Configuring Pi-Hole with DNS over HTTPS
Get the cloudflared daemon compiled for ARM (Raspberry Pi)
Configure it as a service that runs on startup under a user named cloudflared
Start the service with systemd (or just reboot)
Ultimately this still goes to Cloudflare’s 184.108.40.206 DNS, except routed over HTTPS:
    # Commandline args for cloudflared
    CLOUDFLARED_OPTS=--port 5053 --upstream https://220.127.116.11/dns-query --upstream https://18.104.22.168/dns-query
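The three steps above (service user, startup configuration, systemd) as one script. This is an added example, not the post's own files or anything shipped by cloudflared or Pi-hole: the binary path /usr/local/bin/cloudflared, the unit name cloudflared.service, the EnvironmentFile location and the extra systemd hardening directives are assumptions; the listen port and the two --upstream URLs are copied from the post, and `proxy-dns` is the cloudflared subcommand that takes those flags.

```shell
#!/bin/sh
# Added example (not from the post): install cloudflared as a DNS-over-HTTPS
# proxy that Pi-hole can use as its upstream on 127.0.0.1:5053.
#   ./cloudflared-doh.sh render    - print the two files, write nothing
#   sudo ./cloudflared-doh.sh install  - create user, write files, start service
#   ./cloudflared-doh.sh verify    - check the proxy answers on the loopback port
set -eu

PREFIX="${PREFIX:-}"                                                   # set to a temp dir for a dry run
CLOUDFLARED_BIN="${CLOUDFLARED_BIN:-/usr/local/bin/cloudflared}"       # assumed install path of the ARM binary
LISTEN_PORT="${LISTEN_PORT:-5053}"                                     # port from the post
# Upstream DoH endpoints, copied verbatim from the post.
UPSTREAMS="${UPSTREAMS:-https://220.127.116.11/dns-query https://18.104.22.168/dns-query}"

# Build /etc/default/cloudflared: one --port and one --upstream per resolver.
render_defaults() {
    opts="--port $LISTEN_PORT"
    for u in $UPSTREAMS; do
        opts="$opts --upstream $u"
    done
    printf '# Commandline args for cloudflared\nCLOUDFLARED_OPTS=%s\n' "$opts"
}

# Build the systemd unit. The daemon runs as the unprivileged 'cloudflared'
# user, takes its flags from the EnvironmentFile, and restarts on failure.
# The Protect*/NoNewPrivileges lines are least-privilege additions (assumed
# safe for proxy-dns, which only needs the network).
render_unit() {
    cat <<EOF
[Unit]
Description=cloudflared DNS over HTTPS proxy
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=$CLOUDFLARED_BIN proxy-dns \$CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Write both files under $PREFIX (empty PREFIX means the real filesystem).
install_files() {
    mkdir -p "$PREFIX/etc/default" "$PREFIX/etc/systemd/system"
    render_defaults > "$PREFIX/etc/default/cloudflared"
    render_unit > "$PREFIX/etc/systemd/system/cloudflared.service"
    chmod 0644 "$PREFIX/etc/default/cloudflared" \
               "$PREFIX/etc/systemd/system/cloudflared.service"
}

# Full install: system user without a home or login shell, files, enable + start.
install_service() {
    id cloudflared >/dev/null 2>&1 || \
        useradd --system --no-create-home --shell /usr/sbin/nologin cloudflared
    install_files
    systemctl daemon-reload
    systemctl enable --now cloudflared.service
}

# Succeeds only if the local proxy returns at least one A record (needs dig).
verify_resolver() {
    dig +short @127.0.0.1 -p "$LISTEN_PORT" cloudflare.com A | grep -q .
}

case "${1:-render}" in
    render)  render_defaults; echo; render_unit ;;
    install) install_service ;;
    verify)  verify_resolver ;;
    *)       echo "usage: $0 {render|install|verify}" >&2; exit 2 ;;
esac
```

After `install`, Pi-hole still has to be told to use the proxy: its upstream becomes `127.0.0.1#5053` (Settings, DNS, custom upstream), which the post leaves to the Pi-hole side. Running `verify` confirms the proxy itself answers before Pi-hole is switched over, so a broken cloudflared does not take the whole network's DNS down with it.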
Why? Basically, with traditional HTTPS people don’t know what you are browsing (because it’s encrypted) but they can definitely tell what website (domain name) you are looking at.
Even if you are visiting a site using HTTPS, your DNS query is sent over an unencrypted connection. That means that even if you are browsing https://cloudflare.com, anyone listening to packets on the network knows you are attempting to visit cloudflare.com.
The second problem with unencrypted DNS is that it is easy for a Man-In-The-Middle to change DNS answers to route unsuspecting visitors to their phishing, malware or surveillance site. DNSSEC solves this problem as well by providing a mechanism to check the validity of a DNS answer, but only a single-digit percentage of domains use DNSSEC.
With DNS over HTTPS, a man in the middle can't see the content of the DNS exchange, nor learn from it what website you are on. It also prevents tampering with DNS, as a side benefit. 😅