this post was submitted on 28 Oct 2023
Wait, you tunnel queries to your upstream DNS through a VPN? Nice.
I'll try to take a look at Blocky when I have the time.
I use Tailscale to do this and it works quite well. I also use it to keep my Pi-hole always reachable from my devices so I can continue to use it as my DNS server even when my phone is on cell data, etc.
I run a secondary Pi-hole on an AWS host that is also linked by Tailscale as a fallback.
Thanks, this is a great idea.
Yes! I have a split DNS setup with Technitium using the advanced forwarding plugin. You can set different upstreams based on client IP or subnet. So this way you can send to the VPN DNS to prevent leaking.
Also you can have multiple Pi-holes (poor man's setup) and have each configured to filter for a dedicated VLAN. For instance, be more strict for the guest/kids net and less on the adults' net. AdGuard can do that without having to have many instances, but then AdGuard can't forward traffic based on origin IP. You can make any kind of logic and send different clients to different upstreams. As far as I know only BIND provides this functionality through views, but it's a more complicated setup and no lovely GUI. You can always send all traffic through the tunnel, but then some results may not be ideal if you are detected as being in a different country and content is served in another language. I think results will vary based on VPN endpoint. You don't need to tunnel through a VPN if you use DNS over HTTPS. It's completely invisible to the ISP. VPN is more of a use case if you want to be consistent with your exit IP and DNS queries.
I was planning to use Unbound as my recursive resolver with Blocky behind it. As for filtering by IP, multiple instances with some simple network ACLs should do the trick. Thanks for the idea.
The problem with Unbound is that it doesn't use TLS whilst connecting and communicating with root servers and the like. TBH your idea of using a VPN seems excellent for my use case, and if I rotate my VPN server every now and then my ISP along with other trackers might just be lost trying to find and correlate my DNS queries to my identity. Thanks again, I need to think more about this.
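The per-client upstream selection discussed in the split DNS comments above (different upstreams by client IP or subnet), as an added Python example that is not part of any comment in this thread and is not Technitium, Pi-hole or BIND code. The subnets, upstream names and resolver addresses are constructed, and the longest-prefix rule and the IPv4-mapped IPv6 handling are assumptions about how such a selector could behave.

```python
import ipaddress

# Constructed policy: client subnet -> (upstream name, resolver address).
RULES = {
    "192.168.10.0/24": ("vpn-dns", "10.64.0.1"),            # trusted VLAN: resolver inside the tunnel
    "192.168.20.0/24": ("strict-filter", "192.168.1.53"),   # guest/kids VLAN: stricter blocklists
    "192.168.10.50/32": ("strict-filter", "192.168.1.53"),  # one host overriding its VLAN
    "fd00:10::/64": ("vpn-dns", "10.64.0.1"),
}
# Clients matching no rule fail closed into the tunnel instead of the ISP path.
DEFAULT = ("vpn-dns", "10.64.0.1")
TUNNEL_NET = ipaddress.ip_network("10.64.0.0/24")  # constructed tunnel address range

# Most specific prefix first, so a /32 override wins over its enclosing /24.
_PARSED = sorted(
    ((ipaddress.ip_network(cidr), upstream) for cidr, upstream in RULES.items()),
    key=lambda rule: rule[0].prefixlen,
    reverse=True,
)


def normalise(client):
    """Parse a client address; unwrap IPv4-mapped IPv6 as seen on dual-stack sockets."""
    addr = ipaddress.ip_address(client)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def select_upstream(client):
    """Return (name, resolver) for the longest matching prefix, else DEFAULT."""
    addr = normalise(client)
    for net, upstream in _PARSED:
        if net.version == addr.version and addr in net:
            return upstream
    return DEFAULT


def resolver_outside_tunnel(client):
    """Audit helper: True if this client's queries go to a resolver outside TUNNEL_NET."""
    _, resolver = select_upstream(client)
    return ipaddress.ip_address(resolver) not in TUNNEL_NET


if __name__ == "__main__":
    for ip in ("192.168.10.7", "192.168.10.50", "::ffff:192.168.20.9", "172.16.0.1"):
        print(ip, select_upstream(ip), resolver_outside_tunnel(ip))
```

Without the `normalise` step, a client that appears as `::ffff:192.168.20.9` would miss its IPv4 rule and silently take the default upstream.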