No internet with Pi-Hole when using Android's Private DNS feature

aoude · August 18, 2024, 6:33pm

The issue I am facing:
I have setup a Pi-hole instance in docker with a subdomain but when I point devices to pihole.domain.dev I have no internet access. I was expecting to people to set this up on a per device basis (ex. Android device set the Private DNS Mode's Private DNS provider hostname to pihole.domain.dev).

Details about my system:
I have a docker setup using jwilder/nginx-proxy and nginxproxy/acme-companion to provide a proxy with certificates for my subdomains. My pihole is setup using pihole/pihole:latest and has a config like so:

version: '3'

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    networks:
      - cloud
    environment:
      - TZ='America/Boston'
      - VIRTUAL_HOST=pihole.${DOMAIN}
      - LETSENCRYPT_HOST=pihole.${DOMAIN}
      - PIHOLE_DOMAIN=pihole.${DOMAIN}
      - WEBPASSWORD=${PASSWORD}
      - SERVER_IP=${SERVER_IP}
    volumes:
      - './etc-pihole:/etc/pihole'
      - './etc-dnsmasq.d:/etc/dnsmasq.d'
    restart: unless-stopped

networks:
  cloud:
    external:
      name: cloud

What I have changed since installing Pi-hole:
Nothing, just using the default settings after creating a container using the above docker-compose.yml

I may be misunderstanding something fundamental about setting up Pi-hole, but my intention was to use the subdomain to set things up on a per device basis (not interested in setting it up on my LAN for DHCP at this moment until I use it a bit more).

Bucking_Horn · August 18, 2024, 7:40pm

Pi-hole is intended to run as a filtering DNS resolver within the bounds of a private network. As such, it listens on the standard DNS port 53.

Android's Private DNS employs DNS over TLS to talk to a public resolver over an encrypted connection via port 853.

If you want to use Android's Private DNS feature with Pi-hole, you'd need a DoT proxy that would accept and decrypt requests on port 853 and then forward them to Pi-hole on port 53.

aoude · August 18, 2024, 10:15pm

Thanks for your reply. I'm looking into setting up DoT with adguard/dnsproxy, can you tell me or point me in the direction of how I might forward requests to Pi-hole? I understand setting the custom DNS option in the admin panel but that would be Pi-hole forwarding to a DNS rather than the DoT proxy forwarding requests to Pi-hole, right?

Bucking_Horn · August 19, 2024, 5:53am

As Pi-hole is indifferent to clients requests by default, it would not require any additional configuration. Your chosen DoT proxy would just be another client, probably its only one.

For your DoT proxy software, you'd have to make sure that Pi-hole would be its only upstream, lest it may be by-passed via any alternative.
For details on how to configure that with your chosen DoT proxy, you'd have to consult that specific software's documentation and support.

aoude · August 20, 2024, 1:34am

Thanks for your reply again, I was able to setup a compose file that did as you said. Posting here in case it's helpful for others. I also have a separate compose file using the cloud network that contains my nginx-proxy and letsencrypt certificate management.

version: '3'

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    networks:
      - cloud
    environment:
      - TZ='America/Boston'
      - VIRTUAL_HOST=pihole.${DOMAIN}
      - LETSENCRYPT_HOST=pihole.${DOMAIN}
      - PIHOLE_DOMAIN=pihole.${DOMAIN}
      - WEBPASSWORD=${PASSWORD}
      - SERVER_IP=${SERVER_IP}
    volumes:
      - ~/docker_pihole/etc-pihole:/etc/pihole
      - ~/docker_pihole/etc-dnsmasq.d:/etc/dnsmasq.d
    restart: unless-stopped
  dnsproxy:
    container_name: dnsproxy
    image: adguard/dnsproxy
    networks:
      - cloud
    ports:
      - "853:853/tcp"
      - "853:853/udp"
    environment:
      - VIRTUAL_HOST=dns.${DOMAIN}
      - LETSENCRYPT_HOST=dns.${DOMAIN}
    entrypoint: sh -c "/opt/dnsproxy/dnsproxy -b $$(getent hosts pihole | awk '{ print $$1 }') --upstream $$(getent hosts pihole | awk '{ print $$1 }') --tls-port=853 --tls-crt='/certs/fullchain.pem' --tls-key=/certs/key.pem -l 0.0.0.0"
    volumes:
      - ~/docker_dnsproxy/dnsproxy_config.yaml:/opt/dnsproxy/config.yaml:ro
      - ~/docker_nginx_letsencrypt/certs/dns.${DOMAIN}:/certs/:ro

networks:
  cloud:
    external:
      name: cloud

system · September 10, 2024, 1:34am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.