Wednesday, July 1, 2026

pihole-dot: Native DNS-over-TLS in Pi-hole's FTL (no unbound/stubby sidecar needed)

I got tired of running a Pi-hole + unbound sidecar just to get encrypted upstream DNS (DoT), so I forked pi-hole/FTL and added native DNS-over-TLS support directly into the resolver (mbedTLS is already linked in for the web server, so I reused it). The result is pihole-dot: a drop-in Pi-hole image with DoT built in.

What it is:
- FTL-DoT: a fork of FTL with a native async DoT client built into dnsmasq's forwarder
- pihole-dot: the Docker image that uses it; same config, same env vars, just point FTLCONF_dns_upstreams at tls://ip#port#hostname
- No unbound, no stubby, no extra container/hop

Architecture: each upstream server gets a small pool of pipelined TCP+TLS connections (RFC 7766-style multiple queries in flight per connection, demultiplexed by DNS transaction ID), instead of one query at a time per connection.
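As an added example (not code from FTL-DoT or Pi-hole), here is the pipelining scheme described above in Python: queries are length-prefixed per RFC 7766, several are sent on one connection, and responses are matched back to their query by transaction ID even when they arrive out of order. The `parse_upstream`, `PipelinedConn` and `connect` names are assumptions of this example; the `tls://ip#port#hostname` upstream format is the one the post shows.

```python
import socket
import ssl
import struct

def parse_upstream(spec: str):
    """Parse the tls://ip#port#hostname form used in FTLCONF_dns_upstreams.
    (Format as shown in the post; this parser is an assumption of the example.)"""
    if not spec.startswith("tls://"):
        raise ValueError("not a DoT upstream: " + spec)
    ip, port, hostname = spec[len("tls://"):].split("#")
    return ip, int(port), hostname

def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: 12-byte header (RD=1), one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg: bytes) -> bytes:
    """RFC 7766 framing on TCP/TLS: 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

class PipelinedConn:
    """Several queries in flight on one connection. Responses are matched to
    their query by transaction ID, so the server may answer in any order."""
    def __init__(self):
        self.pending = {}   # txid -> queried name
        self.buf = b""      # bytes read from the socket but not yet a full message
    def query(self, txid: int, name: str) -> bytes:
        if txid in self.pending:
            raise ValueError("transaction ID already in flight")
        self.pending[txid] = name
        return frame(build_query(txid, name))   # bytes to write to the socket
    def feed(self, data: bytes):
        """Consume socket bytes; return a list of (txid, name, rcode) completed."""
        self.buf += data
        out = []
        while len(self.buf) >= 2:
            n = struct.unpack("!H", self.buf[:2])[0]
            if len(self.buf) < 2 + n:
                break                      # partial message: wait for more bytes
            msg, self.buf = self.buf[2:2 + n], self.buf[2 + n:]
            txid, flags = struct.unpack("!HH", msg[:4])
            if not flags & 0x8000 or txid not in self.pending:
                continue                   # not a response, or unsolicited: drop
            out.append((txid, self.pending.pop(txid), flags & 0x000F))
        return out

def connect(spec: str) -> ssl.SSLSocket:
    """Open the TLS connection, verifying the certificate against the hostname."""
    ip, port, hostname = parse_upstream(spec)
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(socket.create_connection((ip, port)), server_hostname=hostname)
```

The hostname part of the upstream spec is what makes certificate verification possible; `connect` is not exercised offline.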

Screenshot from my own router running pihole-dot right now; config is a normal, unlocked Pi-hole DNS Settings page.

Docker Hub: https://hub.docker.com/r/ismkdc/pihole-dot

Repos:
- https://github.com/ismkdc/FTL-DoT
- https://github.com/ismkdc/docker-pihole-dot

submitted by /u/HotPaleontologist268