If you are using Pi-hole and want to keep it as your default DNS resolver on Turris, but upgrade your security to use Cloudflare’s DNS over HTTPS, keep reading…
All of this is tougher in Pi-hole because it uses dnsmasq as its DNS resolver. Unlike kresd, dnsmasq is not yet capable of this magic.
First, some assumptions for easy progress:
You are using Pi-hole in LXC
Debian Stretch as operating system in LXC
You are not a beginner with Linux
You have your Pi-hole LXC starting up automatically on every Turris reboot
There is no need to use tmux.
Start the cloudflared… command from the article with & at the end of the command and then hit enter. This way it will run in the background.
Proceed with all the rest that the article talks about.
Test if it works for you. In the end you have to edit cron to start that cloudflared command at every startup of your LXC.
Then edit cron via crontab -e
and add this: @reboot cloudflared proxy-dns --port 54 --upstream https://1.1.1.1/.well-known/dns-query --upstream https://1.0.0.1/.well-known/dns-query &
Now you have your Pi-hole LXC upgraded: all your DNS queries (if they are not local) leave your router encrypted via the proxy you have just installed. Congratulations.
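The two things that silently undo this setup are a leftover plaintext upstream in Pi-hole's dnsmasq config and a proxy that is not restarted after a reboot (or restarted on a different port than Pi-hole forwards to). The POSIX shell audit below is an added example, not code from the post, from Pi-hole or from cloudflared. It assumes Pi-hole writes its upstreams as server=ADDR#PORT lines into /etc/dnsmasq.d/01-pihole.conf and that the @reboot entry sits in the LXC root user's crontab; the function names and the sample files it builds are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the forum post, Pi-hole or cloudflared).
# Offline audit of the setup above: every global dnsmasq upstream must be the
# local cloudflared DoH proxy, and the proxy must be started at boot on the
# same port. Assumed paths: /etc/dnsmasq.d/01-pihole.conf and `crontab -l`.

PROXY_ADDR="127.0.0.1"
PROXY_PORT="54"

# check_upstreams CONF_FILE
# Prints every global "server=" upstream that bypasses the proxy.
# Returns 0 when all global upstreams are the proxy, 1 otherwise.
check_upstreams() {
    conf="$1"
    leaks=0
    while IFS= read -r line; do
        case "$line" in
            server=*) upstream="${line#server=}" ;;
            *) continue ;;
        esac
        # server=/lan/192.168.1.1 forwards only the named domain (conditional
        # forwarding for local names); it is not a public plaintext upstream.
        case "$upstream" in /*) continue ;; esac
        if [ "$upstream" != "$PROXY_ADDR#$PROXY_PORT" ]; then
            echo "LEAK: $line sends queries in plaintext, bypassing the DoH proxy"
            leaks=$((leaks + 1))
        fi
    done < "$conf"
    [ "$leaks" -eq 0 ]
}

# proxy_port_from_crontab CRONTAB_FILE
# Prints the --port value of the @reboot cloudflared proxy-dns entry,
# or nothing if there is no such entry.
proxy_port_from_crontab() {
    sed -n 's/^@reboot[[:space:]].*cloudflared[[:space:]]\{1,\}proxy-dns.*--port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# audit CONF_FILE CRONTAB_FILE
# Returns 0 only if nothing leaks and the proxy is started at boot on the
# port Pi-hole forwards to.
audit() {
    status=0
    check_upstreams "$1" || status=1
    port=$(proxy_port_from_crontab "$2")
    if [ -z "$port" ]; then
        echo "MISSING: no @reboot cloudflared proxy-dns entry; proxy will not survive a restart"
        status=1
    elif [ "$port" != "$PROXY_PORT" ]; then
        echo "MISMATCH: crontab starts the proxy on port $port, Pi-hole forwards to port $PROXY_PORT"
        status=1
    fi
    return "$status"
}

# Constructed sample files so the checks run without a Pi-hole in front of you.
SAMPLE_DIR=$(mktemp -d)
GOOD_CONF="$SAMPLE_DIR/01-pihole.good"
BAD_CONF="$SAMPLE_DIR/01-pihole.bad"
GOOD_CRON="$SAMPLE_DIR/crontab.good"
BAD_CRON="$SAMPLE_DIR/crontab.bad"

cat > "$GOOD_CONF" <<'EOF'
server=127.0.0.1#54
server=/lan/192.168.1.1
EOF
# Sample B: the Cloudflare plaintext upstream from Pi-hole's wizard was left in.
cat > "$BAD_CONF" <<'EOF'
server=127.0.0.1#54
server=1.1.1.1
EOF
cat > "$GOOD_CRON" <<'EOF'
@reboot cloudflared proxy-dns --port 54 --upstream https://1.1.1.1/.well-known/dns-query --upstream https://1.0.0.1/.well-known/dns-query &
EOF
printf '0 3 * * * pihole -g\n' > "$BAD_CRON"

if audit "$GOOD_CONF" "$GOOD_CRON"; then echo "sample A: OK"; fi
if audit "$BAD_CONF" "$BAD_CRON"; then :; else echo "sample B: problems found"; fi
```

On a real LXC, dump the crontab first (crontab -l > /tmp/cron.txt) and run audit /etc/dnsmasq.d/01-pihole.conf /tmp/cron.txt; a non-zero exit means some queries still leave the router unencrypted or will after the next reboot.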
So in terms of why I would want to do this, the encryption is the obvious advantage – and indeed it would be a nice thing to have all of one’s DNS queries encrypted right out of the router.
Also, the learning experience of setting it up is itself valuable.
Are there any other not-so-obvious advantages to doing this?
(It’s OK if there aren’t – the encryption itself is enough.)
One question: will encrypting DNS queries this way slow things down at all?
There should be no or only a very small speed loss. It is using the HTTP/2 protocol, so HTTPS on top of it is usually very fast.
Do not forget that, thanks to CZ.NIC, Cloudflare’s DNS recursive resolver is the fastest implementation of such software; it is running on Knot. So this should still be the fastest way of having your DNS queries resolved, just after using Cloudflare without HTTPS.
When talking about DNS encryption, I suppose you know that your ISP can still use tools like pakon and see the website names you visit over HTTPS, thanks to SNI…
Sure, I know. Though they likely have way, way stronger hardware for that than the Turris Omnia, because pakon is currently capable of approx. 150 Mbit of traffic. If they are doing this kind of monitoring, they have specific hardware for it, as is often the case with ISPs.
I just wanted to make sure there’s no false sense of security.
IETF standards are moving, so in time we will likely see improvements, but I’m afraid that the progress will be slower and the low-hanging fruit is gone. Adding TLS capability to authoritative DNS servers is also being considered now (no RFC there at all yet, AFAIK). Even if names get perfectly protected, the IPs themselves are often easy to map back to the names – there are even PTR queries in DNS for that.