I followed the instructions in HMN76V's post for setting up DNS-over-HTTPS with a PiHole.
It works (except pi.hole doesn't resolve over DoH; I assume fixable, but NBD - I can just use its IP). However, "as expected," DNS requests that go through the local doh-proxy on the Raspberry Pi, and then into PiHole itself, are each identified as being from the localhost client.
Clients that connect directly to PiHole unencrypted are correctly identified.
How can I fix this?
I want to use DoH on my network, but I also want to be able to use the grouping features to apply wider or narrower filters to various sets of devices (i.e. work computers maybe get some leeway, "smart" devices get aggressively filtered).
If PiHole supported DoH natively (all I could find was a closed, undiscussed feature request from 2021), this wouldn't be a problem since DoH requests could terminate directly in PiHole and it would get the correct IP for each client....
Can this even be done with additional software on a pihole server, or will I have to have native DoH support in the PiHole to be able to identify DoH clients?
Since "DNS queries (unlike http) don't have a notion of 'forwarded for' headers," achieving this with additional software around PiHole is actually impossible, right?
Please help me end my wild goose-chase in either success, or closure!
PiHole Info:
- pihole has a static IP lease in the DHCP pool of the router; the router is the LAN's DHCP server
- pihole is set as the sole DNS in the router's DHCP config
- lighttpd forwards DoH queries on <pihole IP>:443 to doh-server on localhost:3000
- doh-server terminates SSL & forwards unencrypted DNS queries to pihole-FTL on localhost:53
- (upstream DNS is a local unbound on localhost:5335, but I don't think that's relevant to my DoH identification issues)
EDIT: After some progress, I realized that I don't just need A DoH server, I need a DoH server that can ensure there is EDNS client subnet information for pihole to consume.
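An added example (not part of the post, and not Pi-hole or doh-server code): stdlib-only Python that builds a DNS query carrying the EDNS Client Subnet (ECS) option from RFC 7871, which is the per-client information the EDIT says the DoH server has to supply, and then parses it back out the way a resolver sitting behind the proxy would read it. The query names and client addresses are constructed sample values.

```python
import struct
import ipaddress

ECS_OPTION_CODE = 8  # EDNS Client Subnet option code, RFC 7871
OPT_TYPE = 41        # EDNS(0) OPT pseudo-RR type

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def skip_name(msg, pos):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return pos + 2
        pos += length + 1

def build_query(qname, client_ip=None, prefix_len=None, txid=0x1234):
    """Wire-format A query; when client_ip is given, add an OPT RR carrying ECS."""
    arcount = 1 if client_ip else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)        # A, IN
    if not client_ip:
        return header + question
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    src_len = (32 if addr.version == 4 else 128) if prefix_len is None else prefix_len
    addr_bytes = addr.packed[:(src_len + 7) // 8]     # RFC 7871: truncate to prefix
    ecs = struct.pack("!HBB", family, src_len, 0) + addr_bytes  # scope prefix = 0 in queries
    rdata = struct.pack("!HH", ECS_OPTION_CODE, len(ecs)) + ecs
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt_rr

def extract_ecs(msg):
    """Return (client_ip, source_prefix_len) from the ECS option, or None if absent."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4                  # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata, pos = msg[pos:pos + rdlen], pos + rdlen
        if rtype != OPT_TYPE:
            continue
        i = 0
        while i + 4 <= len(rdata):                     # walk the EDNS option list
            code, olen = struct.unpack("!HH", rdata[i:i + 4])
            odata, i = rdata[i + 4:i + 4 + olen], i + 4 + olen
            if code == ECS_OPTION_CODE:
                family, src_len, _scope = struct.unpack("!HBB", odata[:4])
                packed = odata[4:].ljust(4 if family == 1 else 16, b"\x00")
                return str(ipaddress.ip_address(packed)), src_len
    return None
```

A query that arrives without the option (the localhost-only case from the post) yields None, which is exactly the situation where the resolver can only attribute the query to the proxy.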