Pi-hole for DNS-over-TLS - the Simplest Way

If you are trying to use Pi-hole as a DNS-over-TLS endpoint, here is how I did it, in the lightest-weight way possible: using stunnel. Why stunnel? Because it is the simplest, lightest-weight solution that purely acts as an SSL/TLS termination layer, and from there on it is just a TCP proxy. That means it is much more lightweight than a full-blown web server like nginx, which is commonly used for this.

stunnel terminates the incoming TLS connection and forwards TCP to FTL, presumably running on localhost:53. You can then point your various devices at it (e.g. Android 9+ supports DoT as “private DNS” under advanced settings).

# cat /etc/stunnel/dot.conf
pid = /var/run/stunnel-dot.pid

[dot]
; listen on the DoT port (RFC 7858); with no address given, stunnel binds all interfaces
accept = 853
; TLS 1.2 only; newer stunnel releases also accept sslVersionMin = TLSv1.2 to allow 1.3 as well
sslVersion = TLSv1.2
; forward the decrypted TCP stream to pihole-FTL on the local DNS port
connect = 127.0.0.1:53
; Let's Encrypt certificate chain and key for the hostname clients will verify;
; the key must be readable by the user stunnel runs as
cert = /etc/letsencrypt/live/pihole.my.domain/fullchain.pem
key = /etc/letsencrypt/live/pihole.my.domain/privkey.pem
; CA store; only consulted when client-certificate verification (verify = ...) is enabled
CAfile = /etc/pki/tls/certs/ca-bundle.crt
CApath = /etc/pki/tls/certs
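A way to check that the stunnel endpoint described above actually speaks DNS-over-TLS, as an added example that is not part of the original post: a minimal RFC 7858 client in Python. It assumes stunnel is listening on port 853 of pihole.my.domain with a certificate that chains to a CA in the system trust store; the hostname, the query ID 0x1234 and the helper names are this example's own choices. The wire-format functions run offline; only dot_query needs the network.

```python
"""Minimal DNS-over-TLS (RFC 7858) client for checking a stunnel/Pi-hole DoT endpoint.

Added example, not code from the forum post. Assumes the stunnel service from
the post is reachable on pihole.my.domain:853 and presents a publicly trusted
certificate (the Let's Encrypt one referenced in the config).
"""
import socket
import ssl
import struct

QUERY_ID = 0x1234  # arbitrary; the response must echo it back


def build_query(name, qtype=1, qid=QUERY_ID):
    """Build a DNS query message (RFC 1035): header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame(msg):
    """DNS over TCP (and therefore DoT) prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(msg, off):
    """Return the offset just past a domain name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes and ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, expected_qid=None):
    """Return (rcode, [IPv4 strings]) from a DNS response; reject ID mismatches and non-responses."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_qid is not None and qid != expected_qid:
        raise ValueError("response ID %#x does not match query ID %#x" % (qid, expected_qid))
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):  # skip the echoed question section (name + type + class)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, addrs


def _recv_exact(sock, n):
    """Read exactly n bytes from a stream socket or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(server, name, port=853, timeout=5.0):
    """Send one A query over TLS to server:port, verifying the chain and hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # same floor as the stunnel config
    query = build_query(name)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            response = _recv_exact(tls, length)
    return parse_a_records(response, expected_qid=QUERY_ID)


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "pihole.my.domain"
    for qname in sys.argv[2:] or ["example.com"]:
        print(qname, dot_query(server, qname))
```

Run it as `python3 dot_check.py pihole.my.domain example.com some-blocked-ad-domain` from a machine on the LAN. A TLS handshake failure here means the certificate or hostname does not match what the config serves, a timeout usually means FTL is not listening on 127.0.0.1:53 or port 853 is firewalled, and a name on a blocklist should come back as 0.0.0.0 under Pi-hole's default null blocking mode.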

Stunnel brings back old memories and has helped me a lot of times.

I still have to try this package:

https://securesocketfunneling.github.io/ssf/#how-to-browse-privately