These instructions will set up your Pi-Hole to run DNS over TLS and TOR.
For those unfamiliar, here is a description of the issues with regular DNS.
DNS over TLS encrypts the DNS requests between you and the DNS provider so that only you and the DNS provider know what requests you have made. The DNS provider however will have both your IP address and your request.
By adding TOR to the chain, no one has access to your request and your IP address. The DNS provider will see a Tor exit node making the request and the Tor exit node will see an encrypted message going out to the DNS provider.
Its a small step to increasing your privacy online, but its fairly easy.
Your ISP will still see all your regular traffic, this is a reduction in footprint, not a magic bullet.
DNS over TLS and TOR is slower. The instructions below should increase your caching of DNS entries (a cached DNS entry is very fast) but non-cached entries may take up to a second to resolve.
In practice, I havent noticed a slowdown. Currently with pi-hole, 50% of my requests are cached, 20% are blocked and only 30% are resolved externally.
This stack points the pi-hole DNS to use stubby (which performs DNS over TLS) which is then redirected via proxychains to TOR. These instructions assume you have set up pi-hole.
If not please install pi-hole first .
Playing around with DNS can result in you not being able to resolve any domain names and therefore no access to the internet and no way to google how to get out of the mess. You should, at the minimum have the ip address of your pi-hole so that you can access it to turn off the new DNS server and a copy of these instructions locally. If you are not confident you can recover from DNS issues, this probably isnt for you, or test it out on a test machine rather than your main DNS server
Log into your pi-hole.
Check everything is up to date.
sudo apt-get update && sudo apt-get upgrade
sudo apt-get install tor
Check tor installation.
sudo netstat -tpln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0: LISTEN 504/sshd
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN 3057/tor
tcp6 0 0 :::22 :::* LISTEN 504/sshd
*
We are looking for tor listening on port 9050.
Check its working Firstly my ip without tor.
curl ifconfig.me
Then your ip with tor.
torsocks curl ifconfig.me
These two should be different.
Stubby is now in buster so if you have buster you can just
sudo apt-get install stubby
This actually starts the program so we need to stop it.
sudo systemctl stop stubby
If you dont have stubby in your repositories there is a description here of how to build it from source.
(Note it might be worth building it from source anyway to get the latest version).
Loate the config file for stubby.
stubby -i | head
[08:57:52.097323] STUBBY: Read config from file /usr/local/etc/stubby/stubby.yml
Change the port that stubby listens on.
sudo nano /usr/local/etc/stubby/stubby.yml
Change the listen_addresses to
listen_addresses:
- 127.0.0.1@8053
- 0::1@8053
Save and exit.
Now start stubby
sudo systemctl start stubby
And test it.
dig @127.0.0.1 -p 8053 google.com
This should return an ip address for google.
Now lets stop stubby for the momment
sudo systemctl stop stubby
sudo apt-get install proxychains
We know need to make a change to the proxychains config to not do dns resolution.
sudo nano /etc/proxychains.conf
Comment out the line
proxy_dns
so that it appears like this.
# proxy_dns
and at the end of the file change socks4 to socks5 ie.
socks5 127.0.0.1 9050
(Not sure if this is really necessary).
Save and exit.
To check it is working
proxychains curl ifconfig.me
and
curl ifconfig.me
should give different ip addresses.
To test its all working type the following
proxychains stubby &
and test it.
dig @127.0.0.1 -p 8053 google.com
You should get back the ip address. In the returned records you should see the time the request took. Its probably very slow but we can speed that up later.
Now stop our test server.
killall stubby
sudo nano /etc/systemd/system/multi-user.target.wants/stubby.service
and change the ExecStart line to be
ExecStart=/usr/bin/proxychains /usr/bin/stubby
and change the After line to be (adding tor.service)
After=network-online.target tor.service
Save it and exit.
Run the following
sudo systemctl daemon-reload
sudo systemctl start stubby
and test it.
dig @127.0.0.1 -p 8053 google.com
Go to your pi-hole web interface and go to settings. There is a tab at the top called DNS, go there.
Turn off your other DNS providers and add Custom server
127.0.0.1#8053
Hit save at the bottom of the page and we should be done.
We can test it using
dig apple.com
We should use an address we havent checked before because the pi-hole caches dns requests. If everything is working, the dig command will probably be quite slow.
Firstly add a minimum TTL (Time to live) to DNS requests. This will mean DNS requests get repeated within about an hour. IP addresses rarely move but you may want a smaller value in certain cases.
Type the following.
sudo bash
cat << EOF > /etc/dnsmasq.d/min_tls.conf
min-cache-ttl=3500
EOF
exit
Secondly change the servers that stubby uses.
sudo nano /usr/local/etc/stubby/stubby.yml
Increase the idle_timeout (in milliseconds)
idle_timeout: 1000000
Enable the ca certs (uncomment the following line)
tls_ca_path: "/etc/ssl/certs/"
Uncomment (if you want) Google servers.
- address_data: 8.8.8.8
tls_auth_name: "dns.google"
- address_data: 8.8.4.4
tls_auth_name: "dns.google"
Save and exit.
Restart pi-hole and stubby
sudo systemctl restart stubby
sudo systemctl restart pihole-FTL
Test again.
dig apple.com
which is probably not going to break any speed records, though it we try it again
dig apple.com
We should get a response in a millisecond.
If you want to remove this configuration, change the DNS server back on the pi-hole web interface to your preffered DNS server and remove the 127.0.0.1#8053 entry. Save
That should get your dns back to how it was.
To stop the stubby service from running.
sudo systemctl disable stubby
sudo systemctl stop stubby