Implement DNS-over-TLS capability in Pi-hole

Do you want DoH, DoT, or dnscrypt? Should we use stubby or cloudflared? I’d think that a user concerned with privacy would want to use their preferred technology instead of one that is determined by the developers.

Well, if you cared about privacy you would have implemented a DNS resolver to call the root servers directly over an encrypted channel.

Not all the users of Pi-hole know how to install different “hacks” to make it work. Pi-hole has a huge user base because it has a nice interface where you can configure many things.
https://doh.defaultroutes.de/implementations.html
Choose whatever you think fits better but make it easy so everyone can enjoy the benefits.

We do care about privacy and security, neither of which can be done with a shortcut or handholding. That’s where you get in to dangerous territory of having someone else do it for you and giving control of your security and privacy to other parties. That is never a good thing.

The point still stands: you may have an encrypted response for your DNS-to-IP lookup, but visiting that IP over a bare, unencrypted connection just exposed all the information that you had hidden.

Don’t you visit the IP over HTTPS?
So DoH or DoT aren’t better than nothing in any way regarding security or privacy?

What about a DNS resolver, so you don’t rely on an intermediate DNS server like Cloudflare?

@DanSchaper
Your direct competitor already supports it

It can’t be that hard.

They aren’t our direct competitor.

IP over https doesn’t do anything to hide where you are going, which is what DNS is. It tells you where to go. TLS just protects the payload from that IP. Your ISP knows that you went to Amazon, but they don’t know what you bought.

I know some people that have moved to adguard home.
But you are right this https://www.nextdns.io/ will probably end up eating most of your users, and it supports DoH.

I don’t think so. nextdns is just an external service like Quad9, Cloudflare or Google. For me there is no difference between them, and also no advantage to use them.

Regarding privacy and performance for me the best solution is Pi-hole + local Unbound.


There are quite a few features and advantages that nextdns.io has and Pi-hole doesn’t.
People are quite excited about it on social media; let’s see how it evolves. It is something that fits any user, since it doesn’t require hardware or any expertise like Pi-hole does.

I agree with you that the best would be to call the root servers directly with Unbound, but again that is another feature that Pi-hole doesn’t support out of the box.

How do they solve the privacy issue? Do you VPN all your traffic through them, or do they just obfuscate the DNS transaction and still leave you completely trackable and identifiable through your ISP and every server that handles your packets from your local workstation to the end server? (Hint: run a traceroute to the server you’re visiting sometime and look at every single router that knows where you’re going…)

Edit: And all the other “competitors” you’ve mentioned do nothing for privacy, they get all the data you’re trying to hide. And they require you to pay them for the experience. So shill them all you want, I’m not worried.

Which of the root servers support encrypted DNS queries?

You have to connect to the IP before the encryption begins. So, after the browser has the IP address for the domain it seeks, it requests that IP address in clear text from the ISP. After a connection is made to that IP, then the TLS handshake process begins and the encrypted connection is created.

DoH and DoT do nothing to increase your privacy (your ISP can see your IP requests, and a third party DNS service has your entire DNS history), but they do have the benefit of security, in that the DNS travels in an encrypted tunnel with protection from third parties modifying it. But, if you use DNSSEC you get the same security benefits.

Now DoH is standardized as RFC 8484. Major browsers, Firefox and Chromium (Chrome, Opera, Edge, Brave, etc.), will add DoH with the next version (ETA end of October).

I think this would be more like this, because DoH avoids Pi-hole:
https://discourse.pi-hole.net/t/blocking-dns-over-https-doh/21359

A browser/application requests a DNS lookup from Pi-hole. If it is on the block list, Pi-hole does not do anything with the request; if it is not on the block list, it forwards the request or responds from the cache. When it forwards the request, Pi-hole could forward that request outside of your LAN via DoH. I do exactly this by running the cloudflared daemon on the Pi-hole machine, so Pi-hole forwards to that DNS service, which forwards it over DoH.

The feature request is for the use of a DoH DNS service to be a builtin option within Pi-Hole.

If the browser concerned is set to do DNS lookups over DoH (this is usually using a specific service), then the Pi-hole will be bypassed. Effectively the application is deciding what DNS server to use and is not getting that info from the network.

I scrolled to the top of this feature request and it is for DoT and not for DoH.

I can already use DoT through Unbound, which I have in front of Pi-hole.
Leave DoH with the browser for which it is developed.


IP over https doesn’t do anything to hide where you are going, which is what DNS is. It tells you where to go. TLS just protects the payload from that IP. Your ISP knows that you went to Amazon, but they don’t know what you bought.

I understand the point you are making, but think that might be a little bit of an oversimplification. If you need true anonymity, only a VPN will help, and that is still only if you are careful. However, in the modern web where everything is behind a CDN, it’s not true that your ISP has a one-to-one map of your web history. SNI is a major data leak, but once ESNI becomes a normal thing then a lot of browser traffic will simply look like connections to these major CDN providers. Between Cloudflare, Imperva, CloudFront, Google Cloud CDN, and Azure CDN, a huge percentage of websites and services will be indiscernible from each other. And as far as ESNI becoming a thing: since so many services are behind these CDNs, it’s simply a matter of the CDNs enabling support for it (and browsers), and not each individual website/service. Anyway, I understand the point you are making about the endpoint IP always being known to the ISP (unless you are on a VPN, in which case it’s the VPN that always knows), but just knowing the endpoint IP address is not really enough anymore for a large portion of the internet. At least for any server that’s concerned about DDoS attacks and isn’t large enough to mitigate them using its own resources.

Those man-in-the-middle sites and CDN sites are a potential point of leaking private information. The TLS connections are set up with them and not with the original site.

TLS 1.3 should end ESNI info being visible if I remember that correctly.

I use Pi-hole+Unbound with qname-minimisation active which chops the information in pieces and that is going through a VPN. To me that is still the best way of protecting my DNS information.
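What “chops the information in pieces” means in practice is QNAME minimisation (RFC 7816): the recursive resolver reveals only one more label at each step of the walk from the root, instead of sending the full name to every server. The following is an added example, not code from this thread or from Unbound; it is a simplified model that assumes a zone cut at every label and ignores the referral handling a real resolver does, but it shows what each server in the delegation chain learns with and without minimisation.

```python
def labels(name):
    """Split a domain name into its labels, ignoring a trailing dot."""
    return [part for part in name.rstrip(".").split(".") if part]


def resolution_path(name, minimise):
    """Return the (zone_asked, qname_sent) pairs a resolver emits while walking
    from the root to the authoritative server for `name`.

    Simplified model of RFC 7816: one zone cut per label is assumed. With
    minimise=True each server only sees the labels up to its own zone cut;
    with minimise=False the full name is sent to every server on the path.
    """
    parts = labels(name)
    full = ".".join(parts) + "."
    steps = []
    zone = "."
    for i in range(len(parts)):
        # Reveal one more label than the zone we are currently asking.
        suffix = ".".join(parts[len(parts) - i - 1:]) + "."
        steps.append((zone, suffix if minimise else full))
        zone = suffix
    return steps


def labels_seen_by(name, minimise):
    """Map each server on the path to how many labels of `name` it sees.

    This is the privacy comparison: without minimisation every server,
    including the root and TLD operators, sees the complete name.
    """
    return {zone: len(labels(qname)) for zone, qname in resolution_path(name, minimise)}


if __name__ == "__main__":
    host = "www.example.com"
    for mode in (False, True):
        print("qname-minimisation:", "yes" if mode else "no")
        for zone, qname in resolution_path(host, mode):
            print(f"  ask {zone:<14} for {qname}")
```

Run it and the root server sees `com.` instead of `www.example.com.` once minimisation is on; the only server that ever sees the full name is the one authoritative for it. Unbound enables this with `qname-minimisation: yes` in `unbound.conf`; whether the upstream hops are also encrypted (DoT, or the VPN mentioned above) is a separate setting and a separate question.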