Home Network DNS - Opportunistic DoT for Android and Linux?

I have been using Pi-hole on my home network for quite some time. Our Android phones use the Private DNS option which makes sense when out of the house, but at home Private DNS means that the Android phones bypass the Pi-hole with a DoT connection to Google DNS. I also use Fedora for my workstation and for a small Raspberry cluster. The next version (F35) will default to 'opportunistic' DoT.

I would like to modify my home network DNS service (Pi-hole at the front end) to also offer opportunistic DoT to clients that request it. This is not because I am worried about someone intercepting the DNS traffic. Rather I want to maintain a default secure DNS configuration for mobile devices and also make sure that these devices use the home network DNS service when it is available. It seems to me that providing an opportunistic DoT as part of the DNS service should be possible without too much fuss, but I am not sure I am thinking about this correctly. Hence this post.

Current configuration. I host Pi-hole as a container on a Synology NAS. The Pi-hole uses a DNS-over-HTTPS client which is also running in a container as the 'upstream' DNS service, with the DoH client connecting to Google's DoH servers. The Pi-hole is configured as the DNS server in the Unifi network administration web interface.

Proposed configuration. I found the post at Pi-hole for DNS-over-TLS - the Simplest Way to be very informative. Is there a way to modify the Pi-hole service (container in my case) to also provide opportunistic DoT? It seems that adding stunnel to the Pi-hole docker image and extending the configuration so that stunnel is answering on port 853 while Pi-hole continues to answer on port 53 would be a simple yet complete solution. I build container images for other projects but am not a DNS expert by any means. Am I missing something fundamental that would make this approach unworkable?

Again the goal is to extend Pi-hole to offer opportunistic DoT for clients like Android so that my Pi-hole is providing DNS and ad blocking etc. while connected to the home network, but also maintain classic DNS service for all other clients. I am constantly amazed at how many network devices we have in our farm house.

thanks!
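To check whether a resolver such as the proposed stunnel-fronted Pi-hole really answers DoT on port 853, and to see the plaintext fallback that an opportunistic client performs when TLS fails, here is an added example of a minimal DoT client (not code from this post or from Pi-hole). It assumes a resolver address you supply; the default `verify=False` in `opportunistic_resolve` mirrors opportunistic clients, which accept any certificate and so only hide traffic from passive observers.

```python
import socket
import ssl
import struct

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query (recursion desired) in wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def frame_tcp(msg: bytes) -> bytes:
    """DoT (RFC 7858) reuses DNS-over-TCP framing: a two-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg: bytes):
    """Return (id, rcode, answer_count) from a DNS response header."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return qid, flags & 0x000F, an

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf

def query_dot(server: str, name: str, port: int = 853, verify: bool = True) -> bytes:
    """Send one query over TLS on port 853 and return the raw DNS response."""
    ctx = ssl.create_default_context()  # validates the chain, like Android's strict mode
    if not verify:  # opportunistic clients typically accept any certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((server, port), timeout=3) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame_tcp(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)

def query_udp(server: str, name: str, port: int = 53) -> bytes:
    """Classic plaintext DNS over UDP on port 53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name), (server, port))
        return s.recv(4096)

def opportunistic_resolve(server: str, name: str):
    """Mimic an opportunistic client: try DoT, fall back to plaintext on any TLS or socket failure."""
    try:
        return "dot", query_dot(server, name, verify=False)
    except (OSError, ssl.SSLError):
        return "plain", query_udp(server, name)
```

Calling `opportunistic_resolve("192.0.2.53", "pi.hole")` (placeholder address) returns `"dot"` when port 853 answers and `"plain"` when the client silently downgraded, which is exactly the behaviour you want to watch for on the Pi-hole host.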

Your best approach here is to set up an incoming VPN service for your Pi-hole. Clients will connect securely and privately to your local Pi-hole while off your home network. We offer several guides.

https://docs.pi-hole.net/guides/vpn/wireguard/overview/

https://docs.pi-hole.net/guides/vpn/openvpn/overview/

What is your goal in encrypting your DNS traffic between you and Google? Google still has a complete record of your DNS traffic and is free to do with it what they wish.

> Your best approach here is to set up an incoming VPN service for your Pi-hole. Clients will connect securely and privately to your local Pi-hole while off your home network. We offer several guides.

Thanks. I have not thought about a VPN service. We live in a rural location with a low bandwidth wireless connection from our ISP. We are also double NAT'ed although the ISP does offer a public IP for additional cost. I will give some thought to a VPN and review your links.

My primary goal with the DoH connection is to minimize snooping by any and all ISPs between my home network and the world at large. Google already knows a lot about me so I am not too concerned with their monetizing that information.

thanks

Brad
