Pi-hole and NextDNS

• Pi-hole is a DNS sinkhole that can block ads and trackers for all devices on your network.
• Stubby is a local DNS Privacy stub resolver, which forwards requests using DNS-over-TLS.
• NextDNS is a privacy-oriented and feature-rich DNS resolver, which supports DNS-over-TLS.

With this setup, a DNS query traverses: Client ➤ Pi-hole ➤ Stubby ➤ NextDNS / authoritative name server

➤ Install Pi-hole (if not already):

curl -sSL https://install.pi-hole.net | bash

Follow the installation script, and confirm it works.

For local testing, you may want to install and use dig:

sudo apt install dnsutils
dig apple.com

At the end of the output, note: ;; SERVER: 192.168.178.2#53(192.168.178.2) - this is pi-hole responding on port 53 👍

➤ Install Stubby:

sudo apt install stubby

Edit the config file: sudo nano /etc/stubby/stubby.yml

Change the listen_addresses section to:

listen_addresses:
     
- address_data: 127.0.0.1
  port: 5353
- address_data: 0::1
  port: 5353

Change round_robin_upstreams: 1 to round_robin_upstreams: 0, or comment out and add in servers section.

Add a new first entry to the upstream_recursive_servers section, matching your NextDNS account at: my.nextdns.io.
Find this in the NextDNS Setup Guide section, click the Linux tab. Scroll down to the Stubby section:

round_robin_upstreams: 0
upstream_recursive_servers:

- address_data: 45.90.28.0
  tls_auth_name: "pihole-XXXXXX.dns1.nextdns.io"
- address_data: 2a07:a8c0::0
  tls_auth_name: "pihole-XXXXXX.dns1.nextdns.io"
- address_data: 45.90.30.0
  tls_auth_name: "pihole-XXXXXX.dns2.nextdns.io"
- address_data: 2a07:a8c1::0
  tls_auth_name: "pihole-XXXXXX.dns2.nextdns.io"

pihole-XXXXXX is your NextDNS ID, prefixed with a device name (eg: pihole) to show in the NextDNS logs.

You may also want to comment out (with #) all the other upstream servers, or leave a second server as a backup.

round_robin_upstreams: 0 will use each upstream server sequentially until it becomes unavailable
round_robin_upstreams: 1 queries across all the configured upstream servers, spreading requests

When done, save and exit (Ctrl+O Ctrl+X), then restart stubby:

sudo systemctl restart stubby

If it fails to start, investigate why with: systemctl status stubby.service (or the stubby command).

- the reason is likely to be a syntax error in /etc/stubby/stubby.yml

When stubby starts without error, test it with a few examples:

dig apple.com @localhost -p 5353
dig apple.com @121.0.0.1 -p 5353
dig apple.com @::1 -p 5353

At the end of the output, note: ;; SERVER: 192.168.178.2#5353(192.168.178.2) or ;; SERVER: ::1#5353(::1) - this is stubby 👍

➤ Back to pihole. Either edit /etc/pihole/setupVars.conf to add the stubby server:

PIHOLE_DNS_1=127.0.0.1#5353
PIHOLE_DNS_2=::1#5353

Or open the pihole web page, and goto Settings ➤ DNS and add the stubby server:

You should now start to see entries with the device name (pihole) show in your NextDNS logs:

This NextDNS/Stubby configuration uses localhost#5353, we can also install Unbound on localhost#5335.

Note:

• If you use Pi-hole regularly, remember to DONATE to the project to help with its continued development.

---