DNS over HTTPS (DoH)

All our DNS servers support encrypted DNS over HTTPS!

By using our DNS servers with DNS over HTTPS, you will both block (malicious) ads and increase your privacy online!

With conventional DNS over port 53, your DNS query is sent over an unencrypted connection even when the site you are visiting uses HTTPS. That means that even if you are browsing https://pi-dns.com/, anyone listening to packets on the network knows you are attempting to visit pi-dns.com.

The second problem with unencrypted DNS is that it is easy for a man-in-the-middle to change DNS answers and route unsuspecting visitors to a phishing, malware or surveillance site. DNSSEC addresses this problem by providing a mechanism to check the validity of a DNS answer, but only a single-digit percentage of domains use DNSSEC.

To make the internet safer and to increase the privacy of our users, pi-dns offers DNS resolution over an HTTPS endpoint. If you build a mobile application, browser, operating system, IoT device or router, you can have it use the DNS over HTTPS endpoint instead of sending DNS queries in plaintext, for increased security and privacy of your users.

DoH Endpoints

Each DNS server has an API endpoint at https://doh.$location.pi-dns.com/dns-query that accepts DNS wire format queries. All DoH endpoints are listed below.

https://doh.northeu.pi-dns.com/dns-query
https://doh.westeu.pi-dns.com/dns-query
https://doh.westus.pi-dns.com/dns-query
https://doh.eastus.pi-dns.com/dns-query

Each endpoint also supports JSON format, although we only recommend using JSON for debugging purposes.
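Since the endpoints take DNS wire format, it helps to see what a client actually puts on the wire. The following Python example is added here and is not pi-dns code: it builds a wire-format A query for pi-dns.com, shows the two request shapes a DoH client uses (a GET with the query base64url-encoded in the dns parameter, or a POST with Content-Type application/dns-message, both per RFC 8484), and decodes a wire-format answer. The response bytes it decodes are constructed inline so the example runs offline; the 192.0.2.10 address in them is a documentation address, not a real answer from pi-dns. The live_query() helper at the end is the only part that needs network access and the hosts-file mapping the page describes.

```python
import base64
import struct
import urllib.request

DOH_ENDPOINT = "https://doh.northeu.pi-dns.com/dns-query"  # one of the endpoints listed on the page


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels (length byte + label, terminated by 0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query: 12-byte header (ID 0 as RFC 8484 recommends, RD set) + one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def get_url(endpoint: str, query: bytes) -> str:
    """DoH GET form: ?dns=<base64url of the query, padding removed>."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def read_name(msg: bytes, off: int):
    """Read a possibly compressed name at off; return (name, offset after the name)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes) -> dict:
    """Decode header, question section and A records from the answer section."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"id": ident, "rcode": flags & 0xF, "questions": questions, "answers": answers}


# Constructed sample answer (not captured from pi-dns): flags QR+RD+RA, NOERROR,
# the echoed question, and one A record using a name-compression pointer to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("pi-dns.com") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)


def live_query(name: str, endpoint: str = DOH_ENDPOINT) -> dict:
    """POST form of DoH; requires network and the hosts-file mapping described on this page."""
    req = urllib.request.Request(
        endpoint, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message", "Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_response(resp.read())


if __name__ == "__main__":
    q = build_query("pi-dns.com")
    print("GET URL:", get_url(DOH_ENDPOINT, q))
    print("decoded sample:", parse_response(SAMPLE_RESPONSE))
```

The compression-pointer handling in read_name matters for real answers, which almost always refer back to the question name rather than repeating it; a decoder that ignores pointers will mis-parse every record after the first.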

Example requests using human readable JSON

Setup

Using DNS over HTTPS requires a DoH client on your side. Since the TLS certificates on our servers are only valid for a fully qualified domain name (FQDN), you must also configure /etc/hosts (or the hosts file on Windows) to map the FQDNs of our servers to their respective IP addresses.

On the machine on which you plan to set up a DoH client, edit /etc/hosts or the Windows hosts file to look something like the examples below:

/etc/hosts example file

127.0.0.1       localhost
::1             localhost

31.220.42.65 doh.westeu.pi-dns.com
95.216.181.228 doh.northeu.pi-dns.com
45.67.219.208 doh.westus.pi-dns.com
185.213.26.187 doh.eastus.pi-dns.com

Windows hosts file example

The hosts file is located at: C:\Windows\System32\drivers\etc

31.220.42.65 doh.westeu.pi-dns.com
95.216.181.228 doh.northeu.pi-dns.com
45.67.219.208 doh.westus.pi-dns.com
185.213.26.187 doh.eastus.pi-dns.com

Setup DoH Client

One DoH client that I use on my local Raspberry Pi is Cloudflare's cloudflared. One alternative is to run a Pi-hole instance on your local network and point it at Cloudflare's DoH client. The setup is quite easy and can be found at: https://docs.pi-hole.net/guides/dns-over-https/.

After installing Cloudflare's DoH client you must configure it to use our DNS servers. This is easily done by editing the file /etc/default/cloudflared (on Linux). See the example below.

Edit /etc/default/cloudflared

If using the cloudflared DoH client, make sure to start it using our DNS servers. On Linux, you can easily do this by editing the file /etc/default/cloudflared as:

# Commandline args for cloudflared
CLOUDFLARED_OPTS=--port 5053 --upstream https://doh.northeu.pi-dns.com/dns-query --upstream https://doh.westeu.pi-dns.com/dns-query

Here you set your desired listening port with the --port option, and each pi-dns server is added with an --upstream option. We recommend that you use as many of our servers as possible. Select at least the two that are geographically closest to you and order them by distance when adding them to the file, with the closest server first.
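The two setup steps above depend on each other: every upstream FQDN in /etc/default/cloudflared must have a matching line in the hosts file, and each upstream must be one of the HTTPS /dns-query endpoints listed on this page. The following Python checker is an added example, not part of pi-dns or cloudflared; it parses both files and reports anything inconsistent before you restart the daemon. The file contents are constructed inline (taken from the examples on this page, plus one deliberately wrong upstream) so it runs offline; pass real file contents to check_setup() to use it on your machine.

```python
import shlex
from urllib.parse import urlparse

# The four DoH endpoints listed on this page.
KNOWN_ENDPOINTS = {
    "https://doh.northeu.pi-dns.com/dns-query",
    "https://doh.westeu.pi-dns.com/dns-query",
    "https://doh.westus.pi-dns.com/dns-query",
    "https://doh.eastus.pi-dns.com/dns-query",
}

# Constructed sample: the hosts-file example from this page.
HOSTS_OK = """\
127.0.0.1       localhost
::1             localhost

31.220.42.65 doh.westeu.pi-dns.com
95.216.181.228 doh.northeu.pi-dns.com
45.67.219.208 doh.westus.pi-dns.com
185.213.26.187 doh.eastus.pi-dns.com
"""

# Constructed sample: the /etc/default/cloudflared example from this page.
OPTS_OK = """\
# Commandline args for cloudflared
CLOUDFLARED_OPTS=--port 5053 --upstream https://doh.northeu.pi-dns.com/dns-query --upstream https://doh.westeu.pi-dns.com/dns-query
"""

# Constructed sample with a mistake: the second upstream lacks the doh. prefix,
# so it is neither a listed endpoint nor present in the hosts file.
OPTS_BAD = """\
CLOUDFLARED_OPTS=--port 5053 --upstream https://doh.northeu.pi-dns.com/dns-query --upstream https://northeu.pi-dns.com/dns-query
"""


def parse_hosts(text: str) -> dict:
    """Map each hostname in a hosts file to its first listed address; comments are ignored."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), address)
    return mapping


def parse_cloudflared_opts(text: str):
    """Return (port, [upstream URLs]) from the CLOUDFLARED_OPTS line of /etc/default/cloudflared."""
    port, upstreams = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("CLOUDFLARED_OPTS="):
            continue
        args = shlex.split(line[len("CLOUDFLARED_OPTS="):])
        i = 0
        while i < len(args):
            if args[i] == "--port" and i + 1 < len(args):
                port = int(args[i + 1])
                i += 2
            elif args[i] == "--upstream" and i + 1 < len(args):
                upstreams.append(args[i + 1])
                i += 2
            else:
                i += 1
    return port, upstreams


def check_setup(hosts_text: str, opts_text: str) -> list:
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    hosts = parse_hosts(hosts_text)
    port, upstreams = parse_cloudflared_opts(opts_text)
    if port is None:
        problems.append("no --port given in CLOUDFLARED_OPTS")
    if len(upstreams) < 2:
        problems.append("fewer than two upstreams configured; the page recommends at least the two closest")
    for url in upstreams:
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            problems.append(f"{url}: upstream is not https")
        if url not in KNOWN_ENDPOINTS:
            problems.append(f"{url}: not one of the listed pi-dns DoH endpoints")
        if host not in hosts:
            problems.append(f"{url}: host {host} has no entry in the hosts file")
    return problems


if __name__ == "__main__":
    for label, opts in (("good config", OPTS_OK), ("bad config", OPTS_BAD)):
        print(label, "->", check_setup(HOSTS_OK, opts) or "OK")
```

Running the checker before `systemctl restart cloudflared` catches the typo class that otherwise only shows up as a certificate error or an unresolvable upstream in the daemon's log.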

After installing cloudflared and editing the startup parameters in /etc/default/cloudflared, restart the daemon using

sudo systemctl restart cloudflared && sudo systemctl status cloudflared

The output should be something like

● cloudflared.service - cloudflared DNS over HTTPS proxy
   Loaded: loaded (/lib/systemd/system/cloudflared.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-09-28 22:22:52 BST; 99ms ago
 Main PID: 6400 (cloudflared)
    Tasks: 6 (limit: 4915)
   CGroup: /system.slice/cloudflared.service
           └─6400 /usr/local/bin/cloudflared proxy-dns --port 5053 --upstream https://northeu.pi-dns.com/dns-query --upstream https://westeu.pi-dns.com/dns-query

Questions? Help?

Do you have any questions? Is something not working as it should? Do you need help setting this up?

Contact us using our contact form here or even better, join our Telegram chat group here.

I’m always glad if I can help or if I get notified when something’s wrong!