
Building a private DOH server with Pi-hole and DNS-Crypt

There are good reasons to have your own private, secure DNS server running the Pi-hole ad-blocker. If you want to set up a private server on your home network, you can read why it's a good idea, and how to do it, at https://scotthelme.co.uk/securing-dns…. I didn't want a box running on my home LAN, so I wanted a way to set up a DNS server on the Net that I could reach both at home and out and about. This only works well if you can reach the server securely, and that is where the DNS over HTTPS (DOH) protocol comes in. Here's a guide to setting up a DOH+Pi-hole server at the rent-a-host Digital Ocean:

1. DOH server on Digital Ocean with Pi-hole

2. Setting up MacOS client to use the DOH server

3. Setting up iOS client to use the DOH server

1. DOH server on Digital Ocean

I used this guide to set up a DOH server: https://www.bentasker.co.uk/…dns-over-https-server. I followed all the steps, with these exceptions:

2. Setting up MacOS client to use the DOH server

Follow the instructions at https://github.com/DNSCrypt/…macOS to install a DNSCrypt proxy (dnscrypt-proxy) that talks to the DOH server we set up at DO. I've configured it to use only the DOH server set up in step 1, and none of the publicly available DOH servers.

Also install a little utility called dnscrypt-proxy-switcher that sits in the menu bar and lets you switch between different DNS settings.

3. Setting up iOS client to use the DOH server

Install DNSCloak • Secure DNS client on iPhone and iPad. Then add your DOH server from step 1.
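Steps 2 and 3 both need the private server from step 1 expressed as a DNS stamp: the sdns:// string that dnscrypt-proxy's [static] section and DNSCloak's custom-server entry take in place of a public resolver. The post does not show how to build one, so the following is an added example (not code from the original post, from dnscrypt-proxy or from DNSCloak) that encodes and decodes DOH stamps according to the public DNS stamp specification (https://dnscrypt.info/stamps-specifications/) and prints the dnscrypt-proxy.toml fragment that restricts the proxy to that one server. The server address 203.0.113.10, the hostname doh.example.net and the certificate hashes are placeholders I constructed; substitute your own server's values.

```python
import base64

# DNS stamp layout for a DoH server, from the public specification:
#   sdns:// + base64url( 0x02 | props (8 bytes, little-endian)
#                        | LP(addr) | VLP(cert hashes) | LP(hostname) | LP(path) )
# LP(x)  = one length byte followed by x.
# VLP(..)= each item length-prefixed; every item but the last has 0x80 OR'd
#          into its length byte; an empty list is a single 0x00 byte.
DOH_PROTO = 0x02
PROP_DNSSEC, PROP_NO_LOG, PROP_NO_FILTER = 1, 2, 4


def _lp(data: bytes) -> bytes:
    """Length-prefixed field (at most 255 bytes)."""
    if len(data) > 255:
        raise ValueError("field too long for LP")
    return bytes([len(data)]) + data


def _vlp(items) -> bytes:
    """Variable-length list of fields (each at most 127 bytes)."""
    if not items:
        return b"\x00"
    out = b""
    for i, item in enumerate(items):
        if len(item) > 0x7F:
            raise ValueError("VLP item too long")
        more = 0x80 if i < len(items) - 1 else 0
        out += bytes([len(item) | more]) + item
    return out


def make_doh_stamp(addr: str, hostname: str, path: str = "/dns-query",
                   dnssec: bool = False, no_log: bool = False,
                   no_filter: bool = False, cert_hashes=()) -> str:
    """Build an sdns:// stamp for a DoH server.

    addr is the IP (add ':port' only if not 443); cert_hashes are hex SHA-256
    digests of a TBS certificate somewhere in the server's chain. Leave them
    empty for a certificate that renews frequently (e.g. Let's Encrypt), or pin
    a longer-lived certificate higher in the chain instead of the leaf.
    """
    props = ((PROP_DNSSEC if dnssec else 0) | (PROP_NO_LOG if no_log else 0)
             | (PROP_NO_FILTER if no_filter else 0))
    raw = bytes([DOH_PROTO]) + props.to_bytes(8, "little")
    raw += _lp(addr.encode()) + _vlp([bytes.fromhex(h) for h in cert_hashes])
    raw += _lp(hostname.encode()) + _lp(path.encode())
    return "sdns://" + base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def parse_doh_stamp(stamp: str) -> dict:
    """Decode a DoH stamp so you can check what a client will really connect to."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if raw[0] != DOH_PROTO:
        raise ValueError(f"not a DoH stamp (protocol id {raw[0]:#x})")
    props = int.from_bytes(raw[1:9], "little")
    pos = 9

    def lp() -> bytes:
        nonlocal pos
        n = raw[pos]
        pos += 1
        val = raw[pos:pos + n]
        pos += n
        return val

    addr = lp().decode()
    hashes = []
    while True:                      # VLP: loop until an item without the 0x80 flag
        n = raw[pos]
        pos += 1
        size = n & 0x7F
        if size:
            hashes.append(raw[pos:pos + size].hex())
            pos += size
        if not n & 0x80:
            break
    hostname = lp().decode()
    path = lp().decode()
    return {"addr": addr, "hostname": hostname, "path": path,
            "dnssec": bool(props & PROP_DNSSEC), "no_log": bool(props & PROP_NO_LOG),
            "no_filter": bool(props & PROP_NO_FILTER), "cert_hashes": hashes}


def static_toml_entry(name: str, stamp: str) -> str:
    """dnscrypt-proxy.toml fragment: only this server is listed in server_names."""
    return (f"server_names = ['{name}']\n\n"
            f"[static]\n  [static.'{name}']\n  stamp = '{stamp}'\n")


if __name__ == "__main__":
    # Placeholder values for the private server from step 1 (constructed, not real).
    stamp = make_doh_stamp("203.0.113.10", "doh.example.net", no_log=True)
    print(stamp)
    print(parse_doh_stamp(stamp))
    print(static_toml_entry("private-doh", stamp))
```

The decoder is the part worth keeping around: before you trust a stamp pasted into dnscrypt-proxy or DNSCloak, decode it and confirm the hostname, IP and path are your own server's, not a public resolver's.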

UPDATE: I am now running Pi-hole locally on my network, on a Raspberry Pi 4B with 2GB. There are many guides on how to do this. The one I used is here, and I didn't implement the DNSCrypt component. Instead, I implemented Unbound, so it's a complete standalone DNS server that doesn't rely on any upstream provider. More about Unbound here. And a YouTube guide.

You might also find this guide here and here useful.