[bozzcl]

Last year, I added firewall rules to my router to block:

* Any outbound DNS and DNS-over-TLS requests coming from anything other than my Pi-Hole * Any outbound HTTPS requests to DNS-over-HTTPS providers that I know of

It's surprising how many hits I got to those block rules. Makes me very worried about the adoption of DoH: all its privacy and anti-tampering advantages also apply to devices that violate privacy, like smartphones and smart TVs. I want to keep those under control.

I'm curious about your setup: how many devices do you have in your network that you need a load-balanced Pi-Hole setup!? My RPi4 has been rock-solid, but it sounds it doesn't have to handle nearly as much load as yours. Makes me wonder if my next hardware purchase should be a small server to host a hypervisor instead of a single RPi.

[Dah00n]

>Makes me very worried about the adoption of DoH

Yes, this is what made me look closer at what happens at my LAN and got me into this mess. It is a loosing battle but I try to block things like DoH and DNS IPs via blocklists[1]. Pfsense add-on pfBlockerNG does this pretty well. I then strictly only allow DNS over TLS from the DNS server out on WAN.

>how many devices do you have in your network that you need a load-balanced Pi-Hole setup!?

I can see it wasn't very clear in my comment but it wasn't the amount of devices that caused the problem. It only takes one or two misbehaving devices that hammers pi-hole to make it hang. Pi-hole worked wonderfully until I forced all DNS requests to be redirected to it. I then got many many requests a second from some devices (Edit: because they didn't like the NXDOMAIN reply they got). Try refusing access to Google DNS if you have some Cromecasts. As far as I can remember they really don't like this. Any Android phone with only one DNS IP set will also default to Google DNS as a secondary DNS IP...

1: Blocking DNS servers really isn't easy. Not only do some devices use other ports but they aren't all well known. I had requests to 216.239.32.10 for example and had no idea this is yet another Google DNS IP (ns1.google.com?).

[atommclain]

would love to know more about this setup... I'm very worried about DoH

[Dah00n]

Sadly I don't think you can ever win a battle against DoH unless you control all devices on the network and can live without any that try to use it. I would hate to run an enterprise or school network these days!

My home LAN is a total overkill setup because I like tinkering with this stuff. If you want more control then my advice would be to look at enterprise hardware as often used enterprise hardware can be found cheaper than way worse equipment made for home users. Just make sure it doesn't have loud fans or that they can be disabled (which they mostly can outside hot server rooms). I swapped out my switches with some cheap HP 1910-24G managed switches and connected them with fiber. I got 3 of those cheaper than the one crappy Linksys I had before which last had a firmware update months before I bought it! But if I had to recommend a single easy solution I would buy a ready to go OPNsense device. I only know this shop in Sweden though: https://teklager.se/en/products/routers/

Basically what I did after I stopped using pi-hole was to setup pfsense (later switched to OPNsense when I found out that pfsense isn't actually open source) and broke up my LAN (via VLANs, which is where the HP 1910's came into the picture) into three pieces:

-DMZ that is totally open for Playstation etc. No access from or to this to/from anything on LANs

-LAN1 where only whitelisted things have WAN access. This is where all normal traffic is at.

-LAN2 where anything that need access from WAN are connected (this also have its own WAN IP)

Geeky!