How to identify clients when using DNS-over-HTTPS (thru doh-proxy)

At the time of asking my original question, I didn't realize that I needed both

  1. to configure pihole to consider EDNS Client Subnet, and - specifically in the case of DNS-over-HTTPS,
  2. a DoH gateway that could attach Client Subnet information.

You can see me realizing this in my follow-up posts.

I believe the below part of my eventual solution answers my actual problem even though my very first post hadn't fully crystallized it yet. I think this answer belongs with my question:


What Worked for Me

Short answer is that dnsdist can attach a mask of the client IP as a client subnet, which pihole will pick up when EDNS0_ECS=true in the pi-hole config to allow DNS-over-HTTPS queries into pihole to be correctly associated with the local client that made the query.

Assuming

  1. a pihole IP of 192.168.1.254, and
  2. that /usr/local/ssl/crt contains an SSL cert & key for the pihole,

then the below config will work for dnsdist to expose a DNS-over-HTTPS server on the default SSL port that forwards requests to the pihole with the full client IP attached, allowing identification of the clients as I originally wanted.

-- listen for DNS-over-HTTPS queries on 443, authenticated by our pihole cert
addDOHLocal(
    '192.168.1.254:443',
    '/usr/local/ssl/crt/pi.hole.crt',
    '/usr/local/ssl/crt/pi.hole.key'
)

-- prepare to forward DNS queries to pihole w/ client subnet info
pihole = newServer({
    address="192.168.1.254:53",
    name="pihole",
    useClientSubnet=true
})

pihole:setUp()

-- send full client IP as subnet (a /32 prefix keeps all 32 bits of the address)
setECSSourcePrefixV4(32)

NOTE: do not use 127.0.0.1 for the newServer; while this will work to resolve DNS queries, it will cause the pihole to respond with that localhost IP for pi.hole lookups and you won't be able to browse the web admin at pi.hole!

NOTE: pihole:setUp() disables dnsdist's health-check queries to pihole. In this setup there is no alternative to pihole, and it's not dnsdist's job to solve pihole being down - queries should always go to pihole and if pihole's down they just won't resolve!

NOTE: Probably several DoH servers would work in place of dnsdist when exposed directly on a port. However, my larger task that led to this question was to do this on the same default HTTPS port (443), while also serving the pihole web admin on the same port, which meant something in-between the client and the DoH server, and the need to preserve and/or attach new client subnet information so that dnsdist had something to forward to pihole! My full solution to that is documented in a different post, "Run a DNS-over-HTTPS (DoH) server & pihole’s web admin on the same (default) SSL port while still identifying DoH clients".
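To make concrete what dnsdist hands to pihole with setECSSourcePrefixV4(32), here is an added example (not part of the original post or of dnsdist/pihole) that encodes and decodes the EDNS Client Subnet option as laid out in RFC 7871; the client address 192.168.1.42 is a constructed sample value. It also shows the /24 case, where only the network part of the client IP survives, which is why a /32 is needed to tell individual clients apart.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8        # EDNS Client Subnet option code (RFC 7871)
ADDRESS_FAMILY_IPV4 = 1    # IANA address family number for IPv4


def build_ecs_option(client_ip, source_prefix):
    """Encode one ECS option (code + length + payload) for client_ip.

    source_prefix plays the role of setECSSourcePrefixV4(): 32 keeps the
    whole address, 24 keeps only the /24 network. Only the address bytes
    covering the prefix are transmitted; bits beyond it are zeroed.
    """
    addr = ipaddress.IPv4Address(client_ip)
    network = ipaddress.IPv4Network((addr, source_prefix), strict=False)
    nbytes = (source_prefix + 7) // 8
    # FAMILY (2 bytes), SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH (0 in queries)
    payload = struct.pack("!HBB", ADDRESS_FAMILY_IPV4, source_prefix, 0)
    payload += network.network_address.packed[:nbytes]
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def parse_ecs_option(opt_rdata):
    """Walk the OPT record's RDATA (a sequence of code/length/value options)
    and return the IPv4 client network as 'a.b.c.d/len', or None if absent.

    This is the view a resolver such as pihole gets of the forwarded query.
    """
    pos = 0
    while pos + 4 <= len(opt_rdata):
        code, length = struct.unpack_from("!HH", opt_rdata, pos)
        pos += 4
        value = opt_rdata[pos:pos + length]
        pos += length
        if code != ECS_OPTION_CODE or len(value) < 4:
            continue  # skip unrelated options such as cookies or padding
        family, source_prefix, _scope = struct.unpack_from("!HBB", value, 0)
        if family != ADDRESS_FAMILY_IPV4:
            continue
        # Re-pad the truncated address to 4 bytes before decoding it.
        addr = ipaddress.IPv4Address(value[4:].ljust(4, b"\x00"))
        return f"{addr}/{source_prefix}"
    return None


if __name__ == "__main__":
    # Constructed sample client; compare what a /32 and a /24 prefix reveal.
    for prefix in (32, 24):
        print(prefix, parse_ecs_option(build_ecs_option("192.168.1.42", prefix)))
```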