Suggestions for DOH & DOT

Hey All,

I want to set up DOH & DOT with Pihole & Unbound.

Does anyone have a guide or script with best practices that runs you through this process?

--
DC

Using both next to each other doesn't make sense.
You should opt for either DoH or DoT.

What's the intended use case?

I wanted to increase security and add my pihole dns server to my android phone. Android Private DNS supports both apparently.

Do you have a suggestion for one over the other?

I have both unbound and DoH using dnscrypt-proxy, compliments of the Pi-hole team here: Issue installing dnscrypt-proxy - Help - Pi-hole Userspace

That sounds as if you would want your Android phone to use DoH/DoT to connect to your Pi-hole?

Yes that's right.

(Smurf's post won't help you here, as that is about Pi-hole forwarding to a DoT/DoH proxy that takes plain DNS requests from Pi-hole to encrypt and forward them to public DoT/DoH servers.)

You would need a DoT or DoH server in front of Pi-hole in that case, accepting and decrypting DoT/DoH requests and forwarding plain DNS to Pi-hole.

But that won't offer much of a benefit in your home network.

Do you intend to access Pi-hole remotely, connecting via public Internet?

Yes.

I plan on accessing this pihole server over the internet using tailscale to keep it private.

I'd go for something like dnsdist as a front end to provide you with DoT when you are away from your LAN connection.

There are other options like stubby or even nginx but I like dnsdist personally.
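An added example of what the dnsdist front end suggested above could look like for this thread's setup (a DoT listener that decrypts and hands plain DNS to Pi-hole); this is not code from the thread, nor from the dnsdist or Pi-hole projects. Assumed: dnsdist runs on the Pi-hole host with Pi-hole answering on 127.0.0.1:53, placeholder certificate paths, a 192.168.1.0/24 LAN, and Tailscale's 100.64.0.0/10 CGNAT range for remote peers.

```lua
-- Added example dnsdist.conf (assumptions: see lead-in). Not the projects' own config.

-- Backend: Pi-hole, reached over plain DNS on loopback only. Assumes Pi-hole
-- listens on 127.0.0.1:53 on the same host.
newServer({address = "127.0.0.1:53", name = "pihole"})

-- Only loopback, the LAN (192.168.1.0/24 is an assumed example subnet) and
-- Tailscale peers (100.64.0.0/10) may talk to this front end. Queries from
-- any other source are dropped before they are parsed.
setACL({"127.0.0.0/8", "192.168.1.0/24", "100.64.0.0/10"})

-- DoT listener on 853, which is what Android Private DNS connects to.
-- The certificate must be issued for the hostname entered on the phone and
-- chain to a CA the phone trusts; the file paths below are placeholders.
addTLSLocal("0.0.0.0:853",
            "/etc/dnsdist/tls/PLACEHOLDER_HOSTNAME.crt",
            "/etc/dnsdist/tls/PLACEHOLDER_HOSTNAME.key",
            {minTLSVersion = "tls1.2"})

-- Deliberately no addLocal()/setLocal() on port 53: Pi-hole already owns that
-- port on this host, and omitting it means dnsdist exposes nothing unencrypted.
```

With this in place, the phone's Private DNS entry is the certificate's hostname, and the only path from the phone to Pi-hole is DoT into dnsdist, then plain DNS on loopback.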

If you are using tailscale, you are already using an encrypted connection into your home network, so again not much benefit from installing DoT/DoH in front of Pi-hole.

Do you have a guide for a great config for DNSDist?

Yeah but I have to have one or the other for android. It no longer lets you use DNS that is not either DOH or DOT.

As far as I am aware, Android's Private DNS feature is employing DoT exclusively.

What Android version are you using?

I'm using Android 15.

DNSDist looks like a good option. What do you think Bucking_Horn?

Since you are using tailscale already, I'd leave Android's Private DNS feature on automatic (or off, if automatic would fail to determine that your current network propagates Pi-hole for DNS and DoT shouldn't be used).

OK Thanks.

Tailscale already handles the encryption for you; setting up DoH/DoT over a VPN is redundant, i.e. you are already secured through Tailscale.

Thanks.
