Whew, what an utterly specific title. Well, it simply describes my own needs. Let me describe these in detail.
I'm Swiss. Switzerland in general is quite illiterate when it comes to information technology, especially in the realm of data protection.
That's also why our country adopted the Federal Act on Gambling in 2018. It basically boils down to restricting online gambling to Swiss casinos by blocking unlicensed foreign offers via DNS. The list is even publicly available, also because national ISPs are urged to block their customers from accessing said offers.
So any normal user who does not know about DNS will use their ISP's resolver, which is required to block access to any item on that list.
Accessing those blocked services is just a desperate DNS change or VPN away. Once again, it's only about the money.
As privacy-protecting as possible
Sadly, also political: privacy is needed more than ever. Swiss citizens tend to vote for the wrong thing when it comes to privacy. Votes against privacy are fueled by IT illiteracy, fear, misinformation and ignorance. The general lack of media coverage on those topics does not help either. We face many attacks against digital integrity and this will not suddenly come to a halt:
- the 2015 Intelligence Services Act or "Nachrichtendienstgesetz" (NDG; German, English)
- the 2016 "Bundesgesetz betreffend die Überwachung des Post- und Fernmeldeverkehrs" (BÜPF; German)
- the 2021 anti-terror law (PMT)
- the ProtonMail case
- probably soon: EU chat control
- some more since I drafted this blog post
Why? I like that DoT is simple. It uses a standard protocol and adds encryption. DoH also falls short for me, because the main reason I do this is to centrally enforce things. DoH is quite the opposite: it shifts DNS to another "layer", which results in a total operations nightmare. DNS is a vital core service and thus should be managed centrally; ideally, clients should not be able to bypass such an essential configuration.
High level overview
Because this setup is a bit special, this might help to get the big picture:
The visualization is a tiny bit too simplified: of course a bad client won't merely get back NXDOMAIN responses, it is simply forced to use the Pi-hole setup. Conversely, a good client can of course also ask for things that are blocked, and this is fed back to it accordingly.
I just cover some specifics, the official Pi-hole docs cover the general installation.
I use Docker to run Pi-hole. These are the environment variables I'm using:
PIHOLE_DNS_=<IP of pfSense> TZ=CH IPv6=True
pfSense and Pi-hole configuration
- In pfSense, go to System -> General Setup
- Add IP addresses and DNS names of public DNS servers that support DoT and that you trust (for example: Digitale Gesellschaft, Quad9, Freifunk München, UncensoredDNS or Mullvad DNS)
- Set the DNS resolution behavior to "use remote DNS server, ignore local DNS". This avoids using the local DNS resolver for the firewall's own lookups
- Go to Services -> DNS Resolver
- Enable it on the interface your to-be-protected DNS clients dwell on
- Enable Forwarding Mode
- Go to Services -> DHCP Server
- Add Pi-hole as the only DNS server
- Go to Firewall -> NAT -> Port Forward
- Add two new rules:
  - Source: any
  - Destination: invert match, add IP of Pi-hole
  - Destination port range: rule 1: 53/TCP+UDP, rule 2: 853/TCP+UDP
  - Redirect target IP: 127.0.0.1
  - Make sure to let it create an associated filter rule
- Test the setup
- In the Pi-hole web interface, go to Settings -> DNS
- Add the respective pfSense box IP address as the only "custom" upstream DNS server
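To make the "test the setup" step concrete, here is a small DNS-over-TLS client, added as an example for this post (it is not code from the post, from Pi-hole or from pfSense). It shows what the DoT paragraph above means by "a standard protocol plus encryption": the same DNS wire format the pfSense resolver forwards upstream, wrapped in TLS with a two-byte length prefix (RFC 7858), with the server certificate and hostname validated by Python's default SSL context. An answer is classified as blocked when it is NXDOMAIN or a null address, the two ways a blocklist typically answers. Resolver IP, TLS name and domain are given on the command line; no server addresses are assumed, and the sample messages used to check the encoder and decoder are constructed.

```python
"""Minimal DNS-over-TLS (RFC 7858) checker: encode a query, send it over TLS,
decode the answer. Added example for this post; not Pi-hole or pfSense code."""
import os
import socket
import ssl
import struct
import sys

A, AAAA = 1, 28   # record types we decode into addresses
NXDOMAIN = 3      # RCODE 3


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = A, txid: int = 0x1234) -> bytes:
    """Header (RD set, one question) + QNAME + QTYPE + QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2              # the pointer ends the name in the stream
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                  # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Return {'rcode': int, 'answers': [(name, type, ttl, data), ...]}."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):                    # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4                           # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == A and rdlen == 4:
            data = socket.inet_ntoa(rdata)
        elif rtype == AAAA and rdlen == 16:
            data = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            data = rdata.hex()
        answers.append((name, rtype, ttl, data))
    return {"rcode": flags & 0x000F, "answers": answers}


def looks_blocked(result: dict) -> bool:
    """True for the two usual blocklist answers: NXDOMAIN or a null address."""
    if result["rcode"] == NXDOMAIN:
        return True
    addrs = [d for _, t, _, d in result["answers"] if t in (A, AAAA)]
    return bool(addrs) and all(a in ("0.0.0.0", "::") for a in addrs)


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(server_ip: str, server_name: str, qname: str, qtype: int = A,
              port: int = 853, timeout: float = 5.0) -> dict:
    """One DoT exchange: validated TLS carrying a length-prefixed DNS message."""
    ctx = ssl.create_default_context()     # CA chain + hostname validation
    txid = int.from_bytes(os.urandom(2), "big")
    query = build_query(qname, qtype, txid)
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            length = struct.unpack("!H", recv_exact(tls, 2))[0]
            return parse_response(recv_exact(tls, length), txid)


if __name__ == "__main__":
    # usage: python dot_check.py <resolver IP> <resolver TLS name> <domain>
    ip, tls_name, domain = sys.argv[1:4]
    res = dot_query(ip, tls_name, domain)
    print(res, "-> blocked" if looks_blocked(res) else "-> resolved")
```

Run it twice: from a host not covered by the redirect (or from the pfSense box itself) against one of the configured upstreams, to confirm that upstream really answers DoT; then from a client behind the redirect against the same upstream. In the second case the connection lands on pfSense instead of the upstream, and unless the Resolver has been set up to serve TLS the handshake fails, which is the intended outcome: a client trying its own DoT server does not silently succeed. Querying a listed domain through the Pi-hole path should report "blocked".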
The average attitude of politicians, the government and the civilian population on the subject of data protection is not where it should be and seems to be drifting further and further away from it.
This means you need to help yourself and stay alert. As in security, layering is key:
- Be skeptical
- Check alternatives that require less data
- Use open source software wherever possible, or at least avoid commercial software
  - code: (self-hosted) Gitea or GitLab, or Codeberg instead of GitHub
  - office: LibreOffice instead of Microsoft Office
  - voice/chat: Element, Rocket.Chat, Jitsi
  - e-mail client: Mozilla Thunderbird or just webmail
  - e-mail provider: I cannot recommend hosting your own anymore, as big corporate players like Microsoft, Gmail etc. have basically killed decentralized e-mail. Maybe Proton Mail despite the scandal (update)
- Use browser extensions that block ads or cookies: uBlock Origin, Privacy Badger
- Stay informed
If you use the DNS servers of Digitale Gesellschaft, please consider donating to help them cover the hosting fees.