ismkdc/pihole-dot

By ismkdc

Updated 13 days ago

pihole with native DNS-over-TLS, no sidecar, no unbound needed

Image
Networking
Security
Monitoring & observability
1

2.9K

ismkdc/pihole-dot repository overview

pihole-dot

Docker Pulls Docker Image Size GitHub

pihole with native DNS-over-TLS, no sidecar needed.

Not affiliated with or endorsed by the official Pi-hole project. "Pi-hole" is a trademark of Pi-hole LLC.

Drop-in replacement for the official pihole/pihole image. Uses ismkdc/FTL-DoT, a fork of pihole-FTL that adds a synchronous TCP+TLS upstream path (RFC 7858) directly inside the DNS forwarder. No unbound, no stubby, no extra container.

Quick start

services:
  pihole:
    image: ismkdc/pihole-dot:latest
    network_mode: host
    environment:
      TZ: 'Europe/Istanbul'
      FTLCONF_webserver_port: 8181
      FTLCONF_dns_upstreams: 'tls://8.8.8.8#853#dns.google;tls://8.8.4.4#853#dns.google'
    volumes:
      - './etc-pihole:/etc/pihole'
    cap_add:
      - NET_ADMIN
      - SYS_TIME
    restart: unless-stopped

DoT upstream format

tls://<ip>#<port>#<tls-hostname>

Semicolon-separated for multiple upstreams. Providers are also selectable as checkboxes in the web portal under Settings → DNS.

ProviderFTLCONF_dns_upstreams
Googletls://8.8.8.8#853#dns.google;tls://8.8.4.4#853#dns.google
Cloudflaretls://1.1.1.1#853#cloudflare-dns.com;tls://1.0.0.1#853#cloudflare-dns.com
Cloudflare (malware block)tls://1.1.1.2#853#cloudflare-dns.com;tls://1.0.0.2#853#cloudflare-dns.com
Cloudflare (adult+malware)tls://1.1.1.3#853#cloudflare-dns.com;tls://1.0.0.3#853#cloudflare-dns.com
Quad9tls://9.9.9.9#853#dns.quad9.net;tls://149.112.112.112#853#dns.quad9.net
Quad9 (unsecured)tls://9.9.9.10#853#dns.quad9.net;tls://149.112.112.10#853#dns.quad9.net
AdGuardtls://94.140.14.14#853#dns.adguard.com;tls://94.140.15.15#853#dns.adguard.com
AdGuard (family)tls://94.140.14.15#853#dns.adguard.com;tls://94.140.15.16#853#dns.adguard.com
NextDNStls://45.90.28.0#853#dns.nextdns.io;tls://45.90.30.0#853#dns.nextdns.io
Mullvadtls://194.242.2.2#853#dns.mullvad.net
Mullvad (ad+tracker block)tls://194.242.2.3#853#adblock.dns.mullvad.net
dns0.eutls://193.110.81.0#853#dns0.eu;tls://185.253.5.0#853#dns0.eu

Any RFC 7858 compliant DoT server works, format is always tls://ip#port#tls-hostname.

Bare-metal (no Docker)

Not using Docker? ismkdc/pihole-dot is a fork of the official pihole installer that ships FTL-DoT instead of upstream FTL:

git clone --depth 1 https://github.com/ismkdc/pihole-dot.git pihole
cd "pihole/automated install/"
sudo bash basic-install.sh

Architectures

linux/amd64 · linux/arm64 · linux/arm/v7 · linux/arm/v6 · linux/riscv64

Configuration

All standard pihole environment variables work unchanged. The only difference is the upstream format:

VariableExample
FTLCONF_dns_upstreamstls://8.8.8.8#853#dns.google;tls://8.8.4.4#853#dns.google
FTLCONF_webserver_port8080
TZEurope/Istanbul
WEBPASSWORDyourpassword

How it works

FTL normally forwards DNS queries over UDP/TCP to plain resolvers. This fork adds a TCP+TLS path that activates when an upstream URL uses the tls:// scheme:

  1. On first query to a tls:// upstream, a TCP connection is established to port 853 and a TLS handshake is performed (ALPN: "dot", cert verification enabled).
  2. The TLS session is kept alive across queries, the handshake cost is paid once per upstream, not per query.
  3. DNS messages are framed with the RFC 7858 2-byte length prefix over the TLS stream.

Key implementation detail: TLS 1.3 servers (Google, Cloudflare) send a NewSessionTicket immediately after the handshake, before the first DNS response. mbedTLS 4.x surfaces this as MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET (-0x7B00). Without handling it, the first query after every new connection silently fails. Fixed in src/dnsmasq/tls.c by treating it as a retry signal.

Source

Tag summary

Content type

Image

Digest

sha256:8d6efebf8

Size

36.1 MB

Last updated

13 days ago

docker pull ismkdc/pihole-dot