Securing DNS with DoH

My Raspberry Pi running Pi-hole was ticking along nicely and blocking all ads. We’d seen the percentage of ads blocked hit 40%+ and it was improving our browsing experience no end. The only issue bugging me (and it had been for a while) was that DNS queries are sent in the clear, meaning our ISP (and probably Google) are building up a nice picture of our browsing habits – not that we have anything to hide, however.

This is where DNS-over-HTTPS (or DoH) comes into it. Simply put, the DNS requests are issued over HTTPS, so they are encrypted in transit and cannot be read, and therefore tracked, by your ISP or anyone else on the path. The Pi running Pi-hole can do the DoH stuff quite easily with a bit of help from Cloudflare. The documentation you need is here, but in a nutshell: you install cloudflared on the Pi, which means the Pi can now use DoH when making requests of Cloudflare’s 1.1.1.1 DNS resolver, and then you point Pi-hole’s upstream DNS at the Pi itself (the local cloudflared listener) so that every query Pi-hole forwards goes out over DoH.
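To make concrete what cloudflared is doing on the Pi’s behalf, here is an added example (not from this post, Pi-hole or Cloudflare): a minimal DoH client using only the Python standard library. It builds a wire-format DNS query, POSTs it as an `application/dns-message` body to Cloudflare’s public DoH endpoint (assumed to be https://cloudflare-dns.com/dns-query, the HTTPS face of 1.1.1.1) and parses the A records out of the reply; the lookup itself needs network access, the builder and parser do not.

```python
import struct
import urllib.request

# Assumption: Cloudflare's public DoH endpoint for the 1.1.1.1 resolver.
DOH_URL = "https://cloudflare-dns.com/dns-query"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode an RFC 1035 wire-format query for `name` (type A by default).
    DoH uses message ID 0 so that identical queries are cache-friendly."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id, RD flag, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype, class IN


def _skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past the (possibly compressed) name at `pos`."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length


def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses in the answer section of a wire-format reply."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):            # skip the echoed question section
        pos = _skip_name(msg, pos) + 4  # + qtype, qclass
    ips = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:   # A record
            ips.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return ips


def doh_lookup(name: str) -> list:
    """Resolve `name` over HTTPS: the query travels inside TLS, not as cleartext UDP."""
    req = urllib.request.Request(
        DOH_URL, data=build_query(name),
        headers={"content-type": "application/dns-message",
                 "accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())


if __name__ == "__main__":
    print(doh_lookup("example.com"))
```

Run as a script it resolves example.com over HTTPS; this is the same kind of request cloudflared issues for every query Pi-hole hands to it, which is why a client that bypasses the Pi and talks to another resolver directly is still sending its queries in the clear.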

It couldn’t be easier. No changes are needed on your clients, and now you can rest easy knowing all DNS requests from your network are running over HTTPS.