Pi-Hole and Stubby

SYN Shop runs it's own instances of Pi-Hole and Stubby so that our DNS is both encrypted on the wire and ad free. They're largely set up like mrjones' blog post. Pi-Hole is a local DNS resolver that blacklist domains that serve ads. Stubby is a local DNS proxy that accepts unencupted DNS requests and relays them to an upstream resolver via DNS over TLS (DoT). We currently use Quad 9 for upstream DNS service as they don't log and IPs or queries.

All VMs are hosted on the c220 running LXD.

Stubby

16.04

For Ubuntu 16.04, follow mrjones' blog post link above for compiling from source.

18.04

For Ubuntu 18.04, just run apt-get install stubby. You'll have to comment out DynamicUser=true in /lib/systemd/system/stubby.service and then run systemctl daemon-reload

Shared

Both 16.04 and 18.04 have the same config after you've installed it per the steps above. Edit /etc/stubby/stubby.yml so that it's only listening on 127.1.1.1 (no IPv6) and is only relaying to Quad9. For synshop-unfiltered network/wifi, use 9.9.9.10. For synshop wifi, use 9.9.9.9.

Be sure to have it enabled and started:

systemctl enable stubby
systemctl start stubby

Pi-Hole

To set up the Pi-Hole, do the generic install via curl -sSL https://install.pi-hole.net | bash. On the Settings -> System page, flush logs and disable query logging. On Settings -> DNS page, set "Custom 1 (IPv4)" to 127.1.1.1 and Listen on all interfaces, permit all origins. On Settings -> Privacy, set it to Paranoia mode. This way no logs will be stored of any DNS lookups.

Keys	Action
`?`	Open this help
`n`	Next page
`p`	Previous page
`s`	Search