A docker-compose file to provide a secure adblocking DNS server
Run a secure DoT (DNS-over-TLS) and DoH (DNS-over-HTTPS) DNS server that does ad blocking and hides your DNS queries from your ISP, AND hides your DNS queries from the upstream recursive DNS server.
- Nginx: high-performance HTTP server that provides the DNS-over-TLS listener and access to Pi-hole (doc)
- Pi-hole: ad-blocking DNS server. Pi-hole forked dnsmasq and provides a nice UI to manage the DNS server. (donate)
- Stubby: a DNS stub resolver that supports forwarding DNS requests to an upstream DNS-over-TLS server. Note that Unbound also supports forwarding requests upstream over TLS, but I was told (I can't find the reference) that Unbound does not reuse TLS connections, which is a concern for me (my AT&T gateway has an internal NAT table with a limited number of entries). (doc)
- DNS-over-HTTPS: a DoH server.
- Install Docker (how) and the `docker-compose` command (how).
- Know how to DNAT from your public IP to the server running the stack. Alternatively, if you have IPv6, allow dport=853 access to your server.
- Know how to get a Let's Encrypt certificate for your domain. You need a single wildcard certificate if you host both the DoH server and Pi-hole on the same server.
The following instructions will run a set of containers on Docker that provide a DNS-over-TLS service on port 853 and forward your requests through Pi-hole, then to Cloudflare DNS over Tor.
- Modify the `.env` file. See the comments in that file for instructions.
- Update `config/letsencrypt/credentials.txt` with your Cloudflare API key (see https://certbot-dns-cloudflare.readthedocs.io/en/stable/#credentials for reference).
- Run the following command, which should succeed. Note that `${EMAIL:?}` and `${DOMAIN_NAME:?}` are expanded by your shell, not by docker-compose, so export those variables first (for example by sourcing `.env`), otherwise the `:?` expansion aborts with an error:

  `docker-compose run --entrypoint="certbot certonly --email ${EMAIL:?} -d *.${DOMAIN_NAME:?},${DOMAIN_NAME:?} --rsa-key-size=4096 --agree-tos --force-renewal --dns-cloudflare-credentials /credentials.txt --dns-cloudflare" certbot`

- Run `docker-compose up -d`.
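To check what the stack actually exposes once it is up, here is an added Python example (not part of this repository) that speaks the two wire formats the listeners use: RFC 7858 length-prefixed DNS over TLS on port 853, and the RFC 8484 base64url `?dns=` GET form for DoH. `query_dot` can be pointed at your `DOMAIN_NAME`; the default TLS context verifies the Let's Encrypt certificate chain and hostname, so a failed handshake means the certificate is not being served correctly. The `/dns-query` path is the RFC 8484 default and an assumption here, as is the single-label A-record parsing.

```python
import base64
import socket
import ssl
import struct

def build_query(name, txid=None, qtype=1):
    """Wire-format DNS query (RFC 1035) with RD=1; the 16-bit ID is random unless the caller fixes it."""
    txid = int.from_bytes(ssl.RAND_bytes(2), "big") if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame_dot(msg):
    """RFC 7858 (DoT): each message on the TLS stream is prefixed with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def doh_get_path(msg):
    """RFC 8484 (DoH GET): base64url of the wire message, '=' padding stripped, in the dns= parameter."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()

def _skip_name(resp, off):
    while resp[off] != 0 and resp[off] & 0xC0 != 0xC0:  # walk labels until root or a compression pointer
        off += 1 + resp[off]
    return off + (2 if resp[off] & 0xC0 == 0xC0 else 1)  # a pointer is two bytes and ends the name

def parse_a_answers(resp):
    """Return (txid, rcode, [IPv4 strings]) from a wire-format DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return txid, flags & 0xF, ips

def query_dot(server, name, port=853):
    """Resolve `name` over DoT; create_default_context() verifies the certificate chain and hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=5) as raw, ctx.wrap_socket(raw, server_hostname=server) as tls:
        tls.sendall(frame_dot(build_query(name)))
        stream = tls.makefile("rb")
        (length,) = struct.unpack("!H", stream.read(2))
        return parse_a_answers(stream.read(length))
```

A pi-holed domain should come back with rcode 0 and either an empty answer list or the Pi-hole sinkhole address, while a normal domain returns its real A records.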