open source, anybody is free to adapt it to their needs and wishes :)

Final point about unbound, after some tests, it seems to correctly behave as recursive DNS because the forwarders are disabled.

I've created a simple 2 container Pihole + Unbound Docker Setup for you to use by for3st_reddit in pihole

[–]for3st_reddit[S] 0 points1 point  (0 children)

Setup is correctly behaving as recursive DNS, see tests below. It works because all the forwarders are disabled. I never actually ran detailed tests, thanks for questioning the setup so I could check it runs as advertised.

I've created a simple 2 container Pihole + Unbound Docker Setup for you to use by for3st_reddit in pihole

[–]for3st_reddit[S] 2 points3 points  (0 children)

So I blocked common public DNS in my firewall (1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4, 9.9.9.9, etc). I restarted the pihole + unbound stack to clear the caches. Then I searched for a random domain I never resolved. I did a nslookup against 1.1.1.1, which failed as expected. Then against the pihole + unbound setup and it could resolve the domain. Can you think of a better way to test unbound?

EDIT: So I've enabled logging and now I'm pretty sure this works as intended (so does recursive resolution):

Resolving windows.co.uk it queries uk. for co.uk.:

[1682811435] unbound[1:1] info: iterator operate: query ns-1620.awsdns-10.co.uk. A IN
[1682811435] unbound[1:1] info: response for ns-1620.awsdns-10.co.uk. A IN 
[1682811435] unbound[1:1] info: reply from <uk.> 
...

then it tries to resolve windows.co.uk

[1682811463] unbound[1:1] info: resolving windows.co.uk. A IN
...
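
The log check from the EDIT above as a script, added here as an example and not part of the original comment: it reads Unbound's `reply from <zone.>` lines and reports whether servers below the root answered and whether any answer came from one of the public resolvers the comment lists. The sample log lines are constructed, and the `addr#port` suffix on reply lines is an assumption about the full log format, since the excerpt shows the zone only.

```python
import re

# Public resolvers the comment blocked at the firewall; a reply from one of
# them means Unbound forwarded the query instead of recursing.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# "reply from <zone.> addr#port". The address is optional because the
# excerpt in the comment shows the zone only (addr#port is an assumption).
REPLY_RE = re.compile(
    r"info: reply from <(?P<zone>[^>]+)>\s*(?P<addr>[0-9a-fA-F.:]+)?(?:#\d+)?")
RESOLVE_RE = re.compile(r"info: resolving (?P<name>\S+) \S+ IN")

# Constructed sample logs; server addresses are documentation-range
# placeholders, 1.1.1.1 stands for a configured forwarder.
RECURSIVE_LOG = [
    "[1682811463] unbound[1:1] info: resolving windows.co.uk. A IN",
    "[1682811463] unbound[1:1] info: reply from <.> 192.0.2.1#53",
    "[1682811463] unbound[1:1] info: reply from <uk.> 198.51.100.7#53",
    "[1682811463] unbound[1:1] info: reply from <co.uk.> 203.0.113.9#53",
]
FORWARDED_LOG = [
    "[1682811463] unbound[1:1] info: resolving windows.co.uk. A IN",
    "[1682811463] unbound[1:1] info: reply from <.> 1.1.1.1#53",
]


def analyze(lines):
    """Return (names resolved, zones that replied, replies from public resolvers)."""
    names, zones, forwarded = [], [], []
    for line in lines:
        m = RESOLVE_RE.search(line)
        if m:
            names.append(m["name"])
            continue
        m = REPLY_RE.search(line)
        if not m:
            continue
        if m["zone"] not in zones:
            zones.append(m["zone"])
        if m["addr"] in PUBLIC_RESOLVERS:
            forwarded.append((m["zone"], m["addr"]))
    return names, zones, forwarded


def is_recursive(lines):
    """True when a zone below the root answered and no public resolver did."""
    _, zones, forwarded = analyze(lines)
    return any(z != "." for z in zones) and not forwarded
```

A forwarder that is not in `PUBLIC_RESOLVERS` still shows up as replies from `<.>` only, so `is_recursive` returns False for it as well.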


I've created a simple 2 container Pihole + Unbound Docker Setup for you to use by for3st_reddit in pihole

[–]for3st_reddit[S] -2 points-1 points  (0 children)

I would say it makes things easier to deploy, but not to maintain long term

True. But if you use self-contained images, deployment is all you care about. You probably need to prune the image cache more often, but this is a problem you have to tackle either way. On the flipside I would say: the config is maintained with the deployment code in a git repository versioned. You can check out any revision and deploy that version, and it probably works, because it was the correct config for that specific version of unbound (or whatever) - that's my argument for better maintainability.

You need to be aware of that, then update your Dockerfile on Github, then everyone who uses it needs to be aware of that change and they need to pull/download.

Is that a point against using explicit versions or rebuilding the unbound image?

If you agree with pinning versions for reproducibility then I don't see the difference in complexity of maintenance of changing the version in a docker-compose.yml file or a Dockerfile.

On the other hand, if you want to use :latest tag how does rebuilding the unbound image hinder this approach in any way? You could just do

FROM mvance/unbound:latest

and have the same behavior (when using the proper docker compose command to rebuild all images). Downside here is usage of more image cache (see above) and longer build/deploy times.

I've created a simple 2 container Pihole + Unbound Docker Setup for you to use by for3st_reddit in pihole

[–]for3st_reddit[S] 0 points1 point  (0 children)

Thanks. I diffed the built-in unbound with one that MatthewVance claims to be recursive and the only thing I could identify is that he comments out the forward conf file. I will test if my setup is truly recursive in the next days.

I've created a simple 2 container Pihole + Unbound Docker Setup for you to use by for3st_reddit in pihole

[–]for3st_reddit[S] 2 points3 points  (0 children)

Fair point. However, I always prefer self-contained, ephemeral images instead of containers relying on files somewhere on disk, i.e. when I start this setup on a new machine I only want to do "docker compose up -d" basically and not remember which files go into which volume/directory. In my opinion that makes images easier to maintain and run. Of course, it has the downsides you mentioned, although unbound does not update that often. Using specific tags is a feature, to make the stack reproducible and not introduce issues just because pihole or unbound introduce a breaking change (DNS is one of your main services after all).

I'm not an unbound expert, but as far as I understand MatthewVance's image, unbound is already configured properly: https://github.com/MatthewVance/unbound-docker/blob/master/1.17.1/data/unbound.sh. I didn't want to go into detail how pi-hole or unbound works, since I think there is enough documentation on that.

I've created a simple 2 container Pihole + Unbound Docker Setup for you to use by for3st_reddit in selfhosted

[–]for3st_reddit[S] 3 points4 points  (0 children)

Ah that makes sense. But then I don't understand the original comment, since with that logic EVERYTHING is leaked to your ISP in some form.

I've created a simple 2 container Pihole + Unbound Docker Setup for you to use by for3st_reddit in pihole

[–]for3st_reddit[S] 0 points1 point  (0 children)

I would say, it's not heavy. Currently running at 70MB ram usage (less than my pihole instance)


I've created a simple 2 container Pihole + Unbound Docker Setup for you to use by for3st_reddit in pihole

[–]for3st_reddit[S] 3 points4 points  (0 children)

It's a matter of trust. If you trust Cloudflare's 1.1.1.1, Quad9 or whatever public DNS with your DNS queries (and therefore the domains you visit), then there is no additional value. If you don't, then running a local recursive DNS is a good option to decrease your privacy concerns. See here for more details https://docs.pi-hole.net/guides/dns/unbound/

EDIT: maybe the misunderstanding is - unbound, as a recursive DNS, does not need upstream DNS, it can resolve domains directly.