DNS over HTTPS over Tor with PiHole and DNSCrypt-Proxy

cyberworm-uk/dohot-service

dohot-service

DNS Over HTTPS over Tor for Anonymized DNS with adblocking, with Pi-Hole and DNSCrypt-Proxy

Cribbed from Alec Muffett's DoHoT.

Update

As part of general improvements, I've consolidated and reformatted the backing containers. tor-proxy is now tor-client and dohot-proxy is now dnscrypt-proxy.

The associated dockerfiles are available here.

Overview

tor is run as a client, exposing a SOCKS proxy.

dnscrypt-proxy is run, configured to use the tor client's SOCKS proxy to connect to, and resolve over, a wide selection of DOH servers.

pihole is run, configured to use dnscrypt-proxy as its upstream resolver.

End user devices should be resolving via DNS provided by pihole to take advantage of the ad-blocking.

pihole should not be exposed to the internet at large, lest it be used as part of a DNS amplification attack. It should listen on a LAN/VPN IP, or a packet filter should restrict incoming DNS queries to the pihole to authorized client devices only.
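The dnscrypt-proxy half of the wiring above, written out as an added example (not a file from this repository or from the upstream dnscrypt-proxy project). It assumes the tor container is reachable on the container network as `tor-client` on the default SOCKS port 9050, and that pihole points at this container on port 5053; both names and ports are assumptions.

```toml
# dnscrypt-proxy.toml (added example, not the project's own config).
# Assumed hostnames/ports: tor client at tor-client:9050, this
# container answering pihole on 5053.

# Listen on all container interfaces; only pihole (same network) should reach this port.
listen_addresses = ['0.0.0.0:5053']

# Send every upstream query through the Tor SOCKS proxy.
proxy = 'socks5://tor-client:9050'

# Tor carries TCP only, so never try UDP upstream.
force_tcp = true

# DoH only: plain DNSCrypt is UDP-based and cannot traverse the SOCKS proxy.
doh_servers = true
dnscrypt_servers = false
odoh_servers = false

# Tor exits rarely provide IPv6, so stick to IPv4 resolvers.
ipv4_servers = true
ipv6_servers = false

# Pick resolvers that publish no-log/no-filter policies; pihole does the filtering.
require_nolog = true
require_nofilter = true
require_dnssec = false

# Do not consult the host's /etc/resolv.conf for bootstrap lookups.
ignore_system_dns = true

# The start-up connectivity probe talks to netprobe_address directly,
# not via the proxy; skip it so nothing leaves the container outside Tor.
netprobe_timeout = 0

# Tor circuits are slow: allow a generous timeout and cache answers.
timeout = 10000
cache = true
cache_size = 4096

[sources]
  [sources.public-resolvers]
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md',
            'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
    cache_file = 'public-resolvers.md'
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
    refresh_delay = 73
    prefix = ''
```

Mount this as the container's dnscrypt-proxy.toml and set pihole's upstream (the `PIHOLE_DNS_` variable in the pihole image) to `dnscrypt-proxy#5053`, keeping pihole's own port 53 bound to the LAN/VPN address only.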

Optionally, doh-front (container image for doh-server) can be used so that the pihole can be configured as a DOH server directly by end user devices (see the README).

Further optionally: as of Arti 1.1.10 it can listen on arbitrary ports (previously it was restricted to localhost), which makes it suitable for deployment in containers.

Replace the existing tor proxy image with the equivalent ghcr.io/cyberworm-uk/arti:latest if you want to use the experimental Rust Tor client.