Implementing DNS-Over-TLS

I have found several discussions on the Pi-hole userspace for DoT including a link to a Cloudflare package that is way too complicated for most. This is a simple way to add DoT with Stubby/Pi-hole.
I have successfully done this procedure on a Pi3B+ with Raspbian Buster and Ubuntu 18.04 and 20.04 server images. For this I'll stick with Buster.

  1. Install Pi-hole on your system. When asked for an Upstream DNS Server choose anything you want. I entered a custom server with my router LAN IP address. This will be modified later. Make sure Pi-hole is working.
  2. Install Stubby and its dependencies.
    sudo apt install stubby
  3. Make a directory for the DNSSEC keys.
    sudo mkdir /var/cache/stubby
  4. Make a backup of the default stubby.yml.
    sudo cp /etc/stubby/stubby.yml /etc/stubby/stubby.yml.bak
  5. Edit stubby.yml.
    sudo nano /etc/stubby/stubby.yml
    Here is an example of my stubby.yml:

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
round_robin_upstreams: 1
idle_timeout: 10000
tls_connection_retries: 5
tls_ca_path: "/etc/ssl/certs/"
listen_addresses:
  - 127.0.0.1@5453
  - ::1@5453
dnssec: GETDNS_EXTENSION_TRUE
appdata_dir: "/var/cache/stubby"
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
  - address_data: 149.112.112.112
    tls_auth_name: "dns.quad9.net"

  6. In the Pi-hole Admin Console, go to Settings - DNS and remove any prior upstream entries.
    In Custom 1 (IPv4) enter 127.0.0.1#5453
    If you use IPv6, in Custom 3 (IPv6) enter ::1#5453
    Note: You can use any loopback port you want, but I would avoid port 53.
  7. Restart Stubby.
    sudo service stubby restart

You can check that Stubby is working by watching its log output after entering:
    stubby -l
Stop the logging with Ctrl+C.

The stubby.yml example is set to use Quad9. Other upstream resolvers are available; see the stubby.yml.bak file.
This example has DNSSEC via Stubby enabled. If you test with the 1.1.1.1 help page, DoT will show as failed. This is a known issue when DNSSEC is enabled and is a Cloudflare problem.
Be careful when editing stubby.yml: mistakes in the file will keep Stubby from working properly.
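The guide ends with "watch stubby -l" and a warning that mistakes in stubby.yml cause problems. The script below is an added example (not part of the original post or of the Stubby project) that checks the things a defender actually cares about before restarting Stubby: the transport list contains only TLS (so queries cannot silently fall back to plaintext UDP/TCP), certificate authentication is required, every upstream has a tls_auth_name to authenticate against, and the listeners are on loopback only, so Stubby is reachable just from Pi-hole. It assumes the key names and layout of the stubby.yml shown in the guide; the optional live check assumes stubby's `-i` flag (validate the config and exit, as described in its usage text) and the `dig` and `ss` tools.

```shell
#!/bin/sh
# check_stubby.sh - added example, not from the original post.
# Static checks that a stubby.yml really enforces DNS-over-TLS, plus an
# optional live check on the Pi-hole host.  Assumes the key names used in
# the guide's stubby.yml.

# Print the config with comments removed, so the commented-out examples in the
# distro's default stubby.yml do not trigger false positives.
conf_lines() {
    sed 's/#.*$//' "$1"
}

# Returns 0 when the file passes every check, 1 otherwise; prints each finding.
check_stubby_conf() {
    conf="$1"
    problems=0
    if [ ! -r "$conf" ]; then
        echo "FAIL: cannot read $conf"
        return 1
    fi
    body=$(conf_lines "$conf")

    # Transport: only TLS.  A UDP or TCP entry lets queries fall back to plaintext.
    if printf '%s\n' "$body" | grep -Eq 'GETDNS_TRANSPORT_(UDP|TCP)([[:space:]]|$)'; then
        echo "FAIL: plaintext transport (UDP/TCP) listed in dns_transport_list"
        problems=$((problems + 1))
    fi
    if ! printf '%s\n' "$body" | grep -q 'GETDNS_TRANSPORT_TLS'; then
        echo "FAIL: GETDNS_TRANSPORT_TLS missing from dns_transport_list"
        problems=$((problems + 1))
    fi

    # Authentication: the upstream certificate must be verified against tls_auth_name.
    if ! printf '%s\n' "$body" | grep -Eq '^tls_authentication:[[:space:]]*GETDNS_AUTHENTICATION_REQUIRED'; then
        echo "FAIL: tls_authentication is not GETDNS_AUTHENTICATION_REQUIRED"
        problems=$((problems + 1))
    fi

    # Every upstream needs a tls_auth_name, otherwise there is nothing to authenticate.
    n_addr=$(printf '%s\n' "$body" | grep -c 'address_data:' || true)
    n_name=$(printf '%s\n' "$body" | grep -c 'tls_auth_name:' || true)
    if [ "$n_addr" -eq 0 ] || [ "$n_addr" -ne "$n_name" ]; then
        echo "FAIL: $n_addr upstream(s) but $n_name tls_auth_name entries"
        problems=$((problems + 1))
    fi

    # Listeners: Stubby should only be reachable from Pi-hole on loopback.
    exposed=$(printf '%s\n' "$body" \
        | grep -E '^[[:space:]]*-[[:space:]]*[^[:space:]]+@[0-9]+' \
        | grep -Ev '(127\.0\.0\.1|::1)@' || true)
    if [ -n "$exposed" ]; then
        echo "FAIL: non-loopback listen address:$exposed"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Optional live checks on the Pi-hole host; each one is skipped if its tool is absent.
live_check() {
    # stubby -i validates the config and exits without serving (assumption from its usage text).
    if command -v stubby >/dev/null 2>&1; then
        stubby -C "$1" -i >/dev/null && echo "OK: stubby accepts $1"
    fi
    # A query through the loopback listener should get a response.
    if command -v dig >/dev/null 2>&1; then
        dig +short @127.0.0.1 -p 5453 dns.quad9.net >/dev/null && echo "OK: query via 127.0.0.1#5453 got a response"
    fi
    # Stubby's upstream connections should be to port 853 (DoT); anything to port 53 is plaintext.
    if command -v ss >/dev/null 2>&1; then
        echo "Established connections to port 853:"
        ss -tn state established '( dport = :853 )'
    fi
}

# Usage: sh check_stubby.sh /etc/stubby/stubby.yml
if [ "$#" -gt 0 ]; then
    check_stubby_conf "$1" && live_check "$1"
fi
```

Run it against the edited file before `sudo service stubby restart`; a non-zero exit means one of the four properties above is missing, and each finding is printed so you know which line to fix.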
