Is this a solution for running a DoH server in front of Pi-hole?

Just came across this: Building and running your own DNS-over-HTTPS Server, which kind of covers what I (and some others) meant.

Now, would it be possible to realise this without a full-blown format, i.e., is there a way to add the functionality as described on that site to a running Pi-Hole installation?
Also, does it look like something the devs would approve of? (in terms of 'quality')?


What problem are you trying to solve?

IMHO, putting a DoH server in front of Pi-hole would only be a sensible choice if you were planning to access your Pi-hole remotely via public Internet, and likely not even then:
If you were using a VPN, that would already apply encryption - no need to encrypt your DNS requests to Pi-hole via DoH on top of that.
A VPN would be the proper way to access a Pi-hole remotely anyway, and it would allow you to access other services of your home network as well, not just DNS.

Main reason would be to have Chrome, Firefox and the like recognize an existing DoH server (Pi-Hole!) and use it.
I know that currently, all options still allow for manual configuration (i.e. disabling the DoH selection) but in the near future, this might not necessarily be the case anymore and having an existing DoH server selected might avoid an override by apps/OSes to one of their preferred DoH providers.

(thinking about it, could/should this be a feature request?)

That's avoiding my question somehow. :wink:

Let's take a look at the current browser support for DoH.

Chrome/Chromium

Chrome will switch to DoH if it decides your upstream OS level DNS supports DoH, or as Google themselves put it: "if your current DNS provider is known to support it."

That decision is based on (again quoting Google) "a list of DNS providers known to support DNS-over-HTTPS".

I think it's safe to assume your Pi-hole's name won't be on that list.

Chrome will thus "fall back to the regular DNS service", i.e. it will talk to your Pi-hole via plain port 53 DNS, regardless whether Pi-hole would support DoH or not.

On the other hand, Chrome may happily employ DoH to talk to alternate public DNS servers if it can access such a server that is on its list of DoH supporting providers.
This could be a public DNS server you may have configured as a fallback (against Pi-hole's advice to use only one), or your ISP's IPv6 DNS server offered by your router.
By using either of these, Chrome would bypass Pi-hole completely.


Firefox

Firefox's approach is different:
It allows users to configure a DoH provider of their choice, either by picking one from a list or by providing a custom one.

This may allow you to choose Pi-hole as DoH server, but it also poses a problem:
For nomadic devices like a laptop or a smartphone that you use at home as well as on the road, you'd have to manually switch your DoH provider any time you switch networks, on each such device.
You'll notice if you move from home to work soon enough, as lack of Pi-hole would mean no Internet fun.
But if you return home, public DNS providers would still work, and once you forget about this, your Firefox will bypass Pi-hole.

Unless you set up a canary domain (as Pi-hole does by default), which would prompt Firefox to automatically fall back to regular plain port 53 DNS services, i.e. it will talk to your Pi-hole via plain port 53 DNS once again.


Alas, both approaches have in common that they fall back to plain port 53 DNS if they figure DoH is not available. So in theory they should coexist nicely with Pi-hole while still providing DoH resolution when away from home. (Personally, I think Firefox's approach to be a bit more user-friendly.)

As both browsers do fall back to plain DNS anyway, there would be no point in supporting DoH on Pi-hole, would there?

Which brings me back to my question:
What problem are you trying to solve by making Pi-hole resolve DoH?

Or to put it differently:
Why would you want to encrypt DNS requests in your home network?

To me, the main benefit of DoH would be safer DNS while on the road joining a public WLAN, where third-party prying is most likely.

If keen, we could also encrypt our upstream DNS requests leaving our home networks (by any means, e.g. dnscrypt, DoT, DoH,...), but I doubt our DNS history is any more private than before.
It'll just be our DoH providers instead of our ISPs who are monetising on it. We might end up having to pay more for our Internet plans.

But the benefit of using DoH within a home network doesn't seem so evident to me.

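The canary-domain fallback described in the reply above can be verified against your own resolver. The following checker is an added example, not code from the thread or from the Pi-hole project: it sends a plain UDP/53 query for Mozilla's canary domain `use-application-dns.net` to a resolver address you supply and reports whether the reply would make Firefox stay on plain DNS (Firefox treats any reply without A/AAAA records, NXDOMAIN included, as the opt-out signal). `make_reply` builds constructed replies so the parsing can be exercised offline.

```python
import socket, struct

CANARY = "use-application-dns.net"  # Mozilla's canary domain: no A/AAAA answer => Firefox keeps plain DNS

def build_query(name, txid=0x1234):
    # Minimal DNS query: header (RD set, 1 question) + QNAME + QTYPE A + QCLASS IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def skip_name(msg, off):
    # Advance past a DNS name, whether written out label by label or as a compression pointer
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + 2 if msg[off] & 0xC0 == 0xC0 else off + 1

def parse_response(msg):
    # Return (RCODE, [record types in the answer section])
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return flags & 0x0F, types

def canary_disables_doh(msg):
    # Firefox's heuristic: any reply without A (1) or AAAA (28) records (NXDOMAIN included) disables DoH
    _, types = parse_response(msg)
    return not any(t in (1, 28) for t in types)

def make_reply(query, rcode, a_record=None):
    # Constructed reply for offline testing: echoes the question, optionally adds one A record
    hdr = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 1 if a_record else 0, 0, 0)
    body = query[12:]
    if a_record:  # name as pointer to the question at offset 12, TTL 60, 4-byte RDATA
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a_record)
    return hdr + body

def check_resolver(server, timeout=2.0):
    # Live check against a resolver on UDP/53, e.g. your Pi-hole's address (assumed, supplied by caller)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(CANARY), (server, 53))
        data, _ = s.recvfrom(512)
    return canary_disables_doh(data)
```

Against a default Pi-hole, `check_resolver("<pi-hole address>")` should return True, since Pi-hole answers the canary domain with NXDOMAIN; a public resolver that returns an A record yields False.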

Agreed, I thought we could have Firefox, Chrome or whatever see Pi-Hole as a DoH provider but clearly they won't. Thanks for taking the time to clarify!

(I still share the concerns as voiced in this topic...)
