In the previous blog entry [Pi-hole with DNS-over-TLS] I set up Stubby for DNS-over-TLS on the Pi-hole. I want to do the same now for DNS-over-HTTPS (DoH), but neither Stubby nor Unbound supports the young protocol, which answers DNS queries via HTTPS. Some browsers have now integrated DoH, but I would like to protect all DNS queries from my home network. Therefore I use the client of Cloudflare written in Go:
More about the Pi-hole and installation instructions can be found here:
Some time ago I installed a Pi-hole on a Raspberry Pi at home to filter unwanted ads. This works very well after some startup problems (self-made firewall problems). This will now filter all network traffic on my network, including TVs, smartphones, tablets, and so on.
Devices such as smartphones, which often feature in-app ads, benefit especially from filtering DNS requests directly on the DNS server. Not only are ads filtered, but also trackers from Samsung TV, Google Analytics or Sonos (which can't be turned off).
More information about the Pi-hole and instructions for installation can...
Anyone who has dealt with the security of the DNS protocol has had to realize that it can be manipulated, monitored and censored without much effort. This censorship is not only theory; it is already implemented by various countries. To address these issues in the DNS protocol, several extensions were specified, such as DNSSEC with DANE/TLSA to detect man-in-the-middle attacks. The newest approaches in this area go a step further and encrypt all DNS traffic.