I present an alternative way to use Pi-hole outside the home network by leveraging Encrypted DNS (aka DNS-over-TLS and DNS-over-HTTPS) instead of the usual VPN.
I do exactly this as well. Works great! Dynamic DNS is kind of a hilarious hack.
Quick question: since I use wireguard, do I need to use DNS-over-HTTPS for security? My assumption is that my entire session is already encrypted with my wireguard keys, so it doesn’t matter. But I figured I should double check.
Depends, do you have pihole/unbound setup to only recursively resolve? Or do you forward requests to an upstream (either as a fallback or just as a primary). If that’s the case, and depending on your threat model, you’ll want to set up DoH or DoT as your DNS requests will be forwarded in plaintext
Fortunately I set up unbound ages ago, and disabled every other upstream option in my pi.hole. However, I imagine that still “leaks” some information about my DNS queries, just indirectly – it’s not like my pi.hole has every domain mapped all the time!
Excellent to have confirmation, thanks. What about the VPN connection handshake? I always assumed it was OK over non-SSL, because the exchange should use signed keys. But that is quite an assumption on my part.
Wireguard uses public and private keys which are designed from the ground up to be used over plain text to establish the handshake so it isn’t an issue. Same idea with ssh keys and ssl keys
I have ddns on Cloudflare.
It works great, until your home IP changes.
After that wireguard will happily hammer the old IP, till something breaks the tunnel and it reestablishes it to the new IP.
Working as intended.
My workaround was forcing the IP change over night while everyone was home.
Use ddns on your router with a domain so you can then get something like wireguard.example.com and then use that as the endpoint in your wireguard.
Set the wireguard DNS as your pihole.
To make life easier set your home network IP space to something that another WiFi would never use, ie 192.168.46.xx
That way it will never conflict if you are on a public WiFi and you can access anything on your home lab when you need.
I’ve been using this setup for years on laptop, phone etc
I do exactly this as well. Works great! Dynamic DNS is kind of a hilarious hack.
Quick question: since I use wireguard, do I need to use DNS-over-HTTPS for security? My assumption is that my entire session is already encrypted with my wireguard keys, so it doesn’t matter. But I figured I should double check.
Depends, do you have pihole/unbound setup to only recursively resolve? Or do you forward requests to an upstream (either as a fallback or just as a primary). If that’s the case, and depending on your threat model, you’ll want to set up DoH or DoT as your DNS requests will be forwarded in plaintext
Fortunately I set up unbound ages ago, and disabled every other upstream option in my pi.hole. However, I imagine that still “leaks” some information about my DNS queries, just indirectly – it’s not like my pi.hole has every domain mapped all the time!
You do not need anything else. DNS requests are all sent over Wireguard with encryption
Excellent to have confirmation, thanks. What about the VPN connection handshake? I always assumed it was OK over non-SSL, because the exchange should use signed keys. But that is quite an assumption on my part.
Wireguard uses public and private keys which are designed from the ground up to be used over plain text to establish the handshake so it isn’t an issue. Same idea with ssh keys and ssl keys
Thanks. Wild that folks build SSH and HTTP around the same time without realising that HTTP could benefit from some of that same tech!
At the time, everything HTTP was supposed to be public.
I have ddns on Cloudflare. It works great, until your home IP changes. After that wireguard will happily hammer the old IP, till something breaks the tunnel and it reestablishes it to the new IP. Working as intended. My workaround was forcing the IP change over night while everyone was home.
Tailscale sorts all the issues I had.