Thursday, July 5, 2018

Secure your DNS with DNS over HTTPS and CloudFlare

So I recently set up a spare Raspberry Pi at my house in order to act as a local DNS server which blocks requests based on ad-lists and rules.  The software that does this is called, appropriately, Pi-Hole and is fully open source.  This has been great because it works across all devices on the network without having to install ad-blockers on each device.

After running this setup for a while with the standard Google Public DNS servers at 8.8.8.8 as the upstream, I found an article about a new public DNS service hosted by CloudFlare at 1.1.1.1, which is a much faster server.  Instead of responses in the 30-50ms range, the CloudFlare DNS server typically resolves hosts in around 11-20ms, or almost twice as fast!

In addition to changing the Pi-Hole software to use this DNS resolver, I read that the CloudFlare DNS server also offers DNS over HTTPS (DoH).  (Google also offers this service.)  This matters because normal DNS queries are sent in plain text over UDP port 53, meaning anyone on the network path between you and the resolver (your ISP, a coffee-shop Wi-Fi operator, anyone on the same LAN) can eavesdrop on your requests and log which sites and services you are visiting with minimal effort, even when the sites themselves are served over HTTPS.  Worse, some Internet Service Providers have gone so far as to modify DNS responses, for example redirecting lookups for non-existent names to their own pages, in order to inject ads into your browsing experience!! (pure evil, IMHO)

In order to protect against this type of hijacking and eavesdropping, you can wrap your DNS queries in HTTPS, the same protocol that protects secure web sites like your bank from being read or altered while they travel over the internet.  Be clear about what this buys you: the hop between your resolver (here, the Pi-Hole) and CloudFlare is encrypted and authenticated, so nobody in between can read or rewrite it, but CloudFlare itself still sees every query, so you are choosing whom to trust rather than eliminating trust.  The devices on your LAN still talk ordinary DNS to the Pi-Hole; in this setup that is fine, because the only hop that leaves your house is the encrypted one.

The guide that I used for configuring the DNS over HTTPS proxy can be found here:

https://bendews.com/posts/implement-dns-over-https/

Another benefit of using Pi-Hole is that it supports DNSSEC validation, which everyone should be using.  DNSSEC is not encryption: the owner of a zone signs its records, and a validating resolver checks those signatures, so a forged or altered record is detected no matter where it came from (a spoofed reply, a poisoned cache, a tampering resolver) and the lookup fails instead of returning a bad answer.  It complements DoH rather than duplicating it: DoH protects the hop to the resolver, DNSSEC protects the data itself.  Two caveats: only zones that are actually signed get validated, and validation requires the upstream to pass back the signature records (RRSIGs), which CloudFlare's resolver does.  Just make sure to turn it on in the Pi-Hole settings, as it's off by default!
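To make the two mechanisms above concrete, here is an added example (not code from this post or from the linked guide) in Python that builds a DNS query in wire format, encodes it the way RFC 8484 DNS-over-HTTPS expects for a GET request, and parses a DNS response to pull out the answer records and the AD (authenticated data) flag that a validating DNSSEC resolver sets.  The CloudFlare endpoint URL is real; the sample response is constructed in the script (TEST-NET address, made-up signature bytes) so everything runs offline, and the `doh_post` helper that actually talks to the network is only used if you call it.

```python
"""Minimal DNS-over-HTTPS client pieces (RFC 8484) plus a DNSSEC AD-flag check.

Added example; not part of the original post.  The SAMPLE_RESPONSE below is
constructed by hand so the script runs without network access.
"""
import base64
import ipaddress
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"  # Cloudflare's real DoH endpoint

TYPE_A, TYPE_CNAME, TYPE_AAAA, TYPE_OPT, TYPE_RRSIG = 1, 5, 28, 41, 46
TYPE_NAMES = {TYPE_A: "A", TYPE_CNAME: "CNAME", TYPE_AAAA: "AAAA",
              TYPE_OPT: "OPT", TYPE_RRSIG: "RRSIG"}


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, dnssec_ok=True):
    """Build a DNS query.  ID is 0 (RFC 8484 recommends it so DoH GETs are
    cacheable); RD=1 asks the resolver to recurse.  With dnssec_ok an EDNS0
    OPT record with the DO bit is appended so RRSIGs are returned."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if dnssec_ok:
        # root name, type OPT, UDP payload size, TTL field = DO bit, no rdata
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return msg


def doh_get_url(query, url=DOH_URL):
    """RFC 8484 GET form: ?dns=<base64url(message)> with '=' padding removed."""
    return url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def doh_post(query, url=DOH_URL):
    """RFC 8484 POST form.  Uses the network; returns the raw DNS response."""
    req = urllib.request.Request(
        url, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into earlier bytes
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if jumped else off


def parse_response(msg):
    """Return rcode, the AD flag, and the answer section as simple tuples."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == TYPE_AAAA:
            value = str(ipaddress.IPv6Address(rdata))
        elif rtype == TYPE_CNAME:
            value = read_name(msg, off - rdlen)[0]
        elif rtype == TYPE_RRSIG:  # first two bytes: type the signature covers
            value = "covers " + TYPE_NAMES.get(struct.unpack("!H", rdata[:2])[0], "?")
        else:
            value = rdata.hex()
        answers.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, value))
    # AD (bit 5) is only trustworthy from a resolver you reach over a secure
    # channel, which is exactly what DoH to a validating resolver gives you.
    return {"rcode": flags & 0xF, "authenticated": bool(flags & 0x0020),
            "answers": answers}


# Constructed sample: a validating resolver's reply to build_query("example.com").
# Flags 0x81A0 = QR|RD|RA|AD, NOERROR.  Address and signature bytes are made up.
_RRSIG_RDATA = (struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 0, 0, 12345)
                + encode_name("example.com") + b"\x00" * 8)
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x81A0, 1, 2, 0, 1)
    + encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(_RRSIG_RDATA))
    + _RRSIG_RDATA
    + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0x00008000, 0)
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("GET form:", doh_get_url(q))
    print("Parsed sample:", parse_response(SAMPLE_RESPONSE))
    # To hit the real resolver: print(parse_response(doh_post(q)))
```

The `authenticated` field is the flag you should see go from false to true once DNSSEC is switched on in the Pi-Hole and the upstream returns RRSIGs; a record that fails validation comes back as SERVFAIL (rcode 2) with no answers, which is the intended failure mode.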

