Configure Pi-Hole with DNS Over HTTPS

April 1, 2018   

Introduction

Today CloudFlare launched 1.1.1.1, a new consumer DNS resolver that promises to respect your privacy and also supports DNS over HTTPS! I’m a huge fan of Pi-Hole, which I use to block tracking, advertisements etc. across my whole network, but unfortunately Pi-Hole does not yet support DNS over HTTPS. Lucky for us, CloudFlare have released a DNS-over-HTTPS proxy (cloudflared) which we can use while we wait for Pi-Hole to catch up.

Requirements

Setup

Inside a tmux / screen session as root, start cloudflared like so:

cloudflared proxy-dns --port 54 --upstream https://1.1.1.1/.well-known/dns-query --upstream https://1.0.0.1/.well-known/dns-query

All we are doing here is starting the DNS-over-HTTPS proxy, telling it to listen on port 54 (because Pi-Hole's dnsmasq is already using 53) and passing it the upstream DNS-over-HTTPS resolvers.

Open /etc/dnsmasq.d/01-pihole.conf, comment out the old server lines and add one for our proxy:

#server=8.8.8.8
#server=8.8.4.4
server=127.0.0.1#54

Note that dnsmasq uses # and not : to separate the port in its config.

Open /etc/pihole/setupVars.conf and comment out the PIHOLE_DNS lines, for example:

API_EXCLUDE_DOMAINS=
API_EXCLUDE_CLIENTS=
API_QUERY_LOG_SHOW=all
API_PRIVACY_MODE=true
WEBPASSWORD=
PIHOLE_INTERFACE=ens32
IPV4_ADDRESS=192.168.1.39/24
IPV6_ADDRESS=
QUERY_LOGGING=false
INSTALL_WEB=true
LIGHTTPD_ENABLED=1
DNSMASQ_LISTENING=single
#PIHOLE_DNS_1=8.8.8.8
#PIHOLE_DNS_2=8.8.4.4
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSSEC=true
CONDITIONAL_FORWARDING=false

Restart dnsmasq or pihole-FTL, depending on which version of Pi-Hole you are running:

systemctl restart dnsmasq.service
systemctl restart pihole-FTL.service

Success! You should now be using DNS over HTTPS with Pi-Hole
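The two config edits above are easy to get half right, and a server= line left active in dnsmasq means some queries still leave the box in plaintext over port 53, bypassing the proxy entirely. The script below is an added example and is not part of the original post or of Pi-Hole or cloudflared: it applies the same edits (comment out every server= line, add server=127.0.0.1#54, comment out the PIHOLE_DNS_ variables) to constructed copies of the two files and then checks that the local proxy is the only active upstream. The function names, the temporary file paths and the sample file contents are all my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: apply the two config edits from
# the steps above and verify that the only active upstream is the local
# cloudflared proxy. Paths and sample file contents below are constructed.
set -eu

PROXY_SERVER="127.0.0.1#54"   # dnsmasq separates host and port with '#', not ':'

# Comment out every active server= line except the proxy line, then append
# the proxy line if it is not already present. Safe to run more than once.
point_dnsmasq_at_proxy() {
    conf="$1"
    sed -e '/^server=127\.0\.0\.1#54$/b' \
        -e 's/^server=/#server=/' "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
    if ! grep -qx "server=${PROXY_SERVER}" "$conf"; then
        printf 'server=%s\n' "$PROXY_SERVER" >> "$conf"
    fi
}

# Comment out the PIHOLE_DNS_n entries, which Pi-Hole reads when it
# regenerates its dnsmasq config, so the old plaintext upstreams do not return.
disable_pihole_dns_vars() {
    conf="$1"
    sed -e 's/^PIHOLE_DNS_/#PIHOLE_DNS_/' "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Return 0 only if every active server= line is the proxy and no active
# PIHOLE_DNS_ variable remains; otherwise a plaintext fallback still exists.
only_proxy_upstream() {
    dnsmasq_conf="$1"
    setupvars="$2"
    if grep '^server=' "$dnsmasq_conf" | grep -vx "server=${PROXY_SERVER}" | grep -q .; then
        return 1
    fi
    if grep -q '^PIHOLE_DNS_' "$setupvars"; then
        return 1
    fi
    return 0
}

# Demonstration on constructed copies of the two files (never touches /etc).
demo() {
    work=$(mktemp -d)
    printf 'server=8.8.8.8\nserver=8.8.4.4\n' > "$work/01-pihole.conf"
    printf 'PIHOLE_DNS_1=8.8.8.8\nPIHOLE_DNS_2=8.8.4.4\nDNSSEC=true\n' > "$work/setupVars.conf"

    if only_proxy_upstream "$work/01-pihole.conf" "$work/setupVars.conf"; then
        echo "unexpected: plaintext upstreams were not detected"
    fi
    point_dnsmasq_at_proxy "$work/01-pihole.conf"
    disable_pihole_dns_vars "$work/setupVars.conf"
    if only_proxy_upstream "$work/01-pihole.conf" "$work/setupVars.conf"; then
        echo "ok: only active upstream is ${PROXY_SERVER}"
    else
        echo "FAIL: a plaintext upstream is still active"
    fi
    cat "$work/01-pihole.conf"
    rm -rf "$work"
}

demo
```

To use it on a real Pi-Hole, call point_dnsmasq_at_proxy /etc/dnsmasq.d/01-pihole.conf and disable_pihole_dns_vars /etc/pihole/setupVars.conf as root, run only_proxy_upstream on the same two files before restarting, and once cloudflared is up confirm the proxy itself answers with dig @127.0.0.1 -p 54 <some name>. The check is deliberately strict: any uncommented server= line other than the proxy fails it, because that is exactly the line that would let queries leak past the HTTPS tunnel.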