June 18, 2024
Using Nginx as a DoT proxy with Pi-Hole on a Raspberry Pi
Install Nginx and make sure the stream module is installed (on Debian/Raspberry Pi OS it ships as a separate package):
apt install -y nginx libnginx-mod-stream
At the end of your nginx.conf (/etc/nginx/nginx.conf), add these lines. The stream block is a top-level context, so it goes outside the http block:
stream {
    include /etc/nginx/streams/*;
}
Request a TLS certificate from certbot:
certbot --nginx -d YOUR.DOMAIN.NAME
This command will complain that it cannot find an nginx file to automatically insert nginx directives into, but it has already obtained the certificate by then (it lands under /etc/letsencrypt/live/YOUR.DOMAIN.NAME/). Note that nginx only reads the certificate files on start or reload, so make sure renewals also reload nginx (for example with a certbot --deploy-hook "systemctl reload nginx").
Create a folder called streams under /etc/nginx, matching the include path added to nginx.conf above.
Inside there, create a file called YOUR.DOMAIN.NAME.conf
Within there, add these lines
upstream dns {
    server 127.0.0.1:53; # Pi-hole on the local host; change to any other DNS server
}
server {
    listen 853 ssl;
    ssl_certificate /etc/letsencrypt/live/YOUR.DOMAIN.NAME/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/YOUR.DOMAIN.NAME/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_handshake_timeout 10s;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 4h;
    proxy_pass dns;
}
Validate the configuration with nginx -t, then restart nginx, and voilà, you should be done.
You can now use YOUR.DOMAIN.NAME as the Private DNS server in Android.
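To check the proxy from another machine without relying on a phone, the following small DNS-over-TLS client is an added example (not part of the original post): it opens a TLS connection to port 853, verifies the server certificate against the system trust store and the hostname (so a wrong or expired Let's Encrypt certificate fails here the same way it would on Android), and sends one length-prefixed DNS query exactly as RFC 7858 describes, then decodes the answer. The server name, the queried domain and the sample response bytes are assumptions/constructed test data; `SAMPLE_RESPONSE` exists only so the parser can be exercised offline.

```python
"""Minimal DNS-over-TLS (RFC 7858) client to verify an nginx stream proxy in front of Pi-hole.

Usage: python3 dot_check.py YOUR.DOMAIN.NAME example.com
"""
import socket
import ssl
import struct
import sys

QUERY_ID = 0x1234  # fixed transaction id; a real resolver would randomise it


def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode a recursive DNS query in RFC 1035 wire format (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", QUERY_ID, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def _read_name(data: bytes, offset: int):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | data[offset + 1]
            jumped = True
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_response(data: bytes) -> dict:
    """Return the transaction id, RCODE and answer records of a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):          # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4                   # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf


def query_dot(server: str, name: str, port: int = 853, qtype: int = 1, timeout: float = 5.0) -> dict:
    """Send one query over TLS with the 2-byte length prefix used on TCP/DoT."""
    ctx = ssl.create_default_context()           # validates chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # matches the nginx ssl_protocols line
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:  # SNI = server
            msg = build_query(name, qtype)
            tls.sendall(struct.pack("!H", len(msg)) + msg)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            resp = parse_response(_recv_exact(tls, length))
    if resp["id"] != QUERY_ID:
        raise ValueError("transaction id mismatch: response does not belong to our query")
    return resp


# Constructed sample response (id 0x1234, NOERROR, one A record for example.com -> 192.0.2.1)
# so the parser can be exercised without a network.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 1, 0, 0)
    + build_query("example.com")[12:]              # echoed question
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)


def parse_offline_sample() -> dict:
    return parse_response(SAMPLE_RESPONSE)


if __name__ == "__main__":
    print(query_dot(sys.argv[1], sys.argv[2]))
```

If the certificate or hostname does not match, `wrap_socket` raises `ssl.SSLCertVerificationError` before any DNS data is sent, which is the failure Android's Private DNS reports as "couldn't connect"; a successful run prints the A records Pi-hole returned (or RCODE 3 / an empty answer list for a blocked name).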