Pi-Hole ad-blocker with DNSCrypt-proxy for DoH and DNSSEC

Pi-hole is ad-blocking software that filters DNS queries for better security and privacy. To further harden a Pi-hole setup, you can use DNS over HTTPS (DoH) and DNSSEC.

Public resolvers such as Google, Quad9 and Cloudflare support DNSSEC, and DNSSEC validation can be enabled in Pi-hole's web admin. You can also run your own DNS service with DNSSEC enabled using unbound.

DoH is still relatively new in DNS security. It works by tunnelling DNS queries over HTTPS between a local client and the upstream resolver, so your DNS traffic is encrypted in transit. As of now, Pi-hole does not support DoH natively, but third-party software such as cloudflared or dnscrypt-proxy can act as the local DoH client.

Since Pi-hole already has a guide for using cloudflared as the DoH client, I will use dnscrypt-proxy instead.

1. Install dnscrypt-proxy on your Pi-hole host. I installed my Pi-hole on Ubuntu 20.04, so I will use apt/apt-get.

sudo apt-get install dnscrypt-proxy nano

2. Edit /lib/systemd/system/dnscrypt-proxy.socket and change the default listening port to something other than 53, since Pi-hole's FTLDNS already uses port 53.

3. Edit /etc/dnscrypt-proxy/dnscrypt-proxy.toml and choose your preferred DoH upstream server. You can refer to public-resolvers.md for the list of upstream servers. I chose cloudflare as it seemed to work out of the box.

4. Enable the dnscrypt-proxy service and socket so they start automatically at boot, then start them now.

sudo systemctl enable dnscrypt-proxy.service
sudo systemctl enable dnscrypt-proxy.socket
sudo systemctl start dnscrypt-proxy.service
sudo systemctl start dnscrypt-proxy.socket

5. Run dig against dnscrypt-proxy to test that it is working.

6. Configure Pi-hole to use your local dnscrypt-proxy as its upstream DNS server.

7. Use the websites below to verify that DoH with Cloudflare is working.

https://www.cloudflare.com/ssl/encrypted-sni/ 

https://1.1.1.1/help
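As an added example (not part of the original post), a small POSIX shell check covering steps 2 and 5: it reads the listen port out of a constructed copy of the dnscrypt-proxy.socket unit, confirms it does not collide with FTLDNS on port 53, and checks a constructed dig reply for the DNSSEC "ad" (authenticated data) flag. The 127.0.2.1:5300 address and the dig output are assumptions for illustration, not values from the post.

```shell
#!/bin/sh
# Added example: verify the dnscrypt-proxy socket port and a DNSSEC-validated
# dig reply. Sample inputs below are constructed; substitute your own files.

# Constructed sample of /lib/systemd/system/dnscrypt-proxy.socket after
# step 2 (port moved off 53; the address on your host may differ).
SAMPLE_SOCKET_UNIT='[Unit]
Description=dnscrypt-proxy listening socket

[Socket]
ListenStream=127.0.2.1:5300
ListenDatagram=127.0.2.1:5300

[Install]
WantedBy=sockets.target'

# Print the port from the first ListenStream= line of a socket unit on stdin.
socket_port() {
    sed -n 's/^ListenStream=.*:\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Return 0 if the port can coexist with Pi-hole's FTLDNS (i.e. is not 53).
port_is_free_of_pihole() {
    [ -n "$1" ] && [ "$1" -ne 53 ]
}

# Constructed dig header for a DNSSEC-signed name answered via the proxy;
# "ad" in the flags line means the resolver validated the answer.
SAMPLE_DIG_OUTPUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Return 0 if the dig output on stdin carries the "ad" flag.
dig_has_ad_flag() {
    grep -E '^;; flags:.* ad[ ;]' >/dev/null
}

# Stand-alone run against the constructed samples.
port=$(printf '%s\n' "$SAMPLE_SOCKET_UNIT" | socket_port)
if port_is_free_of_pihole "$port"; then
    echo "dnscrypt-proxy listens on port $port (no clash with FTLDNS on 53)"
    echo "test it with: dig @127.0.2.1 -p $port cloudflare.com +dnssec"
fi
if printf '%s\n' "$SAMPLE_DIG_OUTPUT" | dig_has_ad_flag; then
    echo "reply was DNSSEC-validated (ad flag set)"
fi
```

On a live host, pipe the real unit file and the real dig output through the same two functions; a missing "ad" flag means DNSSEC validation is not happening upstream.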
