Simple DNS over HTTPS with dnscrypt-proxy-pihole and Raspberry Pi

I want to share dnscrypt-proxy-pihole.
It is a Debian package for Raspberry Pi which installs dnscrypt-proxy configured for DNS over HTTPS with Cloudflare DNS servers and Pi-hole.

More info here:

ISP can still see what domains you go to :roll_eyes:


@Tntdruid No, only https://blabla.cloudflare.blabla is visible to your ISP.

@mapi68 Encrypted traffic in an encrypted tunnel is not needed here.

@msatter Why?

@mapi68 What do you gain? Your ISP not knowing which DNS provider you use?

@msatter Traditionally, DNS queries are sent in plaintext. Anyone listening on the Internet can see which websites you are connecting to. To ensure your DNS queries remain private, you should use a resolver that supports secure DNS transport such as DNS over HTTPS (DoH) or DNS over TLS (DoT).

After you get the encrypted DNS transaction completed and have the IP in hand, you immediately send that IP to your ISP in clear text and request that they connect you. It is not difficult for the ISP to figure out where you are browsing.

If you use a VPN service they see the same.

They know which webserver you are going to, but these days, with all those cloud services, they need to inspect the SNI to know exactly which domain you are surfing.

Doing qname (authoritative) through a VPN is still the best solution in my world. Surfing through a VPN as well means that only the VPN provider knows both.

It is tricky to use Cloudflare and then visit sites that are also 'virtual' hosted on Cloudflare.

They have it to inspect.

hi. when you suggest 'use vpn' do you (anyone please) mean something like this:

also, i subscribe to a vpn service which i can code into my router (open vpn client) w/ ovpn files, etc. from my vpn provider.

anyway, the merlin firmware router has policy rules for how you might like to route traffic through the vpn.


so just wondering, if i want to encrypt my pihole and unbound activity properly through the vpn that is, would i use that?

that is, in the 'source' if i add my pihole ip, add the destination ip as lface set to vpn...