Raspberry Pi DNS-Over-HTTPS (DoH) for Pi-Hole - is this worth doing?

Expected Behaviour:

I have been using Pi-hole for a while, and it's been great. I have it running on a Raspberry Pi 3B (I also have a second Pi-hole running on Ubuntu Server). I use the standard blocklist and also added those from the Firebog. The Pi is running Raspberry Pi OS. I update regularly, both the Pi and Pi-hole; I am on v5.18.3, FTL v5.25.2 and Web interface v5.21.

I mainly have Synology kit around the house; specifically, I use a Vigor 130 ADSL/VDSL modem in front of a Synology RT2600ac router (I then have an additional 2600 and 2200 units running a mesh Wi-Fi network). My network and Pi are connected via Ethernet.

On the Pi itself, I have Cloudflare (DNSSEC) set as IPv4 with both boxes ticked. IPv6 is unchecked. I have "Allow only local requests" ticked, along with all three advanced DNS settings checked.

I generally access the Pi via the web browser (Firefox and Edge), and update over SSH.

I have multiple PCs, a PS5, phones and tablets all using the network.

I am interested in having DNS-over-HTTPS to improve my privacy; however, I have not used it before. I can tick a checkbox on the router to enable DNS-over-HTTPS, but I don't think this is then compatible with the Pi-hole.

So I was wondering about using one of the guides (cloudflared (DoH) - Pi-hole documentation). However, I am not sure if this is worth doing: I am a home user with limited knowledge and I don't want to cause network issues which might negatively affect the use of the network at home. Is this worth doing?

In general, DoH would offer the most benefit for machines connecting to an untrusted network, e.g. when using a laptop away from home.
DNS requests would then be hidden in HTTPS traffic from that network, and in addition, they would be encrypted so that only the targeted DNS server would be able to decrypt and read them.
Note, however, that a third-party intruder could still observe which IP addresses you are connecting to.

Regardless whether you'd use DNS-over-HTTPS, DNS-over-TCP or plain DNS, the target DNS server would always have your complete DNS history.

All of that would imply that adding DoH to your home network would not add much benefit, especially if you'd still be targeting your ISP's DNS servers, as it would still be your ISP that has your DNS history.
If you plan to switch to non-ISP DoH servers, that would mean that you'd entrust them with your DNS history instead of your ISP, but you'd still have to trust someone.

A privacy alternative would be using unbound as upstream, which would query authoritative DNS servers directly, so no one DNS server would have your complete DNS history.

That said, if your router offers DoH support, you should be able to take advantage of upstream DoH resolution by implementing the following DNS resolution chain:
client -> Pi-hole -> router -> DoH Upstream

If that can be configured, it would spare you from installing and maintaining any additional software like cloudflared.

One thing is that the DoH master server list does show servers that "don't log".

I have been doing DoH for over 4 years here at home using the DNSCrypt-Proxy service, which you can configure if you want DoH, DNSCrypt, etc.

https://github.com/DNSCrypt/dnscrypt-proxy

Thanks for the replies.

This is for a home network, so I initially thought perhaps not.

I am semi-aware of this, I need to read a bit more.

I think my current chain is client->router->pihole, but I am unsure about the next step. The router points to my 'preferred DNS server', which is my RPi3B, which now has Quad9 (filtered, DNSSEC) selected under IPv4 (but nothing under IPv6). My 'alternative DNS server' IP on the router points at the Pi-hole on my Ubuntu server. If I check my DNS on https://www.dnsleaktest.com/results.html it returns 'woodynet', which I think is Quad9. If I then go to the advanced settings on my router, I can 'enable doh' and Cloudflare is an option (I think I might be able to add an IP address if I wanted to use another DNS service). If I then check again on https://www.dnsleaktest.com/results.html it now reports 'cloudflare'. I am not sure of the exact chain though: I don't know if the router is still using the Pi-hole first, or is it reverting straight to Cloudflare and ignoring the Pi-hole completely? This last one is what I suspect is happening. Is there any way to check?
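Added example, not from any poster in this thread: a small POSIX shell check for the question above, i.e. whether a lookup sent to the router is actually forwarded to Pi-hole or answered by the router's own DoH. It assumes it runs on the Pi-hole host with `dig` installed, that ROUTER_IP is the router's LAN address, and that PIHOLE_LOG is Pi-hole v5's dnsmasq-format log (adjust both for your install).

```shell
#!/bin/sh
# Added example, not from the thread: check whether lookups sent to the router
# really pass through Pi-hole, and which upstream Pi-hole forwards them to.
# Assumptions: run on the Pi-hole host, `dig` is installed, ROUTER_IP is the
# router's LAN address, PIHOLE_LOG is Pi-hole v5's dnsmasq-format log.
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
PIHOLE_LOG="${PIHOLE_LOG:-/var/log/pihole/pihole.log}"

# Unique, harmless probe name under the reserved example.com domain: it cannot
# be served from an earlier cached lookup and is easy to spot in the log.
make_probe_name() {
  printf 'doh-check-%s.example.com' "$1"
}

# Read dnsmasq-format log lines on stdin and print where the probe went:
# the upstream from a "forwarded ... to" line, or "answered locally" if
# Pi-hole saw the query but answered it itself (cache/blocklist).
# Returns 1 if the probe never appears, i.e. the router bypassed Pi-hole.
probe_result() {
  name="$1"
  seen=0
  while IFS= read -r line; do
    case "$line" in
      *" forwarded $name to "*) printf '%s\n' "${line##* to }"; return 0 ;;
      *" query["*"] $name from "*) seen=1 ;;
    esac
  done
  if [ "$seen" -eq 1 ]; then echo "answered locally"; return 0; fi
  return 1
}

# Send the probe to the router, then look for it in Pi-hole's own log.
run_check() {
  name=$(make_probe_name "$(date +%s)$$")
  echo "Querying $name via router $ROUTER_IP ..."
  dig +short "@$ROUTER_IP" "$name" A >/dev/null 2>&1 || true
  sleep 1   # give FTL a moment to write the log line
  if upstream=$(grep -F "$name" "$PIHOLE_LOG" | probe_result "$name"); then
    echo "Pi-hole handled the query: $upstream"
  else
    echo "Pi-hole never saw it: the router resolved the name itself (e.g. via its own DoH)"
  fi
}

# Only run the live check when invoked as: sh doh-check.sh --run
if [ "${1:-}" = "--run" ]; then run_check; fi
```

If the probe appears in the log with a "forwarded" line, the router is using Pi-hole and the printed address is the upstream Pi-hole chose; if it never appears, the router's DoH setting is answering clients directly and Pi-hole is skipped.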

Thank you - I will do a bit of reading.
