DNS Over HTTPS over Tor for Anonymized DNS with adblocking, with Pi-Hole and DNSCrypt-Proxy
Cribbed from Alec Muffett's DoHoT.
As part of general improvements, I've consolidated and reformatted the backing containers. tor-proxy
is now tor-client
and dohot-proxy
is now dnscrypt-proxy
.
The associated dockerfiles are available here.
tor
is run as a client, exposing a SOCKS proxy.
dnscrypt-proxy
is run, configured to use the tor
clients SOCKS proxy to connect and resolve over a wide selection of DOH servers.
pihole
is run, configured to use dnscrypt-proxy
as it's upstream resolver.
End user devices should be resolving via DNS provided by pihole
to take advantage of the ad-blocking.
pihole
should not be exposed to the internet at large, lest it be used as part of a DNS amplification attack. It should be listening on a LAN/VPN IP or a packet filter should restrict incoming DNS queries to the pihole
to only authorized client devices.
Optionally, doh-front
(container image for doh-server
) can be used so that the pihole can be configured as a DOH server directly by end user devices (see the README
).
Further optionally, as of Arti 1.1.10 it's now capable of listening on arbitrary ports (previously restricted to localhost) which means it's now suitable for deployment in containers.
Replace the existing tor proxy image with an equivalent ghcr.io/cyberworm-uk/arti:latest
if you want to use the experimental rust tor client.