DNS Services

[Preskitt.man]

I apologize in advance for this post to the extent it has been answered in previous postings. I make this post for 1 basic reason, no where can I find a posting that basically ties all the options together to allow one to make a rational choice..
A) On the WAN tab. Once can let ISP (default choice) make a DNS assignment and at the same time make DNS over TLS server assignments which I presume override the ISP DNS
B) DHCP tab. One can name 2 DNS server entries DNS1/ 2 (currently blank) as well as make Manual Assignments - assigning either "Default" or some specific DNS server assignment to a specific client
C) DNS Filter Tab: By Default off, but when turned on (as mine is), can specify a global filter and 3 custom filters. Global Filter is set to value of "Router", though plenty of other choices, and each Custom Filter can be set to a specific IP address (though also plenty of other choices) - presumably an IP of a service that provides DNS services. Then for specified network devices (identified by MAC address), you can in turn specify Default/Custom1/Custom2/Custom3
D) And then obviously for network devices (in particular PC's), one can either accept the Default choice which is the DNS service the router (network) passes back or one can specify a DNS service of choice.

Individually, I sort of think I understand each of these criteria, but collectively I am totally confused how they interact with each other.
What I do have set is on the WAN page, a) Prevent client over ride for DOH is set to Auto, and opportunistic setting for TLS, with specific IP's for Cloudfare's DNS
On the DHCP page, I have "Advertise router's IP in addition to user-specified DNS" set to Yes; Enable Manual Assignment set to Yes and a bunch of my network clients set to "default" DNS service.

Until recently, this was the extent of my tinkering and I do believe that most / all of my clients were going to cloudfare with DNS over TLS present. This was based on going to 1.1.1.1/help and reading the feedback.

Then I inherited a Raspberry PI with pi-hole installed. So hooked that up to my network, enabled DNS filtering and set as Custom 1: 1.1.1.1; Custom 2: 1.0.0.1 and Custom 3 192.168.1.167 (the address of the Raspberry Pi) I then took many (but not all) of my network devices and entered them into the table, pointing them to Custom 3 (pi-hole). Pi-hole has no special rules - just a vanilla setup.

This seems to be working based on 2 observations - When I go to the pi-hole dashboard, see lots of evidence of blocked DNS requests and when I query from my PC 1.1.1.1/help - still seeing DNS over TLS
Great - but I would like to understand better what is going on here, and is there a more efficient way to accomplish my goal. My goal. My goal, as you might have gathered is:
1) For all (most) of my network devices, have DNS routed through Pi-hole and assuming Pi-Hole doesn't block anything, have it go on to Cloudfare as DNS over TLS.
2) No special setup of individual devices at the device level for DNS
3) Do this more or less in the most efficient manner possible
4) Understand what is really going on here. So, if my priorities change, I can adjust this.

Thanks for all those who had the patience to read through this, and even more thanks for those who answer.

 

[Crimliar]

I run both Diversion (1.0.0.2 & 1.1.1.2) on the router and have a Pi-hole pointed at a paid-for SDNS service. For what you seem to be trying to do Diversion alone would look like the better bet. The basic setup would be on the WAN>Internet Connection page, have your base DNS pointed at your ISPs DNS, and then just use the DNS privacy controls to point to the Cloudflare DNS.

Thats the simple soft way to do it. If you insist on using the Pi-Hole, you'll probably be needing to Unbound in order to enable DoT, or even try AdGuard Home!
Don't over complicate it, don't over think it, and don't go all authoritarian over it!

 

[bbunge]

Your goal of using the Pi-Hole as the LAN clients DNS server is best managed by entering the IP address of the Pi-Hole in LAN/DHCP-Server/DNS Server 1. Leave the WAN DNS settings as you have them. Set the DNS Director or Filter to Router or the custom setting for the Pi-Hole and set the Pi-Hole to no filtering. Do not enter any DNS server IP address in the Manual Assignment.
This way the router when booted will get its time set by resolving the time server through the WAN DNS Server settings, the clients will get an IP address via DHCP with their DNS set to Pi-Hole and the router.
For added security I recommend you use CloudFlare Security at 1.1.1.2 and 1.0.0.2 with a TLS Hostname of security.cloudflare-dns.com (theseare manual entries in WAN).
I have added Stubby to Pi-Hole to enable DoT which works quite well. There is a how to for this on the Pi-Hole forum somewhere. I can also provide instructions for this.

 

[Tech9]

and then just use the DNS privacy controls to point to the Cloudflare DNS

On your screen shot Opportunistic profile means only when available. You have to set it to Strict to ensure the use of DoT.

 

[Crimliar]

On your screen shot Opportunistic profile means only when available. You have to set it to Strict to ensure the use of DoT.

Yup, I understand that when you use "opportunistic" then servers will still be used even if they fail to authenticate. It all depends on how authoritarian you feel the need to be on this. I prefer a little extra assurance over total control. Maybe I'll change my position when the setting causes me real-world issues!

 

[bennor]

Then I inherited a Raspberry PI with pi-hole installed.

What is your end goal for using Pi-Hole? To route all LAN client DNS requests to it?

If you are using Pi-Hole and you have enabled "Advertise router's IP in addition to user-specified DNS" in the Merlin GUI then there will always exist the possibility that a LAN client DNS request could bypass the Pi-Hole. This is why when using Pi-Hole it is typically recommended one set "Advertise router's IP in addition to user-specified DNS" to No.

If you want to force all LAN Client DNS requests through the Pi-Hole then enable DNSFilter. Set the Global Filtering Mode to: Router. Leave the three Custom (User-Defined) DNS entries blank. Input/select the Pi-Hole's MAC address in the Client MAC Address, then set the Filter Mode to No Filtering then click the Add (plus icon) to add the Pi-Hole to the Client List. Then click the Apply button at the bottom of page to save the changes/settings. This way it should force LAN clients to use the Pi-Hole for DNS queries.

While Asus may recommend one input the Pi-Hole IP address into the WAN DNS fields for later Asus router firmware, the Pi-Hole documentation recommends only inputting put Pi-Hole IP addresses into the DHCP LAN DNS entry fields.

 

[Tech9]

Maybe I'll change my position when the setting causes me real-world issues!

You don't have issues. Your router may be using your ISP DNS from time to time. If you generate many DNS queries like the tests below you may see your ISP DNS server in the mix. Cloudflare is pretty reliable and you can use Strict to prevent this from happening.

DNS Leak Test

The DNS Leak Test is a tool used to determine which DNS servers your browser is using to resolve domain names. This test attempts to resolve 50 randomly generated domain names, of which 25 are IPv4-only and 25 are IPv6-only.

browserleaks.com

dnscheck.tools - check your dns resolvers

A tool to test for DNS leaks, DNSSEC validation, and more

dnscheck.tools

 

[Preskitt.man]

Ok - made the changes you suggested: On the LAN/DHCP page, made DNS1 point to pi-hole. On DNS filter page, Global was set to router, and for the client list, i insert Raspberry Pi's address with No Filtering. WAN page I left alone. On the plus side, client activity still works, and appears to be filtered by pi-hole. But, when I go to 1.1.1.1/help, DNS over TLS (and DOH) are now both off. Before, TLS was on. It does show I am using Cloudfare as my DNS server; and when I go to pi-hole config, the upstream DNS servers are specified as Cloudfare (DNSSEC)

 

[bennor]

Ok - made the changes you suggested: On the LAN/DHCP page, made DNS1 point to pi-hole. On DNS filter page, Global was set to router, and for the client list, i insert Raspberry Pi's address with No Filtering. WAN page I left alone. On the plus side, client activity still works, and appears to be filtered by pi-hole. But, when I go to 1.1.1.1/help, DNS over TLS (and DOH) are now both off. Before, TLS was on. It does show I am using Cloudfare as my DNS server; and when I go to pi-hole config, the upstream DNS servers are specified as Cloudfare (DNSSEC)

Some further reading to get you started...

cloudflared (DoH) - Pi-hole documentation

docs.pi-hole.net

Implement DNS-over-TLS capability in Pi-hole

Requested behaviour Although there is an experimental implementation of DNS-over-TLS through the use of Stubby, official support coming to Pi-hole would greatly enhance the privacy aspects of the Pi-hole. DNS-over-TLS is in essence an encrypted tunnel through which the DNS-requests are send...

discourse.pi-hole.net

Pi-hole for DNS-over-TLS - the Simplest Way

If you are trying to use pihole as a DNS-over-TLS endpoint, here is how I did it, in the lightest weight way possible. Using stunnel. Why stunnel? Because it is the simplest, lightest weight solution that purely acts as a SSL/TLS termination layer and from there on it is just a TCP proxy. That...

discourse.pi-hole.net

 

[Preskitt.man]

OK - following the gist of the advice given, I have let the WAN page alone (it does point to Cloudfare and has TLS specified. On the LAN/DHCP page, I point DNS Server1 to pi-hole and do not advertise routers IP; and on the DNS filter page, I have Global set to Router and entered in the MAC address of pi-hole and specified no filtering. While I haven't stress tested all this (and not a lot of stress goes on in my home setup), all my DNS requests seem to be filtered through pi-hole before going to Cloudfare and am using the 1.1.1.2/1.0.0.2 address of cloudfare.

I have figured out with assistance from above, that until I add some components to pi-hole, I will not be getting DNS over HTTPS nor DNS over TLS. From what I've also been reading, it's questionable that much benefit would come from that.

Thanks all for the assistance.

 

[coxhaus]

QUAD9 is the way to go. It is free. OpenDNS kind of started this and Cisco bought them. These are the only 2 I would use.
I would not use Cloudflare anything. But that is me in the USA.

 

[Preskitt.man]

QUAD9 is the way to go. It is free. OpenDNS kind of started this and Cisco bought them. These are the only 2 I would use.
I would not use Cloudflare anything. But that is me in the USA.

And why not Cloudfare? I've heard mostly good about them.

 

[netmik3]

I love quad 9 because of the extra security. Also never use B normally

 

[Mister2088]

Has anyone used OpenDNS Home with Dns-over-tls ? It supposedly works but as it is not in the UI drop-down list:
1. Is it because it really does not work well with DOT?
2. If is does work, is the server to use for DOT 'dns.umbrella.com' or 'dns.opendns.com'<-- cannot seem to find a straight answer
3. Ping seems just as fast as cloudflare for me (re. 1.1.1.2) but does anyone have any + or - to share?

I know privacy is not as good as cloudflare but hey, if you are on the internet, are you really that private?

BTW, I would like to use quad9, but for some reason, I am in Toronto, it routes to New York and by-passes the Toronto exchange, thus making response 3 x slower than cloudflare.

 

[netmik3]

Has anyone used OpenDNS Home with Dns-over-tls ? It supposedly works but as it is not in the UI drop-down list:
1. Is it because it really does not work well with DOT?
2. If is does work, is the server to use for DOT 'dns.umbrella.com' or 'dns.opendns.com'<-- cannot seem to find a straight answer
3. Ping seems just as fast as cloudflare for me (re. 1.1.1.2) but does anyone have any + or - to share?

I know privacy is not as good as cloudflare but hey, if you are on the internet, are you really that private?

BTW, I would like to use quad9, but for some reason, I am in Toronto, it routes to New York and by-passes the Toronto exchange, thus making response 3 x slower than cloudflare.

I used to use them before switching to quad9 because they didn't support dot only doh. Did they add it?

I guess they finally do just a few months ago

Use "dns.opendns.com" umbrella is the paid enterprise one
https://support.opendns.com/hc/en-us/community/posts/4418984676756-DNS-Over-TLS-Opendns#:~:text=DNS provider hostname" =-,dns.opendns.com,-> Save. Use Google

 

[Tech9]

Has anyone used OpenDNS Home with Dns-over-tls ?

Yes, and it's fast in Toronto with local servers in Toronto. Not in drop down list, you have to add it manually:

208.67.222.222 dns.opendns.com
208.67.220.220 dns.opendns.com

Quad9 is slow and unreliable around here.

 

[Mister2088]

So I have been playing around with dns dot servers. Some observations:
1. Tried opendns. Does not resolve with dns.opendns.com but does with dns. umbrella.com.
2. Tried cira canadian shield protect.
A. Says it supports dnssec validation but some sites, even cira's own does not resolve when using dnssec validation. However they work without
B. Although ping tests are in line with cloudflare, actual resolving is much slower than 1.1.1.2
So to me, I am sticking with cloudflare 1.1.1.2 and quad9 using Dot with dnssec combination. All works well, fast, dnssec validatand have no issues after months of use.
Ymmv

 

[Tech9]

Does not resolve with dns.opendns.com

It does. Check your settings.

 

[crazyindianstranger]

It does. Check your settings.

Yes, it does, I can confirm.