Version 5 DNS over https any solutions?

Hello. All the tutorials on using dns over https with pihole fail on my standard install. I'm thinking that they are written for < version 5. Would anyone know if version 5 could have issues with the standard tutorials on implementing dns over https on pihole, or alternatively, are there any tutorials on using dns over https with Version 5 anywhere?

Thanks

Nothing has changed in V5 that would require a change in setting up an independent DoH server.

Thanks, that's good to know. Any known issues with Firefox vs other browsers when setting up DNS over HTTPS in Pi-hole? I know that Firefox has the ability to do DNS over HTTPS, but I'm running into difficulties such that deactivating DoH in Firefox and using the DNS over HTTPS settings as provided by cloudflared going to 1.1.1.1 never shows DoH working.

That test website is known to be buggy.

I get very consistent results except when trying to use DoH

See attached tech-note from:

whose tutorial doesn't work for me and references Firefox issues with DoH and Pi-hole.

lord_pihole_config

This was written in Nov 2019. On Feb 25, 2020 Pi-hole 4.4 was released that correctly implements the canary domain.

Despite the claims of the first article, encrypted DNS does little, if anything, to improve your privacy.

Interesting. Can you elaborate on why encrypted DNS doesn't improve privacy? I guess you mean that somewhere, somehow along the digital request there is a record of the requested domain and that's the "gotcha!".

You encrypt your DNS traffic. Hidden from ISP. After you obtain the IP, you immediately ask your ISP to fetch that IP, in clear text. They can figure out where you are browsing with not much effort. Meantime, your upstream DNS provider has your complete DNS history, to do with it what they please.

A better privacy solution, in my opinion, is running your own recursive resolver and eliminating the third party DNS service entirely. You are in control of your own resolver, no filtering, no redirecting, and you keep your history local.

https://docs.pi-hole.net/guides/unbound/


This is great! I set up the recursive unbound and it's working great - I just can't get to discourse.pi-hole.net. I get a 502 Bad Gateway message.

That was not an unbound problem. Technical difficulty at our end.

Hello jfb,

Regarding the unbound setup - the instructions here:

https://docs.pi-hole.net/guides/unbound/

when using unbound on raspberry pi ONLY the custom 1 box should be checked?

When I do that and then visit dnsleaktest.com my DNS server(s) are listed as Spectrum, which I thought this was supposed to bypass...

If I ALSO click Cloudflare on the Pi-hole DNS settings page then I'll see Cloudflare as my DNS servers at dnsleaktest.com.

Is that normal behavior? Sounds like the queries are going to my ISP if nothing is checked, and if I check an option then the DNS queries are going there, which defeats the purpose of having unbound locally, no?

It is normal to see your own IP as the DNS server running unbound. You are the DNS server.

If you provide more than one upstream DNS server, they will all be used.

Yes

Correction: with unbound running and only the custom box checked I get NO response from dnsleaktest.com. I guess it can't find my Raspberry Pi.

However, as I'm also on a wide area network using a mesh network, when I connect to that network and only the custom box is checked, I will see the DNS servers that the wide area mesh network uses.

Is that normal behavior?

From the Pi terminal, what is the output of:

dig dnsleaktest.com

dig dnsleaktest.com @127.0.0.1 -p5335

dig dnsleaktest.com

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Raspbian <<>> dnsleaktest.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45353
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;dnsleaktest.com. IN A

;; ANSWER SECTION:
dnsleaktest.com. 300 IN A 23.239.16.110

;; Query time: 31 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 22 03:33:29 BST 2020
;; MSG SIZE rcvd: 60

dig dnsleaktest.com @127.0.0.1 -p5335

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Raspbian <<>> dnsleaktest.com @127.0.0.1 -p5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27407
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;dnsleaktest.com. IN A

;; ANSWER SECTION:
dnsleaktest.com. 258 IN A 23.239.16.110

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Mon Jun 22 03:34:11 BST 2020
;; MSG SIZE rcvd: 60
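The two transcripts above are the check the thread asks for: the first query is answered by Pi-hole on 127.0.0.1#53, the second by unbound on 127.0.0.1#5335, and both return the same A record (the lower TTL on the unbound side is simply the cache entry ageing between the two queries). The script below is an added example, not code from the thread or from the Pi-hole project; it parses `dig` transcripts and reports anything that breaks the expected Pi-hole -> unbound chain. The sample text is the output posted above, trimmed to the lines the parser needs; the port numbers (53 for Pi-hole, 5335 for unbound) follow the docs.pi-hole.net unbound guide linked in the thread.

```python
"""Sanity-check a Pi-hole + unbound resolver chain from two dig transcripts.

Run `dig <name>` (answered by Pi-hole on port 53) and
`dig <name> @127.0.0.1 -p5335` (answered by unbound) and feed both outputs
to check_chain(). An empty result means the chain looks as expected.
"""
import re

# Constructed sample input: the two transcripts posted in the thread, trimmed.
DIG_VIA_PIHOLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45353
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;dnsleaktest.com. IN A

;; ANSWER SECTION:
dnsleaktest.com. 300 IN A 23.239.16.110

;; Query time: 31 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

DIG_VIA_UNBOUND = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27407
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;dnsleaktest.com. IN A

;; ANSWER SECTION:
dnsleaktest.com. 258 IN A 23.239.16.110

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
"""

STATUS_RE = re.compile(r"status: (\w+)")
SERVER_RE = re.compile(r";; SERVER: (\S+?)#(\d+)\(")
# Answer-section records; the ";name. IN A" question line has no TTL and
# starts with ';', so it does not match.
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA)\s+(\S+)$", re.M)


def parse_dig(text):
    """Extract status, answering server/port, records and minimum TTL."""
    status = STATUS_RE.search(text)
    server = SERVER_RE.search(text)
    if not status or not server:
        raise ValueError("not a dig transcript: HEADER or SERVER line missing")
    answers = ANSWER_RE.findall(text)
    return {
        "status": status.group(1),
        "server": server.group(1),
        "port": int(server.group(2)),
        "records": [(rtype, rdata) for _, _, rtype, rdata in answers],
        "min_ttl": min((int(ttl) for _, ttl, _, _ in answers), default=None),
    }


def check_chain(pihole_text, unbound_text, unbound_port=5335):
    """Return a list of findings; empty means the chain behaves as expected."""
    p, u = parse_dig(pihole_text), parse_dig(unbound_text)
    findings = []
    if p["status"] != "NOERROR":
        findings.append(f"Pi-hole answered {p['status']}")
    if u["status"] != "NOERROR":
        findings.append(f"unbound answered {u['status']}")
    if p["port"] != 53:
        findings.append(f"first query not served on port 53 (got {p['port']})")
    if u["port"] != unbound_port:
        findings.append(f"unbound query not served on port {unbound_port} (got {u['port']})")
    if set(p["records"]) != set(u["records"]):
        findings.append("Pi-hole and unbound returned different records; check "
                        "that unbound is Pi-hole's only upstream (a rotating CDN "
                        "answer can also cause this)")
    return findings


if __name__ == "__main__":
    for label, text in (("Pi-hole", DIG_VIA_PIHOLE), ("unbound", DIG_VIA_UNBOUND)):
        info = parse_dig(text)
        print(f"{label}: {info['server']}#{info['port']} {info['status']} "
              f"{info['records']} ttl={info['min_ttl']}")
    print("findings:", check_chain(DIG_VIA_PIHOLE, DIG_VIA_UNBOUND) or "none")
```

Where the thread's later symptom applies (only the custom box checked, yet dnsleaktest.com shows the ISP or mesh network's servers), the comparison in `check_chain` is the thing to look at: if Pi-hole's answer does not come back on 127.0.0.1#53 with the same records unbound gives on 5335, the client is not using the Pi-hole/unbound chain at all.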

FYI: I did a rebuild of the Raspberry Pi 3 B+ with a new install of Pi-hole about 3 hours ago. Installed unbound. Everything was working normally. Now, for no reason at all, ads are showing up again on sites where the Pi-hole was successfully blocking.

You may have created a new problem. Please generate a new debug log, upload it and post the new token.

https://tricorder.pi-hole.net/uuw3hdsphi

This looks curious in the debug:

Jun 22 03:27:49 dnsmasq[2646]: failed to load names from /etc/pihole/custom.list: No such file or directory