this post was submitted on 26 Jul 2023
29 points (91.4% liked)

Selfhosted

39435 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Hello, friends.

So I've had my Pi-Hole setup for awhile now and it's great. I'd like to get Wireguard working with it, too, so I could browse the internet without loads of ads and trackers on the go.

However, small issue. All DNS traffic is forcibly routed to my ISP. If you need some details, I made this post on the Pi-Hole userspace.

I'm in America and my ISP is Spectrum. I was wondering if there's a way I could convince technical support to allow me to use a recursive DNS for privacy/security (more-so the second of the two) purposes, or if it is even possible to convince them to do this. I don't know if there's a specific number I should contact, email I should email to, or if I just have to endure the nightmare of getting passed around by customer service one Saturday. Any recommendations would be great.

An interesting note for anyone who's ISP is Spectrum, their DNS service, at least for me, uses OpenDNS with dnsmasq-2.57. That version of dnsmasq is over 10 years old. You see if this is the case for you with

dig CHAOS TXT version.bind @192.33.4.12 +short
dig CHAOS TXT version.bind @198.97.190.53 +short

Or something similar if those IP addresses are different for you. You can see that running those commands were a part of the steps I was asked to take in that Pi-Hole userspace post.

EDIT 1:

For those interested, here's some Github gist I found that shows how to use unbound + stubby for have a recursive DNS + DNS-over-HTTPS. There's also this from the DNS Privacy Project.

EDIT 2:

I seems that initial answer from the Pi-Hole forums was correct. There's probably something that was set in the firmware for the Netgear router that prevents me from setting up my own DNS servers. However, I notice on the router there's a "router mode" option that's on, which I can probably turn off, plug in my Pi to the Netgear device and have the Pi act as my router, thus letting me be able to use it as my DNS server as well. That or just suck it up and buy only a modem, not a router + modem combo.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 10 points 1 year ago (2 children)

Another option you can have, install the cloudflared service on your pihole and use that as a DNS server. Cloudflared can take DNS requests from your clients and then proxy those requests over DoT to an upstream server which supports DNS over TLS. I have used Google in the past for this. I had great success with this solution inside a corporate environment which blocked port 53 to all outside the network.

[–] [email protected] 1 points 1 year ago

I know there's a way to do a recursive DNS with DNS-over-HTTPS. I believe there's a guide out there on how to do this with unbound and stubby on OpenBSD.

[–] [email protected] 1 points 1 year ago (2 children)

Could you elaborate on this please? Isn't cloudflared a tunnel INTO the machine running a service? Can you use the same tunnel for outbound traffic as well?? Where does the traffic end up? How does this work?

[–] [email protected] 2 points 1 year ago

It was a while ago, so I can't remember exactly but there is a good article here The cloudflared daemon is setup to run a standard DNS server over TCP/UDP port 53 as normal. You configure the upstream DNS to be DoT based. The clients then send DNS requests as normal to the cloudflared service and then they convert them to DoT upstream and the response is then sent back to the client as a normal DNS response.

[–] [email protected] 2 points 1 year ago (1 children)
[–] [email protected] 1 points 1 year ago

Oh, I like that! Awesome, thank you!