New Cloudflare DNS -- Fastest and Most Secure

Easy to configure pfsense to use DNS over TLS :point_down:

Better than some rando's github binary release.

Yeah, and pfsense has pfblockerNG for pi-hole-like adblocking also. It certainly does offer a ton of flexibility.

@SgtAwesomesauce: If I wanted to download and compile my own source to install and upgrade random applications I'd be running gentoo. Life is too short! I want a PPA with a nicely packaged application. Or even better, a snap package or docker container.

Agreed, but you don't need to do that. pfsense can easily handle DNS over TLS for you. Not sure if it's this easy on a vanilla unbound install, but shouldn't take that much effort to set up.
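For reference, this is what the "vanilla unbound" version of the pfSense setup looks like (pfSense's DNS Resolver is unbound underneath). This is an added example, not configuration from anyone in the thread; it assumes unbound 1.7.3 or newer (for the `#hostname` certificate-name syntax) and a CA bundle at the Debian/Ubuntu path, which you would adjust for your OS.

```conf
# Added example: forward all queries to Cloudflare over DNS-over-TLS (port 853)
# with certificate verification and local DNSSEC validation.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # Trust store used to verify the upstream resolver's TLS certificate.
    # Assumed path (Debian/Ubuntu); FreeBSD/pfSense uses /etc/ssl/cert.pem
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Validate DNSSEC locally rather than trusting the forwarder's AD bit
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no
    harden-dnssec-stripped: yes
    harden-glue: yes
    qname-minimisation: yes

forward-zone:
    name: "."
    # Wrap upstream queries in TLS; "@853" selects the DoT port
    forward-tls-upstream: yes
    # "#cloudflare-dns.com" makes unbound check the certificate's name,
    # not just that it chains to a trusted CA
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    # Do not fall back to plaintext recursion if the forwarders are down
    forward-first: no
```

Run `unbound-checkconf` before restarting. To confirm nothing leaks, a packet capture on the WAN side should show only TCP/853 to the forwarders and no UDP/53; a query for a signed zone should come back with the `ad` flag set, which tells you validation is happening locally. Without the `#hostname` part unbound only checks that the certificate chains to a trusted CA, which is weaker.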

Indeed, but I don't have a pfsense box. My high end as of 4 years ago ASUS router with aftermarket firmware does a fine job and I don't feel the need to spend a couple hundred bucks replacing it.

Setting up VLANs to isolate my IOT stuff would be much easier with pfsense and that could be worthwhile, but I already worked through that pain!

Well, give it time. Who knows. If you ask nicely, maybe I'll make a docker container. :stuck_out_tongue:

Edit: link me this guy's implementation. I'll have a look and see what it's going to take.


I think you could spin up a pfsense vm and just use it as a local DNS server. Just ignore the routing stuff altogether… I was thinking of doing this at home actually.

It's not a bad option.

Pi-Hole might be a preferential solution.

Actually after a bit more research, DNScrypt Proxy v2.0 supports DNS over HTTPS, and that's a mature solution.


Pfsense DNS Resolver with caching was easy. Adding Pfblockerng on top of that was not difficult either.

There may be other/better guides, but this worked for me - just did as they suggested:
https://www.linuxincluded.com/block-ads-malvertising-on-pfsense-using-pfblockerng-dnsbl/

My VPN doesn't support DNSSec, which is unfortunate, but… If I can't trust them with my DNS, then I can't trust them with my VPN (same rule as connecting to an ISP).

DNSSec provides security beyond what's within the control of the specific DNS server you choose… but why does the VPN provider have any bearing on which DNS server you use?

Easy-button way to prevent leakage is use their servers and "trust" them to do as they promise and not log or leak this data outside your tunnel. Also theoretically provides the most direct path to DNS info through your tunnel (most immediate hop).

Certainly don't have to and if their servers are clogged/high latency or topologically impaired you are gonna have a bad time (though I've had no issue with a caching DNS pfsense setup using their servers).


So far so good. I had some issues getting the Pi setup, which switching microSD cards resolved. Used 1.1.1.1 on the Pi-Hole for now… although I'd like to read up on all of the new stuff that's been posted in this thread. See if one of the others listed might be a better choice.

Just got this setup on my pfsense box at home.


Quad9 is more private and still has dnssec and LTS.


I set this up on my pfSense router, it's fast when it works but I've intermittently had heavy slowdowns in DNS requests and there have been times when DNS cuts out entirely with it. Not sure whether it is an issue with my configuration or Cloudflare's DNS yet but need to look into it more.


Gonna have to flesh this out a bit more, this is a non-topic right now.


Please elaborate and expand on your post more. What do you want our thoughts to be on?


Hi HippyTree, you been enjoying the Hippy Trees a bit? :stuck_out_tongue:



Oh, are you talking about DNS over SSL or DNS over HTTPS?