Skip to content

Automaticaly deploy Pi-Hole and DNSCrypt proxies through Docker containers to encrypt, authenticate and anonymize DNS requests + filter ads and telemetry.

License

Notifications You must be signed in to change notification settings

anon-mongoose/PiHole-DNSCrypt-dockerized

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

36 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Pi-Hole & DNSCrypt proxy dockerized

Nowadays, most people don't feel safe using HTTP when surfing on the web, they prefer using HTTPS instead that encrypts and authenticates their Internet communications, and they are right! But before using HTTPS when visiting a website by typing its domain name (e.g.: www.eff.org), your browser needs to know the IP address of the server it is trying to connect to.

And here the DNS protocol comes in, it will find the IP address linked to a particular domain name. Problem: the DNS protocol is not secure by default and the domain you are looking for will be visible in plain text on the networks. But fortunately, there is a way to solve this problem:

  • DNSCrypt: A dedicated protocol to encrypt, authenticate and anonymize DNS traffic.
  • DoH (DNS over HTTPS): DNS packets encapsulated in HTTPS packets.
  • DNSSEC: Authenticates DNS records and ensures data integrity.

Plus, the DNS protocol is used by companies to display ads and for telemetry. Some people would like to get rid of them, so using Pi Hole is the best choice.

This project allows anyone with basic IT knowledge to automatically setup two DNS proxies:

  • Pi-Hole: this proxy will help removing ads and telemetry efficiency.
  • DNSCrypt: this proxy will encrypt (DNSCrypt, DoH), authenticate (DNSSEC) and anonymize your DNS requests.

Description

This goal of this project is to setup and deploy the two proxies embedded in Docker containers, and to provide a small Bash script to deploy and update them automatically.

Files description

  • run.sh: updates and deploys automatically the two proxies. It will get the latest version of Pi-Hole and DNSCrypt, update the configuration files and redeploy the updated containers.
  • docker-compose.yaml: holds the containers configuration.
    • You may want to change the Pi-Hole exposed ports on your machine.
    • The admin web interface port is not exposed because the environment variables are not loaded for unknown reason, Thus anyone may access it.
    • You may want to edit the network configuration in case you already have one with the same subnet.
    • It is not a good security practice to setup the admin web interface password in plain text in this file. You should connect to the Pi-Hole container and change it manually by command line.
  • dnscrypt/dnscrypt-proxy.toml: holds the DNSCrypt proxy configuration. You may want to edit it with you own configuration. Make sure to rebuild manually the Docker image once done.
  • etc-dnsmasq.d/01-pihole.conf: holds the configuration of Pi-Hole.

How it works ?

Each proxy will be embedded in a Docker container. When deployed, only the DNS ports of the Pi-Hole containers will be exposed on the host machine.

When a DNS request comes into the host machine, actions will be the following:

  1. The DNS request is redirected to Pi-Hole container.
  2. The domain requested is filtered (ads, telemetry, other blacklists...).
  3. Pi-Hole redirects the DNS request to the DNSCrypt container.
  4. The DNS request is encrypted (DNSCrypt or DoH by default), authenticated (DNSSEC) and anonymized (around 70 DNS servers are used).
  5. DNSCrypt container returns DNS response to Pi-Hole.
  6. Pi-Hole container returns the DNS response.

Usage

  • To print the help message of the run.sh script, use the -h or --help options:
    $ sudo bash run.sh -h
    $ sudo bash run.sh --help

  • If you want to install or update the proxies automatically, use one of the following command from this cloned repository:
    $ sudo bash run.sh -f
    $ sudo bash run.sh --force

  • If you want to install or update the proxies manually (actions are prompted), use the following command from this cloned repository:
    $ sudo bash run.sh

  • If you want to deploy the proxies without checking for an update, use the following command from this cloned repository:
    $ sudo docker-compose up

  • If you want to remove the proxies, use the following command from this cloned repository:
    $ sudo docker-compose down

Notes: you may want to define the machine's architecture where you will deploy the proxies by editing the variable arch in the run.sh script line 9. By default it is set to x86_64. For a Raspberry Pi, you should set arm.

How to ensure the proxies work correctly ?

Dnsleaktest Website

First, you should visit the website https://www.dnsleaktest.com and click on "Standard test". It will then display the DNS servers your machine is requesting to. Thus, it will allow you to ensure the servers are not always the same and that they support DNSCrypt, DoH and DNSSEC.

The following screenshot is a Standard test realized without proxies. You may note that a single DNS server is listed. Dnsleaktest standard test results without proxies

The following screenshot is a Standard test realized with proxies. This time, 6 servers are listed and they will change each time you'll do the test. Dnsleaktest standard test results with proxies

Notes: to perform this test, make sure to deploy the proxies AND to configure your machine to use localhost as DNS resolver (and make sure to specify the good port if it is not the default one 53).

Network traffic analysis

Second, you may ensure the DNS requests are not sent in plain text. I used Wireshark to capture the network traffic when requesting some domains with the dig. My test was:

  1. Deploy the proxies on your machine with the bash run.sh -f command.
  2. Launch a network traffic recorder, in this case Wireshark.
  3. Request some domains without using the proxies with the dig command: ~$ dig eff.org
  4. Request some domains using the proxies with the dig command: ~$ dig @127.0.0.1 -p 53 eff.org
  5. Stop the network traffic recorder.

The following screenshot shows network traffic filtered on DNS protocol where we see all the domains in plain text I requested with dig (eff.org, example.com, qwant.com and github.com): DNS traffic without proxies

The following screenshot shows network traffic of the same requested domains but using proxies. No DNS requests show up, they are encrypted (TLSv1.2 packets presence). DNS traffic with proxies


Next improvements

  • Containers security hardening.

Dependencies

  • bash
  • docker
  • docker-compose
  • An Internet connection

Troubleshoots

Containers keep restarting

Containers ususally restart when they encounter an error. In order to find which one exactly, take a look of their logs with the command below:

sudo docker container logs CONTAINER_NAME

dnscrypt container may crash if the binary's architecture (defined in arch variable at the top of run.sh file) is not compatible with your machine arcitecture. Update the dedicated variable to match yours.

pihole container may crash for several reasons. Check out its logs to better understand what makes it crash.


Mentions

This project uses the awesome work of the Pi-Hole and DNSCrypt development teams. Do not hesitate to support them with donations and by visiting their websites!