Pi-hole + NextDNS

dns-over-tls Mar 21, 2020

So I very recently blogged about using Pi-hole with dnscrypt-proxy. What I was aiming for was for Pi-hole to talk to dnscrypt-proxy, which in turn would talk to NextDNS (via DNS over TLS). I couldn't find a way to do this, so instead I resorted to Stubby.

Stubby

Installation was pretty simple:

  1. Install stubby via apt: sudo apt install stubby
  2. Edit the file /etc/stubby/stubby.yml
  3. Under the listen_addresses section, change it to:

       listen_addresses:
         - address_data: 127.0.0.1
           port: 5353
         - address_data: 0::1
           port: 5353

  4. Change round_robin_upstreams: 1 to round_robin_upstreams: 0
  5. Change the upstream_recursive_servers section to what is shown in your account at NextDNS. This is available under the Setup tab: select Linux and then look for the Stubby section.
  6. Restart stubby: sudo systemctl restart stubby
  7. Set up/install Pi-hole
  8. In your Pi-hole instance, change your upstream DNS to 127.0.0.1#5353
  9. Test your configuration: dig @<pi-hole_ip> www.google.com (where <pi-hole_ip> is the IP address of your Pi-hole server).
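As an added example (not from the original post), a small shell script that checks the finished chain: Stubby listening on 127.0.0.1:5353 with round-robin off and strict TLS authentication, and every Pi-hole upstream pointing at that listener so no query slips past the DoT path in plaintext. It assumes Stubby's config at /etc/stubby/stubby.yml and Pi-hole's /etc/pihole/setupVars.conf with its PIHOLE_DNS_n keys; the embedded sample configs are constructed and the NextDNS server values are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Stubby's config at /etc/stubby/stubby.yml
# and Pi-hole's /etc/pihole/setupVars.conf with PIHOLE_DNS_n keys; sample data is constructed.
# 0 if stubby.yml listens on 127.0.0.1:5353, has round-robin off and keeps strict TLS auth
check_stubby_conf() {
  # the 127.0.0.1 listener entry must be followed directly by "port: 5353"
  awk '/address_data:[[:space:]]*127\.0\.0\.1[[:space:]]*$/ {want=1; next}
       want && /port:[[:space:]]*5353[[:space:]]*$/ {found=1}
       {want=0} END {exit !found}' "$1" || return 1
  grep -qE '^[[:space:]]*round_robin_upstreams:[[:space:]]*0[[:space:]]*$' "$1" || return 1
  # strict mode: Stubby must validate the upstream certificate against its tls_auth_name
  grep -qE '^[[:space:]]*tls_authentication:[[:space:]]*GETDNS_AUTHENTICATION_REQUIRED' "$1" || return 1
  grep -qE '^[[:space:]]*tls_auth_name:' "$1" || return 1
}

# 0 if every Pi-hole upstream is the local Stubby listener, so no query bypasses DoT
check_pihole_upstreams() {
  grep -q '^PIHOLE_DNS_1=127\.0\.0\.1#5353$' "$1" || return 1
  # any other PIHOLE_DNS_n entry that is not Stubby (v4 or v6) would send plaintext DNS upstream
  ! grep -E '^PIHOLE_DNS_[0-9]+=' "$1" | grep -vE '=(127\.0\.0\.1|::1|0::1)#5353$' | grep -q .
}

# the post's end-to-end test, run only when dig is installed; prints the answer records
live_check() { command -v dig >/dev/null 2>&1 && dig @"$1" www.google.com +short; }

# constructed stubby.yml matching the post; server address and auth name are placeholders
sample_stubby() {
cat <<'EOF'
listen_addresses:
  - address_data: 127.0.0.1
    port: 5353
  - address_data: 0::1
    port: 5353
round_robin_upstreams: 0
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
upstream_recursive_servers:
  - address_data: 192.0.2.1
    tls_auth_name: "replace-with-name-from-nextdns.example"
EOF
}
# constructed setupVars.conf with both Pi-hole upstreams pointed at Stubby
sample_setupvars() { printf 'PIHOLE_DNS_1=127.0.0.1#5353\nPIHOLE_DNS_2=0::1#5353\n'; }

if [ "${CHECK_REAL_CONFIG:-0}" = 1 ]; then   # CHECK_REAL_CONFIG=1 ./dot-check.sh <pi-hole_ip>
  check_stubby_conf /etc/stubby/stubby.yml && echo "stubby: ok" || echo "stubby: FIX"
  check_pihole_upstreams /etc/pihole/setupVars.conf && echo "pi-hole: ok" || echo "pi-hole: FIX"
  [ -n "$1" ] && live_check "$1"
fi
```

Run it with CHECK_REAL_CONFIG=1 on the Pi-hole host to check the real files; without that variable it only defines the functions, which is handy for sourcing from other scripts.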

Sean Wright

Lead Software Security Engineer and OWASP chapter leader, with special interest in web based security as well as TLS security (views are of my own and not of my current employer).
