Pi-hole DNS solution

[Tim Casey 3]

This has been around for a few years, but I learned about it this week from a youtube video. DNS is important to security and most routers and firewalls don't give you as much visibility as this solution.

https://pi-hole.net/2017/05/12/seven-things-you-may-not-know-about-pi-hole/

Turns out you don't need a Pi to get it running.

Now if someone could integrate this into OpenWRT that would be cool. 😉

[james mckinlay 110]

did you watch that before or after it was posted to the home firewall thread on the 24th ? 🙂

[Sean Wright 2]

You can also use Pi-Hole along with Cloudflare DNS to have DOH. Scott has a great writeup how to do this: https://scotthelme.co.uk/securing-dns-across-all-of-my-devices-with-pihole-dns-over-https-1-1-1-1/

[Steve Lord 9]

15 hours ago, Sean Wright said:

You can also use Pi-Hole along with Cloudflare DNS to have DOH. Scott has a great writeup how to do this: https://scotthelme.co.uk/securing-dns-across-all-of-my-devices-with-pihole-dns-over-https-1-1-1-1/

It's certainly feasible, but DoH is pure cancer. DoT is better, but still dependent on the web of trust. DNSCurve is probably still the best option from a technical and ideological purity perspective.

Although of course, end users may not care in the end, but we should avoid solutions that have the potential to make things worse in the long run.

[Adam Pankow 0]

I'm curious how often you guys have found DNS blocking (Pi-hole or otherwise) ends up breaking site functionality? I've seen various instances where it would be too much work to track down all the things that are being blocked and instead just switch to an unfiltered DNS server to complete whatever task I need to.

[Sean Wright 2]

I have had instances where it does break functionality, but not often. The logs are pretty decent and it's pretty simple to see what is being blocked and then whitelist it. Also there is an option to temporarily disable Pi-Hole (well stop it from blocking lookups).

[RT Hatfield 4]

9 hours ago, Steve Lord said:

It's certainly feasible, but DoH is pure cancer. DoT is better, but still dependent on the web of trust. DNSCurve is probably still the best option from a technical and ideological purity perspective.

Although of course, end users may not care in the end, but we should avoid solutions that have the potential to make things worse in the long run.

I have both Pi-Hole and an unbound instance running on my network. I point the Pi-Hole at the unbound server for filtering, and use the unbound server for DoT to Cloudflare

[Tim Casey 3]

On 9/2/2019 at 5:19 AM, james mckinlay said:

did you watch that before or after it was posted to the home firewall thread on the 24th ? 🙂

No, serendipitously I learned about pi-hole from a youtube video.

(Do you like that I replied more than a month later). 😉

I think a DNS solution/product for home use is really needed. I really don't think routers at the dmarc (that get dns from your cable provider) or access points (which just use the default gateway address as the dns address) is feature rich enough. Although a lot of cable providers are just defaulting to 8.8.8.8, 8.8.4.4 anyway. But that takes up a lot of your bandwidth.