DNS encryption, Internal network

I set up pihole with dnscrypt in my home network a couple of days ago. The DNS of my router points to it, so all the hosts on the network use pihole.
Everything is working fine. The DNS traffic is indeed encrypted thanks to dnscrypt, and I am still able to block all the ad domains that pihole has in its blacklists.

Something that I did not think of was DNS encryption within the internal network. Since dnscrypt is bound to the loopback interface (127.0.0.1) of the host where pihole is running, all the DNS requests of the clients to pihole are sent in plain text, hence it is easy to sniff traffic, make MIM attacks, and I think that if the ISP has access to the router it could even check which packets travel around the internal network, including the DNS requests that are not encrypted. The DNS requests are only encrypted when pihole actually sends them to dnscrypt running on 127.0.0.1; the responses from pihole are, again, not encrypted.

I was wondering if there is an effective and simple way to encrypt the DNS traffic between pihole and the clients on the internal network, either using TLS, HTTPS, or another encryption protocol.

Please note that using DNS over HTTPS or DNS over TLS with pihole will not help, as the very same problem occurs: the traffic between clients and pihole is not encrypted, it is only encrypted when pihole is making the DNS request.

I do not believe one should "trust" anything at all in the security field. There are several kinds of malware that can sniff unencrypted DNS traffic for malicious purposes. If one of my home users gets infected, I could be affected without them even knowing. For me, it is not a question of trust, it is a question of avoiding unnecessary attack vectors.

The DNSs I use are logging-free. Of course, they claim to be, there is no real way to know, but the dnscrypt project keeps a list of updated and trusted dnscrypt servers [1].

Thank you for your suggestion. SSH could indeed be an idea, but that would require several additional configurations on all the devices that use pihole, which is not very suitable in my opinion.

Unfortunately, I would have to conclude that pihole does not provide the security level I require.

[1] DNSCrypt - List of public DoH and DNSCrypt servers

What did you do for security prior to using Pi-Hole?