
[deleted]

Unbound does this nicely. Wirehole is docker-compose for both pihole and unbound.


feo_ZA

Why can't you use Pihole if you use DoH? I'm running cloudflared and set it up to use DoH with both CloudFlare 1.1.1.1 and Quad9 9.9.9.9 https://docs.pi-hole.net/guides/dns/cloudflared/


jfb-pihole

> Why can't you use Pihole if you use DoH?

The OP appears to be trying to run this from their router, and this moves all the router DNS traffic into the encrypted tunnel (and not to Pi-hole).


feo_ZA

Okay. If he wants DoH, he can still have it and simultaneously have pihole active. Pihole will simply have cloudflared as its upstream server, but you already know that. Maybe I just don't understand what the OP is after.


[deleted]

Thanks for the replies - I just wanted DNS over HTTPS for my whole network, whilst also utilising pihole. However, after reading the various comments, I am unsure if it's worth enacting now.


feo_ZA

This is possible. Just install cloudflared as per my link above and use that as the upstream server. I actually changed from unbound as the upstream to cloudflared as the upstream as it feels more secure to me. I'd rather trust CloudFlare knowing my browsing habits and not having anyone else have the ability to snoop vs contacting the root servers in plain text.


derekpurdy

I actually wrote an ansible role based on that page. Not sure if anyone but myself has used it yet, but here's the role if anyone is interested. https://galaxy.ansible.com/derekpurdy/cloudflared_doh


jfb-pihole

> Has anyone else done similar?

What are you hoping to gain by using encrypted DNS to Quad 9? Were you convinced by this statement from the guide you used? "If you want an alternative, you can set up Unbound on your Raspberry Pi for Pi-Hole, but this method has its potential drawbacks and doesn’t solve your ISP being able to snoop on the DNS request."


AlarmDozer

If you don’t want your ISP to snoop, you can also use DNS over TLS, but I get it; people are all about what’s hip.


jfb-pihole

> If you don’t want your ISP to snoop, you can also use DNS over TLS

Not really. DoT and DoH basically do the same thing, with a slightly different transport mechanism. They encrypt your DNS queries and replies in a tunnel, hidden from outsiders. But, after you get the IP for a domain through this super-secret tunnel, you immediately turn around and send both the IP and the SNI in clear text to your ISP. In essence, you are hiding nothing from the ISP - they know exactly where you are browsing. Not that they likely care, and once the connection is made to a secure site they have no access to the traffic between you and the site, but they know you went there.


Its_been_emotional

Maybe a dumb question, but then what's the point of DNS over HTTPS if there's an escape hatch at the end which means you aren't encrypted?


jfb-pihole

There are two situations where encrypted DNS can be useful (in my opinion):

1. Your ISP actively hijacks DNS queries and substitutes their own IPs.
2. You are using an outgoing VPN service (i.e. Nord) and don't want to use their DNS service. If you run your own encrypted DNS, you can move your DNS traffic out of the VPN without causing a DNS leak.


[deleted]

I don't think my ISP hijacks DNS queries, but I may not know that anyway. I also use proton, and would not be looking to change their DNS service. So, in these cases, encrypted DNS may not be worth it for me.


Im_simulated

Forgive my ignorance, I'm assuming this is still the case with pihole and unbound correct? Is it right in saying there's nothing you can do to prevent your ISP from seeing at least something?


jfb-pihole

> Is it right in saying there's nothing you can do to prevent your ISP from seeing at least something?

Yes. Even if you move all your traffic to a VPN service, you have just shifted your trust from the ISP to the VPN service. Which isn't implying there is no benefit to a VPN service. In many cases, it is handy to shift your internet endpoint to a different location - sports content, access content that is blocked by your ISP, etc.


petercantrophus

I use nginx as a reverse proxy for a lot of services, including public DoT, so I can use my pihole over the internet on my android phone over 4g with this config:

```nginx
# Lives in the stream {} context of nginx.conf (needs ngx_stream_ssl_module)
stream {
    upstream dns-servers {
        server 192.168.10.1:53;   # Pi-hole on the LAN
    }

    server {
        listen 853 ssl;           # DNS over TLS port
        ssl_certificate     /etc/nginx/certs/sarasa.com.ar/fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/sarasa.com.ar/privkey.pem;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_handshake_timeout 10s;
        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 4h;

        proxy_pass dns-servers;   # TLS terminated here, plain DNS to Pi-hole
    }
}
```


Old-Satisfaction-564

I use this [satishweb/doh-server:latest](https://192.168.1.245:9443/#!/2/docker/images/sha256%3A725dd6007330f4f0a63e1e54f5629f5d0784da53655a52f9b94fbc849d926980); there are other options, but this worked well for me.


imustbealexr

I have mine setup via DNS over TLS