Privacy Upgrade – Say Hello to DNS over HTTPS 🌐🔐

So far, we’ve been busy turning our Raspberry Pi into a full-blown homelab boss.
We’ve got Docker, Portainer, Pi-hole, websites, reverse proxy magic — the whole deal.
But today… we’re tightening the screws on privacy just a little more.
Because let’s be honest: standard DNS is still kinda… naked.
🔒 Meet DoH (DNS over HTTPS)
DoH encrypts your DNS queries so nosy ISPs and other in-between snoops can’t see which websites you’re asking for.
Let’s keep things classy, encrypted, and private.
We’ll run Cloudflared containers that translate DNS requests from Pi-hole into secure HTTPS queries — all locally on your own Pi.
🛠️ Here’s the setup (docker-compose.yml)
version: "3.5"
services:
  cloudflared-cloudflare:
    image: crazymax/cloudflared:latest
    container_name: cloudflared-cloudflare
    networks:
      macvlan_net:
        ipv4_address: 192.168.178.7
    ports:
      - "5053:5053/udp"
      - "49312:49312/tcp"
    environment:
      - "TZ=Europe/Amsterdam"
      - "TUNNEL_DNS_UPSTREAM=https://1.1.1.1/dns-query,https://1.0.0.1/dns-query"
    restart: always
  cloudflared-google:
    image: crazymax/cloudflared:latest
    container_name: cloudflared-google
    networks:
      macvlan_net:
        ipv4_address: 192.168.178.8
    ports:
      - "5053:5053/udp"
      - "49312:49312/tcp"
    environment:
      - "TZ=Europe/Amsterdam"
      - "TUNNEL_DNS_UPSTREAM=https://8.8.8.8/dns-query"
    restart: always
networks:
  macvlan_net:
    external: true
Spin it up with:
sudo docker-compose -p "dns-doh" up -d
Now we’ve got two local DoH endpoints:
One using Cloudflare’s DNS and one using Google’s.
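Before pointing Pi-hole at the two proxies, it helps to confirm that each one actually answers on port 5053. The script below is an added example, not part of the original post: it sends one plain-DNS A query over UDP to each address from the compose file and reports the response code. The test name example.com is an assumption.

```python
import secrets
import socket
import struct

# Addresses and port come from the compose file above; example.com is an assumed test name.
ENDPOINTS = [("192.168.178.7", 5053), ("192.168.178.8", 5053)]

def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (RFC 1035): header plus one question, RD flag set."""
    txid = secrets.randbelow(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(packet, expected_txid):
    """Return (rcode, answer_count); raise ValueError if this is not the reply to our query."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    return flags & 0x000F, ancount

def check_endpoint(ip, port, name="example.com", timeout=3.0):
    """Send one A query to a cloudflared proxy and summarise the reply."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (ip, port))
            reply, _ = s.recvfrom(4096)
        except OSError as exc:  # timeout, unreachable network, refused port
            return f"{ip}#{port}: no answer ({exc})"
    try:
        rcode, answers = parse_header(reply, txid)
    except ValueError as exc:
        return f"{ip}#{port}: bad reply ({exc})"
    return f"{ip}#{port}: rcode={rcode} (0 = NOERROR), answers={answers}"

if __name__ == "__main__":
    for ip, port in ENDPOINTS:
        print(check_endpoint(ip, port))
```

Run it from another machine on the LAN: with a macvlan network, the Docker host itself cannot reach the containers' addresses by default.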
🔧 Connecting DoH to Pi-hole
Time to hook this up to Pi-hole:
Open the Pi-hole Admin UI
Go to Settings → DNS
Scroll down to Custom 1 (IPv4) and Custom 2 (IPv4)
Enter the following:
192.168.178.7#5053
192.168.178.8#5053
Save your changes ✅
Boom — your Pi-hole now forwards DNS requests over encrypted HTTPS tunnels.
☁️ No more plain text DNS
With this in place:
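DNS queries leaving your network are encrypted between cloudflared and the upstream resolver (the hops on your LAN, from clients to Pi-hole and from Pi-hole to cloudflared, are still plain DNS)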
You still have full control via Pi-hole
You’re one step closer to privacy nirvana 🧘