What is the correct pi-hole configuration file needed to enable DNS over TLS?

I would like to enable TLS so I can do DNS over TLS using pi-hole + unbound. Is there an updated pi-hole configuration file to support this? The only configuration I’ve been able to locate that adds to the pi-hole configuration file is the following:

    tcp-upstream: yes
    tls-upstream: yes
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853#dns.google

When I added the above to my pi-hole configuration and then performed a wireshark capture, I didn’t see where unbound was communicating with google over TLS.

How did you add it exactly? What generally works is a dedicated config like this:

cat << '_EOF_' > /etc/unbound/unbound.conf.d/dot.conf
# Adding DNS-over-TLS support
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    ## Cloudflare
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    ## Quad9
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
_EOF_

Looks pretty much the same as yours, just without tcp-upstream: yes and tls-upstream: yes, and more importantly, it is added to the server: section. Make sure that is the case for your case as well. tcp-upstream: yes and tls-upstream: yes are at least redundant, since the forward-zone: applies to all queries and enforces DoT already. But it should not break things either.

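The two replies above turn on the same points: the directives have to sit under a server: and a forward-zone: clause, the quotes must be plain ASCII (a pasted config with typographic quotes fails unbound-checkconf), and every forward-addr should carry @853 plus a #hostname so that Unbound can check the upstream certificate against the tls-cert-bundle. The following linter is an added example, not code from the thread or from the Unbound project; it parses the line-based Unbound clause format and reports exactly those mistakes. The two embedded config samples are constructed for the example (one in the shape of the first post's block, one in the shape of the dot.conf above).

```python
"""Lint a Pi-hole/Unbound DNS-over-TLS forwarding block (added example)."""
import re

# Characters that forum software or a word processor substitutes for plain
# quotes; unbound-checkconf rejects them.
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"

# Constructed sample: the shape of the first post's block, with curly quotes
# and one forwarder that has neither port 853 nor an authentication name.
SAMPLE_BAD = (
    "server:\n"
    "    tls-cert-bundle: \u201c/etc/ssl/certs/ca-certificates.crt\u201d\n"
    "forward-zone:\n"
    "    name: \u201c.\u201d\n"
    "    forward-tls-upstream: yes\n"
    "    forward-addr: 8.8.8.8@853#dns.google\n"
    "    forward-addr: 8.8.4.4\n"
)

# Constructed sample: the shape of the dot.conf shown in the reply.
SAMPLE_GOOD = (
    "server:\n"
    "    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt\n"
    "forward-zone:\n"
    "    name: \".\"\n"
    "    forward-tls-upstream: yes\n"
    "    ## Cloudflare\n"
    "    forward-addr: 1.1.1.1@853#cloudflare-dns.com\n"
    "    forward-addr: 9.9.9.9@853#dns.quad9.net\n"
)

# forward-addr value: IP, optional @port, optional #authname
ADDR_RE = re.compile(r"^(?P<ip>[0-9a-fA-F.:]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")


def parse_clauses(text):
    """Return [(clause_name, {directive: [values]})] in file order.

    Unbound's format is line based: a bare 'name:' line opens a clause
    (server:, forward-zone:, ...) and 'key: value' lines belong to the
    clause opened most recently. Indentation carries no meaning, which is
    what the reply in the thread says about spacing.
    """
    clauses = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or full-line comment
        if line.endswith(":") and " " not in line:
            current = (line[:-1], {})  # clause header such as 'server:'
            clauses.append(current)
            continue
        if current is None:
            raise ValueError(f"directive outside any clause: {line!r}")
        key, _, value = line.partition(":")
        current[1].setdefault(key.strip(), []).append(value.strip())
    return clauses


def lint_dot_config(text):
    """Return a list of problems; an empty list means the block looks sane."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if any(c in CURLY_QUOTES for c in line):
            problems.append(f'line {n}: non-ASCII quote character (use plain " quotes)')
    clauses = parse_clauses(text)
    server = [d for name, d in clauses if name == "server"]
    zones = [d for name, d in clauses if name == "forward-zone"]
    if not server:
        problems.append("no server: clause; tls-cert-bundle must live under server:")
    elif not any("tls-cert-bundle" in d for d in server):
        problems.append("server: has no tls-cert-bundle, so upstream certificates cannot be verified")
    if not zones:
        problems.append("no forward-zone: clause, so nothing is forwarded over TLS")
    for zone in zones:
        zname = zone.get("name", ["?"])[0]
        if zone.get("forward-tls-upstream", ["no"])[0] != "yes":
            problems.append(f"forward-zone {zname}: forward-tls-upstream is not yes")
        for addr in zone.get("forward-addr", []):
            m = ADDR_RE.match(addr)
            if not m:
                problems.append(f"forward-zone {zname}: cannot parse forward-addr {addr!r}")
                continue
            if m["port"] != "853":
                problems.append(f"forward-zone {zname}: {addr} does not use port 853")
            if not m["auth"]:
                problems.append(f"forward-zone {zname}: {addr} has no #hostname, certificate name is not checked")
    return problems


if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, lint_dot_config(sample) or "OK")
```

Run it against /etc/unbound/unbound.conf.d/pi-hole.conf before unbound-checkconf; a forward-addr without the #hostname still encrypts the session, but Unbound then has no name to verify the upstream certificate against, which is the check the tls-cert-bundle line exists for.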

I added by logging into my pi-hole and performing the following:

  1. Confirming that my ca-certificates.crt file was included within /etc/ssl/certs.
  2. Modifying my pi-hole.conf file located within /etc/unbound/unbound.conf.d with the additional configuration information I posted in my post.

Also, I confirmed that it is added under the server section. Does it matter the format of the additional configuration in terms of if something needs to be left indented or not?

I updated my configuration file. Here’s how it looks now. Formatting OK?

Doing a quick follow-up…

Sorry for the late reply. So if you added it to the end of /etc/unbound/unbound.conf.d/pi-hole.conf, that should be all fine. Indentation/spacing does not even matter, but of course for oneself it looks cleaner if all directives of one block are indented.

And you restarted Unbound (systemctl restart unbound), and still do not see any TLS-encrypted traffic to 1.1.1.1 in Wireshark or similar? Do you see requests from Pi-hole to this Unbound? And where does Unbound send requests to instead?

Well, I’m now having a little trouble with unbound not wanting to restart, so I'm trying to resolve that issue…

I’m closing this topic as the error was resolved after some pain-staking research on Google using the following steps:

  1. sudo unbound-checkconf to ensure no errors were present in the pi-hole.conf file when I added the block to enable DNS over TLS (errors were present)
  2. sudo service unbound restart after my configuration file was good to go
  3. netstat -an | grep :853 to see either TIME_WAIT state or ESTABLISHED state between Unbound and the forwarded entity, which in this case is 1.1.1.1 or 1.0.0.1


Therefore, based on my research, I believe I’m now performing DNS over TLS. A check I will do for good measure is a tcpdump on my Pi-hole to capture the traffic for port 853.

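Step 3 of the closing post (netstat -an | grep :853) is the check worth automating, with one caveat and one extension. The caveat: an ESTABLISHED or TIME_WAIT socket to port 853 proves a TCP connection to the forwarder, not a completed TLS handshake, which is why the tcpdump follow-up is still sensible. The extension: DoT is only doing its job if no plaintext port-53 traffic still leaves the box for an external resolver. The script below is an added example, not part of the thread; it parses netstat -an style output (the two samples are constructed, including a leaked UDP query to 8.8.8.8 in the second) and reports the 853 peers, their states, any peer that is not in the expected forwarder set, and any plaintext upstream. The expected forwarder set is an assumption you substitute from your own forward-zone.

```python
"""Check netstat -an output for DNS-over-TLS sessions and plaintext leaks (added example)."""
from collections import Counter

# Constructed sample of 'netstat -an' on a Pi-hole host: Pi-hole on :53,
# Unbound on 127.0.0.1:5335, and two forwarder sessions on port 853.
SAMPLE_OK = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5335          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5335          127.0.0.1:49522         ESTABLISHED
tcp        0      0 192.168.1.10:41234      1.1.1.1:853             ESTABLISHED
tcp        0      0 192.168.1.10:41236      1.0.0.1:853             TIME_WAIT
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""

# Constructed sample with one plaintext DNS query still leaving the host.
SAMPLE_LEAK = SAMPLE_OK + (
    "udp        0      0 192.168.1.10:40000      8.8.8.8:53              ESTABLISHED\n"
)

SOCKET_PROTOS = ("tcp", "tcp6", "udp", "udp6")


def parse_netstat(text):
    """Return one dict per socket row: proto, (local_ip, local_port), (remote_ip, remote_port), state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in SOCKET_PROTOS:
            continue  # header lines and anything that is not a socket row
        local_ip, local_port = parts[3].rsplit(":", 1)
        remote_ip, remote_port = parts[4].rsplit(":", 1)
        state = parts[5] if len(parts) > 5 else ""  # UDP rows may have no state
        rows.append({"proto": parts[0], "local": (local_ip, local_port),
                     "remote": (remote_ip, remote_port), "state": state})
    return rows


def is_loopback(ip):
    return ip.startswith("127.") or ip == "::1"


def check_dot(text, expected_upstreams):
    """Summarise DoT sessions and plaintext upstream DNS sockets.

    expected_upstreams: set of forwarder IPs from the forward-zone (an
    assumption supplied by the caller, not read from the config here).
    """
    rows = parse_netstat(text)
    dot = [r for r in rows if r["remote"][1] == "853"]
    # Port-53 sockets to a non-loopback remote are queries bypassing DoT.
    plain = [r for r in rows
             if r["remote"][1] == "53" and not is_loopback(r["remote"][0])]
    peers = sorted({r["remote"][0] for r in dot})
    unexpected = sorted(set(peers) - set(expected_upstreams))
    plaintext = sorted({r["remote"][0] for r in plain})
    return {
        "dot_peers": peers,
        "dot_states": dict(Counter(r["state"] for r in dot)),
        "unexpected_dot_peers": unexpected,
        "plaintext_upstreams": plaintext,
        # Sessions exist, all to known forwarders, and nothing leaks in clear.
        "ok": bool(dot) and not unexpected and not plaintext,
    }


if __name__ == "__main__":
    import subprocess
    # Live use: feed the real output of 'netstat -an' to the same check.
    live = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    print(check_dot(live, {"1.1.1.1", "1.0.0.1"}))
```

A result with dot_peers empty and plaintext_upstreams populated is the symptom described earlier in the thread (no TLS traffic seen in Wireshark): Unbound is still resolving the way it did before the forward-zone was applied, usually because unbound-checkconf rejected the file and the old configuration is still the one running.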
