I'm using pihole with an upstream DNS server of Quad9 DoH. The upstream DNS and the pihole are configured with docker via a docker-compose.yml file, with the upstream DoH server using the cloudflared service.
version: "3.5"
networks:
  network-pihole:
    name: "dns-pihole"
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.10.0.0/24 # Internal Docker network between pihole and wireguard, bridged
services:
  cloudflared:
    image: crazymax/cloudflared:latest
    container_name: cloudflared
    ports:
      - '5053:5053/udp'
      - '5053:5053/tcp'
    environment:
      - "TZ=Europe/Budapest"
      - "TUNNEL_DNS_UPSTREAM=https://9.9.9.9/dns-query,https://149.112.112.112/dns-query"
      # - "TUNNEL_DNS_UPSTREAM=https://1.1.1.1/dns-query,https://1.0.0.1/dns-query"
    restart: unless-stopped
    networks:
      network-pihole:
        ipv4_address: 192.10.0.2
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
      - "443:443/tcp"
    environment:
      - "TZ=Europe/London"
      - "PIHOLE_DNS_=192.10.0.2#5053"
    dns:
      - 127.0.0.1
      - 9.9.9.9
    # Volumes store your data between container upgrades
    volumes:
      - "./etc-pihole/:/etc/pihole/"
      - "./etc-dnsmasq.d/:/etc/dnsmasq.d/"
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    networks:
      network-pihole:
        ipv4_address: 192.10.0.3
Within the cloudflared service under environment:, I set the TUNNEL_DNS_UPSTREAM= setting to https://9.9.9.9/dns-query,https://149.112.112.112/dns-query, and the pihole service's dns: to 9.9.9.9.
Everything works great; however, when I browse to this and this Cloudflare checker, it says I'm not using DNS over HTTPS / secure DNS:
However, if I use Cloudflare's DoH, setting TUNNEL_DNS_UPSTREAM= to TUNNEL_DNS_UPSTREAM=https://1.1.1.1/dns-query,https://1.0.0.1/dns-query and the pihole service's dns: to 1.1.1.1, then run the two Cloudflare tests again, it now says: Using DNS over HTTPS (DoH) yes and a green tick for secure DNS.
I'm not sure why these tests don't work for Quad9 DoH. Is there another way to verify that I am using Quad9 DoH?
I'm not even sure if I could use Wireshark to look at packets to see if DNS queries are encrypted. I'm very new to Wireshark, so if that is a method of verifying Quad9 DoH then I'm not sure what I'd be looking for.
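The following is an added example, not part of the question above, showing what the cloudflared proxy in this setup actually sends upstream: a raw DNS query in wire format, wrapped as an RFC 8484 DoH request to the https://9.9.9.9/dns-query endpoint from the compose file, plus a parser for the DNS message that comes back inside the HTTPS response body. The response bytes are constructed by hand so the script runs offline; the 192.0.2.1 address is a documentation-range placeholder, not a real answer from Quad9.

```python
"""Build a DNS query, wrap it as an RFC 8484 DoH GET URL, and parse a DNS
response message.  Added example; the sample response is constructed here
for offline use and is not real Quad9 output."""
import base64
import struct

DOH_ENDPOINT = "https://9.9.9.9/dns-query"  # from the compose file above


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format DNS query (RFC 1035). RFC 8484 recommends ID 0 for DoH so
    identical queries yield identical, cacheable HTTP requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(endpoint: str, query: bytes) -> str:
    """DoH GET form: the DNS message goes in ?dns= as unpadded base64url.
    Over the wire this is only visible as a TLS session to the resolver on
    port 443; the query name never appears in cleartext."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def _read_name(msg: bytes, off: int):
    """Decode a possibly-compressed name; returns (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Parse header, skip the question section, and return the answer RRs
    as (name, type, ttl, value) tuples; A records are rendered dotted-quad."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def build_sample_response(query: bytes, ip: str = "192.0.2.1") -> bytes:
    """Constructed answer for testing: echoes the question, then one A record
    whose owner name is a compression pointer (0xC00C) back to the question."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ip.split("."))
    return header + query[12:] + rr


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(DOH_ENDPOINT, q))
    print(parse_response(build_sample_response(q)))
```

The practical check this illustrates: a capture on the Docker host should show plain DNS (UDP/TCP 53 and 5053) only between the pihole and cloudflared containers on the 192.10.0.0/24 bridge, while everything leaving toward 9.9.9.9 or 149.112.112.112 is TLS on port 443, with no readable query names. A Wireshark display filter such as `dns && !(ip.src == 192.10.0.0/24 && ip.dst == 192.10.0.0/24)` should therefore match nothing on the external interface if the proxy is doing its job.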