This is a simple project to create a local, privacy- and security-focused DNS resolver/sinkhole on a Raspberry Pi. It uses Pi-hole for ad blocking and local DNS (resolvable hostnames for LAN clients), Unbound as a recursive resolver with DNS-over-TLS (DoT) so that lookups do not go through the ISP's resolvers, and an Nginx reverse proxy in front of it all to provide a secure and maintainable web interface for inspecting and configuring Pi-hole.
TL;DR: a privacy-enhanced Pi-hole setup with DoT and a reverse proxy for secure access to the web interface, all wrapped up in Docker Compose with a bash script to configure and manage the stack.
The goal was to enhance my existing redundant Docker Pi-hole setup with an easier-to-manage deployment/maintenance config, use DoT, and stop relying on my ISP's DNS servers. For extra (unnecessary) security, I also wanted a reverse proxy so that the Pi-hole web interface is reached over TLS and both Pi-hole and Unbound are accessible through a single port.
This stack is designed as a semi-automated deployment of the same configuration across multiple servers, allowing easy redundancy and failover. The aim was to be able to stand up a new Pi-hole server by changing only the environment variables and then running a script that manages the certificates and creates/manages a daemon for the whole stack so that it comes back after a reboot. This is made possible by a bash script that builds and configures the stack and a .env file that stores the configuration.
- Pi-hole: ad blocking and local DNS (image `pihole/pihole`)
- Unbound: DoT and a secure recursive resolver (image `mvance/unbound`)
- Nginx: reverse proxy in front of Pi-hole and Unbound (image `nginx`)
- Docker: packages it all together in a portable and reproducible way
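To make the reverse-proxy role concrete, here is one way Nginx can sit in front of both services. This is an added example, not the project's own nginx configuration: it assumes the Compose service names `pihole` (web UI on port 80, DNS on port 53) and `unbound` (DNS on port 53), certificate files under `/etc/nginx/certs/` (wherever `setup.sh` places them), the hostname `pihole.lan`, and the standard ports 853 for DoT and 443 for HTTPS rather than the single-port arrangement the README describes.

```nginx
# Added example (not the project's nginx.conf). Assumed service names: pihole, unbound.
# Assumed cert paths: /etc/nginx/certs/fullchain.pem and privkey.pem.

events {}

# Layer-4 proxy: terminate DNS-over-TLS on 853 and hand the inner DNS-over-TCP
# stream to the resolver. DoT carries the same length-prefixed TCP framing as
# plain DNS-over-TCP, so no protocol translation is needed here.
stream {
    upstream dot_backend {
        # Pointing at pihole:53 keeps DoT clients behind the blocklists;
        # use unbound:53 instead to bypass Pi-hole and hit the recursor directly.
        server pihole:53;
    }

    server {
        listen 853 ssl;
        ssl_certificate     /etc/nginx/certs/fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;
        proxy_pass          dot_backend;
    }
}

http {
    # Never serve the admin UI over plain HTTP: redirect so the login never travels in clear.
    server {
        listen 80;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name pihole.lan;   # assumed; use the name your local DNS hands out

        ssl_certificate     /etc/nginx/certs/fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # HSTS so browsers on the LAN refuse to downgrade on later visits.
        add_header Strict-Transport-Security "max-age=31536000" always;

        location / {
            proxy_pass         http://pihole:80;
            proxy_set_header   Host              $host;
            proxy_set_header   X-Real-IP         $remote_addr;
            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto https;
        }
    }
}
```

Two things to check after bringing this up: `openssl s_client -connect <pi-ip>:853` should show the certificate `setup.sh` installed, and `kdig @<pi-ip> +tls example.com` should answer over TLS. Note that ordinary LAN clients still talk to Pi-hole on UDP/TCP 53 directly; the 853 listener only serves clients configured for DoT, and whether those clients are filtered depends on which backend the `stream` block points at.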
- Raspberry Pi or similar ARM device
- Docker and Docker Compose
```sh
git clone https://github.com/neilanthunblom/PUNGuardDNS
cd PUNGuardDNS
cp sample.env .env
vim .env            # fill in your values
chmod +x ./bin/setup.sh
./bin/setup.sh
```
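Since the whole point of the workflow above is that a new server differs only by its `.env`, it is worth sanity-checking that file before `setup.sh` runs. The script below is an added example, not part of PUNGuardDNS: it parses `.env` without `source`-ing it (so a stray command in the file is never executed), requires a set of keys, checks that the LAN address is a valid IPv4 address, and refuses a placeholder or short web password. The variable names `PIHOLE_HOSTNAME`, `PIHOLE_LAN_IP`, `TZ` and `WEBPASSWORD` are assumptions; adapt `REQUIRED_VARS` to the keys actually present in `sample.env`.

```sh
#!/bin/sh
# Added example (not part of PUNGuardDNS): pre-flight check of a .env file.
# Variable names are assumptions; edit REQUIRED_VARS to match sample.env.

REQUIRED_VARS="PIHOLE_HOSTNAME PIHOLE_LAN_IP TZ WEBPASSWORD"

# get_env_value FILE KEY -> prints the value of the last KEY=VALUE line in FILE.
# Comments are skipped, a trailing CR is dropped, and surrounding quotes are removed.
# The file is parsed by awk, never sourced, so its contents cannot run as shell.
get_env_value() {
    awk -v k="$2" -v q="'" -F= '
        /^[[:space:]]*#/ || !/=/ { next }
        {
            key = $1
            sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
        }
        key == k {
            v = substr($0, index($0, "=") + 1)
            sub(/\r$/, "", v)
            if (v ~ /^".*"$/ || (substr(v, 1, 1) == q && substr(v, length(v), 1) == q))
                v = substr(v, 2, length(v) - 2)
            last = v
        }
        END { print last }' "$1"
}

# is_ipv4 ADDR -> returns 0 if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# validate_env FILE -> prints one problem per line; returns non-zero if any were found
validate_env() {
    file=$1
    problems=0
    [ -f "$file" ] || { echo "missing: $file"; return 1; }

    for key in $REQUIRED_VARS; do
        value=$(get_env_value "$file" "$key")
        if [ -z "$value" ]; then
            echo "unset: $key"
            problems=$((problems + 1))
        fi
    done

    ip=$(get_env_value "$file" PIHOLE_LAN_IP)
    if [ -n "$ip" ] && ! is_ipv4 "$ip"; then
        echo "not an IPv4 address: PIHOLE_LAN_IP=$ip"
        problems=$((problems + 1))
    fi

    # Reject the sample placeholder and anything too short to be a real admin password.
    pw=$(get_env_value "$file" WEBPASSWORD)
    if [ -n "$pw" ] && { [ "$pw" = "changeme" ] || [ ${#pw} -lt 12 ]; }; then
        echo "weak WEBPASSWORD (placeholder or shorter than 12 characters)"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Usage: ./check_env.sh .env   (exit status is non-zero when the file fails a check)
if [ $# -gt 0 ]; then
    validate_env "$1"
fi
```

Run it as `./check_env.sh .env && ./bin/setup.sh` so a bad configuration stops the deployment before any certificates or services are created.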