Skip to content

Pi-hole as DNS Server with DNS over HTTPS (DOH) Based on Ubuntu/Debian Server🔗

You can read about Pi-hole at their Official Website

webgui

Our setup fully depends on pi-hole dns server, that's why we use two servers one as primary DNS Server and the second as secondary DNS server.

We configured our router as a DNS server for all the DHCP clients. This way all the clients requests the router to resolve the DNS.

At the router we configured the primary and the secondary DNS as our pi-hole servers.

network flow
  • Virtual servers based on Ubuntu Server Release.
  • All the installation was under Root User

Installing Pi-hole🔗

Just follow the official One-Step Automated Install

We used the "Method 1: Clone our repository and run"

git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole
cd "Pi-hole/automated install/"
sudo bash basic-install.sh

Installing DNS-Over-HTTPS (Cloudflared Daemon)🔗

wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb
sudo apt-get install ./cloudflared-stable-linux-amd64.deb
cloudflared -v

Now we configure Cloudflared Daemon to run on port then 5053 and provide it the DNS servers for resolving. We use the primary DNS server of cloudflare and secondary of google for redundancy.

mkdir /etc/cloudflared/
nano /etc/cloudflared/config.yml

Copy the following configuration:

proxy-dns: true
proxy-dns-port: 5053
proxy-dns-upstream:
  - https://1.1.1.1/dns-query
  - https://8.8.8.8/dns-query

Now install the service via cloudflared's service command:

cloudflared service install

Start, Enable on boot and Test

systemctl start cloudflared
systemctl enable cloudflared
systemctl status cloudflared

Now test that it is working! Run the following dig command, a response should be returned similar to the one below:

[email protected]:~ $ dig @127.0.0.1 -p 5053 google.com

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> @127.0.0.1 -p 5053 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12157
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 22179adb227cd67b (echoed)
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             191     IN      A       172.217.22.14

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Wed Dec 04 09:29:50 EET 2019
;; MSG SIZE  rcvd: 77

Configure Pi-Hole with DNS-Over-HTTPS🔗

Finally, configure Pi-hole to use the local cloudflared service as the upstream DNS server by specifying 127.0.0.1#5053 as the Custom DNS (IPv4):

dnsSettings

Advanced DNS settings

nadvSettings

We use two blocklists that update daily they don't break any normal functionality and doing a good job for blocking ads

nadvSettings

Since pi-hole now is the only dns server in our system, we want to update it on daily base. Which includes the Ubuntu OS, pi-hole, and the blocklists. For this case we will use this Auto Update Script, to update our system and clean all unused packages.

wget https://raw.githubusercontent.com/fire1ce/debianAutoUpdate/master/debianAutoUpdate.sh
chmod +x debianAutoUpdate.sh
ln -s ${PWD}/debianAutoUpdate.sh /usr/bin/autoupdate

Last step is to use crontab jobs to run all the needed updates and reboot the server. Since we will be using two servers the jobs will be executed in different time so one of the servers should be online and working while the other performs the update maintains.

crontab -e

Append this to the end of the file

0 2 * * *  /usr/bin/autoupdate
15 2 * * * /usr/local/bin/pihole -up
30 2 * * *  /usr/local/bin/pihole -g
45 2 * * *  /sbin/shutdown -r now

This will run all the following

  • autoupdate updates and cleanup the system at 2:00
  • pihole -up updates all pihole components at 2:15
  • pihole -g updates the blocklists at 2:30
  • shutdown -r now reboot the server 2:45

On the second pihole server we use this cron:

0 3 * * *  /usr/bin/autoupdate
15 3 * * * /usr/local/bin/pihole -up
30 3 * * *  /usr/local/bin/pihole -g
45 3 * * *  /sbin/shutdown -r now

The finial step is to configure your router to use your new pi-hole-doh servers as primary and secondary DNS servers.

Comments