Implement DNS-over-TLS capability in Pi-hole

I'll add on to this thread late - if it needs to be elsewhere please redirect.

This is a question of "who do you trust least and why." I have configured various Pi-holes with unbound as a local recursive resolver, and with cloudflared running DNS over HTTPS. One protects the integrity of my DNS lookups but the ISP can see them; the other hides only my DNS activity from my ISP, but now I have to trust Cloudflare to get me the correct DNS and keep my searches private.

If I run my VPN I'm secure end to end for the most part, but how much do I trust my VPN provider? I use VPN only when I need to hide my actual IP and location (overseas TV and the like).

My simple questions:

(1) any significant performance differences between DNS over TLS and DNS over HTTPS?

(2) I know my ISP would have a commercial reason to monitor my online activity and perhaps shape my network traffic speeds. Is there any indication that Cloudflare is not on the up-and-up and that they would also have a commercial reason to sell my data?

Any opinions on what gives me the best overall privacy and security - running my own local recursive resolver (I see one of the developers does this with a cluster) and accepting that the ISP is either going to see the DNS requests and the https request; or going for greater DNS privacy only by going encrypted to a DNS third party provider (removing half the information that the ISP sees)?


So because this issue is marked closed, shall we presume DNS-over-TLS is not on the pihole roadmap?

It was more "out of scope." But, I think that is a fair assumption, for all the reasons discussed in the replies above.

I'm running my PiHole with DoH on
If anyone else is interested, I used this to set it up. Been running for a couple of weeks without any problems.
Securing DNS across all of my devices with Pi-Hole + DNS-over-HTTPS +

It's a little workaround till DOT (or similar) is implemented


For me it's laziness. I already asked Scott why DOH and not DOT, but didn't get a reply sadly.

Yes and No.

Yes: The DNS server in FTL is based on dnsmasq and, as such, is a DNS proxy that can either reply from its internal cache or has to forward the request to somewhere else. In the case of DoT, pihole-FTL forwards the requests to a local proxy which itself forwards it to Cloudflare using an encrypted connection.

There are several complications when it comes to implementing this into pihole-FTL: There are different flavors of encrypted DNS traffic: DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), dnscrypt and a few more. Implementing them would be a major task and nobody can ensure that it is bug-free*. Furthermore, all the different providers have a (slightly) different take on the standards and specifications such that an implementation often cannot be generic enough to cover all use cases.

*) While this is always true, it is a special problem when it comes to cryptography as even tiny implementation bugs can make the encryption itself vulnerable.

The current solution is to have various specialized agents talk to their respective providers.
IMHO this is the - by far - best approach, as the providers themselves know their own specs best. Moreover, many small projects are much easier to maintain than a monolithic pihole-FTL binary that tries to do everything.

No: We fully support DoT inside Pi-hole. You just need to realize it using a local proxy of your preferred DNS provider. See the "Yes" reply for further details.
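As an added illustration (not code from this thread or from Pi-hole/FTL) of what the local proxy in the "Yes" answer does on the wire: DoT per RFC 7858 is the ordinary DNS message, length-prefixed exactly as over TCP, carried in a TLS session to port 853, with the upstream's certificate and name checked. The `server_ip`/`server_name` parameters are placeholders for whichever upstream you trust, and `SAMPLE_REPLY` is a constructed response, not captured traffic.

```python
# Added example, not Pi-hole/FTL code: what a local DoT proxy puts on the wire.
# RFC 7858: a plain DNS message, 2-byte length-prefixed as over TCP, inside TLS to port 853.
import socket
import ssl
import struct
def build_query(name, qtype=1, txid=0x1234):
    """Standard DNS query (RD=1, one question); QTYPE 1 = A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame_for_dot(msg):
    return struct.pack("!H", len(msg)) + msg   # length prefix, RFC 7858 section 3.3

def _skip_name(msg, pos):
    if msg[pos] & 0xC0 == 0xC0:          # compression pointer, 2 bytes
        return pos + 2
    while msg[pos]:                      # length-prefixed labels up to a 0 byte
        pos += msg[pos] + 1
    return pos + 1

def parse_a_answers(msg):
    """IPv4 strings from the answer section; [] when RCODE is not NOERROR."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        return []
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4   # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if (rtype, rclass, rdlen) == (1, 1, 4):
            ips.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return ips

def query_over_dot(name, server_ip, server_name):
    ctx = ssl.create_default_context()  # verifies the CA chain and the SNI hostname
    with socket.create_connection((server_ip, 853), timeout=5) as tcp, \
            ctx.wrap_socket(tcp, server_hostname=server_name) as tls:
        tls.sendall(frame_for_dot(build_query(name)))
        rx = tls.makefile("rb")
        (length,) = struct.unpack("!H", rx.read(2))
        return parse_a_answers(rx.read(length))
SAMPLE_REPLY = (  # constructed reply, not captured traffic: example.com A 192.0.2.1, TTL 300
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01")
```

Pi-hole itself only ever sends the plain, unframed message to the proxy on localhost; the TLS framing and certificate check in `query_over_dot` are the part the proxy does.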


It has been a while, but wanted to let you all know that I have added Cloudflare DoH (cloudflared) to my setup. It is fully explained in my Github repo here and the automated updates of it here.


Can't this be merged into Pi-hole as an out-of-the-box available feature?
I can't believe how something like this is out of scope.
DoH protects privacy, and it looks like Pi-hole is not concerned about the privacy of its users.

Yeah, that's it exactly.

Do you want DoH, DoT or dnscrypt? Should we use stubby or cloudflared? I'd think that a user concerned with privacy would want to use their preferred technology instead of one that is determined by the developers.

Well, if you cared about privacy you would have implemented a DNS resolver to call the root servers directly over an encrypted channel.

Not all the users of Pi-hole know how to install different "hacks" to make it work. Pi-hole has a huge public because it has a nice interface where you can configure many things.
Choose whatever you think fits best, but make it easy so everyone can enjoy the benefits.

We do care about privacy and security, neither of which can be done with a shortcut or handholding. That's where you get into the dangerous territory of having someone else do it for you and giving control of your security and privacy to other parties. That is never a good thing.

The point still stands: you may have an encrypted response for your DNS to IP, but visiting that IP over a bare, unencrypted connection just exposed all the information that you had hidden.

Don't you visit the IP over HTTPS?
So DoH or DoT aren't better than nothing in any way, considering security or privacy?

What about a DNS resolver, so you don't rely on an intermediate DNS server like Cloudflare?

Your direct competitor already supports it

It can be that hard.

They aren't our direct competitor.

IP over HTTPS doesn't do anything to hide where you are going, which is what DNS is: it tells you where to go. TLS just protects the payload from that IP. Your ISP knows that you went to Amazon, but they don't know what you bought.

I know some people that have moved to AdGuard Home.
But you are right, this will probably end up eating most of your users, and it supports DoH.

I don't think so. NextDNS is just an external service like Quad9, Cloudflare or Google. For me there is no difference between them, and also no advantage to using them.

Regarding privacy and performance for me the best solution is Pi-hole + local Unbound.


There are quite a few features and advantages that it has and Pi-hole doesn't.
People are quite excited about it on social media; let's see how it evolves. It is something that suits any user, since it doesn't require hardware or any expertise like Pi-hole does.

I agree with you that the best would be to call the root servers directly with unbound, but again, that is another feature that Pi-hole doesn't support out of the box.