Facilitating Secure Access to Pi-hole On the Go: Implementing DNS over TLS and DNS over HTTPS for Clients

Hello Pi-hole Community,

I'd like to initiate a discussion on the possibility of making secure access to Pi-hole outside the home more seamless by exploring the implementation of DNS over TLS (DoT) and DNS over HTTPS (DoH) for specific clients, such as Private DNS on Android or Secure DNS settings in Mozilla Firefox and Google Chrome.

Context:

Pi-hole has proven to be a powerful tool for ad-blocking at the network level, providing a cleaner browsing experience. However, ensuring privacy and security in DNS queries becomes crucial when users are outside their homes. Integrating support for DoT and DoH on clients can be an effective solution.

Benefits:

  1. Privacy on the Go: By implementing DoT and DoH on clients, such as private DNS apps on Android or secure DNS settings in browsers, users can ensure privacy even when on external networks.
  2. Enhanced Security: DNS traffic encryption provides an additional layer of security when accessing Pi-hole remotely, reducing the risk of data interception on public or potentially insecure networks.
  3. Reliable Access to Pi-hole On the Go: Users can securely access their private DNS hosted on Pi-hole, ensuring that the benefits of ad and tracker blocking extend beyond the home network.
  4. Flexible Configuration: Direct implementation on clients allows for flexible configuration, enabling users to choose which devices and applications should utilize DoT or DoH, adapting to their specific needs.

Potential Challenges:

  1. User Awareness: Ensuring users are aware of the benefits of implementation on their devices and how to configure these options effectively.
  2. Compatibility with Different Clients: Considering the variety of clients and operating systems to ensure a smooth and compatible implementation across different platforms.

Community Questions:

  1. How do you perceive the implementation of DoT and DoH on clients as a valuable extension for Pi-hole?
  2. What are the most significant benefits of allowing users to securely access their Pi-hole outside the home?
  3. Have you configured secure DNS on your devices and browsers? What were your experiences?
  4. What challenges do you anticipate in the implementation, and how can these challenges be effectively overcome?

Let's share insights on how we can enhance the accessibility and security of Pi-hole, especially when we're away from our home network! Additionally, considering the challenges of adapting the Nginx server on ARMHF hardware, such as the Raspberry Pi 1, due to the lack of updates in this architecture, integrating these features directly into the Pi-hole construction becomes even more compelling. This can offer a more straightforward solution for users, especially those dealing with older hardware limitations.

Just so you are aware, Pi-hole can be accessed via a VPN when travelling, providing the security and privacy benefits without the challenges of managing a bespoke DNS layer.

WireGuard is a good choice, since it is lean and flexible and well supported, and there is an official guide.


Even so, it would be interesting for the Pi-hole development team to embed a DNS over TLS and DNS over HTTPS service in the installation, listening on ports 853 and 443. Adapting this to an Nginx proxy and dealing with self-signed certificates can be difficult and time-consuming. This way, we would have more privacy within local networks, including situations where someone could sniff regular DNS traffic between Pi-hole and the client.
Especially when using older hardware like the Raspberry Pi 1, where the network speed is only 100 Mbps and it's not suitable for VPN to handle all traffic, serving as a DNS-only server and utilizing the security of DoH and DoT can be interesting.
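To make the DoT side of this concrete, here is an added example (not Pi-hole project code and not from any poster in this thread) of what a client actually does when "Private DNS" points at a Pi-hole on port 853: it opens a TLS connection, sends a DNS message prefixed with a 2-byte length (RFC 7858 reuses the TCP framing of RFC 1035), and reads the answer back. It also shows the defender-friendly way to handle the self-signed certificate problem mentioned above: keep verification on and trust only the Pi-hole's own certificate via `cafile`, rather than disabling checks. The server name, certificate path, and the `ads.example` domain in the embedded sample response are placeholders; `SAMPLE_RESPONSE` is a constructed packet that answers `0.0.0.0`, the way Pi-hole replies for a blocked name in its default blocking mode, so the parser can be exercised offline.

```python
import secrets
import socket
import ssl
import struct


def build_query(name, qtype=1, txid=None):
    """Build a minimal RFC 1035 query (type A by default) with RD set."""
    if txid is None:
        txid = secrets.randbelow(65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(msg, expected_txid):
    """Return rcode and A-record answers; reject a mismatched transaction id."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (possible injected reply)")
    offset = 12
    for _ in range(qd):                       # skip the echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlength == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"rcode": flags & 0x000F, "answers": answers}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_over_tls(server, name, port=853, cafile=None, server_hostname=None, timeout=5.0):
    """One DNS-over-TLS exchange (RFC 7858). `cafile` is the CA or the
    Pi-hole's self-signed certificate to trust; verification stays enabled
    and the hostname is checked, so a rogue resolver on port 853 is rejected."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid = secrets.randbelow(65536)
    query = build_query(name, txid=txid)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname or server) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)   # 2-byte length prefix
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            response = _recv_exact(tls, length)
    return parse_response(response, txid)


# Constructed sample reply (txid 0x1234) for "ads.example": one A record, TTL 2,
# answering 0.0.0.0 as Pi-hole does for a blocked domain in its default mode.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x03ads\x07example\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x02\x00\x04\x00\x00\x00\x00"
)

if __name__ == "__main__":
    # Placeholder host and certificate path; replace with your own Pi-hole's.
    print(query_over_tls("pihole.example.home", "ads.example",
                         cafile="/path/to/pihole-cert.pem"))
```

For a self-signed certificate to pass verification here, it must carry the Pi-hole's hostname in its Subject Alternative Name and be the file handed to `cafile`; the same certificate is what an Android "Private DNS" client needs to trust, which is why the thread's point about certificate handling is the real cost of the feature rather than the TLS listener itself.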

Out of interest who or what would be doing this? If such a thing is happening then it ought to be identified and removed rather than trying to hide a tiny number of clients from it.

The guide linked earlier routes just the DNS traffic over the VPN. I think 100 Mbps ethernet is adequate for that, I've not tried it though.

A lot of what you wrote is over my head, but the nice thing about Pi-hole is that you are part of the "development team." You seem very interested in this feature and have ideas about its implementation; put in a pull request.
