Does my ISP see my DNS requests if I self-host a Pi-hole?

Hi. I'm not that well versed in networking. Does my ISP see my DNS requests on my self-hosted Pi-hole, given that the RPi is somewhere within my house and connected to my Wi-Fi? If so, how can I prevent that? For context, I have a Mullvad subscription through Tailscale, but I would like to have the fine-tuned DNS offered by Pi-hole.

Pi-hole handles your internal DNS to do its filtering, and you need an external DNS for actually resolving DNS; in this case you should probably use Mullvad's.


Will the DNS requests from the Pi-hole to Mullvad be seen?

Mullvad can see it, to the extent of their logging and other mitigations for their user anonymity/privacy.

Do check how their logging works.

Since they are recommended, I think they log just enough for DNS to actually work and don’t keep logs for an unreasonable amount of time.

Right, Mullvad will be seeing it because, by nature of sending DNS requests to them, they will be receiving it, but no third parties (e.g. my ISP) will be snooping on the DNS requests sent by the Pi-hole to Mullvad to be resolved, right?

For that I think you need to check if they use DNS over TLS vs DNS over HTTPS.

Your ISP can see what you want to resolve in one of the above. But I can't recall which one.

You can also check for DNS leaks via ipleak.net.


With plain DNS as your upstream in Pi-hole, your ISP could look at the queries if they wanted. The solution is to use DoH/DoT, or to have a VPN to Mullvad on the device that's hosting your Pi-hole.

Mullvad does not offer plain DNS anymore, which is good news:


Just to add to this, Pi-hole provides configuration steps on how to do this in their documentation.

EDIT: I did make a post about DoT and DoH a while ago. I found the users' answers in the thread pretty helpful and informative, so I thought I would add it as a reference if @astranon decides to try and configure this.


I’m sorry you haven’t gotten a very straightforward answer so far.

Typical DNS requests are performed over port 53 and are unencrypted; therefore you should use DoH/DoT, which use ports 443 and 853 respectively and encrypt all DNS queries. You can think of this as the difference between connecting to a website using HTTP vs HTTPS. You will want to use an encrypted connection to prevent your ISP or other third parties from snooping on your DNS queries. Mullvad is my recommendation for the DNS resolver since they keep no logs.

The simplest way to achieve what you want is to use AdGuard Home, which has native support for DoH/DoT, unlike Pi-hole.

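As an added check (example code written for this thread, not from Pi-hole or any poster), a small Python audit of the upstream entries in a Pi-hole v5 setupVars.conf that flags upstreams whose queries will leave the LAN as plain port-53 DNS; the file layout and the sample entries are assumptions.

```python
"""Audit Pi-hole upstream entries for plaintext DNS leaving the LAN.

Assumes the Pi-hole v5 setupVars.conf layout, PIHOLE_DNS_<n>=<ip>[#<port>]
(an assumption, not taken from the thread). A loopback/private upstream is a
local stub such as cloudflared on 127.0.0.1#5053, whose own DoH/DoT upstream
is what actually protects the query, so only public addresses are flagged.
"""
import ipaddress
import re

# Constructed sample config: two public resolvers on port 53, one local stub.
SAMPLE_SETUPVARS = """\
PIHOLE_INTERFACE=eth0
PIHOLE_DNS_1=1.1.1.1
PIHOLE_DNS_2=2606:4700:4700::1111#53
PIHOLE_DNS_3=127.0.0.1#5053
DNSMASQ_LISTENING=local
"""

ENTRY_RE = re.compile(r"^PIHOLE_DNS_\d+=(?P<addr>[^#\s]+)(?:#(?P<port>\d+))?$")


def parse_upstreams(text):
    """Return (address, port) pairs; port defaults to 53 as dnsmasq does."""
    found = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            found.append((m.group("addr"), int(m.group("port") or 53)))
    return found


def classify(addr, port):
    """Say what an on-path observer (the ISP) sees for one upstream."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparsed"  # hostnames are not valid here; flag for manual review
    if ip.is_loopback or ip.is_private:
        return "local-forwarder"  # encrypted only if that stub is set up for DoH/DoT
    if port == 53:
        return "plaintext"  # classic UDP/TCP 53, readable by the ISP
    return "plaintext-other-port"  # Pi-hole itself cannot speak DoH/DoT, so still plain


def audit(text):
    """Map each upstream 'addr#port' to its classification."""
    return {f"{a}#{p}": classify(a, p) for a, p in parse_upstreams(text)}


if __name__ == "__main__":
    for upstream, verdict in audit(SAMPLE_SETUPVARS).items():
        print(f"{upstream:32} {verdict}")
```

Any upstream reported as "plaintext" is what the earlier replies warn about; fixing it means pointing Pi-hole at a local DoH/DoT stub or routing the host through the Mullvad VPN.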