This is my attempt at understanding the intricacies of DNS, primarily based on what I’ve learned while setting up Pi-hole, and hopefully figuring how to achieve an even better setup. Hopefully, this isn’t too far off the mark but where inaccuracies occur please do point them out.
The goals in having a Raspberry Pi 3+ running Pi-hole for me, and I assume for most, are:
Adblocking on devices (particularly phones) when away from home
Enhance DNS and general privacy – as few as possible should be able to monitor your DNS and your internet activity
Enhance DNS and general security – nobody should be able to tamper with your DNS request.
PH pretty much achieves 1) by its default setup, and with some tinkering it’s possible to run OpenVPN on the Raspberry and connect to it remotely, thereby achieving 2). To me, it seems like there isn’t that much to raffle about so far. However, due to the nature of DNS, figuring out the best way to optimize 3) and 4) is a bit tricky. Specifically, I’m thinking of the ability to hijack DNS and its unencrypted nature, which allows surveillance and logging of your internet history by your ISP (particularly if you are using their DNS server) and others (insert various 3-letter-agencies here).
To quote the pi-hole documentation:
With standard DNS, requests are sent in plain-text, with no method to detect tampering or misbehavior. This means that not only can a malicious actor look at all the DNS requests you are making (and therefore what websites you are visiting), they can also tamper with the response and redirect your device to resources in their control (such as a fake login page for internet banking).
Assuming a ‘basic’ setup that is running an OpenVPN server on a Raspberry Pi that your phone is connected to, the phone’s traffic would be encrypted on its way to the Raspberry Pi but the DNS lookups sent from the Raspberry Pi to the upstream DNS server, operated by your ISP, would be in plain-text and you can’t be sure of the integrity of the replies you receive.
There are various ways of trying to deal with the mess:
Change the DNS server from which your Pi-hole asks for info – how this helps depends a lot on who you decide to ask, e.g. it’s probably not a good idea to ask Google to optimize 3). Neither does this help with 4). https://docs.pi-hole.net/guides/upstream-dns-providers/
- Make PI a recursive DNS server – this way, no single entity like Google, your ISP or Cloudflare will see your DNS activity. This helps with 3) but not 4). But we can combine it with DNSSEC which does help with 4)…https://docs.pi-hole.net/guides/unbound/
DNSSEC – you can be sure you’re actually ending up on the website you wanted to visit, not some sketchy website that wants to make you mine cryptocurrency for them, i.e. it helps with 4). However, it doesn’t encrypt your DNS traffic so 3) is still an issue and depending on where your Pi-hole is getting its info from, e.g. Google or Cloudflare would know everything you’re looking up. https://docs.pi-hole.net/guides/unbound/
So it seems that we just need to add encryption between the Pi-hole and upstream DNS servers which is actually possible!
- DNS over HTTPS – The DNS traffic is sent via HTTPS and is as such encrypted. Neither your ISP nor Google can see what’s going on and no sketchy types can tamper with where you end up. So we’ve reached 3) and 4) and can close down the shop (or browser)? Sadly, no. While 4 has been obtained 3) isn’t looking too great. DNS Over HTTPS isn’t supported many places (see https://en.wikipedia.org/wiki/Public_recursive_name_server) and the setup as described by pi-hole docs requires that we lock ourselves into one particular upstream DNS, Cloudflare, which means the whole ‘making your PH a recursive DNS server’-thing, isn’t an option anymore. Since a single entity like Cloudflare would be getting all your DNS traffic, this is not a solution to me as it goes against 3).
This is pretty much where I have stranded myself right now, currently having my PH configured as a recursive DNS server with DNSSEC enabled, looking for a way to further enhance my privacy (further). I have not mentioned DNS over TLS since it’s not in the Pi-hole docs and seems to result in the same issues as DNS over HTTPS.
You can, of course, use a VPN provider and connect to them from your devices, assuming you trust the VPN (if you don’t, it doesn’t seem to make sense to use one) this would solve 3) and 4), but then we’ve moved away from the whole point: 1). Unless you configure the VPN to use your PH as DNS server, but this is not possible if you want 2) and as far as I can tell, you wouldn’t really be much better off than you were in the first place in regards to 3) and 4), since you want to encrypt the bloody DNS traffic.
The only solution that I can think of is to change my configuration to DNS over HTTPS but preventing Cloudflare from knowing my identity by having all of my network traffic run through a VPN service so that the VPN provider appears as the source of the DNS traffic from Cloudflare’s point of view.
My question finally then is if this is this possible, or is there a simpler/better way to achieve the same result?
Is it possible to both achieve both DNS security (your DNS traffic can’t be tampered with) and privacy (only you have complete knowledge of your DNS traffic) while running an OpenVPN server on your Raspberry Pi, which runs Pi-hole. If so, how?