Z3k3@lemmy.world 1 year ago
Good solution if you never leave the house
skullgiver@popplesburger.hilciferous.nl 1 year ago
Add nginx to the mix (simply put a TLS proxy between DNS and the outside world) and you’ve got a DoT server. Because it’s TCP you don’t need to consider DNS amplification attacks, and Android has native DoT support that’ll work anywhere.
What you need is a domain (any domain will do) pointed at your WAN IP and a valid HTTPS certificate. Put this in your Pihole’s nginx config:
stream {
    upstream dns {
        zone dns 64k;
        server 127.0.0.1:53;
    }
    server {
        listen 853 ssl;
        ssl_certificate /path/to/your/letsencrypt/certificate.pem;
        ssl_certificate_key /path/to/your/letsencrypt/key.pem;
        proxy_pass dns;
    }
}
The hardest part is getting Let’s Encrypt set up, but you can use common DNS APIs to get those certificates without ever forwarding port 80 to your Pihole. You do need to forward port 853, of course.
Then open your phone’s settings, set the secure DNS to custom, and point it at your WAN IP. You’ll now have Pihole support wherever you go, without a VPN.
The only downside is that you’ll have to turn it off in some hotspots that still use DNS interception to redirect you to their portal page rather than the standard protocols, but it’ll work in most cases. Some routers also deal with port forwards weirdly (not forwarding packets destined for the WAN IP if they’re coming from the LAN), which requires some more messing around, but I’m pretty sure those issues are becoming rarer and rarer.
If you’re feeling fancy you can set up DoH as well, but that’s more involved.
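What the nginx stream block above actually forwards is plain TCP DNS (a 2-byte length prefix followed by a wire-format message) inside a TLS session on port 853, so a small client is a useful way to check the setup end to end before trusting it from a phone. The following is an added example, not code from the original post or from Pi-hole: it builds a query, frames it for TCP, opens a TLS connection with full certificate and hostname verification, and parses the answer, flagging the 0.0.0.0 replies Pi-hole returns for blocked names in its default NULL blocking mode. The hostname `dns.example.org` and the embedded sample response are constructed placeholders.

```python
"""Minimal DNS-over-TLS (RFC 7858) client for checking a Pi-hole behind nginx.

Added example; not part of the original post. Assumes the proxy is reachable by a
hostname that matches its Let's Encrypt certificate (dns.example.org is a placeholder).
"""
import socket
import ssl
import struct

QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Wire-format query: 12-byte header (RD set), QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """TCP/DoT transport prefixes every message with its big-endian 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def _read_name(data: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:           # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2               # the pointer itself is 2 bytes long
            off = ((length & 0x3F) << 8) | data[off + 1]
            hops += 1
            if hops > 16:                   # refuse pointer loops from a hostile server
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(data: bytes) -> dict:
    """Return txid, rcode and answer records as (name, type, ttl, value) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    off = 12
    for _ in range(qd):                     # skip the echoed question section
        _, off = _read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == QTYPE_AAAA and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}


def is_blocked(answers) -> bool:
    """Pi-hole's default NULL blocking mode answers 0.0.0.0 / :: for blocked names."""
    return any(t in (QTYPE_A, QTYPE_AAAA) and v in ("0.0.0.0", "::") for _, t, _, v in answers)


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(server: str, name: str, qtype: int = QTYPE_A, port: int = 853) -> dict:
    """Send one query over TLS; the default context verifies chain and hostname."""
    ctx = ssl.create_default_context()
    txid = 0x1234
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame_tcp(build_query(name, qtype, txid)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            resp = parse_response(_recv_exact(tls, length))
    if resp["txid"] != txid:
        raise ValueError("transaction id mismatch")
    return resp


# Constructed sample: the reply a Pi-hole would give for a blocked "ads.example" (A 0.0.0.0).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x03ads\x07example\x00" + struct.pack("!HH", QTYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([0, 0, 0, 0])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
    # Live check against your own proxy (placeholder hostname):
    # print(query_dot("dns.example.org", "ads.example"))
```

The client connects by the certificate's hostname rather than a bare IP on purpose: `ssl.create_default_context()` only verifies the chain and name when given a hostname to match, and a phone's private-DNS setting does the same check, so a mismatch there shows up here first. A hotspot that intercepts DNS will surface as a TLS handshake failure rather than a silently different answer, which is the behaviour the comment above describes.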
Z3k3@lemmy.world 1 year ago
Tbh when I got my current phone it gave me the option of installing a duckduckgo browser. Seems to work fine and gives you a 1 button burn option that clears out cookies etc.
Only thing I have noticed is fb doesn’t let you log in but tbh that’s only a good thing in my book.
For yt I have gone down the route of ff + ublock
possiblylinux127@lemmy.zip 1 year ago
YouTube has plenty of third party clients and websites
MangoPenguin@lemmy.blahaj.zone 1 year ago
VPN back home, or set up DoT with adguard home instead of pihole.
Sethayy@sh.itjust.works 1 year ago
or setup some vpn fanciness
(or expose your port but yikes)