Uncensored, privacy-protecting DNS with Pi-hole, pfSense and DNS over TLS (DoT)


Whew, what an utterly specific title. Well it simply descibes my own needs. Let me describe these in detail.

Avoiding censorship

I'm Swiss. Switzerland in general is quite illiterate when it comes to information technology, especially in the realm of data protection.

That's also why our country adopted the Federal Act on Gambling in 2018. It basically boils down to restricting online gambling to Swiss casinos by blocking unlicensed foreign offers via DNS. The list is even publicly available, also because national ISPs are urged to block their customers from accessing said offers.

So any normal user that does not know about DNS, will use their ISPs' resolver, which is required to block access to any item on that list.

Accessing those blocked services is just a desperate DNS change or VPN away. Once again, it's only about the money.

As privacy-protecting as possible

Sadly, also political: privacy is needed more than ever. Swiss citizens tend to vote for the wrong thing when it comes to privacy. Votes against privacy are fueled by IT illiteracy, fear, misinformation and ignorance. The generic lack of media coverage on those topics does not help either. We face many attacks against digital integrity and this will not suddenly come to a halt:

Technology refresh

Although both DNS over TLS (DoT, RFC 7858) and DNS over HTTPS (DoH, RFC 8484) are quite new, I only consider DoT here.

Why? I like that DoT is simple. It uses a standard protocol and adds encryption. DoH also falls short for me, because the main reason I do this is, is to centrally enforce things. DoH is quite the opposite, it shifts DNS to another "layer" which results in a total operations nightmare. DNS is a vital core service and thus should be managed centrally and ideally, clients should not be able to bypass such an essential configuration.

High level overview

Because this setup is a bit special, this might help to get the big picture:

The visualization is a tiny bit too simplified: Of course a bad client won't merely get back NXDOMAIN responses, it is simply forced to use the Pi-hole setup. On the reverse, of course, a good client can also ask for things that are blocked and this is fed back to it accordingly.

Pi-hole installation

I just cover some specifics, the official Pi-hole docs cover the general installation.

I use Docker to run Pi-hole. These are the environment variables I'm using:

PIHOLE_DNS_=<IP of pfSense>

pfSense and Pi-hole configuration


  1. Go to System -> General Setup
  2. add IP addresses and DNS names of public DNS servers that support DoT and that you trust (for example: Digitale Gesellschaft, Quad9, Freifunk München, UncensoredDNS or Mullvad DNS)
  3. Set the DNS resolution behavior to use remote DNS server, ignore local DNS. This avoids usage of DNS resolver
  4. Go to Services -> DNS Resolver
  5. Enable it on the interface your to-be-protected DNS clients dwell
  6. Disable Enable Fowarding Mode
  7. Go to Services -> DHCP Server
  8. Add Pi-hole as the only DNS server
  9. Go to Firewall -> NAT -> Port Foward
  10. Add two new rules:
  11. Source: any
  12. Destination: invert match, add IP of Pi-hole
  13. Destination port range: rule 1: 53/TCP+UDP, rule 2: 853/TCP+UDP
  14. Redirect target IP:
  15. Make sure to let it create an associated filter rule
  16. Test the setup


  1. Go to Settings -> DNS
  2. Add the respective pfSense box IP address as the only "custom" upstream DNS server


The average attitude of politicians, the government and the civilian population on the subject of data protection is not where it should be and seems to be drifting further and further away from it.

This means you need to help yourself and stay alert. As in security, layering is key:

  • Be sceptical
  • Check alternatives that require less data
  • use open source software where ever possible, resp. avoid commercial software
    • code: (self-hosted) Gitea or GitLab, or Codeberg instead of GitHub
    • office: LibreOffice instead of Microsoft Office
    • voice/chat: Element, Rocket.Chat, Jitsi
    • e-mail client: Mozilla Thunderbird or just webmail
    • e-mail provider: I cannot recommend to host our own anymore as big corporate players like Microsoft, Gmail etc. basically killed decentralized e-mail. Maybe Proton Mail despite the scandal (update)
  • Use browser extensions that block ads or cookies: uBlock Origin, Privacy Badger
  • Stay informed

If you use the DNS servers of Digitale Gesellschaft, please consider donating to help them cover the hosting fees.