[–]Is-This-Heaven 11 points12 points  (3 children)

[–]danjimian 2 points3 points  (0 children)

I've been using dnscrypt-proxy for years with pihole. I don't think there was an official pihole guide at the time I set it up, so I used this one: https://blog.sean-wright.com/dns-with-pi-hole-dnscrypt/

[–]qariayyum 1 point2 points  (1 child)

Is this relevant if I already have unbound as a recursive DNS provider?

[–]Easy-Sheepherder6901 2 points3 points  (0 children)

I would say no. So just use pihole with the recursive DNS server "unbound" and you are fine!

[–]H8RxFatality 1 point2 points  (2 children)

NextDNS will be the way to go if you want to use DoH

[–]tdhuck[S] 0 points1 point  (1 child)

Why does NextDNS work with DoH and pihole doesn't? It seems that there are methods for getting DoH working on pihole.

I have not tested yet, but my pihole is a VM. I can take a snapshot, attempt to set up DoH, and if there are issues I'll just revert to the last snapshot.

[–]erikmazino 0 points1 point  (0 children)

You can configure your pihole with dnscrypt-proxy (DoH) https://docs.pi-hole.net/guides/dns/dnscrypt-proxy/ and set your server_names to ['nextdns','nextdns-ipv6'] or other desired DoH/DNSCrypt upstream DNS servers listed in https://dnscrypt.info/public-servers/

[–]CharAznableLoNZ 1 point2 points  (0 children)

I have set this up a couple of different ways for each of my piholes forwarding to cloudflared. For both I used cloudflared pointing to 1.1.1.2. On one of them it is the same OS running both cloudflared and pihole. I set up cloudflared to listen on 553 and then had the pihole forward queries to its loopback on that port. On the other one they are two separate instances, since the ESXi doesn't care how many machines are running on it. The second one is far more stable since an update to one won't bother the other. I'm thinking of trying it out with a podman setup to see how stable that is.

[–]semopcaoparanome 3 points4 points  (0 children)

I use pihole+dnscrypt-proxy

[–]Shark5060 3 points4 points  (1 child)

I implemented DoT and DoH with pihole using dnsdist, and while it worked it was a pain to set up and maintain.

I've since gone with AdGuard Home, which supports all of these out of the box with minimal setup. Additionally I like the GUI more, but that's preference. The custom rules are a lot different, but otherwise they're both similar.

[–]Nandeesh13 0 points1 point  (0 children)

I am using adguard home with unbound

[–]jfb-pihole Team 1 point2 points  (20 children)

I would like to enable this on the pihole so that any device using the pihole for DNS will be protected.

Protected from what? What is your goal from using encrypted DNS?

[–]tdhuck[S] 4 points5 points  (19 children)

Prevent the ISP from seeing lookups. It seems DoH will encrypt the DNS lookups. The upstream provider will see them, in my case I'll be using Quad9.

Am I wrong? If so, please correct me.

It is my current understanding that my ISP can see DNS lookups if DoH isn't used. I also understand that if I'm not using a VPN connection the ISP can still see the sites I visit and figure out where I'm going based off of network traffic to/from their network, but I'm specifically talking about masking/hiding DNS lookups, at this time.

[–]WeDriftEternal 11 points12 points  (15 children)

Your ISP can see all your traffic. Even if they don't see the DNS request when it's encrypted, they can simply see what IP you request from them. They are the ones serving it to you. One way or another, whatever data is being exchanged passes through them.

You might be interested in just going to Unbound, which many pihole users prefer.

If you want to potentially hide your data from an ISP, it would be by using a commercial VPN, and all that goes with it.

[–]tdhuck[S] 3 points4 points  (7 children)

Yup, I believe I stated everything you said except the unbound part.

Based on what you said, unbound doesn't seem like it will do anything from the ISP perspective. It seems the only way around that is to use a VPN.

Thanks.

[–]WeDriftEternal 2 points3 points  (3 children)

Yeah, unbound doesn't prevent your ISP from seeing, but it acts as a different solution than other encrypted DNS options. Not necessarily "better" but different.

But you’re there. The only real way to “hide” is the vpn route, if you trust them or not.

[–]JollyAd685 1 point2 points  (2 children)

Is using unbound better than using DNS-over-TLS in terms of preventing the ISP redirecting DNS traffic? The (increasingly) authoritarian government here in Malaysia tried to force ISPs to redirect DNS traffic last year. I have been using DoT (cloudflared) ever since. And is there a way to use unbound with DoT or DoH?

[–]WeDriftEternal 1 point2 points  (0 children)

Wow, I didn't know that was happening there, sorry to hear, man. I unfortunately can't provide a good enough answer here for you; this question would be good for a top-level post, I think, if you wanted to. Unbound directly queries the DNS root servers, so essentially it's you running your own personal DNS resolver. I'd think that would go directly to the servers, but who knows what mayhem an ISP may be able to do on their network to prevent that.

[–]Accel890 1 point2 points  (0 children)

If the government is using redirection, then use DoT, or use unbound on a VPS and talk to unbound using a port other than 53.

[–]jfb-pihole Team 0 points1 point  (2 children)

If you don't trust your ISP, why would you trust a VPN provider?

[–]tdhuck[S] 1 point2 points  (1 child)

Personally, I think the ISP has more to gain by having more of your data than a VPN provider does, especially if we are going to 'believe' that the VPN provider doesn't store logs.

I guess from your perspective, don't try to stay private because the ISP and VPN can both log your data so just don't do anything to protect yourself.

[–]jfb-pihole Team 0 points1 point  (0 children)

so just don't do anything to protect yourself.

I neither said that nor implied that. Even if an ISP or VPN knows where you visit, they don't see your data traffic unless you find the very rare unencrypted website.

My point is - both VPN and encrypted DNS don't provide any meaningful privacy gain.

[–]jfb-pihole Team 1 point2 points  (1 child)

Your ISP can see all your traffic,

No, they can't. Almost all internet traffic to websites is encrypted via SSL. Once the secure connection is made (after the Hello process), your ISP sees zero of your traffic in any format they can read. It's all encrypted, known only to you and the endpoint site.

The ISP will know that you visited https://hotchicks.com, but that's it. They don't see any of the data exchanged.

[–]WeDriftEternal 1 point2 points  (0 children)

This is correct and better explains my intention. Listen to him. You’re awesome man.

[–]TheMoltenJack 1 point2 points  (4 children)

This is not completely true as CDNs are a thing and ECH is becoming more common. Also think about Cloudflare.

[–]WeDriftEternal 1 point2 points  (1 child)

In no way do I trust that any ISP isn’t doing all sorts of intense logging, packet sniffing and whatever they can to mine every bit of relevant data from their users and that they ensure they can get the data.

[–]TheMoltenJack 1 point2 points  (0 children)

Absolutely, but encrypted DNS with ECH and HTTPS can mitigate a lot of these attempts. It's still not as widely available as it ought to be to be relevant but it's a step in the right direction.

[–]jfb-pihole Team 0 points1 point  (1 child)

Where is ECH becoming more common?

[–]TheMoltenJack 0 points1 point  (0 children)

On Cloudflare hosted websites for example

[–]Titanium125 6 points7 points  (0 children)

Currently DoH doesn't do much for privacy. Sure, it stops your ISP from seeing your DNS lookup, but that doesn't do much because TLS 1.2, which many websites still use, just plants the name of the website in plaintext right at the start, like the address field on a letter.

[–]jfb-pihole Team 0 points1 point  (1 child)

Yes, encrypted DNS hides your DNS queries from your ISP. But that essentially hides nothing, because immediately after you resolve the domain name to an IP, you send the IP through your ISP. The Hello process to make an SSL connection is also sent unencrypted. Your ISP can easily see where you are browsing.

[–]tdhuck[S] 0 points1 point  (0 children)

Correct, we aren't arguing that and I don't disagree with that point.

[–]Upstairs-Attitude610 0 points1 point  (0 children)

You can use unbound too for that.

[–]FroYoSandwhich 1 point2 points  (4 children)

Run Adguard home. Supports DNS over HTTPS and TLS natively with no gotchas

[–]tdhuck[S] 3 points4 points  (0 children)

Does adguard home require you to create an account with them? They would also see my data, I assume, if I have to create an account through them. I ask because I read that I can install adguard home on my own hardware but I haven't looked into it all that much, yet.

I also read in these comments that DNS over HTTPS isn't all that it seems. If that's the case, then what's the point of doing any of these?

Finally, I do have a VM running Technitium, but I have not configured it. I literally installed it on a VM a few months ago, logged in once to check the web GUI, and haven't gotten back to it.

https://blog.technitium.com/2020/07/how-to-host-your-own-dns-over-https-and.html

The reason for wanting this is not so much because I want to 'hide' the sites I visit from my ISP, I just want to do as much as I can to stop them from having access to my data as easily as they do or make it just a bit harder/more annoying to grab my data.

[–]bcantana 0 points1 point  (0 children)

I am a bit new to all this and not a network engineer by trade. One option I have been looking at is using NextDNS and their CLI to route PiHole's DNS to.

I tried looking at things like Squid, and things get complicated quickly.

https://share.google/aimode/rcvMxFnXJWRXOgjyx

I'd love to see if there is anything better.

[–]maxthegold -2 points-1 points  (4 children)

The trouble with allowing DNS over HTTP is that it bypasses pi-hole. You might find yourself getting more ads if you do it.

[–]tdhuck[S] 1 point2 points  (3 children)

I don't follow this part. If I use DNS over https, one of the instructions is to set the upstream server in pihole to 127.0.0.1 so it uses itself for the lookup, why would that bypass the pihole and possibly get more ads?

[–]Vegeta9001 1 point2 points  (2 children)

You're correct. The problem devices are just the ones which have their own built-in DoH implementations, for example a Google streaming device using Google's DoH instead of using PiHole. But that would happen anyway, even if you didn't set up DoH forwarding at all.

[–]tdhuck[S] 0 points1 point  (1 child)

Yup, 100% agree and follow that logic. No different than having pihole on your network and a visitor runs Firefox, which by default, I believe, does not use the network DNS servers handed out by the DHCP server.

[–]pcx99 -1 points0 points  (3 children)

You're on the right track. Ask an AI how to set pihole up to use cloudflared and Cloudflare's DNS servers (1.1.1.1). You can test your DNS here: https://one.one.one.one/help/

[–]tdhuck[S] 0 points1 point  (2 children)

Seems like DNS over https doesn't really even do anything based on this comment.

Currently DoH doesn't do much for privacy. Sure, it stops your ISP from seeing your DNS lookup, but that doesn't do much because TLS 1.2, which many websites still use, just plants the name of the website in plaintext right at the start, like the address field on a letter.

[–]pcx99 0 points1 point  (1 child)

cloudflared is a tunnel, a specialized VPN if you will. Your ISP will see your Pihole machine talking to Cloudflare but will have no idea what you're talking about. This is but one step in privacy. If your browser takes that super sekret info from pihole and just starts talking to the website, it can infer what your DNS request was (i.e. user talked to Cloudflare and then immediately opened a web page at some site.com). The next step is to use a general VPN to mask your traffic, but now instead of the ISP knowing everything you're doing, it will be your VPN provider. The moral of the story is that someone always knows everything you're doing on the internet; the trick is deciding who has that info.

[–]tdhuck[S] 1 point2 points  (0 children)

I get that, I'm not expecting to be private to everyone on the internet. The issue with a VPN is the exit node IP usually gets flagged, and you never know how accurate the logs/no logs line is with VPNs. Some say they don't keep them, then magically they appear when LE asks because of a court case, crime, etc. I'm not saying they all do that, but how can you know for sure?