I have been using Pi-hole on my home network for quite some time. Our Android phones use the Private DNS option, which makes sense when out of the house, but at home Private DNS means that the Android phones bypass the Pi-hole with a DoT connection to Google DNS. I also use Fedora for my workstation and for a small Raspberry Pi cluster. The next version (F35) will default to 'opportunistic' DoT.
I would like to modify my home network DNS service (Pi-hole at the front end) to also offer opportunistic DoT to clients that request it. This is not because I am worried about someone intercepting the DNS traffic. Rather, I want to maintain a default secure DNS configuration for mobile devices and also make sure that these devices use the home network DNS service when it is available. It seems to me that providing opportunistic DoT as part of the DNS service should be possible without too much fuss, but I am not sure I am thinking about this correctly. Hence this post.
Current configuration. I host Pi-hole as a container on a Synology NAS. The Pi-hole uses a DNS-over-HTTPS client, which is also running in a container, as the 'upstream' DNS service, with the DoH client connecting to Google's DoH servers. The Pi-hole is configured as the DNS server in the Unifi network administration web interface.
Proposed configuration. I found the post at Pi-hole for DNS-over-TLS - the Simplest Way to be very informative. Is there a way to modify the pihole service (container in my case) to also provide opportunistic DoT? It seems that adding stunnel to the pihole docker image and extending the configuration so that stunnel is answering on port 853 while pihole continues to answer on port 53 would be a simple yet complete solution. I build container images for other projects but am not a DNS expert by any means. Am I missing something fundamental that would make this approach unworkable?
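As an added illustration of the stunnel-in-the-same-container idea (example configuration, not from the Pi-hole project or the linked post), this stunnel.conf terminates TLS on 853 and hands the length-prefixed DNS stream to Pi-hole's TCP listener on 53; it assumes the certificate and key paths below exist (generated separately), that 853/tcp is published from the container, and that the phones are in Android's automatic Private DNS mode, which tries DoT against the DHCP-advertised resolver before falling back to plain DNS.

```ini
; stunnel.conf for a DoT front end inside the Pi-hole container
; (added example; paths and service name are assumptions)
foreground = yes
; drop privileges after binding the listener
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel.pid
; do not offer legacy TLS to DoT clients
sslVersionMin = TLSv1.2

[dot]
; DoT framing is identical to DNS over TCP, so stunnel can pass it
; straight through to the resolver without understanding it
accept  = 0.0.0.0:853
connect = 127.0.0.1:53
; assumed locations; a self-signed pair is enough for opportunistic
; clients, which do not validate the name (strict/hostname mode would)
cert = /etc/stunnel/dot.pem
key  = /etc/stunnel/dot.key
```

A quick check from another host is `openssl s_client -connect <pi-hole-ip>:853`, which should complete a handshake; after that, Pi-hole's query log shows the phone's lookups again, and if nothing appears the phone is most likely still in hostname (strict) mode rather than automatic.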
Again, the goal is to extend Pi-hole to offer opportunistic DoT for clients like Android so that my pihole is providing DNS and ad blocking etc. while connected to the home network, but also to maintain classic DNS service for all other clients. I am constantly amazed at how many network devices we have in our farm house.