DoH (DNS over HTTPS) w/ pihole in docker on DSM

57
5
NAS
DS718+
Router
  1. RT2600ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
Is anyone successfully running a pihole on their DS (in docker) with DoH (DNS over HTTPS) enabled on the router? I can get each working separately but not together. When enabling DoH, it greys out the primary DNS field at Network Center < Local Network < DHCP Server < Primary DNS, which is where you would put the IP address of the pihole (in my case the same IP address as my DS).
 

Rusty

Moderator
NAS Support
2,856
870
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Why would you wanna run doh on both your router lvl dns and your pihole (that's a dns server in the 1st place)?
 
> Why would you wanna run doh on both your router lvl dns and your pihole (that's a dns server in the 1st place)?
I probably don’t know enough to answer your question directly. I’d just like to keep my DNS queries private. Is that accomplished with just the pihole? I have Cloudflare set as my upstream DNS servers in the pihole. Does the pihole run that encrypted?
 

Rusty

If you have CF upstream server set to https://cloudflare-dns.com/dns-query, then your requests are encrypted with DoH
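
What a request to an upstream of that form carries, as an added example that is not part of the original post: the DNS question is packed in wire format and sent inside HTTPS (RFC 8484) instead of cleartext UDP on port 53. The function names are hypothetical and the script only builds and decodes the URL; it sends nothing.

```python
import base64
import struct
from urllib.parse import parse_qs, urlencode, urlparse

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # URL quoted in the thread


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """DNS wire-format query (RFC 1035); RFC 8484 recommends ID 0 for DoH."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype, class IN


def doh_get_url(name: str, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: base64url of the query with padding stripped."""
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{endpoint}?{urlencode({'dns': dns})}"


def question_from_url(url: str) -> str:
    """Recover the queried name from a DoH GET URL, e.g. one seen in a proxy log."""
    dns = parse_qs(urlparse(url).query)["dns"][0]
    wire = base64.urlsafe_b64decode(dns + "=" * (-len(dns) % 4))
    labels, pos = [], 12  # the question section follows the 12-byte header
    while wire[pos]:
        length = wire[pos]
        labels.append(wire[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


if __name__ == "__main__":
    url = doh_get_url("www.example.com")  # constructed sample name
    print(url)
    print(question_from_url(url))
```

On the network only the TLS session to port 443 of the DoH host is visible; the `dns=` parameter is readable only at the two TLS endpoints.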
 
@Rusty - I have it set as shown in the picture in red. Are you saying I can enter that address in the section in blue / custom 1?
[Attached image: Annotation 2020-02-24 210838.jpg]
 


Shadow

Subscriber
608
208
NAS
DS216+II, DS118, DS718+
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. Android
Looks like Cloudflare is already preconfigured in that UI. Doesn't that also use HTTPS?
 

Rusty

> Looks like Cloudflare is already preconfigured in that UI. Doesn't that also use HTTPS?

Good questions. Considering it's just a CF checkbox, it's unsure what's behind it. With a manually added upstream server, you know what you are configuring. So in my book, an upstream DoH parameter is a safer bet.
 

Shadow

> Good questions. Considering it's just a CF checkbox, it's unsure what's behind it. With a manually added upstream server, you know what you are configuring. So in my book, an upstream DoH parameter is a safer bet.

I do wonder if this works for @daptap because looking at that GUI it seems to be asking for an IP address and doesn't give the option for a URL.
 
> I do wonder if this works for @daptap because looking at that GUI it seems to be asking for an IP address and doesn't give the option for a URL.

Looks like no: "IP (https://cloudflare-dns.com/dns-query) is invalid! The settings have been reset to their previous values". Tried pasting and also typing it in, in case the paste had something wrong with it. I think it does want an actual IP address.
 
99
28
I saw this when googling. I've got this in docker on my DS718 right now...been thinking about moving to my rp4...if I do I could try this.

DoH or DoT (DNS over TLS) isn’t working out of the box with pihole; you need to install and configure some extras.

But if you want DoH or DoT to work out of the box you could look at Adguard Home Docker Hub
It is quite easy to set up, works great, and also uses less resources and memory.
 

Rusty

Agree. I switched to ADGuard a while back and haven't looked for another solution since.
 
> DoH or DoT (DNS over TLS) isn’t working out of the box with pihole; you need to install and configure some extras.
>
> But if you want DoH or DoT to work out of the box you could look at Adguard Home Docker Hub
> It is quite easy to set up, works great, and also uses less resources and memory.

Any tutorials for how to set this up in docker on a disk station?
 
130
36
NAS
DS918+ (8GB RAM, 4x WD RED 4TB SHR) ; EATON Ellipse PRO 1200FR
Operating system
  1. Windows
Mobile operating system
  1. Android
> Any tutorials for how to set this up in docker on a disk station?

Hi,
I would also be interested in a quick tutorial on how to set Adguard up.
I have tried to install it in Docker but when I try to map the ports (e.g. 53 host to 53 docker instance) it throws an error: port already used or something like that, even though I'm not running a DNS server on my NAS.
 
Adguard
 
Change the following to your needs and use putty or mac terminal to create the Adguard Home docker container.
First you need to create a macvlan network and then the AGH container.


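Code:
# create for a single IP
# --subnet: change to your local LAN subnet
# --ip-range: change to your IP range
# --gateway: change to your gateway
# parent: change to your network interface
# last argument: network name, must match --network in the docker run command
# (comments sit above the command: text after a trailing "\" breaks the line continuation)
docker network create -d macvlan \
 --subnet=192.168.1.0/24 \
 --ip-range=192.168.1.50/32 \
 --gateway=192.168.1.1 \
 -o parent=eth0 \
 macvlan_network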

Code:
docker pull adguard/adguardhome:latest
# --env TZ: set your time zone
# --network: the macvlan network created above
# --ip: your macvlan IP; the container has its own LAN address and clients reach its ports there
docker run -d --name adguard \
 -v /volume1/docker/adguard/work:/opt/adguardhome/work \
 -v /volume1/docker/adguard/config:/opt/adguardhome/conf \
 -v /volume1/docker/adguard/etc/hosts:/etc/hosts:rw \
 -v /etc/localtime:/etc/localtime:ro \
 -v /etc/TZ:/etc/timezone:ro \
 --env TZ='your/timezone' \
 --network=macvlan_network \
 --ip=192.168.xx.xx \
 --hostname='adguard' \
 -p 53:53/tcp -p 53:53/udp \
 -p 67:67/udp \
 -p 68:68/tcp -p 68:68/udp \
 -p 81:80/tcp -p 8443:443/tcp \
 -p 853:853/tcp -p 3000:3000/tcp \
 --restart always \
 adguard/adguardhome:latest
 
@BobW,

Thanks for this quick tutorial, it looks quite simple.
Do you think this can be done within the DSM UI instead of CLI?

I'm pretty new to docker and I find it more comfortable to not mess with CLI :D
Also, I don't really understand what macvlan does... Does it allow you to assign a dedicated LAN IP (in the same subnet as your LAN) to the container?
 
