Using a forwarding resolver in Pi-Hole for DNS over TLS


Configs needed for Pi-Hole to use either Unbound or cloudflared as a forwarding resolver that sends its queries to Quad9 over an encrypted transport (DNS over TLS with Unbound, DNS over HTTPS with cloudflared).

Table of Contents

  1. Unbound as forwarding resolver
  2. Cloudflared as forwarding resolver
Information

The Quad9 addresses used in the Unbound config below (9.9.9.11 / 149.112.112.11, authenticated as dns11.quad9.net) provide malware blocking and DNSSEC validation and are ECS-enabled; the cloudflared config uses Quad9's default secure service (dns.quad9.net), which also blocks malware and validates DNSSEC but does not send ECS. Check out all of Quad9's options. Alternately you may consider Cloudflare's 1.1.1.2 / security.cloudflare-dns.com, which also supports DNSSEC and blocks malware.

Unbound as forwarding resolver

Create the file /etc/unbound/unbound.conf.d/pi-hole.conf (for example with sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf), paste the below into it, check it with unbound-checkconf, then restart Unbound with sudo systemctl restart unbound. Point Pi-Hole's custom upstream DNS at the address Unbound listens on (127.0.0.1#5335 with the settings below).

server:
    # CA bundle used to verify the upstreams' certificates (Debian path is lowercase /etc/ssl)
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    # Assumes Unbound runs on the Pi-Hole host: listen locally on 5335 so it
    # does not clash with Pi-Hole's own port 53
    interface: 127.0.0.1
    port: 5335

forward-zone:
    name: "."
    # Send every query over TLS (port 853) and verify each upstream's
    # certificate against the hostname after '#'
    forward-tls-upstream: yes
    # Quad9: malware blocking, DNSSEC, ECS enabled
    forward-addr: 9.9.9.11@853#dns11.quad9.net
    forward-addr: 149.112.112.11@853#dns11.quad9.net
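To check what the forwarder above is actually doing, here is an added example (not code from the original page, Unbound or Pi-Hole): a minimal DNS-over-TLS client in standard-library Python that does the same thing as forward-tls-upstream with tls-cert-bundle, namely a TLS connection to ip:853 whose certificate chain is verified against the system CA store and the auth name after '#', followed by a query with the two-byte length framing of DNS over TCP. It parses Unbound's ip@port#authname syntax, builds a query with the DNSSEC OK (DO) bit set, and reports the RCODE and AD flag from the answer. The function names and the fixed transaction ID are this example's own choices; the wire bytes used in the offline checks are constructed.

```python
"""Minimal DNS-over-TLS probe for verifying a forward-addr upstream (added example)."""
import socket
import ssl
import struct

QUERY_ID = 0x1234  # fixed transaction ID so the offline checks are deterministic


def parse_forward_addr(spec):
    """Parse Unbound's 'ip@port#authname' form, e.g. '9.9.9.11@853#dns11.quad9.net'.

    Returns (ip, port, auth_name). A missing '#authname' is an error here
    because without it the TLS connection could not be authenticated.
    """
    addr, _, auth = spec.partition("#")
    ip, _, port = addr.partition("@")
    if not ip or not auth:
        raise ValueError("expected ip@port#authname, got %r" % spec)
    return ip, int(port) if port else 853, auth


def build_query(name, qtype=1, dnssec_ok=True):
    """Wire-format query: RD set, one question, optional OPT RR with DO=1 (RFC 6891)."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", QUERY_ID, 0x0100, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # qtype, class IN
    # OPT pseudo-RR: root name, type 41, UDP size 4096, TTL field carries the DO flag
    opt = (b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0)) if dnssec_ok else b""
    return header + question + opt


def parse_header(response):
    """Decode the 12-byte header into the fields worth checking after a DoT query."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "txid": txid,
        "rcode": flags & 0x000F,     # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
        "ad": bool(flags & 0x0020),  # AD: the upstream validated DNSSEC for this answer
        "answers": an,
    }


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket (TLS records can split the message)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the connection early")
        buf += chunk
    return buf


def dot_query(spec, name, timeout=5.0):
    """One query over DoT: TLS to ip:port, chain verified against the system CA
    bundle and the hostname after '#', length-prefixed framing as in DNS over TCP."""
    ip, port, auth = parse_forward_addr(spec)
    ctx = ssl.create_default_context()  # system CA store, hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(name)
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            response = recv_exact(tls, length)
    result = parse_header(response)
    if result["txid"] != QUERY_ID:
        raise ValueError("transaction ID mismatch: not a reply to our query")
    return result


if __name__ == "__main__":
    upstream = "9.9.9.11@853#dns11.quad9.net"
    for qname in ("example.com", "dnssec-failed.org"):
        print(qname, dot_query(upstream, qname))
```

Run it on a host with internet access: a validating upstream answers example.com with rcode 0 and AD set, and dnssec-failed.org (a deliberately broken DNSSEC zone) with rcode 2, SERVFAIL. Changing the auth name to something the certificate does not cover makes ssl raise a verification error before any DNS is sent, which is exactly the failure mode the tls-cert-bundle line exists to produce.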

Cloudflared as forwarding resolver

Copy & paste the below into a compose.yaml, then run docker compose up -d to create a fully-configured cloudflared container. Note that cloudflared's proxy-dns mode speaks DNS over HTTPS to its upstreams (its --upstream values are DoH URLs, not DoT endpoints), so this variant encrypts with DoH rather than DoT. Pi-Hole then uses the container's address and port as an ordinary plain-DNS upstream, e.g. <container-ip>#853 with the settings below, so make sure that listener is reachable only from Pi-Hole's network and not from the internet.

services:
  cloudflared:
    container_name: cloudflared
    image: cloudflare/cloudflared:latest
    # proxy-dns: a plain DNS listener in front of DoH upstreams
    command: proxy-dns
    environment:
      # Upstreams must be DoH URLs; Quad9's secure (malware-blocking, DNSSEC) endpoint
      - "TUNNEL_DNS_UPSTREAM=https://dns.quad9.net/dns-query"
      # Unencrypted DNS listener that Pi-Hole queries; expose it to Pi-Hole with a
      # ports: mapping or a shared Docker network, never to the internet
      - "TUNNEL_DNS_PORT=853"
      - "TUNNEL_DNS_ADDRESS=0.0.0.0"
    restart: unless-stopped

Set up Pi-Hole for network-wide ad blocking and Unbound for recursive DNS

Using DNS over HTTPS with Pi-Hole and Cloudflared