Implementing DNS-Over-TLS

Hi. I wonder how I can implement DNS-Over-TLS together with Pi-Hole. Are there any tutorials / recipes for doing this? I have Pi-Hole installed on a RPi device. With DoT set up will this encrypt all DNS requests from within my network?

Note that this would also require your upstream DNS resolvers to support DoT. While becoming more and more common, you still want to verify that your chosen DNS resolver does support DoT.

You might want to search the forums for this.
There are a few topics around that deal with DoT and its implications for Pi-hole (e.g. Implement DNS-over-TLS capability in Pi-hole has a vivid discussion why DoT won’t become an integral part of Pi-hole soon, and Pi-hole for DNS-over-TLS - the Simplest Way has a short example for using a third party package).

The easiest way to enable DoT in a standard Pi-hole setup would be if your router supports DoT:
Set your router as upstream DNS for Pi-hole, and let your router handle DoT traffic to its upstream DNS servers.

Yes, my goal is actually to have a local recursive DNS server (like Unbound), but for now I wanted first to try to implement a DoT connection to Cloudflare for instance. As I understand they support DoT. However, with regards to DoT encryption there is something I have not quite understood; is the encryption only between the local resolver inside your network and the recursive DNS server (in which case would one need DoT as long as the recursive DNS server was also inside the local network?) or is it also between the recursive DNS server and the root-, TLD-, and authoritative DNS servers?

Thanks for your input. I’ll check out the threads you suggested.

Yes. And typically only if the recursive DNS resolver is somewhere on the internet. If the recursive resolver is on your network, encryption to that resolver serves little purpose.

No - see above.

No. Traffic to/from the nameservers is not encrypted.

What is your goal with encrypted DNS? Security, privacy, etc.?

Another question related to this; I have now read several threads about implementation of Unbound as a recursive DNS server, but in many of these setups the Unbound is also configured to forward DNS requests upstream to Google/Cloudflare. What would be the purpose of this? Isn’t the whole point of setting up Unbound as a local recursive server to “cut out” the external recursive resolver? Am I missing something?

These users want to use encrypted DNS, instead of running unbound in recursive mode. There is a difference of opinion regarding whether encrypted DNS increases privacy - I contend that it does not, and encrypting your DNS traffic to an upstream resolver who gathers all your DNS history requires you to trust that upstream service. In return, you gain no privacy, since your ISP can see the plain-text request for any IP acquired through an encrypted DNS tunnel.

In my opinion, yes. Encrypted DNS provides less privacy, in my opinion. In addition, you get unfiltered replies - you are getting the IP address from the authoritative phone book of the internet, with no intermediaries to filter anything. You are in complete control and only have to trust yourself.
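To make the two unbound setups discussed above concrete, here is an added example (editor's illustration, not a config posted by anyone in this thread or shipped by Pi-hole) showing the same unbound instance configured both ways. The listening port 5335, the Cloudflare addresses and the certificate bundle path are assumptions; adjust them to your system. Exactly one of the two forward-zone sections should be present at a time.

```conf
# /etc/unbound/unbound.conf.d/pi-hole.conf  (hypothetical path)
# Pi-hole points its upstream at 127.0.0.1#5335 in both variants.
server:
    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no

    # Hardening that applies to both modes.
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 1232
    prefetch: yes

    # Never leak queries for private ranges upstream.
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8

    # Needed only for variant B: the CA bundle unbound uses to verify the
    # upstream's TLS certificate (Debian/Raspberry Pi OS path, assumed).
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

# --- Variant A: true recursive resolver ------------------------------------
# No forward-zone at all. unbound walks from the root servers itself, so there
# is no external recursive resolver to trust, and queries to root/TLD/
# authoritative servers go out in the clear (DoT does not apply here).
# (Optionally pin a fresh root hints file instead of the compiled-in list.)
#    root-hints: "/var/lib/unbound/root.hints"

# --- Variant B: forwarder over DNS-over-TLS --------------------------------
# Every query is handed to Cloudflare over TCP/853 inside TLS. unbound does
# no recursion here; Cloudflare does, and sees your whole query history.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # The "#hostname" suffix is the name unbound checks the certificate
    # against; together with tls-cert-bundle above it authenticates the
    # upstream. Without both, the TLS session is encrypted but unverified.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Two checks worth running after a change: `unbound-checkconf` to catch syntax errors before a restart, and a packet capture on the Pi (for example `tcpdump -ni eth0 port 53 or port 853`) while resolving a name you have not looked up before. In variant A you should see plain port-53 traffic to many different nameservers; in variant B you should see only port-853 traffic to the forwarders and nothing on port 53 leaving the box.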