Private DNS Hostname

#1

I have not uploaded a debug token as I don’t reckon the Pi-Hole systems I’ve deployed are broken. I am trying to deploy Pi-Hole as a “private DNS hostname” for Android devices at my home. Google released Private DNS Hostname with Android P. You can read more at: https://blog.cloudflare.com/enable-private-dns-with-1-1-1-1-on-android-9-pie/ or https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html

I own a personal domain - let us call it domainiown.com. I have created DNS entries (A records only) with the registrar pointing to my home IP address (static, with inbound ports open). If I do nslookup to this, I can see queries in Pi-Hole.

However, when I enter this into private DNS of phone it fails. I reckon this is a problem with DNS over TLS as opposed to standard DNS resolving on port 53.

Can someone guide me on how to enable DNS over TLS or RFC 7858? I did find a post here - https://docs.pi-hole.net/guides/dns-over-https/. However, I am looking to enable DNS over TLS. Any ideas for that?

0 Likes

#2

Pihole only provides plain DNS. If you want to use secure DNS then you have to add a program between pihole and external access.
I would advise against having pihole accessible from the internet (public) because ISPs really don’t like to see that being the case. (DDOS)

0 Likes

#3

Thank you for the heads up regarding DNS servers being run by customers and ISPs disliking it.

Is there a way to still implement what I want? I want DNS traffic to be addressed by Pi-Hole. Currently I do it via PiVPN on devices, forcing only Pi-Hole as the DNS server.

I have tried to follow this article but it is redirecting queries in a loop. Could you please check and guide.
https://bartonbytes.com/posts/configure-pi-hole-for-dns-over-tls/

0 Likes

#4

I read the article and it is the standard unbound config (a bit outdated but it should still work) sitting in front of the pihole. I use such a config myself and it is an upstream config.

If you are coming from outside you have to make the requests to pihole, which upstreams that request to unbound, which upstreams it again to public DNS servers over a secure connection.

So it is more a U-turn that you make.

PS: the listening port of unbound is 5353 and port 853 is the port on the upstream public servers. So pihole contacts unbound on 5353.

0 Likes

#5

Hi, thanks for taking the time to go through the thread. Following is the configuration I have done but it is not working.

With the hosting service provider, I’ve created the following records to point to my ISP-assigned static IP address.

  1. dns.domainiown.com --> A record --> @ record --> TXT Record --> point to my IP address.

On my home ISP router, I have created inbound NAT for the requests

  1. WAN port: 53 & 853, protocol: TCP and UDP; LAN IP: Pi-Hole IP address.

Pi-Hole has UFW running, which I’ve disabled for the testing.

On the Pi-Hole, I have DNSSEC enabled pointing to an upstream server, which always gets the DNS resolution as “INSECURE”.

When I put this configuration, I can see requests being forwarded to 127.0.0.1 in a loop at times but my phone shows no internet.

I enter dns.domainiown.com in the private DNS server’s settings.

What am I doing wrong and how do I rectify?

The attached screenshot below is normal traffic as I see it without the above-mentioned configuration. When I tail the logs, I see a loop of requests.

0 Likes

#6

Do you have ports 53 and 853 open to the Internet? Unbound uses port 853 to reach the upstream server you have set in unbound. You don’t provide port 853 yourself because it needs a certificate and much more knowledge.

The best is to first close the ports you enabled because it is dangerous.
Then test and complete pihole+unbound so that it is working.
Then only go over a VPN from the outside to your pi-hole.

0 Likes

#7

Thank you for that. I have closed inbound ports (removed NAT rules).

  1. Even when I follow the article fully, the dig request @127.0.0.1 on port 5353 as per the configuration fails.

  2. I can get a letsencrypt certificate for dns.domainiown.com if need be. Pi-Hole anyway has a web server built in.

  3. My final implementation needs to have the private DNS name as described here - https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html - working on an Android phone.

Could you kindly guide me on that.

I have set up Pi-Hole and PiVPN and they work seamlessly. So when I am on VPN I see DNS requests to Pi-Hole; however, even after disabling DNS requests to 8.8.8.8 (Fallback to Google DNS is disabled as part of the OpenVPN application settings on the phone), I see DNS requests going to Google. Hence, to achieve my end result of not having DNS leakage, I will need to set this up. :slight_smile:

0 Likes

#8

So what is your ultimate functional (not technical) goal here?

Do you want to have secure, encrypted DNS requests from your devices on your home network (and/or cellular network)?

Is your Pihole already deployed on your home network?

0 Likes

#9

Yes, my ultimate goal is to use DNS over TLS for all devices, served through Pi-Hole. When my devices are not connected to the home network, I would want to use Android’s feature (private hostname-based DNS) to route all DNS queries to Pi-Hole to ensure I log and filter them.

Thank you very much.

Yes, Pi-hole is deployed on the home network. I have my home router as the gateway, routing all DNS to Pi-Hole.

For PiVPN all connections route DNS to Pi-Hole directly.

The functional goal would be to log, filter and review DNS entries of all personal devices, irrespective of their network location.

0 Likes

#10

I’m not an Android person, but I don’t think you can use this “Private DNS” feature to do what you want, as Pihole doesn’t respond to DNS over TLS (or HTTPS). If you use “Private DNS” to connect to a public DNS provider with TLS, you’ll lose your Pihole blocking as a result.

However, Pihole can work with an additional component to secure your DNS traffic. For example, on my home network, DNS requests flow like this:

My Device – Pihole – Unbound – Cloudflare DNS over TLS

192.168.1.100 – 192.168.1.3:53 – 192.168.1.3:5354 – 1.1.1.1:853

(Unbound is serving a similar purpose as cloudflared in the Pihole DNS-over-HTTPS docs.)

On Pihole, my “Upstream DNS Server” is set to “192.168.1.3#5354”. Disable “Use DNSSEC” under “Advanced DNS Settings”. On your home network, set your device’s DNS server to the Pihole IP (manually or via DHCP) and ignore Android’s “Private DNS” feature. On a cellular network, use a VPN to avoid your cellular provider’s DNS and use your Pihole instead.

Get the basic flow working on your home network before moving on to the cellular side. :slight_smile:

0 Likes

#11

Sure, I will work on this. Any guide for Unbound? Also, does the DNSSEC feature not help? I tested using the link in Pi-Hole and DNSSEC was working correctly as per the test. I understand that DNSSEC is fully different from DNS over TLS, but before I try altering the configuration I wanted to be sure.

0 Likes

#12

Using my example above, DNSSEC is redundant and unnecessary. My Pihole would be using DNSSEC only as far as my Unbound server. My Unbound server could use DNSSEC with an upstream DNS provider, but I’m already protected by using DNS over TLS between Unbound and Cloudflare.

Of course, I have to trust Cloudflare’s responses as accurate and correct, as I would for any upstream provider, but since they are encrypted by TLS, I can be fairly confident they haven’t been manipulated or altered by a third party while in transit.

0 Likes

#13

Perfect, I am going to work on Unbound tonight. Any guides to help me start?

0 Likes

#14

I compared the given config for unbound and my own and I have changed it:

```
## DNS Over TLS, Simple ENCRYPTED recursive caching DNS, TCP port 853
## unbound.conf – original at https://calomel.org/unbound_dns.html
# edited by bartonbytes.com
server:
    access-control: 127.0.0.0/8 allow
    cache-max-ttl: 14400
    cache-min-ttl: 600
    do-tcp: yes
    hide-identity: yes
    hide-version: yes
    interface: 127.0.0.1
    minimal-responses: yes
    prefetch: yes
    qname-minimisation: yes
    rrset-roundrobin: yes
    use-caps-for-id: yes
    verbosity: 1
    port: 5353
    # to verify the upstream name given after '#', unbound also needs a CA bundle
    # (tls-cert-bundle or tls-system-cert) set in this section
#
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

Removed the SSL line and added the TLS line. Also the domain mentioned in the certificate has to be stated.

**forward-tls-upstream: yes**
**forward-addr: 9.9.9.9@853#dns.quad9.net**

DNSSEC is a protection against spoofing of the returned IP address when you make the request to the upstream DNS. If you have it available then I advise using it also.

0 Likes
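The two recurring problems in this thread are the forwarding loop (Pi-hole and unbound pointing at each other) and an unbound forward zone that is not actually doing DNS over TLS. The following is an added example, not code from the Pi-hole or unbound projects, that parses an unbound.conf in the flat `key: value` layout shown above and checks the chain from post #10 (device -> Pi-hole:53 -> unbound on its own port -> public resolver on 853). It assumes Pi-hole and unbound run on the same host, with Pi-hole on port 53; the sample configs, the `tls-cert-bundle` path and the Pi-hole upstream strings are constructed for the example.

```python
"""Lint a Pi-hole -> unbound -> DNS-over-TLS chain for the mistakes seen in the thread."""
import re

SECTION_RE = re.compile(r"^([a-z-]+):\s*$")
KV_RE = re.compile(r"^([a-z-]+):\s*(.*?)\s*$")
# unbound's forward-addr syntax: ip[@port][#auth-name]
FORWARD_ADDR_RE = re.compile(
    r"^(?P<ip>[0-9a-fA-F:.]+)(?:@(?P<port>\d+))?(?:#(?P<auth>[^\s#]+))?$")
LOOPBACK = {"127.0.0.1", "::1"}
ANY_ADDR = {"0.0.0.0", "::", "::0"}

# Constructed sample in the style of the thread's config, with a CA bundle added
# (the bundle path is an assumption; it differs per distribution).
SAMPLE_UNBOUND_CONF = """\
## DNS over TLS: unbound listens locally and forwards to Quad9 on 853
server:
    access-control: 127.0.0.0/8 allow
    interface: 127.0.0.1
    port: 5353
    do-tcp: yes
    qname-minimisation: yes
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt  # assumed path
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
"""

# Constructed example of the looping setup: unbound forwards back to the
# Pi-hole listener on port 53, which forwards back to unbound, forever.
LOOPING_UNBOUND_CONF = """\
server:
    interface: 127.0.0.1
    port: 5353
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@53
"""


def _strip_comment(line):
    # '#' starts a comment only at line start or after whitespace; inside a
    # token such as 9.9.9.9@853#dns.quad9.net it separates the auth name.
    return re.sub(r"(^|\s)#.*$", "", line).strip()


def parse_unbound_conf(text):
    """Parse the flat 'key: value' layout into {section: {key: [values]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current.setdefault(m.group(1), []).append(m.group(2).strip('"'))
    return sections


def lint_chain(unbound_conf, pihole_upstream, pihole_port="53"):
    """Check the Pi-hole -> unbound -> DoT wiring; return a list of findings (empty = OK).

    pihole_upstream is Pi-hole's 'Upstream DNS Server' value, e.g. '127.0.0.1#5353'.
    """
    cfg = parse_unbound_conf(unbound_conf)
    server, zone, findings = cfg.get("server", {}), cfg.get("forward-zone", {}), []

    # unbound listens on localhost:53 unless interface/port say otherwise
    listen_ip = server.get("interface", ["127.0.0.1"])[0]
    listen_port = server.get("port", ["53"])[0]
    if listen_ip in ANY_ADDR:
        findings.append("unbound listens on all interfaces; bind it to loopback or the LAN address only")

    # Pi-hole writes its upstream as ip#port; port 53 when omitted
    up_ip, _, up_port = pihole_upstream.partition("#")
    up_port = up_port or "53"
    ip_ok = listen_ip in ANY_ADDR or up_ip == listen_ip
    if not ip_ok or up_port != listen_port:
        findings.append(f"pi-hole upstream {up_ip}#{up_port} does not match unbound listener "
                        f"{listen_ip}:{listen_port}")

    if zone.get("forward-tls-upstream", ["no"])[0] != "yes":
        findings.append("forward-tls-upstream is not 'yes': upstream queries leave in plaintext")
    if not (server.get("tls-cert-bundle") or server.get("tls-system-cert", ["no"])[0] == "yes"):
        findings.append("no tls-cert-bundle/tls-system-cert: unbound cannot verify the upstream certificate")

    host_addrs = LOOPBACK | {up_ip, listen_ip}  # addresses of the Pi-hole/unbound host
    for addr in zone.get("forward-addr", []):
        m = FORWARD_ADDR_RE.match(addr)
        if not m:
            findings.append(f"unparseable forward-addr {addr!r}")
            continue
        ip, port, auth = m.group("ip"), m.group("port") or "53", m.group("auth")
        if ip in host_addrs and port in (pihole_port, listen_port):
            findings.append(f"forward-addr {addr} points back at this host: forwarding loop")
        if port != "853" or auth is None:
            findings.append(f"forward-addr {addr} should be ip@853#name for DNS over TLS")
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_UNBOUND_CONF), ("looping", LOOPING_UNBOUND_CONF)):
        print(label, lint_chain(conf, "127.0.0.1#5353") or "OK")
```

Run it as a file and it reports the sample config as OK and lists the loop, the missing `forward-tls-upstream` and the missing CA bundle for the looping one; pointing the Pi-hole upstream at `127.0.0.1#53` instead of unbound's port is reported as a listener mismatch, which is the other way the loop in post #5 arises.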

#15

Perfect, I will try and let you know.

0 Likes

#16

I am sorry, I did not grasp this. How do I configure this?

0 Likes

#17

https://www.nlnetlabs.nl/documentation/unbound/howto-anchor/

I think that is enabled in the default config, and you have to set the time on the device it is running on to the correct (local) time.

But first get the pihole working through unbound and then extend it step by step.

0 Likes

#18

I am carrying out the changes right now. Should I use your configuration as is, or is there a requirement to mention the certificate somewhere (I did not grasp that one either)?

Also I am using https://bartonbytes.com/posts/configure-pi-hole-for-dns-over-tls/ to install and create the configuration. I hope that is OK?

Thank you.

0 Likes

#19

You are mixing things up. Unbound is not the DNS that you want to approach from the outside.

I have taken the bartonbytes config and updated it so you have a good chance that it will work.
You are still learning and you expect to start and arrive at the finish at the same time. So first get it working with plain DNS, not over a secured connection. If that works then you take the next step, and not two or three at the same time. You would then not know which step broke the workings.

0 Likes

#20

Thank you very much. I have slowed down and I will do more research before moving ahead. I will read why I am doing these changes. Once I’m done, I will let you know.

Once again, thank you for helping me out.

0 Likes