Hello,
DNSSEC is not for encrypting the DNS request; it is used for making the DNS data itself more secure by using digital signatures based on public key cryptography. With DNSSEC, it’s not the DNS queries and responses themselves that are cryptographically signed, but rather the DNS data itself that is signed by the owner of the data.
What I did to achieve what you describe above is to spin up a specialized PiHole instance with preconfigured DoH to Cloudflare.
I am using the following docker image: azamserver/pihole-doh
I am just lazy and using someone else’s work here, but you are of course welcome to create your own image for this purpose.
The container configuration:
container {
    name pihole {
        environment DNS1 {
            value 127.0.0.1#5053
        }
        environment TZ {
            value <Your Timezone>
        }
        environment WEBPASSWORD {
            value <SuperSecretPassword123>
        }
        image azamserver/pihole-doh:latest
        network con_net {
            address 10.1.0.9
        }
        port dns_udp {
            destination 53
            protocol udp
            source 5353
        }
        port web_mgmt_tcp {
            destination 80
            protocol tcp
            source 8080
        }
        volume pihole_config {
            destination /etc/pihole/
            source /config/podman/pihole/config
        }
        volume pihole_dnsmasq {
            destination /etc/dnsmasq.d/
            source /config/podman/pihole/dnsmasq
        }
        volume pihole_log {
            destination /var/log/pihole/
            source /config/podman/pihole/log
        }
    }
    network con_net {
        prefix 10.1.0.0/24
    }
}
Note: Persistent volumes are optional. I am using the local DNS function for all my internal DNS records and I of course want that to be persistent. If you do not need this feature, you can ignore the volume mapping.
I decided not to use any container capabilities/permissions and I am doing a port mapping for what I want to have. The web_mgmt_tcp port is optional, and the source port for dns_udp can be anything above the privileged ports (>1024).
I have then configured DNS forwarding, and all my internal clients are using a VyOS VLAN interface as their DNS server:
service {
    dns {
        forwarding {
            allow-from <Required field, specify your desired range of allowed IPs>
            cache-size 0
            listen-address <Your DNS listen Address>
            name-server 127.0.0.1 {
                port 5353
            }
        }
    }
}
This would also of course require SNAT rules for your container network to allow PiHole to reach out to Cloudflare for lookups.
Note: If you are using a zone-based firewall, you need to add the container network interface to your desired zone!
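The SNAT rule the post refers to, as an added example that is not part of the original post. It assumes VyOS 1.4 syntax (the same release that provides the container node; older releases write outbound-interface eth0 without the name sub-node) and that eth0 is the WAN-facing interface, so adjust the rule number and interface to your own setup:

```vyos
nat {
    source {
        rule 100 {
            outbound-interface {
                name eth0
            }
            source {
                address 10.1.0.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
```

The rule only needs to match the container prefix (10.1.0.0/24 from the con_net network above), not your client VLANs, since clients never talk to Cloudflare directly; they only reach the forwarder on the VyOS listen-address, which the allow-from range restricts.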