DNS Black-holing w/ DNS over TLS - Personal Privacy Part 1
So DNS black-holing is not new, obviously, and what stands out as the go-to solution? Pi-hole, probably... and yeah, that's what I'm using because, hey, it's a popular choice. Though I am running it in Docker. Combining that with Unbound (also in Docker), and configuring outbound DNS to use DNS over TLS, with a few additional minor tweaks, but otherwise mostly standard configuration on both.
Wondering what you guys might be using, and if you are using Pi-hole and/or Unbound, whether you have any tips on configuration.
I've got two Pi-holes running on my network via Docker Compose. I tried setting up Unbound in Docker Compose and that fell flat; from my understanding DNSSEC was preventing DNS resolution outright.
Also tried OPNsense + Unbound, which led to the same thing.
Eventually got tired of having my network cutting in and out over minor changes so I just stuck with Quad9 for my upstream needs.
Happy to share my docker-compose with Pi-hole and Unbound. I'm not the original author; it's a compilation of a few people's. No issues. Normal DNS inside the house, DoT outside.
If you don't mind DMing me or dropping it in a comment here, it would be greatly appreciated! The Docker engine isn't something entirely new to me, so I'm a bit skeptical of thinking that I missed something, but I'm always happy to compare with others. Actually, Docker is what pushed me to switch fully to Linux on my personal computers.
Snippet from my docker-compose.yml:

services:   # top-level key left out of the original snippet; Compose needs it to load the file
  pihole:
    container_name: pihole
    hostname: pihole
    image: pihole/pihole:latest
    networks:
      main:
        ipv4_address: 172.18.0.25
    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "127.0.0.1:67:67/udp" # Only required if you are using Pi-hole as your DHCP server
      - "127.0.0.1:85:80/tcp"   # web UI bound to the host only; Traefik (labels below) fronts it
      - "127.0.0.1:7643:443"
    environment:
      TZ: 'America/Vancouver'
      FTLCONF_webserver_api_password: 'insert-password-here'
      FTLCONF_dns_listeningMode: 'all'   # answer on every container interface, not just the first one
    # Volumes store your data between container upgrades
    volumes:
      - './config/pihole/etc-pihole:/etc/pihole'
      - './config/pihole/etc-dnsmasq.d:/etc/dnsmasq.d'
      - '/etc/hosts:/etc/hosts:ro'
    # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
      - CAP_SYS_TIME
      - CAP_SYS_NICE
      - CAP_CHOWN
      - CAP_NET_BIND_SERVICE
      - CAP_NET_RAW
      # CAP_NET_ADMIN is the same capability as NET_ADMIN above; the duplicate entry was dropped
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pihole.rule=Host(`pihole.my.domain`)"
      - "traefik.http.routers.pihole.entrypoints=https"
      - "traefik.http.routers.pihole.tls=true"
      - "traefik.http.services.pihole.loadbalancer.server.port=80"
      - "traefik.http.routers.pihole.middlewares=fail2ban@file"
  unbound:
    image: alpinelinux/unbound
    container_name: unbound
    hostname: unbound
    networks:
      main:
        ipv4_address: 172.18.0.26   # Pi-hole's custom upstream points here as 172.18.0.26#5335
    ports:
      - "127.0.0.1:5334:5335"   # host-only; Pi-hole reaches Unbound directly over the docker network
    volumes:
      - ./config/unbound/:/var/lib/unbound/
      - ./config/unbound/unbound.conf:/etc/unbound/unbound.conf
      - ./config/unbound/unbound.conf.d/:/etc/unbound/unbound.conf.d/
      # This file must exist on the host before the first start; otherwise Docker creates a directory in its place
      - ./config/unbound/log/unbound.log:/var/log/unbound/unbound.log
    restart: unless-stopped

networks:   # not in the original snippet; subnet assumed from the fixed 172.18.0.x addresses above
  main:
    ipam:
      config:
        - subnet: 172.18.0.0/16
Edit: After re-reading the Unbound GitHub and their documentation, it seems I may have missed some volume mounts that are key to the function of Unbound. I'll definitely have to dive deeper into it.
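An added example, not the poster's compose files or anything from the Unbound project: a small script that writes the unbound.conf the snippet above mounts into the container, forwarding over DoT to Cloudflare (the upstream named later in the thread) with DNSSEC validation, plus the checks that catch the "DNSSEC stops resolution" failure mentioned earlier. The docker subnet, the Alpine CA bundle path and the trust-anchor directory are assumptions; run it where the Unbound binaries exist, e.g. inside the container.

```shell
#!/bin/sh
# Added example (not from the thread or the Unbound project): generate an
# Unbound config that matches the compose snippet above (container port 5335,
# docker subnet 172.18.0.0/16) and forwards over DoT, then check it.
set -eu
SUBNET=${SUBNET:-172.18.0.0/16}               # assumed from the 172.18.0.x addresses
ANCHOR_DIR=${ANCHOR_DIR:-/var/lib/unbound}    # compose mounts ./config/unbound/ here
CA_BUNDLE=${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}  # Alpine CA store (assumed)

gen_unbound_dot_conf() {
  cat <<EOF
server:
  interface: 0.0.0.0@5335
  # Answer only Pi-hole's docker network; refuse everyone else.
  access-control: 127.0.0.0/8 allow
  access-control: ${SUBNET} allow
  access-control: 0.0.0.0/0 refuse
  # DNSSEC validation. A missing or read-only root.key makes every signed
  # answer fail validation, so clients get SERVFAIL and "DNS just stops".
  auto-trust-anchor-file: "${ANCHOR_DIR}/root.key"
  harden-dnssec-stripped: yes
  qname-minimisation: yes
  # Without a CA bundle the DoT session is encrypted but not authenticated.
  tls-cert-bundle: "${CA_BUNDLE}"

forward-zone:
  name: "."
  forward-tls-upstream: yes
  # The name after '#' must match the upstream's certificate.
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
EOF
}

# Count the three directives that make the setup validated and authenticated;
# 3 is expected, anything less means a stale config is being read.
count_hardening() {
  grep -c -E '^[[:space:]]*(forward-tls-upstream: yes|tls-cert-bundle:|auto-trust-anchor-file:)'
}

write_and_check() {  # $1 = destination unbound.conf
  mkdir -p "$(dirname "$1")" "$ANCHOR_DIR"
  gen_unbound_dot_conf > "$1"
  # unbound-anchor exits 1 when it fetched/updated the anchor; that is not an error.
  [ -f "$ANCHOR_DIR/root.key" ] || unbound-anchor -a "$ANCHOR_DIR/root.key" || true
  unbound-checkconf "$1"   # syntax check before restarting the container
}
case "${1:-}" in write) write_and_check "${2:-./config/unbound/unbound.conf}" ;; esac
```

Both TLS and DNSSEC validation depend on the container's clock, which is why the CAP_SYS_TIME grant in the snippet matters on hosts where time drifts.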
I'm using a service called Control D, which has 4 levels of free DNS. One is no blocking at all, one is only blocking malware, one is blocking malware and ads, and the other one is blocking malware, ads, and social media, like Facebook.
Totally arbitrary, lol. I'm used to DNSSEC, saw DoT and DoH about the same time, think I saw a write-up that used DoT and just went for it. Haven't even compared DoT vs DoH, but DoH reminds me of Homer Simpson cuz I'm old XD
Unbound on the router, which connects upstream with DNS over TLS. Ports 53 and 853 are NATed to the Pi-hole, and several other DNS servers like Google's are blocked so devices can't bypass the Pi-hole very easily. This is only on my primary VLAN. Other VLANs are given the Unbound DNS by default but are allowed to bypass it if they insist. I have one VLAN for guests and one for trusted devices in addition to the primary one.
In my particular setup, I have an additional constraint, and that is that my network has to be designed for portability and travel. Not that it affects your design per se. Thank you for the response. Just something that occurred to me that I hadn't mentioned.
I am living a transient life at the moment. So lots of virtualization and lack of control concerning the WAP and such.
I use cloudflared to translate DNS into DNS over TLS instead of Unbound to make it into recursive DNS. Just never really seen the need to switch it. I'm happy with NextDNS + Cloudflare resolving DNS upstream.
The main thing I wanted to note is that port 53 outbound is blocked at the router to prevent devices from using external/unencrypted DNS. If a LAN device wants DNS resolution, it MUST use the LAN DNS servers it was given via DHCP, or use its own DoT config, as plain DNS won't make it out of the network.
It's because of this block/enforcement that I run two local DNS servers: Pi-hole on an RPi and a mirror on my main server tower, with Gravity Sync keeping them identical. If I tinker with/update one, the other picks up the slack so connectivity/resolution isn't disrupted.
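As an added example (not the commenter's own router config), the port-53 enforcement described in this comment written as an nftables ruleset for a Linux router: plain DNS from LAN clients is NATed to the Pi-hole, and anything else on 53 or 853 is rejected unless it comes from the resolvers themselves. The interface name br0 and the two Pi-hole addresses 192.168.1.2 and 192.168.1.3 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): nftables rules for a Linux router that
# force LAN clients onto the local Pi-holes, as described above. Interface name
# and addresses are assumptions; the DoT (853) block is optional (see comment).
set -eu

# $1 = LAN interface, $2 = primary Pi-hole, $3 = secondary Pi-hole (optional)
gen_dns_enforce_ruleset() {
  lan_if=$1; primary=$2; elems=$2
  [ -n "${3:-}" ] && elems="${elems}, $3"
  cat <<EOF
table inet dns_enforce {
  # The resolvers themselves need 853 (DoT) and 53 upstream, so they are
  # exempt from both rules below.
  set lan_resolvers {
    type ipv4_addr
    elements = { ${elems} }
  }
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # Plain DNS aimed at any outside server is answered by the Pi-hole instead.
    iifname "${lan_if}" ip saddr != @lan_resolvers meta l4proto { tcp, udp } th dport 53 counter dnat ip to ${primary}
  }
  chain forward {
    type filter hook forward priority filter; policy accept;
    # Reject leftovers and DoT from ordinary clients so they fail fast instead
    # of hanging. Drop 853 from this set if clients may bring their own DoT.
    iifname "${lan_if}" ip saddr != @lan_resolvers meta l4proto { tcp, udp } th dport { 53, 853 } counter reject
  }
}
EOF
}

# Parse the ruleset with nft without loading it (-c); skipped if nft is absent.
check_ruleset() {
  command -v nft >/dev/null 2>&1 || { echo "nft not installed; skipping check" >&2; return 0; }
  gen_dns_enforce_ruleset "$@" | nft -c -f -
}

# Usage: sh dns_enforce.sh apply br0 192.168.1.2 192.168.1.3
case "${1:-}" in
  check) shift; check_ruleset "$@" ;;
  apply) shift; check_ruleset "$@" && gen_dns_enforce_ruleset "$@" | nft -f - ;;
esac
```

The counters on both rules show at a glance (nft list table inet dns_enforce) which clients were hard-coded to an outside resolver and are now being redirected.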
Yeah, I am pretty close to that: the Pi-hole to Unbound, Unbound DoT to Cloudflare. What I am doing at this point is bypassing the ISP's DNS, but as I stated in my response above, not yet blocking everything on the net from using the regular stuff. Just feasibility testing at the moment.
Love the dual setup for DNS. I set my primary to this and my secondary to just Cloudflare at the moment, for when I bork my primary DNS while fidgeting with it, haha.