remcovanmook edited this page Sep 22, 2019 · 4 revisions

Pihole is an ad-blocking DNS server that is very versatile and easy to configure. It uses dnsmasq as its DNS server, tightly integrated into its configuration. To add encrypted transports, dnsdist (1.4 and up) can be placed in front of it to offer DoT (DNS over TLS) and DoH (DNS over HTTPS). Here's how:

  • install dnsdist from repo.powerdns.com

  • make sure you configure pihole to listen on all interfaces

  • put the following in /etc/dnsdist/dnsdist.conf:

    -- give dnsdist a plain-DNS port other than the default 53 to avoid conflicting with pihole
    addLocal('0.0.0.0:5300', { reusePort=true })
    -- Add pihole as the backend server; check it once an hour to prevent log spamming
    newServer({address='127.0.0.1:53',checkInterval=3600})
    -- Set up a DoH listener (default port 443)
    addDOHLocal('0.0.0.0',"/etc/dnsdist/cert.pem","/etc/dnsdist/key.pem")
    -- Set up a DoT listener (default port 853)
    addTLSLocal('0.0.0.0',"/etc/dnsdist/cert.pem","/etc/dnsdist/key.pem")
    -- Set up the web server on port 8080 (avoiding pihole's port 80); replace 's3cr3t' with your own password
    webserver('0.0.0.0:8080',"s3cr3t")

  • create a self-signed certificate using the following command, with the CN set to the address clients will connect to (here the dnsdist host's IP, 192.168.0.2):

    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 1000 -nodes -subj '/CN=192.168.0.2'

  • put the certificate files in /etc/dnsdist/
  • start dnsdist

Done. The Pihole admin portal remains available on its usual port, and the dnsdist web interface is on port 8080.
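To check the DoH listener from a client, here is an added Python script (not part of this page or of dnsdist) that builds a wire-format A query, POSTs it to dnsdist with the self-signed certificate as the only trust anchor, and parses the answer. It assumes dnsdist is reachable at 192.168.0.2:443 on the default /dns-query path and that the certificate lists that address as a subjectAltName (add `-addext 'subjectAltName=IP:192.168.0.2'` to the openssl command above), because Python's hostname check does not fall back to the CN for IP addresses.

```python
import ssl
import struct
import urllib.request
# Assumed values, not from the page: dnsdist's DoH URL and the cert it serves.
DOH_URL = "https://192.168.0.2:443/dns-query"
CA_FILE = "/etc/dnsdist/cert.pem"

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal wire-format DNS query: one question, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(data: bytes) -> dict:
    """Extract txid, rcode and the A records from a wire-format DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # A record: 4-byte IPv4 address
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0x000F, "a_records": addrs}

def doh_query(name: str, url: str = DOH_URL, cafile: str = CA_FILE) -> dict:
    """POST a DNS query to dnsdist's DoH listener, trusting only the self-signed cert."""
    ctx = ssl.create_default_context(cafile=cafile)   # hostname check stays enabled
    req = urllib.request.Request(url, data=build_query(name), method="POST", headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
        return parse_response(resp.read())

if __name__ == "__main__":
    print(doh_query("pi.hole"))   # a name pihole blocks answers with 0.0.0.0
```

A blocked domain comes back as an A record of 0.0.0.0, while a TLS error here usually means the certificate's CN/SAN does not match the address in the URL.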