This feature request improves on the GitHub Pull Request #2315 which is blocking SVCB _dns.resolver.arpa and returning NODATA by default now to prevent clients from upgrading to public DoH from Pi-hole. (See the feature request: Implement _dns.resolver.arpa as a special domain or add BLOCK_SVCB as a configuration option)
I would like to request a feature to have an option from the configuration files of Pi-hole to customize the SVCB _dns.resolver.arpa record to allow setting custom local DoH server available for upgrade from the plaintext DNS using Discovery of Network-designated Resolvers (DNR). (As of now Pi-hole allows setting custom A/AAAA/CNAME records from web interface under Settings -> Local DNS Settings.)
You might be wondering if allowing SVCB to specify a custom DoH server would defeat the purpose of using Pi-hole. However, it is possible to provide a DoH server that uses Pi-hole as its upstream resolver.
How Discovery of Network-designated Resolvers (DNR) works:
- A client gets a DNS resolver IP via DHCP Option 6 (IPv4) or Option 23 (IPv6) [Which will be the Pi-hole IP]
- The client performs a reverse DNS lookup on
_dns.resolver.arpaandSVCBrecord tell the client where the DoH/DoT endpoints are. - If valid records exist, the client automatically upgrades to encrypted DNS.