DNS over TLS Setup
DNS over TLS (DoT) is a protocol that encrypts your DNS queries, preventing them from being intercepted or read by third parties such as your ISP. This ensures greater privacy and security by protecting your browsing habits and reducing the risk of DNS-based attacks.
As you might have guessed, this guide covers configuring DoT with a Pi-hole. We will then set up the Pi-hole to forward DNS queries to Quad9, a privacy-focused DNS provider known for its awesome filtering of malicious domains.
1. Install and Configure Unbound
Unbound acts as a local DNS resolver for Pi-hole and is the component that talks to Quad9 over TLS.
Install Unbound
Run the following commands to install Unbound (Debian-based Pi-hole host):

    sudo apt update
    sudo apt install unbound
Configure Unbound
Edit or create the file /etc/unbound/unbound.conf.d/pi-hole.conf with the following content:

    server:
        verbosity: 1
        interface: 127.0.0.1
        port: 5353
        do-ip4: yes
        do-udp: yes
        do-tcp: yes
        # CA bundle used to verify the upstream's TLS certificate
        tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    forward-zone:
        name: "."
        forward-tls-upstream: yes
        # "#dns.quad9.net" is the authentication name: without it Unbound
        # encrypts the connection but does not check that the certificate
        # presented on port 853 actually belongs to Quad9
        forward-addr: 9.9.9.9@853#dns.quad9.net
        forward-addr: 149.112.112.112@853#dns.quad9.net
Test the Unbound Configuration
Check for errors in the configuration:

    sudo unbound-checkconf

Restart the Unbound service:

    sudo systemctl restart unbound

Verify that Unbound is working by querying it directly on port 5353. A response with status NOERROR and an answer section shows that Unbound is resolving through Quad9:

    dig @127.0.0.1 -p 5353 pi-hole.net
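The steps above are easy to get subtly wrong: a forwarder line that ends in @853 without an authentication name is encrypted but not authenticated, and a dig answer can come from a different resolver than the one you think. The following script is an added example, not part of the original guide; it lints an Unbound forwarder fragment for the properties a DoT setup needs and checks a dig answer for both its status and the server it came from. It assumes a Debian-style Pi-hole host with dig installed (dnsutils) and Unbound listening on 127.0.0.1:5353 as configured above; the file name dot-check.sh is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for the DoT
# forwarder setup. Assumes dig is installed and Unbound listens on
# 127.0.0.1:5353 as in the configuration above.

# check_dot_config: read an unbound.conf fragment on stdin; exit 0 only if
# TLS to upstream is enabled, a CA bundle is set, and every forward-addr on
# port 853 carries the "#hostname" suffix Unbound validates the certificate
# against. Each failing property is printed on stdout.
check_dot_config() {
    awk '
        /^[ \t]*forward-tls-upstream:[ \t]*yes/ { tls = 1 }
        /^[ \t]*tls-cert-bundle:/               { bundle = 1 }
        /^[ \t]*forward-addr:/ {
            n++
            if ($2 ~ /@853/ && $2 !~ /#/) unauth++
        }
        END {
            if (!tls)    { print "missing forward-tls-upstream: yes"; bad = 1 }
            if (!bundle) { print "missing tls-cert-bundle (certificate cannot be verified)"; bad = 1 }
            if (n == 0)  { print "no forward-addr lines"; bad = 1 }
            if (unauth)  { print unauth " forward-addr on 853 without #authname (encrypted but unauthenticated)"; bad = 1 }
            exit bad
        }'
}

# dig_check: read dig output on stdin; exit 0 only if the header status is
# NOERROR and the ";; SERVER:" line names the expected resolver
# (default 127.0.0.1#5353, i.e. the local Unbound instance).
dig_check() {
    expect="${1:-127.0.0.1#5353}"
    awk -v want="$expect" '
        /status:/ { sub(/.*status: */, ""); sub(/,.*/, ""); status = $0 }
        /SERVER:/ { for (i = 1; i <= NF; i++) if ($i == "SERVER:") server = $(i + 1) }
        END {
            ok = (status == "NOERROR" && index(server, want) == 1)
            if (!ok) print "status=" status " server=" server
            exit !ok
        }'
}

# Usage on the Pi-hole host (nothing runs when invoked without arguments):
#   sh dot-check.sh lint  [/etc/unbound/unbound.conf.d/pi-hole.conf]
#   sh dot-check.sh query [name]
case "${1:-}" in
    lint)  check_dot_config < "${2:-/etc/unbound/unbound.conf.d/pi-hole.conf}" ;;
    query) dig @127.0.0.1 -p 5353 "${2:-pi-hole.net}" | dig_check ;;
esac
```

Run the lint after every edit of pi-hole.conf and before restarting Unbound; the query mode is a quick post-restart check that answers really come from 127.0.0.1#5353 and not from a stale resolver entry in /etc/resolv.conf.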
2. Configure Pi-hole to Use Unbound
- Open the Pi-hole admin interface in your browser: http://<pihole ip>/admin
- Go to Settings > DNS.
- Uncheck any existing upstream DNS servers.
- In the "Custom 1 (IPv4)" field, enter: 127.0.0.1#5353
- Save your changes.
3. Optional Pi-hole DNS Settings
Adjust advanced DNS settings in the Pi-hole admin interface under Settings > DNS:
- Never Forward Non-FQDN A and AAAA Queries: Enable this to block short-name queries (e.g., mydevice).
- Never Forward Reverse Lookups for Private IP Ranges: Enable this to block reverse lookups for private IPs.
- Use DNSSEC: Disable this, as Unbound already handles DNSSEC validation.
- Conditional Forwarding: Enable this if you want Pi-hole to resolve local hostnames through your router.
4. Configure Windows to Use Pi-hole
To point a Windows machine to Pi-hole for DNS resolution:
- Open Network Settings.
- Set the Preferred DNS to your Pi-hole's IP address (e.g., 192.168.1.148).
- Leave DNS over HTTPS set to "Off".

Flush the DNS cache on your Windows machine from a command prompt:

    ipconfig /flushdns

Verify that DNS queries go through Pi-hole. The Server and Address lines at the top of the output should show your Pi-hole's IP:

    nslookup example.com
What DNS over TLS Can and Can't Do
While DNS over TLS enhances your privacy and security by encrypting your DNS queries, it is important to understand its limitations:
Can Do:
- Encrypt your DNS queries, preventing them from being intercepted by your ISP or network attackers.
- Protect against DNS manipulation or spoofing by authenticating the responses from your DNS provider.
- Stop your ISP from easily logging the domain names you visit.
Can't Do:
- Hide the IP addresses of the websites you visit. Your ISP can still see the IPs you're connecting to, even if the DNS query is encrypted.
- Provide full anonymity. Additional tools like VPNs or Tor are needed to mask all traffic and browsing activity.
- Encrypt your browsing content. Only the DNS queries are encrypted; your web traffic relies on HTTPS for encryption.
Think of DNS over TLS as one piece of a larger strategy for improving online security and privacy. While it doesn't make you anonymous, it does prevent unnecessary exposure of your DNS traffic, making it a meaningful and practical improvement for everyday internet use.