I have a Pi-Hole + PiVPN (WireGuard) + CloudFlare DoH setup and it was pretty easy to do. Most of this stuff installs itself! To be honest, the real challenge was to figure out the additional measures to ensure my home devices could only use my Pi-Hole DNS. A couple of firewall rules did it in the end.
The one thing I need to find a solution for, however... a Raspberry Pi is not quite powerful enough to handle a gigabit connection. I need to look into a more powerful device to replace it with. That would also mean I can add that RPi to my miniature cluster.
> a Raspberry Pi is not quite powerful enough to handle a gigabit connection
To clarify, you're referring pretty much exclusively to the PiVPN part here, correct? I have a 3B doing lots of other things and it's serving Pi-Hole duty as well w/o a hitch.
Oh yeah, Pi-Hole itself almost doesn't cause any CPU load. But connecting to the PiVPN slows things down considerably. I probably need to do some benchmarks to see exactly what's slowing things down, now that I think about it.
Using nginx seems like a bad fit for DoT? I can see it for DoH where maybe there's enough HTTP stuff you can re-use but for DoT essentially all you want is the TLS stack right?
One of the things any of these approaches will need is a mechanism to get trustworthy certificates†. But since you're a DNS server I think it likely makes sense to do DNS proof of control (so dns-01 under Let's Encrypt or another ACME service) rather than spin up other services.
† If you don't have this, your resolver clients can't be sure it's you they're talking to, if you don't care about that then you didn't need DNS privacy anyway.
nginx works very nicely as a DNS-over-TLS to DNS-over-TCP proxy, but yes you might want to choose stunnel instead if you don’t also want DoH.
(I have run DoH and DoT in production since 2018, using OpenResty, i.e. nginx plus LuaJIT, with the DoH protocol conversion written by me in Lua, and DoT using basic nginx as described in TFA.)
>† If you don't have this, your resolver clients can't be sure it's you they're talking to, if you don't care about that then you didn't need DNS privacy anyway.
Sure, I do not anticipate most home users will want this or should attempt it. You can see why Cloudflare wanted 1.1.1.1 but https://[2001:8b0:fbb0:1247:1b24:1c24:1d23:714]/ doesn't exactly trip off the tongue.
For your home network DNS: a server with dnsmasq -> stubby -> DNS over TLS -> NextDNS works quite well. Fast with dnsmasq caching and reasonably secure, plus NextDNS can block unwanted domains (ads, malware, etc.).
What still puzzles me about the Pi-Hole is that it appears to be based on a (slightly modified version of) a program many/most OpenWRT users^1 are already running: dnsmasq.
What is it that makes it infeasible to accomplish DIY DNS-based blocking on an OpenWRT router, without the need for an RPi? It makes me wonder if the modified dnsmasq Pi-Hole uses requires more resources than the un-modified version one normally finds on OpenWRT routers.
With respect to what this person is trying to accomplish, third party VPN is OK, but is it really necessary if one has a publicly reachable IP at home? OpenWRT routers often come with Wireguard pre-configured, and if not it can usually be installed no problem.
(Of course you could run OpenWRT on the RPi but is this a popular choice, given the specs of the earlier models.)
For experimenting with DoH at home, I am using dnsdist from PowerDNS.
1. For example, users who prefer to run their own OpenWRT router at home, either in place of or in addition to one provided by an ISP.
Flashing routers and running custom firmware on them is harder or sometimes even not possible with people’s hardware. In Germany you get pretty nice router hardware (FRITZ!Box) loaned from an ISP.
Setting up a 30 EUR pi with pi-hole is way easier and probably cheaper than getting another router and configuring it, for a lot of people.
Incidentally, one of the biggest advantages of using an OpenWRT router over a PiHole is the ability to respond to all DNS requests (sent via udp port 53), as opposed to just those that use the DHCP-discovered resolver, which allows you to police devices that use a hardcoded external DNS resolver (e.g. 8.8.8.8 or 1.1.1.1).
You are fighting a losing battle here. Many hardcoded devices and malware are switching to using DNS over HTTPS to bypass DNS redirection. Guests on your network can also bypass DNS redirection using DNS over HTTPS with recent browsers.
If your main goal is adblocking (or, generally, filtering requests by domain name), the adblock software package has a config option to "force local DNS".
Otherwise you'll need to set up a firewall rule to redirect all DNS requests.
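As an added example (not from the thread), here is what that firewall rule looks like on OpenWrt: a shell function that emits the uci commands to DNAT every LAN client's port-53 traffic to the Pi-hole, exempting the Pi-hole's own upstream queries so they are not looped back to it. It assumes the Pi-hole sits on the 'lan' zone at the IPv4 address you pass in, and that the router's fw3/fw4 accepts `nat` sections for the hairpin masquerade; it does not catch DoH or DoT clients.

```shell
#!/bin/sh
# Added example, not the thread's own config. Prints the OpenWrt uci batch
# that forces plain-DNS (udp/tcp 53) from LAN clients to the Pi-hole.
# Run it on the router as:  gen_dns_redirect 192.168.1.2 | sh

gen_dns_redirect() {
    pihole_ip="$1"
    # Reject anything that is not a dotted IPv4 literal so a typo cannot
    # produce a rule that silently matches nothing.
    case "$pihole_ip" in
        ""|*[!0-9.]*) echo "usage: gen_dns_redirect <pihole-ipv4>" >&2; return 1 ;;
    esac
    cat <<EOF
# DNAT: every LAN host except the Pi-hole itself -> Pi-hole:53.
# The '!' exemption matters: the Pi-hole's upstream queries also leave on
# port 53 and would otherwise be redirected back to it (a resolution loop).
uci add firewall redirect
uci set firewall.@redirect[-1].name='Force LAN DNS to Pi-hole'
uci set firewall.@redirect[-1].src='lan'
uci set firewall.@redirect[-1].src_ip='!${pihole_ip}'
uci set firewall.@redirect[-1].src_dport='53'
uci set firewall.@redirect[-1].proto='tcp udp'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_ip='${pihole_ip}'
uci set firewall.@redirect[-1].dest_port='53'
uci set firewall.@redirect[-1].target='DNAT'
# Hairpin: client and Pi-hole are on the same subnet, so without SNAT the
# reply would come straight from the Pi-hole's address and the client would
# drop it. Masquerading fixes that, at the cost of the Pi-hole seeing the
# router's IP instead of the real client in its query log (assumption: your
# firewall build supports 'config nat' sections).
uci add firewall nat
uci set firewall.@nat[-1].name='Masq hairpinned DNS to Pi-hole'
uci set firewall.@nat[-1].src='lan'
uci set firewall.@nat[-1].proto='tcp udp'
uci set firewall.@nat[-1].dest_ip='${pihole_ip}'
uci set firewall.@nat[-1].dest_port='53'
uci set firewall.@nat[-1].target='MASQUERADE'
uci commit firewall
/etc/init.d/firewall restart
EOF
}
```

Verify afterwards from a LAN client with something like `nslookup example.com 8.8.8.8`; if the rule works, the answer is served by the Pi-hole and shows up in its query log.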
According to a sibling commenter, that alternative is also possible through Pi-Hole, although it looks like you need to configure a router to rewrite said traffic to point at it. (potentially also requiring the purchase of a $250 piece of additional hardware, at which point, why not just buy a router that supports OpenWRT?)
Yeah I've got a pihole and an openwrt router (Nanopi R4S is amazing bang per buck btw) configured to point to the pihole.
Yet some stuff is leaking past it (mainly iphone), hence my interest in forcing things. I suspect it's connected to the fact that ipv6 resolves faster than ipv4 for me somehow, but can't quite place what's wrong... because it is catching some ipv6 traffic, so it's not like the ipv6 pihole is broken broken.
>Otherwise you'll need to set up a firewall rule to redirect all DNS requests.
Yes... the whole chain concept openwrt has going is something I haven't wrapped my head around yet, so no rule writing for now.
I believe the comment was highlighting the advantage of a router vs a local DNS service rather than asserting the openwrt implementation has features beyond vs the pihole implementation.
The advantage is the router itself is literally routing all the traffic and thus even hostile clients (e.g. smart tv) that ignore the (dhcp provided) pihole DNS still have to pass their traffic through the router and thus it always has an opportunity to take action on the packets.
As was mentioned in a sibling comment, even with just a pihole and a non-openwrt router you can still configure your network to force all DNS traffic through the pihole but it is more config and more error prone vs the single openwrt router network.
The web UI, logging, graphs, top blocked sites/queries are all really nice to have and are great for diagnosing badly behaving apps/clients/websites.
I am sure that this is all possible using some slick openWRT command line/LUA magic/plugins/god knows what, but my time isn't free, and I'm not interested in hacking that all together on the same device that provides internet access.
Sure! Go install "Apple Configurator 2" on your mac and start exploring the different profiles/configs you can push to your iDevice. Anything an MDM provider can do to an iDevice, you can do yourself as well. There are even GUI tools for most profile configurations. The author could have also pushed the profile via configurator instead of going through the "email and download" process. Here is the complete list of profile configurations you can set: https://developer.apple.com/business/documentation/Configura...
Don't know if it's a trick, but I'm using the NextDNS profile on iOS and macOS when not at home with Pi-Hole: https://apple.nextdns.io/ (I prefer it to exposing my Pi-Hole).
Why is this better than, say, putting wireguard on the same pi and getting secure VPN tunneling back home _and_ pi-hole at the same time no matter where you are?
I'm no expert but does this have the same risks as an open resolver? Are there ways of running a pihole openly for others to the internet without needing a VPN?