Hello lemmings! I have recently started the process of setting up my own Pi-Hole, I am a developer and pretty comfortable with Linux but I am a bit of a newcomer when it comes to networking.
Now, during the process I noticed that the VPN I use (Mullvad) claim to have DNS leaks (This is a bit obvious since I was no longer using the DNS they expected in the VPN tunnel). So after reading a bit on the pi-hole guides I figured I’d set up a cloudflared service, but instead of using the cloudflare dns-query I route it to Mullvads own DNS.
Now this works fine and all, it’s DoH and running Mullvads own DNS to query so Mullvads own tool is happy with the DNS settings I have.
However, I also read about unbound in the Pi-Hole guides. I was curious if this was to prefer over cloudflared? Since I am running through Mullvads own DNS I don’t think there should be any issues. However locally hosting your own recursive DNS server also sounds good.
What is your opinion? Is it overkill? Is what I have now enough or should I try to set up unbound aswell?
Happy with just a discussion around this to learn more, just curious whether I should continue cooking on what I have now or if I should just focus on getting the entire network set up to use this.
DoH on the lan between devices is completely pointless; I’m talking about DoH between the lan and external dns which unbound does NOT do.
DNS over TLS handles that. No need for DoH really. Unless DNS ports are blocked or captured by NAT or something and you need to use port 443 with DoH. At least not with a DNS server.
DoH is useful for individual applications to do their own DNS lookups bypassing the OS or network level DNS. Otherwise DoH and DoT provide the same basic protection. DoT is just at a lower network layer and thus more easily applies more broadly across the network or OS rather than being application or resolver specific. There’s never been a real need for a DNS server to use DoH instead of DoT unless DoT is blocked upstream.