Back in 2017 I set up a single Public Pi-hole as an experiment. It gained way more traction than I imagined, so I decided to set up a dedicated website with some additional instances last year. However, all instances were lacking support for DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT), one of the most requested features I received via email.
Last month I finally got around to implementing DoH & DoT, but it came at a cost; I decided to migrate all instances from Pi-hole to AdGuard Home. Yes, that’s right, the Public Pi-holes are no longer powered by Pi-hole…
Don’t get me wrong; Pi-hole is a great project, but it’s geared towards personal use on an internal network, not towards setting up a public DNS resolver. The Pi-hole developers are very clear about this, as they highly discourage anyone from setting up a public DNS resolver because of the associated risks, such as DNS amplification attacks. Therefore Pi-hole lacks features such as DoH, DoT and rate limiting, as they should not be needed over LAN.
Strictly speaking, I could’ve made DoH & DoT work with Pi-hole, but it would’ve added another set of moving parts to each instance, making it even more complex than it already is. Remember that the Public Pi-hole project does not use any DNS upstream servers such as Cloudflare or Quad9. Instead I run unbound to directly query the DNS root servers, so essentially I’m running two DNS servers on each instance. On top of that, everything is running in Docker, so the additional packages that would add support for DoH & DoT would need to run in Docker as well, making it an overly complex stack in my opinion. Hence I decided to switch the backend of each instance to AdGuard Home, as it supports DoH, DoT and rate limiting out of the box.
So what does this mean?
Apart from the missing statistics page for each instance, which won’t be coming back anytime soon as AdGuard Home does not feature a public statistics page (yet), there isn’t much difference from an end-user perspective, except the added support for DoH & DoT of course… that’s where this all started after all.
Rest assured, the adblocking DNS resolvers aren’t going anywhere. I intend on keeping this project alive, albeit under a new project name… and that’s where you come in; I’m looking for ideas for a new, more fitting name. Submit your ideas for a new name in the comments, but please refrain from incorporating product names such as ‘Pi-hole’ or ‘AdGuard’ into it.
I’m looking forward to your submissions!
PS. Oh, and IPv6 support is coming soon as well!