You are reading a single comment by @hippy and its replies. Click here to read the full conversation.
  • I do run NetGuard... but I want a single config across every device of mine even when they're outside the home.

    I also want to get to the point where I can write firewall rules like "block UDP port 53 that isn't from Pi-Hole".

    And the biggest problem with running Pi-Hole out on the web appears to be that you really want to be running DNS-over-TLS and/or DNS-over-HTTPS and having your devices call those. This is possible (though a pain in the arse), but the risk of not doing it is that your public UDP port 53 DNS server would be used as part of a DDoS reflection attack very quickly.


    1. One base config for malware/tracking/advertising protection everywhere (anything like NetGuard is additive on top)


    1. Must be able to run DNS-over-TLS and DNS-over-HTTPS... which Pi-Hole doesn't do yet (as dnsmasq doesn't support it and they're not using knot or kresd).
    2. Must be OK to block inbound UDP port 53

    So at the moment Pi-Hole looks like it won't work... it's close, but looks like I'd need to do it myself still.

  • Yeah, but they don't yet do DNS-over-TLS which is what Android 9+ considers "Private DNS" and allows you to define DNS servers without needing a VPN app.

    DNS-over-HTTPS takes care of "how will I get my home Pi-Hole replicating my internet Pi-Hole without UDP port 53", and DNS-over-TLS takes care of "how will I get my internet devices securely getting DNS from my internet Pi-Hole".

    So what I'm seeking to achieve is that the internet one is my primary Pi-Hole, and my home one is a secondary (reading from the primary but also cloning config should the primary be down).


Avatar for hippy @hippy started