Not a pi-hole user, but what is the plan for pi-hole once encrypted dns is everywhere? Will it just be dead? I can’t really think of a way for it not to be.
The pi-hole software turns the Raspberry Pi into a DNS server, so you can point your own DNS server (i.e. the raspberry pi) at the DNS provider of your choosing so that it can resolve uncached queries.
I don't think encryption matters because you control the sender (your PC), the first hop (the pi-hole), and the next resolution destination (Cloudflare/Quad9/Google/OpenDNS/etc.).
First, I created my own recursive resolver in the cloud using 'unbound'. You can do this quickly and easily with an EC2 instance or whatever (mine is a FreeBSD jail on my own server).
Second, I got a paid nextdns.io account and enabled the basic blocklists which are, essentially, the same as ublock origin would have locally.
Third, I set my recursive resolver to use the nextdns.io endpoint as its upstream source of DNS.
Finally, I set all of my networks to assign my personal DNS server (and no others) for all DHCP requests and I hardcoded it into my own machines.
So now I control my own dns, globally, and my upstream source of name resolution is "sanitized". Theoretically, I could just remove ublock origin from my browsers now ...
DoT isn't a big problem for a pihole, but it doesn't look like things are going that way. DoH can only be blocked by a mitm proxy. You would have to take a pretty serious security hit to do something like that with a pihole.
I've been using network-level ad blocking with software like Pi Hole for a while now.
According to the stats, about a year ago, I used to block around ~40% of traffic via DNS. Recently, it's only about ~10% of traffic that gets blocked.
Despite disabling application-level DoH in favor of network-level DoH on every device and app I could, I suspect streaming devices and various Android apps are using DoH at the application-level and are bypassing my DNS entirely.
I don't see how pi-hole get affected by DNS via https, unless you are leaving out the part about computers, tablets, and phones using hard-coded DNS servers that use DNS via https. This is a trend, but a very small one right now.
DNSSEC does not do encryption: DNSSEC is about data origin authentication. Encrypted DNS is DoT or DoH, DNS-over-TLS or DNS-over-HTTPS (and maybe in the future DoQ, DNS-over-QUIC)
buzzerbetrayed|5 years ago
dwrodri|5 years ago
I don't think encryption matters because you control the sender (your PC), the first hop (the pi-hole), and the next resolution destination (Cloudflare/Quad9/Google/OpenDNS/etc.).
rsync|5 years ago
First, I created my own recursive resolver in the cloud using 'unbound'. You can do this quickly and easily with an EC2 instance or whatever (mine is a FreeBSD jail on my own server).
Second, I got a paid nextdns.io account and enabled the basic blocklists which are, essentially, the same as ublock origin would have locally.
Third, I set my recursive resolver to use the nextdns.io endpoint as its upstream source of DNS.
Finally, I set all of my networks to assign my personal DNS server (and no others) for all DHCP requests and I hardcoded it into my own machines.
So now I control my own dns, globally, and my upstream source of name resolution is "sanitized". Theoretically, I could just remove ublock origin from my browsers now ...
Then I
Skunkleton|5 years ago
blacksmith_tb|5 years ago
0xCMP|5 years ago
skykooler|5 years ago
Spivak|5 years ago
m463|5 years ago
heavyset_go|5 years ago
According to the stats, about a year ago, I used to block around ~40% of traffic via DNS. Recently, it's only about ~10% of traffic that gets blocked.
Despite disabling application-level DoH in favor of network-level DoH on every device and app I could, I suspect streaming devices and various Android apps are using DoH at the application-level and are bypassing my DNS entirely.
anonymousisme|5 years ago
fanf2|5 years ago
throwaway2048|5 years ago