davidjenni/pi-hole-unbound

Secure recursive DNS resolver with pi-hole

Docker based stack with Unbound recursive DNS resolver and pi-hole ad blocker.

Goals

  • optimize privacy:
    • DNS sink to filter/block unwanted content
    • a recursive DNS resolver with DNSSEC to shield visited sites from the ISP's DNS
  • docker-based for easy initial deployment and low-friction, regular updates
  • forwarding to local DHCP/DNS host (e.g. Ubiquiti UDM) to resolve local network names
  • TODO: deployable and upgradable via separate docker image on minimal config, immutable Ubuntu Core node (no git nor curl etc. installed on docker host)

local test for pihole

docker compose build
docker compose stop
docker compose up -d
docker compose ps
docker image prune -f --filter 'dangling=true'
dig -p 5300 @localhost github.com

test DNSSEC:

dig -p 5300 @localhost SOA com. +dnssec
dig -p 5300 @localhost cloudflare.com +dnssec
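
What to look for in the output of the two queries above, as an added example that is not part of this repository: `+dnssec` only asks for the signature records, while validation by the resolver shows up as the `ad` flag in the response header. The function name `dnssec_status` and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a dig response (read from stdin) by its header.
#   validated - NOERROR and the resolver set the AD (Authenticated Data) flag
#   insecure  - NOERROR without AD (unsigned zone, or no validation happened)
#   bogus     - SERVFAIL, which a validating resolver returns on failed checks
#               (SERVFAIL can also have unrelated causes, e.g. upstream timeouts)
#   other     - any other status, or no dig header in the input
dnssec_status() {
    awk '
        /->>HEADER<<-/ {
            status = $0
            sub(/.*status: /, "", status); sub(/,.*/, "", status)
        }
        /^;; flags:/ {
            flags = $0
            sub(/^;; flags: */, "", flags); sub(/;.*/, "", flags)
            ad = ((" " flags " ") ~ / ad /)
        }
        END {
            if (status == "NOERROR" && ad) print "validated"
            else if (status == "NOERROR")  print "insecure"
            else if (status == "SERVFAIL") print "bogus"
            else                           print "other"
        }'
}

# Constructed sample headers (hypothetical, not captured from this stack).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Against the running stack (port and name taken from the commands above):
#   dig -p 5300 @localhost cloudflare.com +dnssec | dnssec_status
```

A result of `insecure` for a zone known to be signed means the resolver answered without validating, which is the case worth investigating.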

directly connect to container:

docker exec -it ns-dns-1 ash

Deployment

Manual deployment

  • git clone this repo (or download latest release as zip, then unzip)
  • Create your own *.prod.env file, use the checked in jenni.prod.env as starting point
  • restart the compose stack (build & pull before stopping the already running DNS server!):
./deploy.sh

TODOs

There's still work left; see Issues.

File any bugs via Issues.

References