Implement DNS-over-TLS capability in Pi-hole

tls

#42

For me it’s laziness. I already asked Scott why DOH and not DOT, but didn’t get a reply sadly.


#43

A reason could be the port used. Port 443 stands out less than port 853.


#44

Yes and No.

Yes: The DNS server in FTL is based on dnsmasq and, as such, is a DNS proxy that can either reply from its internal cache or has to forward the request to somewhere else. In the case of DoT, pihole-FTL forwards the requests to a local proxy which itself forwards it to Cloudflare using an encrypted connection.

There are several complications when it comes to implementing this into pihole-FTL: There are different flavors of encrypted DNS traffic: DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), dnscrypt and a few more. Implementing them would be a major task and nobody can ensure that it is bug-free*. Furthermore, all the different providers have a (slightly) different take on the standards and specifications such that an implementation often cannot be generic enough to cover all use cases.

*) While this is always true, it is a special problem when it comes to cryptography as even tiny implementation bugs can make the encryption itself vulnerable.

The current solution is to have various specialized agents talk to their respective providers.
IMHO this is the - by far - best approach as the providers themselves know their own specs best. Moreover, many small projects are much easier to maintain than a monolithic pihole-FTL binary that tries to do everything.

No: We fully support DoT inside Pi-hole. You just need to realize it using a local proxy of your preferred DNS provider. See the “Yes” reply for further details.
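What the "local proxy" in the reply above actually does, as an added example that is not Pi-hole or FTL code and not any provider's own agent: a minimal DNS-over-TLS forwarder. It accepts plain UDP DNS on the loopback port that pihole-FTL is configured to forward to (a dnsmasq-style `server=127.0.0.1#5053` line; the port 5053 is an arbitrary assumption), wraps each query in the 2-byte length prefix that DoT (RFC 7858) inherits from DNS-over-TCP, sends it over a certificate-verified TLS session to port 853, and relays the answer. The upstream address 1.1.1.1 and the SNI/verification name cloudflare-dns.com are assumptions standing in for "your preferred DNS provider"; the port 853 is the DoT default, which is the port the #43 reply contrasts with 443.

```python
"""Minimal DNS-over-TLS forwarding proxy: plain UDP DNS in, TLS to upstream out.

Added illustration only; this is not pihole-FTL code and not a provider's agent.
UPSTREAM_* values are assumptions (Cloudflare's public resolver); LISTEN_ADDR is an
arbitrary local port that FTL would be pointed at via a dnsmasq-style
server=127.0.0.1#5053 line.
"""
import socket
import ssl
import struct

UPSTREAM_IP = "1.1.1.1"                # assumption: provider's DoT endpoint
UPSTREAM_NAME = "cloudflare-dns.com"   # assumption: name used for SNI and cert check
UPSTREAM_PORT = 853                     # DoT default port (RFC 7858)
LISTEN_ADDR = ("127.0.0.1", 5053)       # assumption: local port FTL forwards to


def frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for a 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


def unframe(stream: bytes) -> tuple[bytes, bytes]:
    """Split one framed message off the front of a byte stream.

    Returns (message, remainder). A truncated stream raises, which a caller must
    treat as "read more bytes", never as a complete (empty) answer.
    """
    if len(stream) < 2:
        raise ValueError("need 2 length bytes")
    (n,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + n:
        raise ValueError(f"truncated: need {n} bytes, have {len(stream) - 2}")
    return stream[2:2 + n], stream[2 + n:]


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes; TLS record boundaries do not align with DNS messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS connection")
        buf += chunk
    return buf


def dot_context() -> ssl.SSLContext:
    """Client context that verifies the upstream certificate against the system trust store."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def forward_over_tls(query: bytes) -> bytes:
    """Send one DNS query over DoT and return the raw DNS response."""
    raw = socket.create_connection((UPSTREAM_IP, UPSTREAM_PORT), timeout=5)
    # wrap_socket on a connected socket performs the handshake immediately.
    with dot_context().wrap_socket(raw, server_hostname=UPSTREAM_NAME) as tls:
        tls.sendall(frame(query))
        (n,) = struct.unpack("!H", recv_exact(tls, 2))
        resp = recv_exact(tls, n)
    # The transaction ID must echo the query; a mismatch is a bug or an injection.
    if resp[:2] != query[:2]:
        raise ValueError("response transaction ID does not match query")
    return resp


def serve() -> None:
    """Accept plain UDP DNS queries (what FTL sends) and answer them via DoT upstream."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.bind(LISTEN_ADDR)
        while True:
            query, client = udp.recvfrom(4096)
            try:
                udp.sendto(forward_over_tls(query), client)
            except (OSError, ssl.SSLError, ValueError) as exc:
                # Dropping the query lets the client retry; never answer in the clear.
                print(f"upstream failure, dropping query: {exc}")


if __name__ == "__main__":
    serve()
```

Run it and query it with `dig @127.0.0.1 -p 5053 example.com` to see that the only traffic leaving the host is TLS on port 853. Opening a fresh TLS session per query keeps the example short; a production agent keeps the upstream connection open and pipelines queries, which is exactly the provider-specific engineering the reply above prefers to leave to each provider's own agent.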