pihole with native DNS-over-TLS, no sidecar, no unbound needed
2.9K
pihole with native DNS-over-TLS, no sidecar needed.
Not affiliated with or endorsed by the official Pi-hole project. "Pi-hole" is a trademark of Pi-hole LLC.
Drop-in replacement for the official pihole/pihole image. Uses ismkdc/FTL-DoT, a fork of pihole-FTL that adds a synchronous TCP+TLS upstream path (RFC 7858) directly inside the DNS forwarder. No unbound, no stubby, no extra container.
services:
pihole:
image: ismkdc/pihole-dot:latest
network_mode: host
environment:
TZ: 'Europe/Istanbul'
FTLCONF_webserver_port: 8181
FTLCONF_dns_upstreams: 'tls://8.8.8.8#853#dns.google;tls://8.8.4.4#853#dns.google'
volumes:
- './etc-pihole:/etc/pihole'
cap_add:
- NET_ADMIN
- SYS_TIME
restart: unless-stopped
tls://<ip>#<port>#<tls-hostname>
Semicolon-separated for multiple upstreams. Providers are also selectable as checkboxes in the web portal under Settings → DNS.
| Provider | FTLCONF_dns_upstreams |
|---|---|
tls://8.8.8.8#853#dns.google;tls://8.8.4.4#853#dns.google | |
| Cloudflare | tls://1.1.1.1#853#cloudflare-dns.com;tls://1.0.0.1#853#cloudflare-dns.com |
| Cloudflare (malware block) | tls://1.1.1.2#853#cloudflare-dns.com;tls://1.0.0.2#853#cloudflare-dns.com |
| Cloudflare (adult+malware) | tls://1.1.1.3#853#cloudflare-dns.com;tls://1.0.0.3#853#cloudflare-dns.com |
| Quad9 | tls://9.9.9.9#853#dns.quad9.net;tls://149.112.112.112#853#dns.quad9.net |
| Quad9 (unsecured) | tls://9.9.9.10#853#dns.quad9.net;tls://149.112.112.10#853#dns.quad9.net |
| AdGuard | tls://94.140.14.14#853#dns.adguard.com;tls://94.140.15.15#853#dns.adguard.com |
| AdGuard (family) | tls://94.140.14.15#853#dns.adguard.com;tls://94.140.15.16#853#dns.adguard.com |
| NextDNS | tls://45.90.28.0#853#dns.nextdns.io;tls://45.90.30.0#853#dns.nextdns.io |
| Mullvad | tls://194.242.2.2#853#dns.mullvad.net |
| Mullvad (ad+tracker block) | tls://194.242.2.3#853#adblock.dns.mullvad.net |
| dns0.eu | tls://193.110.81.0#853#dns0.eu;tls://185.253.5.0#853#dns0.eu |
Any RFC 7858 compliant DoT server works, format is always tls://ip#port#tls-hostname.
Not using Docker? ismkdc/pihole-dot is a fork of the official pihole installer that ships FTL-DoT instead of upstream FTL:
git clone --depth 1 https://github.com/ismkdc/pihole-dot.git pihole
cd "pihole/automated install/"
sudo bash basic-install.sh
linux/amd64 · linux/arm64 · linux/arm/v7 · linux/arm/v6 · linux/riscv64
All standard pihole environment variables work unchanged. The only difference is the upstream format:
| Variable | Example |
|---|---|
FTLCONF_dns_upstreams | tls://8.8.8.8#853#dns.google;tls://8.8.4.4#853#dns.google |
FTLCONF_webserver_port | 8080 |
TZ | Europe/Istanbul |
WEBPASSWORD | yourpassword |
FTL normally forwards DNS queries over UDP/TCP to plain resolvers. This fork adds a TCP+TLS path that activates when an upstream URL uses the tls:// scheme:
tls:// upstream, a TCP connection is established to port 853 and a TLS handshake is performed (ALPN: "dot", cert verification enabled).Key implementation detail: TLS 1.3 servers (Google, Cloudflare) send a NewSessionTicket immediately after the handshake, before the first DNS response. mbedTLS 4.x surfaces this as MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET (-0x7B00). Without handling it, the first query after every new connection silently fails. Fixed in src/dnsmasq/tls.c by treating it as a retry signal.
Content type
Image
Digest
sha256:8d6efebf8…
Size
36.1 MB
Last updated
13 days ago
docker pull ismkdc/pihole-dot