Hello lemmings! I have recently started the process of setting up my own Pi-Hole, I am a developer and pretty comfortable with Linux but I am a bit of a newcomer when it comes to networking.
Now, during the process I noticed that VPN I use claim to have DNS leaks (This is a bit obvious since I was no longer using the DNS they expected in the VPN tunnel). So after reading a bit on the pi-hole guides I figured I’d set up a cloudflared service, but instead of using the cloudflare dns-query I route it to Mullvads own DNS.
Now this works fine and all, it’s DoH and the running Mullvads own DNS so Mullvads own tool is happy with the DNS settings I have.
However, I also read about unbound in the Pi-Hole guides. I was curious if this was to prefer over cloudflared? Since I am running through Mullvads own DNS I don’t think there should be any issues. However locally hosting your own recursive DNS server also sounds good.
What is your opinion? Is it overkill? Is what I have now enough or should I try to set up unbound aswell?
Happy with just a discussion around this to learn more, just curious whether I should continue cooking on what I have now or if I should just focus on getting the entire network set up to use this.
Xanza@lemm.ee 6 days ago
Many people advocate for Cloudflared as a tunneling solution, but it’s not a one-size-fits-all tool. Personally, I avoid it. Your VPS already functions as a firewall for your connection. Using Tailscale is also self-host and avoids reliance on third-party services like Cloudflare while maintaining security and the same functionality.
For DNS privacy, I prefer odoh-proxy, which enables your VPS to act as an oDoH (Oblivious DNS over HTTPS) proxy for the cloudflare network. While oDoH introduces a slight latency increase, it significantly enhances privacy by decoupling query origins from content, making it a more secure option for DNS resolution. So you would be able to set your DoH resolver to your domain (dns.whatever.com/dns-query) and it would forward the request to cloudflare for resolution, and then back again.
As for Pi-Hole, its utility has diminished with the modern alternatives like serverless-dns. It allows you to deploy RethinkDNS resolver servers on free platforms, handling 99% of security concerns out-of-the-box. The trade-off is a loss of full custody over your DNS infrastructure, which may matter to some users but is less critical for general use cases.
Lastly, using consumer VPNs like Mullvad to proxy connections often introduces unnecessary complexity without meaningful security gains. While VPNs have their place they can really overcomplicate setups like this and rarely provide substantial privacy benefits for services like DNS.
Darkassassin07@lemmy.ca 6 days ago
OPs not using cloudflareds tunneling or services at all; in this application, it’s purely a local tool for translating regular DNS to DOH using the chosen DOH provider. Mullvad in this case.