
yegle / Your Dns

Licence: mit
A docker-compose file to provide a secure adblocking DNS server

Projects that are alternatives of or similar to Your Dns

devops-notes
My technical documentation in the SRE / DevOps paradigm.
Stars: ✭ 19 (-94.29%)
Mutual labels:  dns-server
zonemanager
Central DNS/DHCP database with replication to Amazon Route53, BIND, MikroTik routers and other services.
Stars: ✭ 29 (-91.29%)
Mutual labels:  dns-server
Vedetta
OpenBSD Router Boilerplate
Stars: ✭ 260 (-21.92%)
Mutual labels:  dns-server
newdns
A library for building custom DNS servers in Go.
Stars: ✭ 40 (-87.99%)
Mutual labels:  dns-server
Secure-Adblocking-DNS
Secure (DNS-over-TLS) Adblocking (Pi-hole) Recursive (unbound) Server System setup
Stars: ✭ 19 (-94.29%)
Mutual labels:  dns-server
dnsfwd
DNS forwarder over a (TCP) virtual circuit
Stars: ✭ 21 (-93.69%)
Mutual labels:  dns-server
afdns
Ad free DNS server. A docker container with a DNS server configured to block advertisement hosts.
Stars: ✭ 27 (-91.89%)
Mutual labels:  dns-server
Surging
Surging is a micro-service engine that provides a lightweight, high-performance, modular RPC request pipeline. The service engine supports HTTP, TCP, WS, gRPC, Thrift, MQTT, UDP, and DNS protocols. It uses ZooKeeper and Consul as a registry, and integrates it. Hash, random, polling, Fair Polling as a load balancing algorithm, built-in service gove…
Stars: ✭ 3,088 (+827.33%)
Mutual labels:  dns-server
ddns
Simple restful dynamic DNS service
Stars: ✭ 25 (-92.49%)
Mutual labels:  dns-server
v6dns
A DNS server which lets IPv4-prioritized devices use IPv6 first, or lets IPv6-prioritized devices use IPv4 first.
Stars: ✭ 16 (-95.2%)
Mutual labels:  dns-server
AmpliSpy
Check local or remote list of DNS servers for suitability in DNS Amplification DoS.
Stars: ✭ 39 (-88.29%)
Mutual labels:  dns-server
Windows.10.DNS.Block.List
Windows DNS Block List
Stars: ✭ 18 (-94.59%)
Mutual labels:  dns-server
sslip.io
Golang-based DNS server which maps DNS records with embedded IP addresses to those addresses.
Stars: ✭ 195 (-41.44%)
Mutual labels:  dns-server
unbound-dns-firewall
DNS-Firewall Python script for UNBOUND
Stars: ✭ 23 (-93.09%)
Mutual labels:  dns-server
Roguesploit
Powerful Wi-Fi trap!
Stars: ✭ 262 (-21.32%)
Mutual labels:  dns-server
xip.name
Simple wildcard DNS inspired by xip.io
Stars: ✭ 143 (-57.06%)
Mutual labels:  dns-server
coredns
CoreDNS is a DNS server that chains plugins
Stars: ✭ 8,962 (+2591.29%)
Mutual labels:  dns-server
Mos Chinadns
An out-of-the-box DNS traffic splitter.
Stars: ✭ 320 (-3.9%)
Mutual labels:  dns-server
Netflix Proxy
Smart DNS proxy to watch Netflix
Stars: ✭ 3,220 (+866.97%)
Mutual labels:  dns-server
MicroDNSSrv
A micro DNS server for MicroPython to simply respond to A queries on multi-domains with or without wildcards (used on Pycom modules & ESP32)
Stars: ✭ 43 (-87.09%)
Mutual labels:  dns-server

your-dns

A docker-compose file to provide a secure adblocking DNS server

NOTE: If you are interested in a hosted solution, please take a look at nextdns.io. I'm not affiliated with nextdns.io.

NEW: Try using your-dns.run as a DNS-over-TLS server. You can use this domain with the "Private DNS" feature on Android 9 (Pie) and newer. This server is set up using the your-dns-run branch of this repo.

Goal

Run a secure DoT (DNS-over-TLS) and DoH (DNS-over-HTTPS) DNS server that can do ad blocking and hide your DNS queries from your ISP.

Non-Goal

Hiding your DNS queries from the upstream recursive DNS server. Why? Because, to me, hiding my trail from various ISPs (Verizon, AT&T, and whatever ISP sits behind a public Wi-Fi) is more important.

Privacy Tradeoffs

This stack runs a DNS forwarder, not a recursive resolver. Running a forwarder that connects to the upstream DNS over a secure connection does hide your DNS queries from your ISP, but it also leaks your web history (in the form of DNS queries) to the upstream DNS provider.

Your web history is always open to your ISP until ESNI is widely adopted. Even with ESNI, it is still easy for the ISP to learn your web history from the IP addresses you connect to.

The main benefit of running a forwarder that communicates securely with the upstream DNS is that your ISP cannot manipulate your DNS query results, e.g. hijacking NXDOMAIN responses to show ads, forcing traffic through a transparent proxy (with more and more sites offering HTTPS, this is less of a concern), and so on.

It is a trade-off you need to weigh: does that benefit outweigh the reduced privacy? Personally, making it harder for the ISP to learn my web history is a good enough reason.

All components in this stack

[Figure: overview of components]

  1. Adguard Home: Ad-blocking DNS server with native DoT/DoH support.
  2. Pomerium: An identity-aware reverse proxy. This allows me to remotely access PiHole's web UI. More importantly, Pomerium is used to obtain an SSL certificate automatically from Let's Encrypt. (reference)
  3. Optional: Autoheal: Automatically restarts containers that fail their health check.
  4. Optional: Ouroboros: Automatically pulls the latest version of each container image.

NOTE: Previously Pi-hole + CoreDNS was used. That setup is deprecated. If you are still looking for it, take a look at the "pihole" branch.

Prerequisites

  1. Install Docker (how) and docker-compose command (how).
  2. Know how to DNAT from your public IP to the server running the stack, or, alternatively, if you have IPv6, allow inbound dport=853 access to your server.

Run the stack

The following instructions start a set of Docker containers that expose a DNS-over-TLS service on port 853 and forward your requests through PiHole and then on to Cloudflare DNS.

By default the setup uses Cloudflare's 1.1.1.1 DNS server. You can modify Corefile and specify a different server. A list of DNS-over-TLS name servers is available at https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers.

  1. Create a network called infra_network. (Why not create the network in the compose file? Because you cannot create the default network in the compose file; you can only replace it with an external one.)
    docker network create --subnet 172.30.0.0/16 infra_network
  2. Rename example.env to .env and update the values in the file. See the comments in that file for instructions.
  3. Rename adguard/conf/AdguardHome.yaml.example to adguard/conf/AdguardHome.yaml.
  4. Update the tls_server_name in pomerium.yaml to match the actual domain name you will use.
  5. Run docker-compose up -d and you are done :-)
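Once the stack is up, the check worth doing is that port 853 really answers DNS-over-TLS with a certificate that validates for your domain. The following client is an added example, not code from the your-dns project: it builds a DNS query, applies the RFC 7858 two-byte length framing, verifies the server certificate with Python's default TLS context, and parses the response header. The domain your-dns.run is the public instance named in the README; any other host name is yours to substitute.

```python
# Added example (not from the your-dns project): a minimal DNS-over-TLS client
# for checking the stack's port-853 listener. RFC 7858 length-prefixes messages.
import socket
import ssl
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a one-question DNS query (RD=1) for `name`; qtype 1 is an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg: bytes) -> bytes:
    """Prefix a DNS message with its big-endian 16-bit length (DoT/TCP framing)."""
    return struct.pack("!H", len(msg)) + msg

def unframe(data: bytes) -> bytes:
    """Strip the length prefix, rejecting frames whose declared length is wrong."""
    (length,) = struct.unpack("!H", data[:2])
    if len(data) - 2 != length:
        raise ValueError("truncated or over-long DoT frame")
    return data[2:]

def parse_header(msg: bytes) -> dict:
    """Pull txid, QR bit, RCODE and answer count out of a DNS response header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}

def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes; TLS records may split a DNS message."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-frame")
        buf += chunk
    return buf

def dot_query(server: str, name: str, port: int = 853) -> dict:
    """Send one query over TLS to server:port and return the parsed response header."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame(build_query(name)))
            prefix = _recv_exact(tls, 2)
            (length,) = struct.unpack("!H", prefix)
            return parse_header(unframe(prefix + _recv_exact(tls, length)))
```

Against a working deployment, `dot_query("your-dns.run", "example.com")` returns a dict with is_response True, rcode 0 and a non-zero answer count; a certificate that does not match the name fails inside wrap_socket before any DNS bytes are sent.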

TODO

None
