Pi-hole + NextDNS

dns-over-tls Mar 21, 2020

So I very recently blogged about using Pi-hole with dnscrypt-proxy. What I was aiming for was Pi-hole to talk to dnscrypt-proxy, which in turn would talk to NextDNS (via DNS over TLS). I couldn't find a way to do this, so instead resorted to Stubby.


Installation was pretty simple:

  1. Install stubby via apt: sudo apt install stubby
  2. Edit the file /etc/stubby/stubby.yml
  3. Under the listen_addresses section change it to:

       - address_data:
         port: 5353
       - address_data: 0::1
         port: 5353

  4. Change round_robin_upstreams: 1 to become round_robin_upstreams: 0
  5. Change the upstream_recursive_servers section to match what is shown in your NextDNS account. This is available under the Setup tab: select Linux and then look for the Stubby section.
  6. Restart stubby: sudo systemctl restart stubby
  7. Set up/install Pi-hole
  8. In your Pi-hole instance, change your upstream DNS become
  9. Test your configuration: dig @<pi-hole_ip> www.google.com (where <pi-hole_ip> is the IP address of your Pi-hole server).
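Before pointing Pi-hole at Stubby, the Stubby settings from the steps above can be linted with a small shell function. This is an added example, not code from the original post; it goes slightly further than the steps by also checking the standard Stubby keys tls_authentication and dns_transport_list. The 127.0.0.1 listen address, 192.0.2.1 and CONFIG_ID.dns.example in the sample are constructed placeholders, not NextDNS values.

```shell
#!/bin/sh
# Lint a stubby.yml: prints one FAIL line per problem, returns non-zero if any.
check_stubby_conf() {
    awk '
    function bad(msg) { print "FAIL: " msg; problems++ }
    # Drop comments, then skip lines that are empty.
    { sub(/[ \t]*#.*$/, ""); if ($0 ~ /^[ \t]*$/) next }
    # An unindented "key:" starts a new top-level section.
    /^[a-z_]+:/ { section = $1; sub(/:$/, "", section); top[section] = $2; next }
    section == "listen_addresses" && $1 == "-" { listen++ }
    section == "listen_addresses" && $1 == "port:" && $2 == 5353 { on_5353++ }
    section == "upstream_recursive_servers" && /- address_data:/ { upstreams++ }
    section == "upstream_recursive_servers" && $1 == "tls_auth_name:" { named++ }
    section == "dns_transport_list" && $1 == "-" &&
        $2 != "GETDNS_TRANSPORT_TLS" { cleartext++ }
    END {
        if (!listen || listen != on_5353)
            bad("every listen_addresses entry needs port: 5353")
        if (top["round_robin_upstreams"] != "0")
            bad("round_robin_upstreams is not 0")
        if (!upstreams || upstreams != named)
            bad("every upstream needs a tls_auth_name for certificate checks")
        if (top["tls_authentication"] != "GETDNS_AUTHENTICATION_REQUIRED")
            bad("tls_authentication is not GETDNS_AUTHENTICATION_REQUIRED")
        if (cleartext) bad("dns_transport_list allows a non-TLS transport")
        exit (problems > 0)
    }' "$1"
}

# Constructed sample config; every address and name here is a placeholder.
sample_conf() {
    cat <<'EOF'
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
round_robin_upstreams: 0
listen_addresses:
  - address_data: 127.0.0.1
    port: 5353
  - address_data: 0::1
    port: 5353
upstream_recursive_servers:
  - address_data: 192.0.2.1
    tls_auth_name: "CONFIG_ID.dns.example"
EOF
}

sample_conf | check_stubby_conf - && echo "sample config passes"
```

Against a real install, call it as check_stubby_conf /etc/stubby/stubby.yml before restarting stubby.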


Sean Wright

Lead Application Security SME at Immersive Labs with an origin as a software developer. Primarily focused on web based application security with a special interest in TLS related subjects.
