Pi-hole for DNS-over-TLS - the Simplest Way

If you are trying to use pihole as a DNS-over-TLS endpoint, here is how I did it, in the lightest weight way possible: using stunnel. Why stunnel? Because it is the simplest, lightest weight solution that purely acts as an SSL/TLS termination layer and from there on it is just a TCP proxy. That means it is much more lightweight than a full-blown web server like nginx, which is commonly used for this.

stunnel terminates the incoming TLS connection and forwards TCP to FTL, presumably running on localhost:53. You can then point your various devices at it (e.g. Android 9+ supports DoT as "private DNS" under advanced settings).

# cat /etc/stunnel/dot.conf 
pid = /var/run/stunnel-dot.pid

[dot]
accept = 853
sslVersion = TLSv1.2
connect = 127.0.0.1:53
cert = /etc/letsencrypt/live/pihole.my.domain/fullchain.pem
key = /etc/letsencrypt/live/pihole.my.domain/privkey.pem
CAfile = /etc/pki/tls/certs/ca-bundle.crt
CApath = /etc/pki/tls/certs

Thank you!

That conf worked almost out of the box on my Linux Mint 20.1.
After removing the bottom two lines about CA, setting the pid to be in /var/run/stunnel4/ and choosing to add the host to the accept line (so it doesn't run on all interfaces), everything ran fine.

I used this tool to verify that the DoT worked.
Didn't want to switch my phone over till I knew it was working.

Seems stunnel doesn't log anything to its own file, and only to /var/log/syslog.

Ah, found that one has to set it in the conf!
output = /var/log/stunnel4/stunnel.log

Also, disabling duplicate logging to syslog.
syslog = no
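The first post describes the setup (TLS terminated by stunnel on port 853, plain DNS over TCP to FTL behind it) and the reply mentions checking that DoT actually works before pointing a phone at it. The following is an added example, not code from either poster or from the Pi-hole or stunnel projects: a minimal DoT client using only the Python standard library that verifies the server certificate against the system CA store (so a Let's Encrypt chain like the one in the config above is accepted), enforces TLS 1.2 or newer, sends one A query with the 2-byte length framing DoT inherits from DNS over TCP, and reports the response code. The host and query name are assumed placeholders.

```python
import socket
import ssl
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query (RD=1) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def frame(msg: bytes) -> bytes:
    """DoT (RFC 7858) reuses DNS-over-TCP framing: 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def parse_response(msg: bytes, expected_id: int) -> dict:
    """Check the header of a DNS reply and return its rcode and answer count."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch: %04x != %04x" % (txid, expected_id))
    return {"is_response": bool(flags & 0x8000), "rcode": flags & 0x000F, "answers": an}

def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes; TLS records need not align with DNS messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full DNS message")
        buf += chunk
    return buf

def dot_query(host: str, name: str, port: int = 853, server_name: str = None) -> dict:
    """Send one A query over DNS-over-TLS with full certificate and hostname checks."""
    ctx = ssl.create_default_context()          # CA chain + hostname verification
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # mirrors sslVersion = TLSv1.2 above
    txid = 0x1234
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
            tls.sendall(frame(build_query(name, txid)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, length), txid)

if __name__ == "__main__":
    # Placeholder hostname; must match the certificate served by stunnel.
    print(dot_query("pihole.my.domain", "pi.hole"))
```

A result with `is_response` true and `rcode` 0 means the TLS handshake, certificate validation and the TCP hand-off to FTL all worked; a handshake failure rather than a DNS error points at the cert/key or sslVersion lines in the stunnel config.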