Setup your own DNS over TLS

So I have gone a little crazy lately in my home lab. I have created an anycast address in the LAN of that goes to the nearest pihole (local, Datacenter 1 or Datacenter 2). While that was nice, I still wanted a way to have pihole while on the go. I thought about a VPN; that works, but is not perfect for what I want. A little more pondering and I found that Android 9 supports “Private DNS”. Turns out that it is simply DNS over TLS (DoT). That makes this so much easier now.

How does one make a DoT server then? Again, the answer is really simple: stunnel4 is all you need. A quick bit of googling will get you to this page, which walks through a more in-depth setup of stunnel4. Boiled down, and assuming you have an SSL cert handy/installed on the system:

# yum install stunnel4

# cat /etc/stunnel/dnstls.conf
; certificate chain and private key that stunnel presents to DoT clients
cert = /etc/letsencrypt/live/
key = /etc/letsencrypt/live/

; each stunnel service lives in its own named section (the name is arbitrary)
[dns]
; terminate TLS on the DoT port and forward plaintext DNS to the pihole
accept = 853
connect =

# systemctl enable stunnel4
# systemctl start stunnel4

After that, it was a matter of punching a hole in the firewall to allow port 853 in to the server running the stunnel4 daemon. Once that was up I added a DNS record for to the IP where the firewall hole was punched. Finally, in my Android settings: Settings -> Network & Internet -> Advanced -> Private DNS. I set that to “Private DNS provider hostname” and put the mentioned hostname in the text field. Bam, now anywhere I go my phone is covered by one of my piholes.
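To check the endpoint from a laptop the same way the phone does (TLS on 853, certificate chain and hostname validated against the name you put in Private DNS, then a length-prefixed DNS query as RFC 7858 requires), here is an added Python example; it is not part of the original post, and the server hostname and query name passed to query_dot are whatever you configured.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    # Header: id, flags (RD set), QDCOUNT=1, AN/NS/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # class IN
    return struct.pack("!H", len(msg)) + msg  # 2-byte length prefix used over TCP/TLS

def _skip_name(msg, off):
    # Walk labels; a compression pointer (top two bits set) ends the name in 2 bytes
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_records(msg, txid):
    rid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def query_dot(server_hostname, name, port=853, timeout=5.0):
    # Default context verifies the chain and the hostname, as Android Private DNS does
    ctx = ssl.create_default_context()
    with socket.create_connection((server_hostname, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
        tls.sendall(build_query(name))
        reader = tls.makefile("rb")
        (length,) = struct.unpack("!H", reader.read(2))
        return parse_a_records(reader.read(length), 0x1234)
```

A certificate that does not match the hostname makes query_dot raise an ssl.SSLCertVerificationError, which is the same failure the phone reports as "Couldn't connect".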

Now to look into providing DNS over HTTPS (DOH) the same way…
