Pi-Hole and Stubby

SYN Shop runs it's own instances of Pi-Hole and Stubby so that our DNS is both encrypted on the wire and ad free. They're largely set up like mrjones' blog post. Pi-Hole is a local DNS resolver that blacklist domains that serve ads. Stubby is a local DNS proxy that accepts unencupted DNS requests and relays them to an upstream resolver via DNS over TLS (DoT). We currently use Quad 9 for upstream DNS service as they don't log and IPs or queries.

All VMs are hosted on the c220 running LXD.



For Ubuntu 16.04, follow mrjones' blog post link above for compiling from source.


For Ubuntu 18.04, just run apt-get install stubby. You'll have to comment out DynamicUser=true in /lib/systemd/system/stubby.service and then run systemctl daemon-reload


Both 16.04 and 18.04 have the same config after you've installed it per the steps above. Edit /etc/stubby/stubby.yml so that it's only listening on (no IPv6) and is only relaying to Quad9. For synshop-unfiltered network/wifi, use For synshop wifi, use

Be sure to have it enabled and started:

systemctl enable stubby
systemctl start stubby 


To set up the Pi-Hole, do the generic install via curl -sSL https://install.pi-hole.net | bash. On the Settings -> System page, flush logs and disable query logging. On Settings -> DNS page, set "Custom 1 (IPv4)" to and Listen on all interfaces, permit all origins. On Settings -> Privacy, set it to Paranoia mode. This way no logs will be stored of any DNS lookups.