A docker-compose file to provide a secure adblocking DNS server
NOTE: if you are interested in a hosted solution, please take a look at nextdns.io. I'm not affiliated with nextdns.io.
NEW: Try using your-dns.run as a DNS-over-TLS server. You can use this domain with the "Private DNS" feature in Android 9 (Pie) and newer. This server is set up using the your-dns-run branch of this repo.
Run a secure DoT (DNS-over-TLS) and DoH (DNS-over-HTTPS) DNS server that can do ad blocking and hide your DNS queries from your ISP.
Hiding your DNS queries from the upstream recursive DNS server is not a goal. Why? Because to me, hiding my trail from various ISPs (Verizon, AT&T, and any other ISPs behind public WiFi) is more important.
We are running a DNS forwarder instead of a DNS resolver. Running a forwarder that connects to the upstream DNS over a secure connection does hide your DNS queries from your ISP, but it also leaks your web history (in the form of DNS queries) to the upstream DNS.
Your web history is always visible to your ISP until ESNI is widely adopted. Even with ESNI, it is still easy for the ISP to learn your web history from the IP addresses you connect to.
The main benefit of running a forwarder that communicates securely with the upstream DNS is that your ISP cannot manipulate your DNS query results, e.g. hijack the NXDOMAIN response to show ads, force traffic through a transparent proxy (with more and more sites offering HTTPS, this is less of a concern), and so on.
There is a trade-off you need to make: whether this benefit outweighs the reduced privacy. Personally, making it harder for the ISP to learn my web history is a good enough reason.
NOTE: Previously Pi-hole + CoreDNS was used. That setup is deprecated. If you are still looking for it, take a look at the "pihole" branch.
You need the docker-compose command installed. The following instructions will run a set of containers on Docker to provide a DNS-over-TLS service on port 853 and forward your requests through Pi-hole and then to Cloudflare DNS.
By default the setup uses Cloudflare's 1.1.1.1 DNS server. You can modify Corefile and specify a different server. A list of DNS-over-TLS name servers is available at https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers.
1. Create the docker network infra_network. (Why not create the network in the compose file? Because you cannot create the default network in a compose file; you can only replace it with an external one.)
   docker network create --subnet 172.30.0.0/16 infra_network
2. Copy example.env to .env and update the values in the file. See the comments in that file for instructions.
3. Copy adguard/conf/AdguardHome.yaml.example to adguard/conf/AdguardHome.yaml.
4. Update tls_server_name in pomerium.yaml to match the actual domain name you will use.
5. Run docker-compose up -d and you are done :-)
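To check that the DoT listener on port 853 behaves as expected once the containers are up, here is an added example (my own, not code from this repo): a minimal RFC 7858 client in Python that builds a DNS query, sends it over TLS with the certificate verified against the name you configured as tls_server_name, and decodes the answer. The server address, the SNI name and the name to resolve are assumptions you supply.

```python
"""Minimal DNS-over-TLS (RFC 7858) check: wire-format DNS over TLS, 2-byte length prefix."""
import socket
import ssl
import struct

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Encode a recursive (RD=1) A/IN query for name in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_response(msg: bytes) -> dict:
    """Extract id, RCODE (0 = NOERROR, 3 = NXDOMAIN) and any A-record IPv4s."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"id": qid, "rcode": flags & 0xF, "addresses": addrs}

def query_dot(server: str, name: str, sni: str, port: int = 853) -> dict:
    """Resolve name via the DoT server; sni must match its cert (your tls_server_name)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((server, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=sni) as tls:
        query = build_query(name)
        tls.sendall(struct.pack("!H", len(query)) + query)  # length-prefixed
        reader = tls.makefile("rb")
        (length,) = struct.unpack("!H", reader.read(2))
        reply = reader.read(length)
        if len(reply) != length:
            raise ConnectionError("DoT server closed the connection early")
        return parse_response(reply)
```

Calling query_dot with your server's address, a known name and the domain you set as tls_server_name should return rcode 0 with addresses, and a name that does not exist should come back with rcode 3 rather than a forged address; a handshake failure means the certificate does not match the configured name.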