I own a personal domain - let us call it domainiown.com. I have created DNS entries (A records only) with the registrar pointing to my home IP address (static, with inbound ports open). If I do an nslookup against this, I can see the queries in Pi-Hole.
However, when I enter this into the private DNS setting of my phone, it fails. I reckon this is a problem with DNS over TLS as opposed to standard DNS resolving on port 53.
Can someone guide me on how to enable DNS over TLS, or RFC 7858? I did find a post here. However, I am looking to enable DNS over TLS. Any ideas for that?
Thank you for the heads up regarding DNS servers being run by customers and ISPs disliking it.
Is there a way to still implement what I want? I want DNS traffic to be handled by Pi-Hole. Currently I do it via PiVPN on devices, forcing Pi-Hole as the only DNS server.
Hi, thanks for taking the time to go through the thread. The following is the configuration I have done, but it is not working.
With the hosting service provider, I've created the following records to point to my ISP-assigned static IP address.
dns.domainiown.com --> A record --> @ record --> TXT Record --> point to my IP address.
On my home ISP router, I have created an inbound NAT rule for the requests:
WAN ports: 53 & 853, protocol: TCP and UDP; LAN IP: Pi-Hole IP address.
Pi-Hole has UFW running, which I've disabled for testing.
On the Pi-Hole, I have DNSSEC enabled, pointing to an upstream server, and the DNS resolution always shows as "INSECURE".
With this configuration, I can at times see requests being forwarded to 127.0.0.1 in a loop, but my phone shows no internet.
I enter dns.domainiown.com in the private DNS server's settings.
What am I doing wrong and how do I rectify?
The attached screenshot below shows normal traffic as I see it without the above-mentioned configuration. When I tail the logs, I see a loop of requests.
I have set up Pi-Hole and PiVPN and they work seamlessly. So when I am on the VPN I see DNS requests to Pi-Hole; however, even after disabling DNS requests to 8.8.8.8 (fallback to Google DNS is disabled as part of the OpenVPN application settings on the phone), I still see DNS requests going to Google. Hence, to achieve my end result of having no DNS leakage, I will need to set this up.
Yes, my ultimate goal is to use DNS over TLS for all devices, served through Pi-Hole. When my devices are not connected to the home network, I would want to use Android's feature (private, hostname-based DNS) to route all DNS queries to Pi-Hole to ensure I log and filter them.
Thank you very much.
Yes, Pi-hole is deployed on the home network. I have my home router as the gateway, routing all DNS to Pi-Hole.
For PiVPN all connections route DNS to Pi-Hole directly.
The functional goal would be to log, filter and review DNS entries of all personal devices, irrespective of their network location.
I'm not an Android person, but I don't think you can use this "Private DNS" feature to do what you want, as Pihole doesn't respond to DNS over TLS (or HTTPS). If you use "Private DNS" to connect to a public DNS provider with TLS, you'll lose your Pihole blocking as a result.
However, Pihole can work with an additional component to secure your DNS traffic. For example, on my home network, DNS requests flow like this:
My Device -- Pihole -- Unbound -- Cloudflare DNS over TLS
(Unbound is serving a similar purpose as cloudflared in the Pihole DNS-over-HTTPS docs.)
On Pihole, my "Upstream DNS Server" is set to "192.168.1.3#5354". Disable "Use DNSSEC" under "Advanced DNS Settings". On your home network, set your device's DNS server to the Pihole IP (manually or via DHCP) and ignore Android's "Private DNS" feature. On a cellular network, use a VPN to avoid your cellular provider's DNS and use your Pihole instead.
Get the basic flow working on your home network before moving on to the cellular side.
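The exchange behind Android's "Private DNS" setting (the RFC 7858 mechanism asked about at the top of the thread, and the reason the reply above says a Pi-hole that only answers plain port-53 DNS cannot serve it), as an added example that is not code from this thread or from the Pi-hole project. It opens a TLS session to port 853, verifies the server certificate against the configured hostname, and then sends an ordinary DNS query with the two-byte length prefix that DNS over TCP uses. The server name dns.example.net is a placeholder, and the response bytes used in the offline check are constructed.

```python
"""Minimal DNS-over-TLS (RFC 7858) client, added as an example for this thread.

What Android "Private DNS" does on the wire: TLS to port 853 with the
configured hostname as SNI and for certificate verification, then plain
DNS-over-TCP framing (2-byte big-endian length prefix) inside the tunnel.
A NAT rule that forwards 853 to a resolver listening only on 53 fails
before any DNS is exchanged; this script shows at which step.
"""
import socket
import ssl
import struct

QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Build a standard DNS query (QR=0, RD=1, one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % name)
        qname += bytes([len(label)]) + label.encode("ascii")
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """RFC 1035 4.2.2 framing, which DoT reuses inside TLS."""
    return struct.pack("!H", len(msg)) + msg


def _read_name(data: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(data[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Check txid and QR bit, then collect A/AAAA answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("message is not a response")
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, "A", socket.inet_ntop(socket.AF_INET, rdata), ttl))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            answers.append((name, "AAAA", socket.inet_ntop(socket.AF_INET6, rdata), ttl))
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": answers}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def query_dot(server: str, name: str, qtype: int = QTYPE_A, port: int = 853,
              timeout: float = 5.0, txid: int = 0x1234) -> dict:
    """Resolve `name` over DoT; `server` must be the hostname on the certificate."""
    ctx = ssl.create_default_context()  # system CA bundle + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame_tcp(build_query(name, qtype, txid)))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return parse_response(_recv_exact(tls, length), txid)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "dns.example.net"  # placeholder
    try:
        print(query_dot(target, "pi-hole.net"))
    except ssl.SSLError as e:
        print("TLS handshake failed (no DoT listener or certificate not valid for name):", e)
    except OSError as e:
        print("connection failed:", e)
```

Run it with the hostname you typed into Private DNS. A "connection refused" or timeout means nothing is listening on 853 behind the NAT rule; an SSL error means something answered but did not present a certificate the phone's CA store would accept for that exact name. Pi-hole's resolver does not terminate TLS itself, so the hostname has to land on something that does and then hands the plain query on.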
Sure, I will work on this. Any guide for Unbound? Also, does the DNSSEC feature not help? I tested using the link in Pi-Hole and DNSSEC was working correctly as per the test. I understand that DNSSEC is fully different from DNS over TLS, but before I try altering the configuration I wanted to be sure.
Using my example above, DNSSEC is redundant and unnecessary. My Pihole would be using DNSSEC only as far as my Unbound server. My Unbound server could use DNSSEC with an upstream DNS provider, but I'm already protected by using DNS over TLS between Unbound and Cloudflare.
Of course, I have to trust Cloudflare's responses as accurate and correct, as I would for any upstream provider, but since they are encrypted by TLS, I can be fairly confident they haven't been manipulated or altered by a third party while in transit.
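An Unbound forwarder that matches the flow in the two replies above (Pi-hole to Unbound to Cloudflare over TLS), as an added example and not the replying poster's actual file. The listen address 192.168.1.3 and port 5354 follow the upstream setting quoted above and are assumptions for your own network; the CA bundle path is Debian's default.

```conf
# /etc/unbound/unbound.conf.d/pi-hole.conf
# Added example for this thread, not a file from it. Unbound acts only as a
# TLS forwarder here: Pi-hole sends plain DNS to it, it sends DoT upstream.
server:
    # Assumed address of the Unbound host; use 127.0.0.1 if it runs on the
    # same machine as Pi-hole.
    interface: 192.168.1.3
    port: 5354
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # Only Pi-hole (and the box itself) may query this forwarder; never
    # expose it on the WAN side.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # The only certificate material needed: the CA bundle used to verify
    # the upstream's certificate. Unbound presents no certificate of its own
    # in this role.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # The name after '#' is what Unbound checks the upstream certificate
    # against; without it the TLS session is encrypted but unauthenticated.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Check the file with `unbound-checkconf`, restart Unbound, and test it the same way the thread does, with `dig @192.168.1.3 -p 5354 pi-hole.net`, before pointing Pi-hole's upstream at `192.168.1.3#5354`. Leaving out the `#cloudflare-dns.com` authentication name is the setting to avoid: the connection still encrypts, but nothing checks who is on the other end.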
I am carrying out the changes right now. Should I use your configuration as is, or is there a requirement to mention the certificate somewhere (I did not grasp that one either)?
Thank you very much. I have slowed down and will do more research before moving ahead. I will read up on why I am making these changes. Once I'm done, I will let you know.
Hi, I have finally managed to try this out. I carried out the installation from "Configure Pi Hole for DNS Over TLS" and used your configuration in /etc/unbound/unbound.conf.d/pi-hole.conf. After putting in the required configuration, I am unable to run the test command using "dig":
dig @127.0.0.1 cloud.maniarfamily.com -p 5353
which returns
; <<>> DiG 9.10.3-P4-Raspbian <<>> @127.0.0.1 cloud.maniarfamily.com -p 5353
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
I have retried after disabling UFW (firewall) and also after putting a space in the line before the # sign.
There is nothing inside unbound.conf except a line to include everything from /etc/unbound/unbound.conf.d/*.conf. Give me a few minutes, I will send its output too.
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"
Here is the output of pi-hole.conf under /etc/unbound/unbound.conf.d: