Running my own DoH relay and getting Pi-hole protection away from home!

Scott Helme (security researcher, entrepreneur and international speaker who specialises in web technologies), 14 Jan 2021, 7 min read

I absolutely love the protection my Pi-hole gives me at home and absolutely hate how I don't get those benefits when I'm not at home, so I decided to solve the problem. This was surprisingly easy to do and can be a fun little project that is useful in other areas too!

Pi-hole

If you aren't familiar with Pi-hole then you should be. It's a little DNS server you can run on a Raspberry Pi inside your house and it will do DNS-level blocking of all kinds of bad stuff! I have a blog on how to set up Pi-hole and even some more advanced stuff that I did, but honestly even the basics will be such an improvement if you don't want to take it any further.

> I recently added several new hosts lists to my @The_Pi_Hole, taking my blocked domains to 1.8m+! Over 20% of DNS queries on my network are now blocked and I have literally a few exceptions to make stuff work. pic.twitter.com/PRN1s8PoaX
> -- Scott Helme (@Scott_Helme) January 13, 2021

That little tweet thread I did covers most of the general idea and I love how Pi-hole will protect all devices on my network with no extra effort. Because it's done at DNS you don't need an ad blocker on your PC, phone, laptop, TV, refrigerator, toaster... uuhh wait. Exactly. Network-wide protection is the key benefit here. The problem is, when I step outside of my house and drop off my Wi-Fi, I'm not on my network and I lose all of the protection.
Extending Pi-hole protection out of my home

There are many different ways that you can go about this and the way I've chosen is not 'the way' or necessarily the right way for you. This is how I did it and my criteria were that it would be quick and easy! What I need is a way for the DNS requests from my phone to hit my Pi-hole when I'm not at my house. For my laptop I already have a VPN solution to get back home for other reasons, but that's a real 'sledgehammer to crack a nut' to get Pi-hole filtered DNS on my phone. I also wanted, as I often do, to see if I could get more benefit out of this than just passing DNS to my Pi-hole, and that's when I thought about DoH, or DNS-over-HTTPS. I did talk about DoH in my linked blog further up and how it lets you encrypt your DNS by basically sending DNS requests as JSON requests over HTTPS. It's a simple HTTP API... That's when it struck me that I could just host a simple HTTP(S) endpoint to field queries from my phone if I could make it do DoH!

Now, how do I get a DoH server up and running quickly and easily? I did some Googling and found out almost right away that Nginx has a DoH-to-DNS capability! How bloody awesome, considering I already run a local server with Nginx for other things and this would be a really simple addition. Here is the addition to my nginx.conf file.

```nginx
stream {
    # Import the JavaScript file that processes the DoH requests
    js_include /etc/nginx/njs.d/nginx_stream.js;

    # DNS upstream pool (can also be DoT)
    upstream dns {
        zone dns 64k;
        server 192.168.1.21:53; # My local Pi-hole
    }

    # DNS over HTTPS (gateway) translation process
    # Upstream can be either DNS (TCP) or DoT
    server {
        listen 127.0.0.1:8053;
        js_filter dns_filter_doh_request;
        proxy_pass dns;
    }
}

http {
    # DoH config
    upstream dohloop {
        zone dohloop 64k;
        server 127.0.0.1:8053;
    }

    ...
}
```

Here is the v-host for my DoH endpoint:

```nginx
server {
    listen *:443 ssl http2;
    listen [::]:443 ssl http2;

    root /var/www/html/home;
    server_name doh.scotthelme.co.uk;
    client_max_body_size 10M;

    ssl_certificate /home/scott/certificates/doh.scotthelme.co.uk/chain.crt;
    ssl_certificate_key /home/scott/certificates/doh.scotthelme.co.uk/private.key;
    ssl_dhparam /home/scott/acme/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384";
    ssl_prefer_server_ciphers on;

    gzip on;
    gzip_disable "msie6";
    gzip_proxied any;
    gzip_vary on;
    gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript text/js application/javascript;
    gzip_static on;

    location / {
        return 404 "404 Not Found\n";
    }

    location /dns-query {
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_pass http://dohloop;
    }
}
```

This is using the Nginx JavaScript Module and does a few simple steps:

1. Listen for HTTPS requests on https://doh.scotthelme.co.uk/dns-query.
2. Proxy those requests to http://dohloop, which is a defined upstream.
3. dohloop translates the DoH request to a DNS request against the dns upstream.
4. The dns upstream passes the DNS request to my Pi-hole.

That's it! I now have my own DoH endpoint that I can query against and the requests will be sent to my Pi-hole, which means full protection for any device using that endpoint! The next problem is how do I get my phone to use DoH?

Getting my iPhone to do DoH

On later versions of Android you can set a system-wide DoH endpoint by going to Settings -> Network and Internet -> Advanced -> Private DNS. On my iPhone there isn't an equivalent setting just yet and whilst apps can opt in to using DoH, I wanted to force this setting system-wide. To do that, I'm going to be using Apple Mobile Device Management (MDM) and it doesn't take as much effort as you'd think to set this up, probably just a couple of minutes.
To create a configuration profile you just need an XML file with the settings defined that you'd like to enforce on the device that the profile will be loaded onto. Here is mine:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>DNSSettings</key>
            <dict>
                <key>DNSProtocol</key>
                <string>HTTPS</string>
                <key>ServerURL</key>
                <string>https://doh.scotthelme.co.uk/dns-query</string>
            </dict>
            <key>PayloadDescription</key>
            <string>Configures device to DoH</string>
            <key>PayloadDisplayName</key>
            <string>Scott Helme DoH</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.dnsSettings.managed.c9731aa9-1b80-46aa-af7f-5ab8beca8fe1</string>
            <key>PayloadType</key>
            <string>com.apple.dnsSettings.managed</string>
            <key>PayloadUUID</key>
            <string>1d01eca5-ed69-4abf-ad99-340aa8d98802</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>ProhibitDisablement</key>
            <true/> <!-- assumed value: the extracted page does not preserve this boolean -->
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Configure device to use my own DoH server.</string>
    <key>PayloadDisplayName</key>
    <string>Scott Helme DoH</string>
    <key>PayloadIdentifier</key>
    <string>uk.co.scotthelme.doh</string>
    <key>PayloadRemovalDisallowed</key>
    <true/> <!-- assumed value: the extracted page does not preserve this boolean -->
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>d9358d81-c292-41ef-8d8a-2dbfa9911139</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
```

My profile is an adaptation of one of the profiles found here and you can use those to force DoH to public endpoints like the Cloudflare 1.1.1.1 resolver if you'd like. You can also find more details about the DNS Settings in MDM payloads here. Once the profile is created you need to download it onto your iPhone; I just sent it via email and saved it locally. From there, click the profile and go through the prompts to install it.

[Screenshots: installing the configuration profile on the iPhone]

If you want, you can then inspect the profile to see what it contains.

[Screenshots: inspecting the installed profile]

That's it! All of my DNS traffic is now routed to my simple relay at home using DoH, which then passes it off to my Pi-hole for filtering/blocking where needed. Of course, my Pi-hole also does DoH to my upstream provider at Cloudflare so the whole lot is now encrypted and protected! As an example, here I am opening a very important website on 4G and I can see the DNS requests showing up in my Pi-hole!
[Screenshots: the phone's DNS requests appearing in the Pi-hole query log]

The client there is home.scotthelme.co.uk, which is the internal name for my server and why it shows up like that, but if I log in to the server and tail my Nginx access log I can see the DoH queries coming in from my phone externally!

[Screenshot: the Nginx access log showing the incoming DoH queries]

Now I will always have the protection of my Pi-hole wherever I am, but also the performance advantages, because noticing how much slower everything was when I was off my Wi-Fi network was starting to bother me!

If you want to get notified when I publish a new blog, please consider subscribing!
License: CC BY-SA 4.0 to scotthelme.co.uk