Configuring Raspberry Pi 3 B+ to Run Pi-Hole and Use DNS over HTTPS

Configure the Raspberry Pi

Install Raspbian Lite

  • Download Raspbian Lite
  • Download and install balenaEtcher
  • Flash the Raspbian Lite .img or .zip to an SD card using balenaEtcher

Optimize & configure the Raspberry Pi

  • Turn on the Raspberry Pi and wait for it to boot to the CLI

  • Enter sudo raspi-config

    • Select 1 Change User Password and create a unique password
    • Optional: Select 2 Network Options > N1 Hostname
    • Optional: Select 2 Network Options > N2 Wi-fi
    • Select 3 Boot Options > B1 Desktop / CLI > B2 Console Autologin
    • Select 4 Localisation Options > I1 Change Locale (I use en_US.UTF-8 UTF-8)
    • Select 4 Localisation Options > I2 Change Timezone (I use Pacific-New)
    • Select 4 Localisation Options > I3 Change Keyboard Layout
    • Select 5 Interfacing Options > P2 SSH > Yes
    • Optional: Reduce the amount of memory dedicated to the GPU to the minimum.
      • Select 7 Advanced Options > A3 Memory Split and then enter 16
      • If you'll need more GPU performance for your application, skip this step.
    • Optional: 8 Update
    • Exit raspi-config and save
  • Optional: Force apt-get to use IPv4 (Mine would fail using IPv6)

    • Enter sudo nano /etc/apt/apt.conf.d/99force-ipv4
    • Add to file: Acquire::ForceIPv4 "true";
    • Exit and save (^X then Y then enter)
  • Update all of the things using sudo apt-get update && sudo apt-get upgrade

  • Optional: Enable accessing the Raspberry Pi using .local domains

    • Enter sudo apt-get install avahi-daemon
    • This step is entirely optional, but I have a bunch of Raspberry Pis on my network and like to access them via ssh using the .local domain
  • Optional: Disable Wi-Fi on the Raspberry Pi

    • Enter sudo nano /boot/config.txt
    • Scroll to the bottom and add dtoverlay=pi3-disable-wifi on a new line
    • Exit and save (^X then Y then enter)

Install Pi-hole

  • Install Pi-hole using curl -sSL https://install.pi-hole.net | bash. If you don't trust piping to bash, use:
    git clone --depth 1 https://github.com/pi-hole/pi-hole.git pihole
    cd "pihole/automated install/"
    sudo bash basic-install.sh
    
  • Configure your router to use Pi-hole
    • I use a Netgear Orbi with Method #1 ("Define Pi-hole’s IP address as the only DNS entry in the router"). In an ideal world, I would use Method #2.
    • Unfortunately, I also had to disable IPv6 to eliminate some pesky logging. You may want to do the same if you see a ton of IPv6 traffic logged in Pi-hole.
  • Optional: Use Pi-hole's built-in DHCP server instead of your router.
    • This allows you to monitor traffic from individual devices on your network. You can skip this step if you're fine having all traffic logged to your router's IP address.
    • This step isn't necessary if your router supports Method #2 from the prior step.
  • Optional: Set static IP addresses for known devices on your network
    • Via admin panel (use this if you're not comfortable with the command line):
      • Go to http://pi.hole/admin in your browser
      • Select Settings > DHCP
      • Enter your static IPs under Static DHCP leases configuration
    • Via CLI (use this if you're comfortable with the command line and want to save some time):
      • sudo nano /etc/dnsmasq.d/04-pihole-static-dhcp.conf
      • Add one entry per line in the following format: dhcp-host=<MAC address>,<IP address>,<host name>
      • Exit and save (^X then Y then enter)
      • sudo service pihole-FTL restart
  • Optional: Enable DNSSEC
    • Go to http://pi.hole/admin in your browser
    • Select Settings > DNS
    • Check Use DNSSEC and click Save

Install DNSCrypt-proxy

  • Enter cd /opt
  • Download the latest pre-built linux_arm binary.
    • As of writing, the latest binary is dnscrypt-proxy-linux_arm-2.0.23.tar.gz
    • sudo wget https://github.com/jedisct1/dnscrypt-proxy/releases/download/2.0.23/dnscrypt-proxy-linux_arm-2.0.23.tar.gz
  • Enter sudo tar -xzvf dnscrypt-proxy-linux_arm-2.0.23.tar.gz (replace with your file name)
  • Delete the archive using sudo rm dnscrypt-proxy-linux_arm-2.0.23.tar.gz (replace with your file name)
  • Rename the extracted linux-arm folder to dnscrypt-proxy using sudo mv linux-arm dnscrypt-proxy
  • Enter cd dnscrypt-proxy
  • Create a configuration file based on the example with sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
  • Edit the configuration file with sudo nano dnscrypt-proxy.toml
  • Change the listening port because the default (53) is already used by Pi-hole. I changed the port to 5053 by changing listen_addresses = ['127.0.0.1:53', '[::1]:53'] to listen_addresses = ['127.0.0.1:5053', '[::1]:5053'].
  • Optional: Change other settings. You can learn about them here. My preferences are below:
    • require_dnssec = true
    • server_names = ['cloudflare']
    • fallback_resolver = '1.1.1.1:53'
    • ignore_system_dns = true
  • Install a dnscrypt-proxy service with sudo ./dnscrypt-proxy -service install
  • Start the dnscrypt-proxy service with sudo ./dnscrypt-proxy -service start

Force Pi-hole to use DNSCrypt-proxy

  • Go to http://pi.hole/admin in your browser
  • Select Settings > DNS
  • Make sure Custom 1 (IPv4) is the only box checked
  • Enter 127.0.0.1#5053 in the Custom 1 (IPv4) box
  • Optional: Set up IPv6
    • Check the box next to Custom 3 (IPv6)
    • Enter ::1#5053 in the Custom 3 (IPv6) box
  • Click "Save"
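
Added example, not part of the original gist: a shell check that every upstream Pi-hole forwards to is one of the dnscrypt-proxy listeners configured above, so no query leaves the Pi over plaintext DNS. It assumes Pi-hole stores its upstreams as PIHOLE_DNS_<n> lines in /etc/pihole/setupVars.conf (the v4/v5 layout); the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): confirm that every Pi-hole upstream is a
# local dnscrypt-proxy listener. Assumes upstreams are stored as
# PIHOLE_DNS_<n>=host#port in setupVars.conf (Pi-hole v4/v5 layout).

# Print the listeners from dnscrypt-proxy.toml in Pi-hole's host#port notation.
# Fails if a listener is not loopback or still sits on port 53 (Pi-hole's port).
dnscrypt_listeners() {
    line=$(grep -E '^[[:space:]]*listen_addresses[[:space:]]*=' "$1" | head -n 1)
    addrs=$(printf '%s\n' "$line" | grep -oE "['\"][^'\"]+['\"]" | tr -d "'\"")
    [ -n "$addrs" ] || return 1
    rc=0
    while read -r addr; do
        host=${addr%:*} port=${addr##*:}
        case $host in
            127.0.0.1) ;;
            '[::1]') host='::1' ;;
            *) echo "not loopback: $addr" >&2; rc=1 ;;
        esac
        [ "$port" != 53 ] || { echo "clashes with Pi-hole on 53: $addr" >&2; rc=1; }
        printf '%s#%s\n' "$host" "$port"
    done <<EOF
$addrs
EOF
    return $rc
}

# Print upstreams that bypass dnscrypt-proxy; return 0 only if there are none.
stray_upstreams() {
    listeners=$(dnscrypt_listeners "$1") || return 2
    ups=$(sed -n 's/^PIHOLE_DNS_[0-9]*=//p' "$2")
    [ -n "$ups" ] || return 2
    rc=0
    while read -r up; do
        printf '%s\n' "$listeners" | grep -qxF -- "$up" || { echo "$up"; rc=1; }
    done <<EOF
$ups
EOF
    return $rc
}

# Constructed sample: the gist's listeners plus a leftover plaintext upstream.
demo=$(mktemp -d)
echo "listen_addresses = ['127.0.0.1:5053', '[::1]:5053']" > "$demo/proxy.toml"
printf 'PIHOLE_DNS_1=127.0.0.1#5053\nPIHOLE_DNS_2=1.1.1.1\n' > "$demo/vars.conf"
echo "bypassing dnscrypt-proxy: $(stray_upstreams "$demo/proxy.toml" "$demo/vars.conf")"
```

On the Pi, run stray_upstreams /opt/dnscrypt-proxy/dnscrypt-proxy.toml /etc/pihole/setupVars.conf; any line it prints is a resolver still checked under Settings > DNS.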