Pihole + DoH idea, please advise

Hello all,

I was thinking how I can get out to the internet via DoH (RouterOS 7.19.6, model RB5009UG+S+) without installing another container (pihole is already eating enough RAM), so I had an idea.

Please comment if it is (or not) wrong:

  1. set /ip/dhcp-server/network/dns-server as the IP of your pihole so each client will receive it as dns so their queries will go to pihole.

  2. set the Upstream DNS Servers of pihole to the IP of your router

  3. go to /ip/dns and set “use-doh-server” to a specific DoH address to exit outside encrypted

  4. maybe some NAT rules to force the clients passing their queries to pihole.

something like that

           +-------------------------------+
           |            Clients            |
           | DHCP DNS=172.17.0.2 (Pi-hole) |
           +---------------+---------------+
                           |
                           | DNS request (port 53)
                           v
                  +--------+-------+
                  |     Pi-hole    |
                  |   172.17.0.2   |
                  | Filtering DNS  |
                  +--------+-------+
                           |
                           | Forward DNS
                           v
                  +--------+-------+
                  |   Router DoH   |
                  |  192.168.10.1  |
                  +--------+-------+
                           | (DoH)
                           v
                      +----+-----+
                      | Internet |
                      +----------+

What do you guys say?

Thanks
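The four steps of the proposal, written out as RouterOS 7 commands (an added example, not from the original post or from MikroTik). The DoH hostname `doh.example.invalid` and its address `203.0.113.10` are placeholders for a real provider, the LAN subnet `192.168.10.0/24` and the interface list `LAN` are assumptions, and the Pi-hole and router addresses come from the diagram above.

```routeros
# --- Step 1: DHCP clients learn Pi-hole (172.17.0.2) as their resolver ---
# ASSUMPTION: the LAN network entry is 192.168.10.0/24 (router is 192.168.10.1).
/ip/dhcp-server/network set [find address="192.168.10.0/24"] dns-server=172.17.0.2

# --- Step 2 happens in Pi-hole, not RouterOS: Settings > DNS > Custom
#     upstream = 192.168.10.1 (the router). Nothing to type here. ---

# --- Step 3: the router itself resolves upstream over DoH ---
# PLACEHOLDERS: doh.example.invalid / 203.0.113.10 stand in for the provider's
# real hostname and IP. The router must resolve the DoH hostname before DoH is
# up, so give it a static bootstrap record (or keep a plain "servers=" entry
# for that purpose only).
/ip/dns/static add name=doh.example.invalid address=203.0.113.10 comment="DoH bootstrap"
# verify-doh-cert=yes only works once the provider's root CA is imported under
# /certificate; with "no" the DoH server's TLS certificate is not validated.
# allow-remote-requests=yes is required so the router answers Pi-hole's queries.
/ip/dns set use-doh-server="https://doh.example.invalid/dns-query" verify-doh-cert=yes allow-remote-requests=yes

# allow-remote-requests also makes the router answer on WAN unless the firewall
# says otherwise. Keep these above any generic input accept rules.
/ip/firewall/filter add chain=input protocol=udp dst-port=53 in-interface-list=!LAN action=drop comment="no DNS from outside"
/ip/firewall/filter add chain=input protocol=tcp dst-port=53 in-interface-list=!LAN action=drop comment="no DNS from outside"

# --- Step 4: clients with a hard-coded resolver (8.8.8.8 etc.) get redirected ---
# in-interface-list=LAN keeps WAN packets out of the rule.
# src-address=!172.17.0.2 is essential: Pi-hole's own upstream queries to the
# router also pass the dstnat chain, and without the exclusion they would be
# bounced back to Pi-hole, forming a loop. dst-address=!172.17.0.2 leaves
# queries already aimed at Pi-hole untouched.
/ip/firewall/nat add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 src-address=!172.17.0.2 dst-address=!172.17.0.2 action=dst-nat to-addresses=172.17.0.2 to-ports=53 comment="force DNS via Pi-hole"
/ip/firewall/nat add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 src-address=!172.17.0.2 dst-address=!172.17.0.2 action=dst-nat to-addresses=172.17.0.2 to-ports=53 comment="force DNS via Pi-hole"

# Checks on the router: the resolve must succeed and the cache must fill up.
:put [:resolve example.com]
/ip/dns/cache print
```

From a LAN client, `nslookup example.com 1.1.1.1` should still show up in Pi-hole's query log, which confirms the redirect in step 4 works.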

I would use Adlist and DoH (actually, I wouldn’t use the latter).

And don’t forget to route all DNS requests to the MikroTik.

why not?

Overhead, and for me it doesn’t bring any advantages.

Why did you choose to use it?

more privacy?! nothing special

Just use AdGuard Home which supports DoH/ DoQ: GitHub - AdguardTeam/AdGuardHome: Network-wide ads & trackers blocking DNS server

yeah, that is another choice, in /container as a replacement for pihole

Are you also running VPN 24/7? Otherwise your provider can see where you are connecting to.

No, I am not. But at least I can encrypt my dns :slight_smile:

Your DoH provider will know the domains you request. Do you trust them more than your ISP (or other third party DNS provider)?

well, if your logic is going that direction then let’s not do anything because either way you can't hide anything :slight_smile: unless you’re using a VPN…

anyways, all I want is to know if my proposal will work.

thanks

It will work.

To put extremisms aside ... there are good uses for all of the "privacy" technologies (DoH, VPN, etc) ... but most of the time using them all (or even any of them) doesn't make any sense (or even moves problems into another "corner").

E.g. if one lives in parts of the globe where local politicians tend to care about people's thoughts too much (read: dictatorships), then it's probably a sane thing to use a VPN (and direct DNS requests, which can also be traditional DNS, through it as well).
Or if one wants to use a service which is limited to certain regions (so the user has to fight against capitalists).

OTOH the entity which breaks out your traffic will always know what you're doing. It just depends on which party that is - by default that's your ISP and consequently perhaps your own government; when using a VPN that will be your VPN provider, most probably some global corporation with HQ in the USA and consequently US government agencies. One then has a choice which one is more evil: local ISP or global corporation (I believe there are places where global corporations are the lesser evil, but I guess that the majority of humanity lives where the local (political and economic) environment is safer than the global corporate landscape).

And similar for DoH: either your ISP will have possibility to know your browsing history ... or DoH provider will. Again choice between bad and worse. With addendum: as @erlinden already wrote, if you don't use VPN, then your ISP will already know a lot about you, so why "give out" the same information also to DoH providers?