Pihole Cloudflare DNS via HTTPS

If you are using Pi-hole and you want to keep Pi-hole as your default DNS resolver on Turris, but want to upgrade your security by using Cloudflare’s DNS over HTTPS, keep reading…

All of this is tougher in Pi-hole because it uses dnsmasq as its DNS resolver. Dnsmasq is not yet capable of this magic, unlike kresd.

First, some assumptions for easy progress:

  1. You are using Pi-hole in LXC
  2. Debian Stretch as operating system in LXC
  3. You are not a beginner with Linux
  4. You have your Pi-hole LXC starting up automatically on every Turris reboot

How to make this work?

Start with reading this https://oliverhough.cloud/blog/configure-pihole-with-dns-over-https/

This manual worked for me but needed some tweaks.

There is no need to use tmux.
Start the cloudflared... command from the article with & at the end of the command and then hit enter. This way it will run in the background.

Proceed with all the rest that the article is talking about.

Test if it works for you. In the end you have to edit cron to start that cloudflared command on every startup of your LXC.

Then you have to edit cron via crontab -e
and add this:
@reboot cloudflared proxy-dns --port 54 --upstream https://1.1.1.1/.well-known/dns-query --upstream https://1.0.0.1/.well-known/dns-query &

Now you have your Pi-hole LXC upgraded: all your DNS queries (if they are not local) leave your router encrypted via the proxy you have just installed.
Congratulations.

2 Likes
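The steps above end with "test if it works for you". As an added example (not part of the original post), here is a small POSIX shell script that checks the result of the procedure: every Pi-hole upstream points at the local cloudflared proxy on 127.0.0.1:54, something is actually listening on that port, the crontab @reboot line uses only https:// upstreams, and a live lookup through the proxy succeeds. The path /etc/pihole/setupVars.conf and the PIHOLE_DNS_n key names are assumed from a standard Pi-hole install; the `ss -lnu` column layout is assumed from iproute2. Run it inside the Pi-hole LXC with `--live` to perform the real checks.

```shell
#!/bin/sh
# Added verification helper, not from the original post. Assumptions: cloudflared
# proxy-dns listens on UDP 127.0.0.1:54 inside the Pi-hole LXC, Pi-hole stores its
# upstreams as PIHOLE_DNS_n=... in /etc/pihole/setupVars.conf, and `ss -lnu`
# prints lines like "UNCONN 0 0 127.0.0.1:54 0.0.0.0:*".

DOH_PORT=54
SETUPVARS=/etc/pihole/setupVars.conf

# 1. Every PIHOLE_DNS_n entry must be 127.0.0.1#54. Any other upstream means some
#    queries still leave the router in clear text, bypassing the DoH proxy.
#    $1: path to setupVars.conf
pihole_upstreams_all_local() {
    file="$1"
    [ -r "$file" ] || return 1
    n=$(grep -c '^PIHOLE_DNS_[0-9]*=' "$file" || true)
    local_n=$(grep -c "^PIHOLE_DNS_[0-9]*=127\.0\.0\.1#${DOH_PORT}\$" "$file" || true)
    [ "$n" -gt 0 ] && [ "$n" -eq "$local_n" ]
}

# 2. Is a UDP socket bound to 127.0.0.1:54? Reads `ss -lnu` output from stdin so a
#    saved listing can be checked as well as a live one.
doh_listener_present() {
    grep -Eq "^UNCONN[[:space:]].*[[:space:]]127\.0\.0\.1:${DOH_PORT}[[:space:]]"
}

# 3. Does the crontab (stdin, e.g. `crontab -l`) start cloudflared proxy-dns on the
#    expected port, and are all --upstream values https:// (never plain http://)?
crontab_starts_cloudflared() {
    line=$(grep -E '^@reboot[[:space:]]+cloudflared[[:space:]]+proxy-dns' || true)
    [ -n "$line" ] || return 1
    if echo "$line" | grep -Eq -- '--upstream[[:space:]]+http://'; then
        return 1
    fi
    echo "$line" | grep -Eq -- "--port[[:space:]]+${DOH_PORT}( |\$)"
}

# 4. Live check: resolve a name through the proxy and expect an IPv4 answer.
doh_query_works() {
    dig +short +time=3 +tries=1 @127.0.0.1 -p "$DOH_PORT" example.com A \
        | grep -Eq '^[0-9]+\.'
}

# Run all four checks against the real system when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    rc=0
    pihole_upstreams_all_local "$SETUPVARS" && echo "ok: Pi-hole upstreams are 127.0.0.1#$DOH_PORT" \
        || { echo "FAIL: Pi-hole has an upstream other than the DoH proxy"; rc=1; }
    ss -lnu | doh_listener_present && echo "ok: listener on 127.0.0.1:$DOH_PORT" \
        || { echo "FAIL: nothing listening on 127.0.0.1:$DOH_PORT"; rc=1; }
    crontab -l 2>/dev/null | crontab_starts_cloudflared && echo "ok: @reboot cloudflared line present" \
        || { echo "FAIL: crontab has no valid @reboot cloudflared line"; rc=1; }
    doh_query_works && echo "ok: query through proxy answered" \
        || { echo "FAIL: query through proxy failed"; rc=1; }
    exit $rc
fi
```

The first three functions take their input from a file or stdin, so they can be run against copies of the config, the `ss` listing and the crontab from another machine; only `doh_query_works` needs to run inside the LXC.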

Thanks for sharing this.

So in terms of why I would want to do this, the encryption is the obvious advantage – and indeed it would be a nice thing to have all of one’s DNS queries encrypted right out of the router.

Also the learning experience in setting it up itself is valuable.

Are there any other not-so-obvious advantages to doing this?
(It’s OK if there aren’t – the encryption itself is enough.)

One question: will encrypting DNS queries this way slow things down at all?

There should be no or only a very small speed loss. It is using the HTTP/2 protocol, so HTTPS on top of it is usually very fast.

Do not forget that thanks to CZ.NIC, Cloudflare’s DNS recursive resolver is the fastest implementation of such software; it is running on Knot. So this should still be the fastest way of having your DNS queries resolved, just after using Cloudflare without HTTPS.

1 Like

When talking about DNS encryption, I suppose you know that your ISP can still use tools like pakon and see the website names you visit over https, thanks to SNI…

Sure I know. Even though they likely have far stronger hardware for that than Turris Omnia. Because pakon is currently capable of approx. 150 Mbit of traffic. If they are doing this kind of monitoring they do have specific hardware for that, as is often the case in ISPs.

Even though there is an interesting draft https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-02

I just wanted to make sure there’s no false sense of security.

IETF standards are moving, so in time we will likely see improvements, but I’m afraid that the progress will be slower and the low-hanging fruit is gone. Adding TLS capability to authoritative DNS servers is also considered now (no RFC there at all yet AFAIK). Even if names get perfectly protected, the IPs themselves are often easy to map back to the names – there are even PTR queries in DNS for that.

1 Like

But if we just get back to the SNI topic, PTR queries are not that effective when SNI is massively used.

1 Like

Hmm, there is no binary for armhf?

Hey, armv6 worked fine.