Peter van Dijk edited this page May 5, 2021 · 4 revisions

Pi-hole is a versatile, easy-to-configure ad-blocking DNS server. It uses dnsmasq (through its FTL fork) as its DNS engine, tightly integrated into its configuration, and by itself only serves plain, unencrypted DNS on port 53. To add encrypted transports, dnsdist (1.4 and up) can be put in front of it to terminate DNS over TLS (DoT) and DNS over HTTPS (DoH) and forward the decrypted queries to Pi-hole. Here's how:

  • install dnsdist from repo.powerdns.com
  • configure Pi-hole to listen on all interfaces (its DNS interface settings), so that it accepts the queries dnsdist forwards to it over loopback; note that Pi-hole will then see every query as coming from 127.0.0.1 rather than from the real client
  • put the following in /etc/dnsdist/dnsdist.conf:
-- give dnsdist a port other than the default to avoid conflicting with pihole (which already owns 53)
addLocal('0.0.0.0:5300', { reusePort=true })
-- Add pihole as server; health-check it once an hour instead of every second (the default) to prevent spamming the Pi-hole query log
newServer({address='127.0.0.1:53', checkInterval=3600})
-- Set up a DoH listener (default port 443)
addDOHLocal('0.0.0.0', "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem")
-- Set up a DoT listener (default port 853)
addTLSLocal('0.0.0.0', "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem")
-- Set up a webserver on port 8080, preventing conflict with pihole, with password 's3cr3t' (change it!).
-- By default dnsdist only admits 127.0.0.1 and ::1 to the web console; widen that deliberately via the acl
-- parameter if you need it from other hosts. Newer dnsdist versions prefer setWebserverConfig() for these settings.
webserver('0.0.0.0:8080', "s3cr3t")
  • create a self-signed certificate for the address or name clients will connect to. Put that value in the CN and, because modern TLS clients validate the subjectAltName rather than the CN, also as a SAN (the -addext option needs OpenSSL 1.1.1 or later):

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 1000 -nodes -subj '/CN=192.168.0.2' -addext 'subjectAltName=IP:192.168.0.2'

  • put the certificate files in /etc/dnsdist/, with key.pem readable only by the user dnsdist runs as
  • validate the configuration with dnsdist --check-config, then start dnsdist

Done. The Pi-hole portal remains available on its usual port; dnsdist's web console is on port 8080. Since the certificate is self-signed, DoT and DoH clients must be configured to trust it explicitly, and they must connect to exactly the address or name you put in the SAN.
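The certificate step above, as an added example that is not part of this wiki page or of dnsdist itself: a small POSIX shell script that builds the self-signed certificate with the matching subjectAltName (IP: for an address literal, DNS: for a name), keeps the private key at mode 0600, prints the SAN and SHA-256 fingerprint so you can check what you produced, and compares the fingerprint dnsdist actually serves on port 853 with the file on disk. It assumes OpenSSL 1.1.1 or later (for -addext and -ext) and uses the 192.168.0.2 address from the page only as sample input.

```shell
#!/bin/sh
# Added example, not code from the dnsdist wiki or the dnsdist project.
# Assumes OpenSSL 1.1.1+ (needed for `req -addext` and `x509 -ext`).
set -eu

# SAN entry for a host: IPv4/IPv6 literals become IP:..., anything else DNS:...
san_for() {
  case "$1" in
    *:*)        printf 'IP:%s' "$1" ;;   # contains a colon -> IPv6 literal
    *[!0-9.]*)  printf 'DNS:%s' "$1" ;;  # non-digit/dot present -> hostname
    *)          printf 'IP:%s' "$1" ;;   # digits and dots only -> IPv4 literal
  esac
}

# Generate key.pem/cert.pem for host $1 into directory $2.
# The key is created under umask 077 (mode 0600); the cert is world-readable.
make_cert() {
  host=$1; dir=$2
  mkdir -p "$dir"
  ( umask 077
    openssl req -x509 -newkey rsa:4096 -nodes -days 1000 \
      -keyout "$dir/key.pem" -out "$dir/cert.pem" \
      -subj "/CN=$host" -addext "subjectAltName=$(san_for "$host")" )
  chmod 644 "$dir/cert.pem"
}

# Print the subjectAltName of certificate $1, e.g. "IP Address:192.168.0.2".
cert_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName | tail -n +2 | sed 's/^ *//'
}

# Print the SHA-256 fingerprint of certificate $1 (colon-separated hex),
# handy for pinning a self-signed certificate in a DoT/DoH client.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed only if the DoT listener on $1:853 serves the same certificate as file $2.
# (Needs a running dnsdist; not exercised offline.)
check_dot() {
  host=$1; cert=$2
  served=$(openssl s_client -connect "$host:853" </dev/null 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
  [ -n "$served" ] && [ "$served" = "$(cert_fingerprint "$cert")" ]
}

# Usage: make_cert 192.168.0.2 /etc/dnsdist && cert_san /etc/dnsdist/cert.pem
#        check_dot 192.168.0.2 /etc/dnsdist/cert.pem   # after starting dnsdist
```

Run make_cert with the address or hostname clients will actually use; cert_san shows whether the SAN came out as IP or DNS, which is the field a client compares against the address it connected to. After dnsdist is up, check_dot confirms the listener is handing out the certificate from /etc/dnsdist and not some leftover.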