1. Install Pi-Hole
2. Install Unbound
3. Set Unbound as the upstream for Pi-Hole
4. Disable DoH (DNS-over-HTTPS) on all devices/browsers
5. Set your DHCP server (router or Pi-Hole) to assign the Pi-Hole IP as DNS for all leases
6. Enable DNSSEC
7. Profit
That's the setup I use and I've been pretty happy with it. Now all DNS queries go to Pi-Hole first. If it's not on a blocklist and it's not cached by Pi-Hole, then it gets kicked over to Unbound. If it's not cached by Unbound, then it gets the info directly from a root server.
Takes a small amount of effort to set up, but once it's done you no longer have to worry about third-party servers being down, or finding new ones. Also, you can set the logging level to whatever you want, or not log anything at all.
For bonus points, you can have Pi-Hole act as your DHCP server, which makes things a little easier. There are also some blocklists floating around that block the domains used by a lot of the DoH providers (https://raw.githubusercontent.com/Sekhan/TheGreatWall/master/TheGreatWall.txt for example), and my router also has a bunch of Google/CloudFlare DNS server IPs static routed to nowhere.
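The Pi-Hole -> Unbound -> root servers chain from the comment above, as an added example (not the poster's own files): it renders the Unbound server block for a loopback-only, DNSSEC-validating recursive resolver, points Pi-hole at it, and ends with the standard check that validation is really happening (a deliberately broken signature must SERVFAIL, a good one must NOERROR). Assumptions: a Debian-style Unbound layout (`/etc/unbound/unbound.conf.d/`), Pi-hole 5.x with its `pihole -a setdns` CLI, port 5335 as in the Pi-hole unbound guide, and the public `dnssec.works` test zones. Unbound is the validator in this chain; Pi-hole's own DNSSEC toggle (step 6) re-validates the same answers in dnsmasq on top.

```shell
#!/bin/sh
# Added example (not the poster's config): render the Unbound config for a
# local, DNSSEC-validating recursive resolver and point Pi-hole 5.x at it.
# Assumed: Debian-style Unbound layout, Pi-hole 5.x, port 5335.
set -eu

UNBOUND_PORT=5335
UNBOUND_CONF="${UNBOUND_CONF:-/etc/unbound/unbound.conf.d/pi-hole.conf}"

# Unbound listens on loopback only, recurses from the root servers itself,
# validates DNSSEC (harden-dnssec-stripped) and refuses public answers that
# point into private address space (private-address: rebinding protection).
# The Debian package already ships the root trust anchor in
# unbound.conf.d/root-auto-trust-anchor-file.conf, so it is not repeated here.
unbound_conf() {
    cat <<EOF
server:
    verbosity: 0
    interface: 127.0.0.1
    port: ${UNBOUND_PORT}
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    prefer-ip6: no
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 1232
    prefetch: yes
    num-threads: 1
    so-rcvbuf: 1m
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
EOF
}

# Pi-hole upstream entry in its host#port form: only Pi-hole ever talks to Unbound.
pihole_upstream() {
    printf '127.0.0.1#%s\n' "${UNBOUND_PORT}"
}

apply() {
    unbound_conf > "${UNBOUND_CONF}"
    systemctl restart unbound
    # Same thing the web UI does under Settings > DNS > Custom 1 (IPv4); the
    # positional flags are the poster's step 6 plus Pi-hole's default toggles
    # (assumption: Pi-hole 5.x CLI).
    pihole -a setdns "$(pihole_upstream)" domain-needed bogus-priv dnssec
}

# Needs network: if the bogus name does not SERVFAIL, Unbound is not validating.
verify_dnssec() {
    dig fail01.dnssec.works @127.0.0.1 -p "${UNBOUND_PORT}" | grep -q 'status: SERVFAIL' || return 1
    dig dnssec.works @127.0.0.1 -p "${UNBOUND_PORT}" | grep -q 'status: NOERROR' || return 1
}

case "${1:-}" in
    apply)  apply ;;
    verify) verify_dnssec ;;
esac
```

Run `sh pihole-unbound.sh apply` as root, then `sh pihole-unbound.sh verify`; if the verify step fails right after install, wait a moment for Unbound to fetch the root zone and retry before assuming the trust anchor is missing.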
You just feed it locations for whatever blocklists you want, and it queries them once a week to see what's changed. Those locations can be URLs or local files.
It's best to block DNS port 53 outbound on the router. There are lists on GitHub of the IP addresses of DoH servers (the ones Firefox uses and the "private DNS" setting on an Android phone).
1) Block port 53
2) Install dnscrypt
3) Port forward 53 to wherever dnscrypt is listening
The above works well for pfSense and OPNsense. You can easily ad-block and GeoIP-block as well with those.
Some people, or your kids, have a DNS already set in their browser, OS or some app. Blocking 53 solves this, except they are now hard-wiring DoH DNS servers in the browsers. So you need to block those IP addresses. That will force everyone on your network to use dnscrypt. Set dnscrypt to log all queries. While you're at it, block social media and all Microsoft domains as well as ads.
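The three firewall steps above (block 53, redirect 53 to the local resolver, block the hard-coded DoH endpoints), together with the "static routed to nowhere" trick from the Pi-Hole comment, as an added example that is none of the posters' configs: a generator that turns a DoH-IP list into an nftables ruleset for a Linux router. On pfSense/OPNsense the same three pieces are a NAT port forward for destination port 53, a block rule for 853, and a block rule whose destination is an alias built from the same list. Assumptions: interface names `lan0`/`wan0`, the resolver at `192.168.1.2`, and a list format of one IPv4 address or CIDR per line with `#` comments; the sample list in the usage is constructed, not a real provider list. Two things the steps above leave out: a port-53 redirect does nothing for DNS-over-TLS on 853, so that port is reset as well; and when the resolver sits on the LAN rather than on the router, the redirected flow has to be masqueraded, otherwise the reply reaches the client from the resolver's address instead of the one it queried and the stub resolver discards it.

```shell
#!/bin/sh
# Added example (not from the thread): emit an nftables ruleset that forces
# every LAN DNS query through the local resolver.  Interface names, resolver
# address and the DoH list format are assumptions.
set -eu

LAN_IF="${LAN_IF:-lan0}"
WAN_IF="${WAN_IF:-wan0}"
RESOLVER="${RESOLVER:-192.168.1.2}"   # Pi-hole / dnscrypt host on the LAN (assumed)

# Normalise a DoH-IP list (one IPv4 address or CIDR per line, '#' comments)
# into the comma-separated, deduplicated element list an nft set expects.
ip_set_elements() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' \
    | awk 'NF && !seen[$0]++ { printf "%s%s", (n++ ? ", " : ""), $0 } END { print "" }'
}

# Print the ruleset; reads the DoH list on stdin.
ruleset() {
    elems=$(ip_set_elements)
    elements_line=""
    if [ -n "${elems}" ]; then
        elements_line="elements = { ${elems} }"
    fi
    cat <<EOF
table inet dnsguard {
    set doh_ips {
        type ipv4_addr
        flags interval
        ${elements_line}
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # 1) plain DNS from the LAN to any server goes to our resolver, whatever the client configured
        iifname "${LAN_IF}" ip daddr != ${RESOLVER} meta l4proto { tcp, udp } th dport 53 dnat ip to ${RESOLVER}
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # hairpin: the resolver is on the LAN, so the redirected flow is masqueraded
        # and its reply comes back through the router to be un-NATed
        oifname "${LAN_IF}" ip daddr ${RESOLVER} meta l4proto { tcp, udp } th dport 53 masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
        # 2) DoT and the listed DoH endpoints: reset, so clients fall back to port 53 (redirected above)
        iifname "${LAN_IF}" tcp dport 853 reject with tcp reset
        iifname "${LAN_IF}" ip daddr @doh_ips tcp dport 443 reject with tcp reset
        # 3) nothing but the resolver itself may send port 53 out of the WAN side
        oifname "${WAN_IF}" ip saddr != ${RESOLVER} meta l4proto { tcp, udp } th dport 53 drop
    }
}
EOF
}

# Usage: sh dnsguard.sh apply /etc/doh-ips.txt   (replaces any earlier version of the table)
if [ "${1:-}" = "apply" ]; then
    nft list table inet dnsguard >/dev/null 2>&1 && nft delete table inet dnsguard
    ruleset < "$2" | nft -f -
fi
```

Blocking by IP is only as good as the list and can overblock when a provider shares addresses between its DoH endpoint and other services, so the port-53 redirect stays the primary control and the IP set is the backstop for clients that hard-code a DoH URL. The ruleset is IPv4-only, which matches the Unbound setup above (`do-ip6: no`); if the LAN gets IPv6 DNS via router advertisements, add the `ip6` equivalents or stop advertising a resolver. Firefox's automatic DoH additionally honours the `use-application-dns.net` canary domain, which Pi-hole answers with NXDOMAIN by default.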
uvulectomy, 2 points, Mar 23, 2023 22:14:12 (+2/-0)
HowDoYouDoFellowNiggers, 0 points, Mar 24, 2023 12:57:45 (+0/-0)
uvulectomy, 0 points, Mar 24, 2023 13:27:56 (+0/-0)
foxtrot45, 2 points, Mar 23, 2023 20:15:37 (+2/-0)
iThinkiShitYourself [op], 1 point, Mar 23, 2023 22:44:41 (+1/-0)
foxtrot45, 0 points, Mar 24, 2023 09:09:02 (+0/-0)
ParnellsUprising, 1 point, Mar 23, 2023 18:48:48 (+1/-0)