Pi-Hole and Stubby
SYN Shop runs its own instances of Pi-Hole and Stubby so that our DNS is both encrypted on the wire and ad free. They're largely set up like mrjones' blog post. Pi-Hole is a local DNS resolver that blacklists domains that serve ads. Stubby is a local DNS proxy that accepts unencrypted DNS requests and relays them to an upstream resolver via DNS over TLS (DoT). We currently use Quad9 for upstream DNS service as they don't log any IPs or queries.
All VMs are hosted on the c220 running LXD.
For Ubuntu 16.04, follow mrjones' blog post link above for compiling from source.
For Ubuntu 18.04, just run apt-get install stubby. You'll have to comment out /lib/systemd/system/stubby.service and then run
Both 16.04 and 18.04 have the same config after you've installed it per the steps above. Edit /etc/stubby/stubby.yml so that it's only listening on 127.1.1.1 (no IPv6) and is only relaying to Quad9. For the synshop-unfiltered network/wifi, use 18.104.22.168. For the synshop wifi, use 22.214.171.124.
Be sure to have it enabled and started:
systemctl enable stubby
systemctl start stubby
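An added example of what the edited stubby.yml looks like once it listens only on 127.1.1.1 and relays only to Quad9 over DoT (this is illustrative, not the wiki's or SYN Shop's actual file). The Quad9 addresses 9.9.9.9 / 149.112.112.112 and the auth name dns.quad9.net are Quad9's published values; the remaining keys are stubby's standard options as shipped in its default config.

```yaml
# Example stubby.yml for this setup (added example, not the wiki's own file).
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS            # DoT only: no fallback to plain UDP/TCP 53
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED   # reject upstreams whose cert does not match tls_auth_name
tls_query_padding_blocksize: 128    # pad queries so sizes reveal less about the name being looked up
edns_client_subnet_private: 1       # never forward the client subnet upstream
round_robin_upstreams: 1
idle_timeout: 10000
listen_addresses:
  - 127.1.1.1                       # IPv4 loopback only; no ::1 entry, per this page
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
  - address_data: 149.112.112.112
    tls_auth_name: "dns.quad9.net"
```

After restarting stubby, a lookup such as dig @127.1.1.1 example.com should answer, and the only outbound DNS traffic from the host should be TCP 853 to the two Quad9 addresses.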
To set up the Pi-Hole, do the generic install via curl -sSL https://install.pi-hole.net | bash. On the Settings -> System page, flush logs and disable query logging. On the Settings -> DNS page, set "Custom 1 (IPv4)" to
Listen on all interfaces, permit all origins. On Settings -> Privacy, set it to Paranoia mode. This way no logs of any DNS lookups will be stored.