pihole dnsdist
Pihole is an ad-blocking DNS server that is versatile and easy to configure. It uses dnsmasq as its DNS server, tightly integrated into its configuration. To improve security, dnsdist (1.4 and up) can be placed in front of it to add DoT (DNS over TLS) and DoH (DNS over HTTPS) transports. Here's how:
- install dnsdist from repo.powerdns.com
- make sure you configure pihole to listen to all interfaces
- put the following in /etc/dnsdist/dnsdist.conf:

```lua
-- give dnsdist a port other than the default to avoid conflicting with pihole
addLocal('0.0.0.0:5300', { reusePort=true })
-- add pihole as the backend server; set the health-check interval to 1 hour to prevent log spamming
newServer({address='127.0.0.1:53', checkInterval=3600})
-- set up a DoH listener (no port given, so dnsdist uses its default, 443)
addDOHLocal('0.0.0.0', "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem")
-- set up a DoT listener (no port given, so dnsdist uses its default, 853)
addTLSLocal('0.0.0.0', "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem")
-- set up a webserver on port 8080, preventing conflict with pihole, with password 's3cr3t'
webserver('0.0.0.0:8080', "s3cr3t")
```

Note that from dnsdist 1.6 on, webserver() takes only the listen address; the password is then set separately with setWebserverConfig({password="s3cr3t"}).

- create a self-signed certificate using the following command, using the right CN (the address clients will connect to):

```sh
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 1000 -nodes -subj '/CN=192.168.0.2'
```
- put the certificate files in /etc/dnsdist/
- start dnsdist
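To check that the DoT and DoH listeners actually answer, and that clients really verify the self-signed certificate instead of ignoring it, here is a small stdlib-only test client. It is an added example, not code from the pihole wiki or from the dnsdist project. It assumes dnsdist is reachable at the CN from the openssl command above (192.168.0.2), that the page's cert.pem has been copied next to the script so it can be pinned as the only trusted certificate, and dnsdist's defaults for the listeners (853 for addTLSLocal, 443 for addDOHLocal, path /dns-query). The DNS framing helpers (wire-format query, the DoT length prefix, the DoH GET encoding, response parsing) work offline; only query_dot() and query_doh() touch the network.

```python
import base64
import http.client
import socket
import ssl
import struct

# Assumptions (adjust for your setup): dnsdist at the CN used for the
# self-signed cert, that cert.pem copied here, and dnsdist's default
# ports (853 for addTLSLocal, 443 for addDOHLocal) and DoH path.
DNSDIST_HOST = "192.168.0.2"
TRUSTED_CERT = "cert.pem"
DOT_PORT, DOH_PORT, DOH_PATH = 853, 443, "/dns-query"


def build_query(name, qtype=1, txid=0x1234):
    """Minimal RFC 1035 query (RD set, one question) in wire format.
    A fixed txid is acceptable here: the TLS channel authenticates the server."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def dot_frame(msg):
    """DoT (RFC 7858) prefixes each message with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_path(msg, path=DOH_PATH):
    """DoH GET (RFC 8484): base64url of the wire message, padding stripped."""
    return path + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()


def _skip_name(data, pos):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length


def parse_response(data):
    """Return txid, RCODE and the IPv4 answers of a DNS response message."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):                # skip question: name + QTYPE + QCLASS
        pos = _skip_name(data, pos) + 4
    a_records = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record
            a_records.append(".".join(str(b) for b in data[pos:pos + 4]))
        pos += rdlen
    return {"txid": txid, "rcode": flags & 0x0F, "a_records": a_records}


def _tls_context():
    # Trust only the pinned self-signed cert. It is CN-only (no SAN), so
    # hostname matching is disabled and the pin does the authentication.
    ctx = ssl.create_default_context(cafile=TRUSTED_CERT)
    ctx.check_hostname = False
    return ctx


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(name, host=DNSDIST_HOST, port=DOT_PORT):
    """One query over the DoT listener; returns the parsed response."""
    with socket.create_connection((host, port), timeout=5) as raw, \
            _tls_context().wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(dot_frame(build_query(name)))
        (length,) = struct.unpack("!H", _recv_exact(tls, 2))
        return parse_response(_recv_exact(tls, length))


def query_doh(name, host=DNSDIST_HOST, port=DOH_PORT):
    """One query as a DoH GET; returns the parsed response."""
    conn = http.client.HTTPSConnection(host, port, context=_tls_context(), timeout=5)
    conn.request("GET", doh_get_path(build_query(name)),
                 headers={"Accept": "application/dns-message"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status != 200:
        raise RuntimeError("DoH listener returned HTTP %d" % resp.status)
    return parse_response(body)


if __name__ == "__main__":
    for label, fn in (("DoT", query_dot), ("DoH", query_doh)):
        try:
            print(label, fn("pi.hole"))
        except OSError as exc:
            print(label, "failed:", exc)
```

Because the certificate is self-signed, every client has to be told to trust it explicitly, as the pinned cafile does here; a client that silently skips verification gets the encryption but none of the server authentication, which is the part that stops a spoofed resolver on the network.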
Done. The Pihole portal remains available on the usual port; the dnsdist web interface is on port 8080.
Please also read the PowerDNS Documentation that is available from https://doc.powerdns.com/