So I have gone a little crazy lately in my home lab. I have created a anycast address in the LAN of 10.10.10.10 that goes to the nearest pihole. (Local, Datacetner 1 or Datacenter 2) While that was nice I still wanted a way to have pihole while on the go. I thought about a VPN, that works but is not perfect for what I want. A little more pondering and I found that Android 9 supports “Private DNS”. Turns out that it is a simply DNS over TLS. (DoT) That just makes this so much easier now.
How does one make a DoT server then? Again answer is really simple, stunnel4 is all you need. A quick bit of googling will get you to this page, which will walk through a more indepth setup of stunnel4. Boiled down, and assuming you have a SSL cert handy/installed on the system:
# yum install stunnel4 # cat /etc/stunnel/dnstls.conf [dnstls] cert = /etc/letsencrypt/live/mindlesstux.com/fullchain.pem key = /etc/letsencrypt/live/mindlesstux.com/privkey.pem accept = 853 connect = 10.10.10.10:53 # systemctl enable stunnel4 # systemctl start stunnel4
After that, it was a matter of punching a hole in the firewall to allow 853 in to the server running the stunnel4 daemon. Once that was up I added a DNS record for exampledot.mindlesstux.com to the ip where the firewall hole was punched. Finally in my android Settings -> Network & Internet -> Advanced -> Private DNS. I set that to “Private DNS provider hostname” and put the mentioned hostname in the text field. Bam, now anywhere I go my phone is covered by one of my piholes.
Now to look into providing DNS over HTTPS (DOH) the same way…