Steps:
- Boot the Raspberry Pi with Raspbian (using a USB flash drive)
- Install Pi-hole and configure it to also act as a DHCP server
- Set up Quad9 on DoH as the only upstream DNS server
- Download Raspbian from the official link.
  - Recommended: Raspberry Pi OS Lite
- Extract the .zip folder to find a .img file.
  - Note: Even though the Raspberry Pi (3B, 3B+, 4B) has a 64-bit CPU architecture, Raspbian OS (desktop + recommended, desktop, and lite) is 32-bit based.
- Use Rufus to create a bootable USB flash drive (aka pen-drive / thumb drive) from the just extracted image file.
- Once done, create a file named "ssh" (without quotes and no extension) in the root folder of the bootable USB flash drive. This enables ssh capability on the Pi.
- Connect the bootable USB flash drive to a USB A port on the Pi, and the Ethernet cable to your switch/router's RJ45 jack.
  - Note: Prefer a USB 3.0 A port, if available.
- Power on the Pi and wait for a minute or so.
- Collect the Pi's IP from the routing table of your Switch/Router, or use an IP Scanner tool for the same.
- ssh into the Pi via:
    ssh pi@IP_ADDRESS_OF_THE_PI
  - Note: The default password is "raspberry"; it's highly recommended to change it.
- Once ssh'ed, update all packages by running:
    sudo apt update && sudo apt upgrade -y
- Set up a static IP for the Pi via:
    sudo nano /etc/dhcpcd.conf
  In here, add:
    static ip_address=192.168.1.42/24
    static routers="YOUR_ROUTER_GATEWAY"
- Save and exit nano.
  - Note: You can follow this method if you do not have access to your router's settings.
- Finally, reboot the Pi via:
    sudo reboot
- Your Pi should now be accessible via:
    ssh pi@192.168.1.42
- Use Pi-hole's one-step automated install by running the following on your Pi:
    curl -sSL https://install.pi-hole.net | bash
- Follow the on-screen settings, and when asked for upstream DNS, choose "Quad9 Filtered DNSSEC".
  - Note: This will be changed to use Quad9 on DoH.
- After installing Pi-hole, note down the password, as it will be used to log in to the admin webpage.
- Head over to http://192.168.1.42/admin/index.php?login and type in the password presented above.
- Once logged in, navigate to the DHCP webpage via http://192.168.1.42/admin/settings.php?tab=piholedhcp
- Enable Pi-hole DHCP server and optionally IPv6 support.
  - Note: Disable DHCP from your main router/switch!
- At http://192.168.1.42/admin/settings.php?tab=dns enable "Listen on all interfaces".
- Back in the ssh terminal, type in:
    getconf LONG_BIT
  - The output 32 signifies that the OS is 32-bit.
- For DNS over HTTPS, we'll be using cloudflared. Install via:
    wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
    tar -xvzf cloudflared-stable-linux-arm.tgz
    sudo cp ./cloudflared /usr/local/bin
    sudo chmod +x /usr/local/bin/cloudflared
    cloudflared -v
- Next, we'll configure cloudflared to use Quad9 DNS:
    sudo mkdir /etc/cloudflared/
    sudo nano /etc/cloudflared/config.yml
- In here, add:
    proxy-dns: true
    proxy-dns-port: 5053
    proxy-dns-upstream:
      - https://dns.quad9.net/dns-query
- Save changes and exit nano.
- To save the configuration, run:
    sudo cloudflared service install --legacy
    sudo systemctl start cloudflared
    sudo reboot
- After the reboot, head over to http://192.168.1.42/admin/settings.php?tab=dns and uncheck both the boxes corresponding to "Quad9 (filtered, DNSSEC)".
- Enable "Custom 1 (IPv4)" and add 127.0.0.1#5053 in the box.
- Finally, save the changes and reboot the Pi again!
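The steps above only give "Quad9 on DoH as the only upstream" if cloudflared lists nothing but https:// upstreams and Pi-hole forwards to nothing but 127.0.0.1#5053. The script below is an added example, not part of the original guide, that audits both files. The function names are hypothetical, the sample files are constructed, and it assumes Pi-hole stores its upstreams as PIHOLE_DNS_n keys in /etc/pihole/setupVars.conf (the v5 layout matching the admin URLs used here).

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): check that the only way DNS
# leaves the Pi is cloudflared's DoH upstream. Function names are hypothetical.

# Pass only if proxy-dns is true and every proxy-dns-upstream entry is https://.
check_cloudflared() {
    awk '
        /^proxy-dns:[ \t]*true[ \t]*$/ { enabled = 1 }
        /^proxy-dns-upstream:/         { in_up = 1; next }
        in_up && /^[ \t]*-[ \t]*/ {
            url = $0; sub(/^[ \t]*-[ \t]*/, "", url)
            n++; if (url !~ /^https:\/\//) bad++
            next
        }
        /^[^ \t#]/ { in_up = 0 }
        END { exit !(enabled && n > 0 && bad == 0) }
    ' "$1"
}

# Pass only if every PIHOLE_DNS_n entry (assumed v5 setupVars.conf keys)
# points at the local cloudflared proxy, and at least one entry exists.
check_pihole() {
    local want="127.0.0.1#5053" found=0 key val
    while IFS='=' read -r key val; do
        case "$key" in
            PIHOLE_DNS_[0-9]*)
                found=1
                [ "$val" = "$want" ] || { echo "extra upstream: $val" >&2; return 1; }
                ;;
        esac
    done < "$1"
    [ "$found" -eq 1 ]
}

# Constructed sample files (not taken from a real system).
make_samples() {
    printf '%s\n' 'proxy-dns: true' 'proxy-dns-port: 5053' \
        'proxy-dns-upstream:' '  - https://dns.quad9.net/dns-query' > "$1/good.yml"
    printf '%s\n' 'PIHOLE_DNS_1=127.0.0.1#5053' 'PIHOLE_DNS_2=9.9.9.9' > "$1/leaky.conf"
}

tmp=$(mktemp -d); make_samples "$tmp"
check_cloudflared "$tmp/good.yml" && echo "cloudflared: DoH-only upstreams"
check_pihole "$tmp/leaky.conf" || echo "pihole: a plaintext upstream is still enabled"
```

On the Pi itself, call check_cloudflared on /etc/cloudflared/config.yml and check_pihole on the assumed /etc/pihole/setupVars.conf after the final reboot.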
References: https://docs.pi-hole.net/guides/dns/cloudflared