Setup your own DNS over TLS

So I have gone a little crazy lately in my home lab. I have created an anycast address in the LAN that goes to the nearest pihole (local, Datacenter 1 or Datacenter 2). While that was nice, I still wanted a way to have pihole while on the go. I thought about a VPN; that works but is not perfect for what I want. A little more pondering and I found that Android 9 supports “Private DNS”. Turns out that it is simply DNS over TLS (DoT). That just makes this so much easier now.

How does one make a DoT server then? Again, the answer is really simple: stunnel4 is all you need. A quick bit of googling will get you to this page, which walks through a more in-depth setup of stunnel4. Boiled down, and assuming you have an SSL cert handy/installed on the system:

# yum install stunnel4

# cat /etc/stunnel/dnstls.conf
; Service section: when stunnel runs as a daemon, accept/connect belong
; inside a named [section]; the name itself is arbitrary.
[dns]
; Certificate (chain) and private key for the hostname clients will use
cert = /etc/letsencrypt/live/
key = /etc/letsencrypt/live/

; Listen for DNS over TLS on the standard port (RFC 7858)
accept = 853
; Forward the decrypted queries to the pihole's plain DNS listener (host:port)
connect =

# systemctl enable stunnel4
# systemctl start stunnel4

After that, it was a matter of punching a hole in the firewall to allow 853 in to the server running the stunnel4 daemon. Once that was up I added a DNS record for the hostname, pointing to the IP where the firewall hole was punched. Finally, on my Android: Settings -> Network & Internet -> Advanced -> Private DNS. I set that to “Private DNS provider hostname” and put the mentioned hostname in the text field. Bam, now anywhere I go my phone is covered by one of my piholes.
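Before pointing a phone at the new listener it is worth checking it from a client that validates the certificate the same way Android does. The script below is an added example written for this post, not code from the post, from stunnel or from pihole. It speaks DNS over TLS as RFC 7858 describes it (a TLS connection to port 853 carrying length-prefixed DNS messages) and verifies the server certificate chain and hostname with Python's default SSL context. The hostname `dot.example.net` and the query name `pi.hole` in the usage line are placeholders; the embedded sample response is constructed by hand so the parser can be exercised without a server.

```python
import random
import socket
import ssl
import struct
import sys
from typing import Optional


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Return a wire-format DNS query (RD set, class IN) without the TCP length prefix."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(data: bytes, offset: int):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data: bytes, expected_txid: Optional[int] = None) -> dict:
    """Parse the header and answer section; render A/AAAA rdata as text."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28 and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def query_dot(server: str, name: str, qtype: int = 1, port: int = 853, timeout: float = 5.0) -> dict:
    """Send one query over TLS; chain and hostname are verified, as Android's hostname mode does."""
    ctx = ssl.create_default_context()
    query = build_query(name, qtype)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix (RFC 7858)
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return parse_response(_recv_exact(tls, length), expected_txid=txid)


# Constructed sample (not captured traffic): answer to an A query for example.com,
# txid 0x1234, with the answer name given as a compression pointer (0xC00C).
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    + b"\x07example\x03com\x00\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"
)


def demo_offline() -> dict:
    """Parse the constructed sample so the parser runs without any server."""
    return parse_response(SAMPLE_RESPONSE, expected_txid=0x1234)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python dot_check.py dot.example.net pi.hole
        print(query_dot(sys.argv[1], sys.argv[2]))
    else:
        print(demo_offline())
```

Run it with your DoT hostname and a name the pihole resolves; a certificate or hostname mismatch surfaces here as an `ssl.SSLError`, which is the same failure the phone will hit silently in “Private DNS provider hostname” mode. One thing the stunnel config above does not do is authenticate clients: with 853 open on the firewall, anyone who can reach the port can use the pihole as a resolver, so restrict source addresses at the firewall or turn on stunnel's client certificate verification if that is a concern.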

Now to look into providing DNS over HTTPS (DoH) the same way…

3 thoughts on “Setup your own DNS over TLS”

  1. cyberfence030

    Hi, thanks for the great article!!!

    Can you point me in the right direction for setting up an anycast IP (Pi-hole DNS server) over a ZeroTier VPN? Is it possible? Are there any advantages of stunnel anycast over ZeroTier VPN anycast?

    1. mindlesstux Post author

      Not sure what direction you are trying to go toward. Since I lazily wrote this little series I have switched over to WireGuard as a back end with a ZeroTier failover.

      You can create an anycast on the zt network sort of… The only way that comes to mind is what I am doing (and may have written). That would be to announce a route to whatever address to the other OSPF nodes on the zt network. Then anytime you want to go to that you would get directed to the “closest” system saying it is that IP.

      Not sure what you mean stunnel anycast…
