I have been successfully running several iterations of the pi-hole solution on my home LAN, and it works GREAT.
I have since graduated to running a pi-hole (skyhole) in the cloud with a hosted provider. It also (mostly) works for many of my clients. I didn't want to run a VPN back to my home LAN for multiple reasons.
My iOS and other devices can use the skyhole-based pi-hole without issue. My issue comes in specifically with Android 10 devices. They seem to not only require custom DNS servers which use FQDN names, but also require DNS over TLS. If that is not present, they cannot be used to resolve hosts.
Therefore, my question is what approach needs to be implemented here? I have seen tutorials for DNS over TLS with pi-hole, but those tutorials seem to be geared to using DNS via TLS for the upstream queries. I need for my DNS server to accept incoming DNS over TLS queries on the front end.
AFAIA, DNS over TLS is an option in Android 10 (more specifically, available since Android 9 "Pie"), not a requirement. Since DoT is not very wide spread atm, it would lock out a substantial number of users if it would be mandatory.
Unfortunately, I don't have a matching device to confirm and provide you with instructions on how to disable this.
Still, disabling on-device DoT might prove easier than setting up server-side DoT in your private cloud.
Thank you, I appreciate someone willing to engage in discourse regarding this.
I have not found a way around/ability to disable the requirement for DoT in Android 10 if you want to specify your own DNS server, and I do in order to use pi-hole. Google seems to require it.
I wonder whether network specific DNS settings (as mentioned for Android <=8 in the article) would still be available on higher versions.
I doubt the custom DNS changer apps mentioned towards the end of the article will work in your configuration, as they utilize a VPN to change their settings. This could cut you off from using your own VPN to connect to your Pi-hole in the cloud.
Alternatively, you may consider using Blokada (also available through F-Droid ) on your Android mobiles.
While it employs a VPN as well, it also supplies device-bound, network-independent DNS-based filtering at the same time, much as Pi-hole does network-wide but also network-bound.