this post was submitted on 28 Oct 2023
119 points (96.1% liked)

Privacy

32159 readers
599 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

I use Pi-Hole and works great. I've heard about AdGuard and seems the same thing as PiHole, but you have to install an app/extension. Everyone in this community recommend NextDNS. Whats the difference between them?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 3 points 1 year ago (2 children)

Wait, you tunnel queries to your upstream DNS through a VPN? Nice.

I'll try to take a look at Blocky when I have the time

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

Wait, you tunnel queries to your upstream DNS through a VPN?

I use Tailscale to do this and it works quite well. I also use it to keep my pihole always reachable from my devices so I can continue to use it as my DNS server even when my phone is on cell data, etc.

I run a secondary Pihole on an AWS host that is also linked by tailscale as a fallback

[–] [email protected] 2 points 1 year ago

Thanks, this is a great idea.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

Yes! I have a split DNS setup with technitium using advanced forwarding plugin. You can set different upstream based on client IP or subnet. So this way you can send to vpn DNS to prevent leaking.

Also you can have multiple piholes (poor mans setup) and have each configured filtering for dedicated VLAN. For instance be more strict for guest kids and less on adults net. Adguard can do that without having to have many instances but then Adguard can’t forward traffic based on origin IP. You can make any kind of logic and send different clients to different upstreams. As far as I know only BIND provides this functionality through views but it’s more complicated setup and no lovely GUI. You can always send all traffic through tunnel but then some results may be not ideal if you will be detected to be in different country and content will be served in other language. I think results will vary based on VPN endpoint. You don’t need to tunnel through vpn if you use DNS over https. It’s completely invisible to the ISP. VPN is more of a use case if you want to be consistent with your exit IP and DNS queries.

[–] [email protected] 2 points 1 year ago

I was planning to use UnBound as my recursive resolver with Blocky behind it. As for filtering by IP, multiple instances with some simple Network ACLs should do the trick. Thanks for the idea.

The problem with UnBound is that it doesn't use TLS whilst connecting and communicating to root servers and the like. TBH your idea of using a VPN seems excellent with my use-case, and if I rotate my VPN server every now and then my ISP along with other trackers might just be lost trying to find and correlate my DNS queries to my identity. Thanks again, I need to think more about this.