Each DNS server has an api endpoint at https://doh.$location.pi-dns.com/dns-query that supports the DNS Wireformat. All DoH endpoints are listed below.
Each endpoint also supports JSON format, althought we only recommend using JSON for debugging purposes.
To use DNS over HTTPS requires you to use some DoH client on your side. Since the SSL certificates on our servers only are valid for a fully qualified domain name (FQDN), it’s also required that you configure the /etc/hosts (or Hosts file on windows) to map the FQDN’s of our servers to their respective ip address.
On the machine that you plan to setup a DoH client on, edit the /etc/hosts or windows hosts file to look something like the examples below:
127.0.0.1 localhost ::1 localhost 188.8.131.52 doh.westeu.pi-dns.com 184.108.40.206 doh.northeu.pi-dns.com 220.127.116.11 doh.westus.pi-dns.com 18.104.22.168 doh.eastus.pi-dns.com 2a01:6f0:ffff:49::abcd doh.westeu.pi-dns.com
The hosts file is located at: C:\Windows\System32\drivers\etc
22.214.171.124 doh.westeu.pi-dns.com 126.96.36.199 doh.northeu.pi-dns.com 188.8.131.52 doh.westus.pi-dns.com 184.108.40.206 doh.eastus.pi-dns.com
One DoH client that I use on my local raspberry pi is cloudflare’s cloudflared. One alternative can be to run a pi-hole instance on your local network that you use cloudflare’s DoH client on. The setup is quite easy and can be found at: https://docs.pi-hole.net/guides/dns-over-https/.
After installing cloudflare’s DoH client you must configure it to use our dns servers. This is easily done by editing the file /etc/default/cloudflared (on linux). See the example below.
# Commandline args for cloudflared CLOUDFLARED_OPTS=--port 5053 --upstream https://doh.northeu.pi-dns.com/dns-query --upstream https://doh.westeu.pi-dns.com/dns-query
Where you set your desired port with the –port property and each pi-dns server is added with the –upstream property. We recommend that you use as many of our servers as possible. Select at least the two that are geographically closest to you an order them by distance when adding them into the file, where the closest server comes first.
After installing cloudflared and editing the startup parameters in /etc/default/cloudflared, restart the daemon using
sudo systemctl restart cloudflared && sudo systemctl status cloudflared
The output should be something like
● cloudflared.service - cloudflared DNS over HTTPS proxy Loaded: loaded (/lib/systemd/system/cloudflared.service; enabled; vendor preset: enabled) Active: active (running) since Sat 2019-09-28 22:22:52 BST; 99ms ago Main PID: 6400 (cloudflared) Tasks: 6 (limit: 4915) CGroup: /system.slice/cloudflared.service └─6400 /usr/local/bin/cloudflared proxy-dns --port 5053 --upstream https://northeu.pi-dns.com/dns-query --upstream https://westeu.pi-dns.com/dns-query
By using conventional DNS over port 53, even if you are visiting a site using HTTPS, your DNS query is sent over an unencrypted connection. That means that even if you are browsing https://pi-dns.com/, anyone listening to packets on the network knows you are attempting to visit pi-dns.com.
The second problem with unencrypted DNS is that it is easy for a Man-In-The-Middle to change DNS answers to route unsuspecting visitors to their phishing, malware or surveillance site. DNSSEC solves this problem as well by providing a mechanism to check the validity of a DNS answer, but only a single-digit percentage of domains use DNSSEC.
To make the internet safer and to increase the privacy for our users, pi-dns offers DNS resolution over an HTTPS endpoint. If you build a mobile application, browser, operating system, IoT device or router, you can choose for your users to use the DNS over HTTPS endpoint instead of sending DNS queries over plaintext for increased security and privacy of your users.