DNS Black-holing w/ DNS over TLS - Personal Privacy Part 1 (lemmy.ml)

submitted 5 days ago by relic4322@lemmy.ml to c/privacy@lemmy.ml

15 comments fedilink hide all child comments

So DNS Black-holing is not new obviously, and what stands out as the go to solution? Pihole probably... and yeah thats what im using because hey its a popular choice. Though I am running it in docker. Combining that with Unbound (also in docker), and configuring outbound DNS to use DNS over TLS, with a few additional minor tweaks, but otherwise mostly standard configuration on both.

Wondering what you guys might be using, and if you are using Pihole and/or Unbound if you have any tips on configuration.

Happy to share my config if there is interest.

top 15 comments

sorted by: hot top controversial new old

[-] ohshit604@sh.itjust.works 3 points 3 days ago* (last edited 3 days ago)

I got two PiHoles running on my network via Docker Compose, I tried setting up Unbound in Docker-Compose and that fell flat, from my understanding DNSSEC was preventing DNS resolution outright.

Also tried OpenSense + Unbound which led to the same thing.

Eventually got tired of having my network cutting in and out over minor changes so I just stuck with Quad9 for my upstream needs.

[-] relic4322@lemmy.ml 1 points 3 days ago

happy to share my docker-compose with pihole and unbound. im not the original author its a compilation of a few peoples. no issues. normal DNS inside the house DoT outside.

[-] ohshit604@sh.itjust.works 1 points 3 days ago* (last edited 3 days ago)

If you don't mind DM'ing me or dropping it in a comment here it would be greatly appreciated! The docker engine isn't something entirely new to me so i'm a bit skeptical into thinking that i missed something but always happy to compare with others, actually Docker is what pushed me to switch fully to Linux on my personal computers.

Snippet from my docker-compose.yml:

  pihole:
    container_name: pihole
    hostname: pihole
    image: pihole/pihole:latest
    networks:
      main:
        ipv4_address: 172.18.0.25
    # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "127.0.0.1:67:67/udp" # Only required if you are using Pi-hole as your DHCP server
      - "127.0.0.1:85:80/tcp"
      - "127.0.0.1:7643:443"
    environment:
      TZ: 'America/Vancouver'
      FTLCONF_webserver_api_password: 'insert-password-here'
      FTLCONF_dns_listeningMode: 'all'
    # Volumes store your data between container upgrades
    volumes:
      - './config/pihole/etc-pihole:/etc/pihole'
      - './config/pihole/etc-dnsmasq.d:/etc/dnsmasq.d'
      - '/etc/hosts:/etc/hosts:ro'
  #   https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN # Required if you are using Pi-hole as your DHCP server, else not needed
      - CAP_SYS_TIME
      - CAP_SYS_NICE
      - CAP_CHOWN
      - CAP_NET_BIND_SERVICE
      - CAP_NET_RAW
      - CAP_NET_ADMIN
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pihole.rule=Host(`pihole.my.domain`)"
      - "traefik.http.routers.pihole.entrypoints=https"
      - "traefik.http.routers.pihole.tls=true"
      - "traefik.http.services.pihole.loadbalancer.server.port=80"
      - "traefik.http.routers.pihole.middlewares=fail2ban@file"
 unbound:
   image: alpinelinux/unbound
   container_name: unbound
   hostname: unbound
    networks:
      main:
        ipv4_address: 172.18.0.26
   ports:
     - "127.0.0.1:5334:5335"
   volumes:
     - ./config/unbound/:/var/lib/unbound/
     - ./config/unbound/unbound.conf:/etc/unbound/unbound.conf
     - ./config/unbound/unbound.conf.d/:/etc/unbound/unbound.conf.d/
     - ./config/unbound/log/unbound.log:/var/log/unbound/unbound.log
   restart: unless-stopped

Edit: After re-reading the Unbound github and their documentation it seems i may have missed some volume mounts that are key to the function of Unbound, i'll definitely have to dive deeper into it.

[-] relic4322@lemmy.ml 1 points 3 days ago

sure thing, here you are

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      # DNS Ports
      - "53:53/tcp"
      - "53:53/udp"
      # Default HTTP Port
      - "8082:80/tcp"
      # Default HTTPs Port. FTL will generate a self-signed certificate
      - "8443:443/tcp"
      # Uncomment the below if using Pi-hole as your DHCP Server
      #- "67:67/udp"
      # Uncomment the line below if you are using Pi-hole as your NTP server
      #- "123:123/udp"
    environment:
      # Set the appropriate timezone for your location from
      # https://en.wikipedia.org/wiki/List_of_tz_database_time_zones, e.g:
      TZ: 'America/New_York'
      # Set a password to access the web interface. Not setting one will result in a random password being assigned
      FTLCONF_webserver_api_password: 'false cat call cup'
      # If using Docker's default `bridge` network setting the dns listening mode should be set to 'all'
      FTLCONF_dns_listeningMode: 'all'
      FTLCONF_dns_upstreams: '127.0.0.1#5335' # Unbound
    # Volumes store your data between container upgrades
    volumes:
      # For persisting Pi-hole's databases and common configuration file
      - './etc-pihole:/etc/pihole'
      # Uncomment the below if you have custom dnsmasq config files that you want to persist. Not needed for most starting fresh with Pi-hole v6. If you're upgrading from v5 you and have used this directory before, you should keep it enabled for the first v6 container start to allow for a complete migration. It can be removed afterwards. Needs environment variable FTLCONF_misc_etc_dnsmasq_d: 'true'
      #- './etc-dnsmasq.d:/etc/dnsmasq.d'
    cap_add:
      # See https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
      # Required if you are using Pi-hole as your DHCP server, else not needed
      - NET_ADMIN
      # Required if you are using Pi-hole as your NTP client to be able to set the host's system time
      - SYS_TIME
      # Optional, if Pi-hole should get some more processing time
      - SYS_NICE
    restart: unless-stopped
  unbound:
    container_name: unbound
    image: mvance/unbound:latest # Change to use 'mvance/unbound-rpi:latest' on raspberry pi
    # use pihole network stack
    network_mode: service:pihole
    volumes:
      # main config
      - ./unbound-config/unbound.conf:/opt/unbound/etc/unbound/unbound.conf:ro
      # custom config (unbound.conf.d/your-config.conf). unbound.conf includes these via wilcard include
      - ./unbound-config/unbound.conf.d:/opt/unbound/etc/unbound/unbound.conf.d:ro
      # log file
      - /srv/docker/pihole-unbound/unbound/etc-unbound/unbound.log:/opt/unbound/etc/unbound/unbound.log
    restart: unless-stopped

I am relatively new to docker as well tbh. I did a lot with virtualization and a lot with linux and never bothered, but I totally get the use case now ha. just an FYI, if you use docker on Windows it runs slower as it has to leverage the Windows subsystem Linux (WSL) and a slightly different docker engine (forget which one). So linux is your best bet. If you do want to use a full VM I found Qemu to be the best option for least resource usage.

[-] relic4322@lemmy.ml 1 points 2 days ago* (last edited 2 days ago)

They aren't open. But yes. It would be if they were. The are open within my VPN. :)

[-] ScoffingLizard@lemmy.dbzer0.com 1 points 3 days ago

Dumb question, but is it not a security issue to list your open ports?

[-] Jakeroxs@sh.itjust.works 2 points 3 days ago

If they use a reverse proxy, not really since they're not actually open

[-] shortwavesurfer@lemmy.zip 2 points 3 days ago

I'm using a service called Control D, which has 4 levels of free DNS. One is no blocking at all. One is only blocking malware. One is blocking malware and ads, and the other one is blocking malware, ads, and social media, like Facebook.

[-] upstroke4448@lemmy.dbzer0.com 5 points 4 days ago

Out of curiosity, why did you decide on DoT instead of DoH (DNS over HTTPS)?

[-] relic4322@lemmy.ml 5 points 4 days ago

totally arbitrary, lol. Im used to DNSSEC, saw DoT and DoH about the same time, think I saw a write up that used DoT and just went for it. Havent even compared DoT vs DoH, but DoH reminds me of Homer Simpson cuz im old XD

[-] Steamymoomilk@sh.itjust.works 5 points 4 days ago

Dammit i read it as DOH in a homer simpson voice in my head aswell!!

[-] irotsoma 4 points 4 days ago* (last edited 4 days ago)

Unbound on the router which connects upstream with DNS over TLS. Ports 53 and 853 are NATed to the phiole and several other DNS servers like Google's are blocked so devices can't bypass the pihole very easily. This is only on my primary VLAN. Other VLANs are given the Unbound DNS by default but are allowed to bypass if they insist. I have one VLAN for guests and one for trusted devices in addition to the primary one.

[-] relic4322@lemmy.ml 2 points 4 days ago

In my particular setup, I have an additional constraint and that is that my network has to be designed for portability and travel. Not that it affects your design per say. Thank you for the response. Just something that occurred to me that I hadnt mentioned.

I am living a transient life at the moment. So lots of virtualization and lack of control concerning the WAP and such.

I do like your set up btw.

[-] Darkassassin07@lemmy.ca 3 points 4 days ago

I use cloudflared to translate DNS into DNS over TLS instead of Unbound to make it into recursive DNS. Just never really seen the need to switch it. I'm happy with nextDNS + Cloudflare resolving DNS upstream.

The main thing I wanted to note is port 53 outbound is blocked at the router to prevent devices from using external/unencrypted DNS. If a LAN device wants DNS resolution they MUST use the LAN DNS servers they were given via DHCP, or use their own DoT config, as plain DNS won't make it out of the network.

It's because of this block/enforcement that I run two local DNS servers: pihole on an RPI and a mirror on my main server tower, with Galaxy-Sync keeping them identical. If I tinker with/update one, the other picks up the slack so connectivity/resolution isn't disrupted.

[-] relic4322@lemmy.ml 2 points 4 days ago

Yeah, I am pretty close to that, the pihole to unbound, unbound DoT to cloudflare. What I am doing at this point is bypassing the DNS to ISP, but as I stated in my response above, not yet blocking everything on the net from using the regular stuff. Just feasibility testing at the moment.

Love the dual setup for DNS. I set my primary to this and my secondary to just cloudflare at them moment for when I bork my primary DNS will fidgeting with it, haha.

this post was submitted on 22 Jun 2025

68 points (100.0% liked)

Privacy

39239 readers

521 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS