You need a Raspberry Pi with either rasbian or ubuntu installed. We recommend installing ubuntu (64bit if you have Raspberry Pi 3 B+ or newer): https://ubuntu.com/download/raspberry-pi

Open up a terminal window and run the following command to install it.

sudo apt install stubby

The main configuration file is /etc/stubby/stubby.yml. You can open the file with:

sudo nano /etc/stubby/stubby.yml

The following line makes stubby run as a stub resolver instead of a full recursive resolver, which is why it’s named stubby.

resolution_type: GETDNS_RESOLUTION_STUB

The following configuration make stubby send DNS queries encrypted with TLS. It will not send quries in plain text.

dns_transport_list:
- GETDNS_TRANSPORT_TLS

This following line requires a valid TLS certificate on the remote recursive resolver.

tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

The following lines set the listen addresses for the stubby daemon. By default, IPv4 and IPv6 are both enabled.

listen_addresses:
- 127.0.0.1
- 0::1

Standard port is 53, but we’re going to change this to 5053. Edit the listen addresses so it looks like this:

listen_addresses:
- 127.0.0.1@5053
- 0::1@5053

The following line make stubby query recursive resolvers in a round-robin fashion. If set to 0, Stubby will use each upstream server sequentially until it becomes unavailable and then move on to use the next.

round_robin_upstreams: 1

By default there are 3 recursive resolvers enabled in stubby configuration file. They are run by stubby developers and support DNS over TLS. You can choose to leave them enabled or disable them by putting an # in front.

Scroll down to the upstream_recursive_servers: section and add the following text above other DNS servers.

# CloudFlare servers
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"

Then find the following line:

round_robin_upstreams: 1

Change 1 to 0. This will make stubby always use CloudFlare DNS server. If CloudFlare is not available, stubby will use other DNS servers. Save the file and restart stubby for the changes to take effect.

sudo systemctl restart stubby

Now that stubby is set up we can start installing pi-hole. So type in this:

curl -sSL https://install.pi-hole.net | bash

When the installation is done open a browser window and type in your raspberry pi’s IP-address (example: 192.168.1.200/admin) to log into your pi-hole admin page. Then go to settings and click on DNS and change everything as done in the picture below.

Screenshot of Pi-hole configuration

Remember to click save at the bottom of the page afterwards.

Good, your pi-hole is now using DNS over TLS.

Whitelisting

Now we should whitelist a couple of pages so that some everyday websites will function as normal.

First off you should take a look at pihole’s own list over commonly whitelisted domains and either add all or those you need: https://discourse.pi-hole.net/t/commonly-whitelisted-domains/212

If you’re lazy and don’t want to check out Pihole’s own list and copy and paste many times over, we’ve compiled one list of the most important domains here which will fix issues with the following services: Google (Maps, Youtube, etc), Microsoft (Windows, Office, Skype, etc), Spotify, Facebook, Plex, Sonarr, Dropbox, Apple (ID, Music, etc), NVIDIA GeForce Experience, Android/iOS updates, Grand Theft Auto V Online, Epic Games Store, Mozilla Firefox Tracking Protection, Twitch

pihole -w clients4.google.com clients2.google.com s.youtube.com video-stats.l.google.com android.clients.google.com reminders-pa.googleapis.com firestore.googleapis.com googleapis.l.google.com dl.google.com www.msftncsi.com outlook.office365.com products.office.com c.s-microsoft.com i.s-microsoft.com login.live.com login.microsoftonline.com g.live.com dl.delivery.mp.microsoft.com geo-prod.do.dsp.mp.microsoft.com displaycatalog.mp.microsoft.com sls.update.microsoft.com.akadns.net fe3.delivery.dsp.mp.microsoft.com.nsatc.net clientconfig.passport.net v10.events.data.microsoft.com v20.events.data.microsoft.com client-s.gateway.messenger.live.com xbox.ipv6.microsoft.com device.auth.xboxlive.com www.msftncsi.com title.mgt.xboxlive.com xsts.auth.xboxlive.com title.auth.xboxlive.com ctldl.windowsupdate.com attestation.xboxlive.com xboxexperiencesprod.experimentation.xboxlive.com xflight.xboxlive.com cert.mgt.xboxlive.com xkms.xboxlive.com def-vef.xboxlive.com notify.xboxlive.com help.ui.xboxlive.com licensing.xboxlive.com eds.xboxlive.com www.xboxlive.com v10.vortex-win.data.microsoft.com settings-win.data.microsoft.com s.gateway.messenger.live.com client-s.gateway.messenger.live.com ui.skype.com pricelist.skype.com apps.skype.com m.hotmail.com sa.symcb.com s{1..5}.symcb.com officeclient.microsoft.com spclient.wg.spotify.com apresolve.spotify.com upload.facebook.com creative.ak.fbcdn.net external-lhr0-1.xx.fbcdn.net external-lhr1-1.xx.fbcdn.net external-lhr10-1.xx.fbcdn.net external-lhr2-1.xx.fbcdn.net external-lhr3-1.xx.fbcdn.net external-lhr4-1.xx.fbcdn.net external-lhr5-1.xx.fbcdn.net external-lhr6-1.xx.fbcdn.net external-lhr7-1.xx.fbcdn.net external-lhr8-1.xx.fbcdn.net external-lhr9-1.xx.fbcdn.net fbcdn-creative-a.akamaihd.net scontent-lhr3-1.xx.fbcdn.net scontent.xx.fbcdn.net scontent.fgdl5-1.fna.fbcdn.net graph.facebook.com b-graph.facebook.com connect.facebook.com cdn.fbsbx.com api.facebook.com edge-mqtt.facebook.com mqtt.c10r.facebook.com portal.fb.com star.c10r.facebook.com star-mini.c10r.facebook.com b-api.facebook.com fb.me bigzipfiles.facebook.com l.facebook.com plex.tv tvdb2.plex.tv pubsub.plex.bz proxy.plex.bz proxy02.pop.ord.plex.bz cpms.spop10.ams.plex.bz meta-db-worker02.pop.ric.plex.bz meta.plex.bz tvthemes.plexapp.com.cdn.cloudflare.net tvthemes.plexapp.com 106c06cd218b007d-b1e8a1331f68446599e96a4b46a050f5.ams.plex.services meta.plex.tv cpms35.spop10.ams.plex.bz proxy.plex.tv metrics.plex.tv pubsub.plex.tv status.plex.tv www.plex.tv node.plexapp.com nine.plugins.plexapp.com staging.plex.tv app.plex.tv o1.email.plex.tv o2.sg0.plex.tv dashboard.plex.tv gravatar.com thetvdb.com themoviedb.com services.sonarr.tv skyhook.sonarr.tv download.sonarr.tv apt.sonarr.tv forums.sonarr.tv placehold.it placeholdit.imgix.net dl.dropboxusercontent.com ns1.dropbox.com ns2.dropbox.com itunes.apple.com s.mzstatic.com appleid.apple.com gfwsl.geforce.com dev.virtualearth.net ecn.dev.virtualearth.net t0.ssl.ak.dynamic.tiles.virtualearth.net t0.ssl.ak.tiles.virtualearth.net android.clients.google.com connectivitycheck.android.com android.clients.google.com clients3.google.com connectivitycheck.gstatic.com msftncsi.com www.msftncsi.com ipv6.msftncsi.com captive.apple.com gsp1.apple.com www.apple.com www.appleiphonecell.com prod.telemetry.ros.rockstargames.com tracking.epicgames.com tracking-protection.cdn.mozilla.net s.amazon-adsystem.com c.amazon-adsystem.com countess.twitch.tv pubsub-edge.twitch.tv cdn-gl.imrworldwide.com

We also recommend the whitelist from https://github.com/anudeepND/whitelist to be installed with automatic update. So continue with the following steps:

cd /opt/
sudo git clone https://github.com/anudeepND/whitelist.git

Make the script to run the script at 1AM on the last day of the week

sudo nano /etc/crontab

Add this line at the end of the file:
0 1 * * */7 root /opt/whitelist/scripts/whitelist.py

CTRL + X then Y and Enter

sudo python3 whitelist/scripts/whitelist.py

Adlists

For adlists we recommend that you add the DBL list from OISD (this list should be the only one you need as this is a collection many adlists from accross the Internet, all verified). Go into your Pi-hole admin page -> Group Management -> Adlists and add the DBL list url there.

Optional, you can also add some of the lists from Firebog’s ticked list, but keep in mind some of those links are already in the OISD list so it’s no point in adding them for a second time since they are already included in OISD list

Congratulations

That’s it. Now all you need to do to protect your network is to point your DNS in the LAN settings of your router towards the IP address of your pi-hole and your whole network will be free of ads and protected by DNS over TLS.

To check that it’s working visit this page: https://1.1.1.1/help/

And to test the DNSSEC Resolver you can do this on this page: https://dnssec.vs.uni-due.de/

Accessing pihole with HTTPS

If you have a domain and would like to access your pihole from outside your network with HTTPS, this is how you continue to set it up.

sudo apt install certbot
sudo certbot certonly --webroot -w /var/www/html -d your.domain.name

Enter your email address. Then hit A and press enter. And then hit N and press enter.

sudo cat /etc/letsencrypt/live/your.domain.name/privkey.pem \
/etc/letsencrypt/live/your.domain.name/cert.pem | \
sudo tee /etc/letsencrypt/live/your.domain.name/combined.pem

Next, ensure the lighttpd user www-data can read the required certificates:

sudo chown www-data -R /etc/letsencrypt/live

Now, place the following into /etc/lighttpd/external.conf (again, making sure to subsitute your.domain.name for your FQDN):

$HTTP["host"] == "your.domain.name" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/letsencrypt/live/your.domain.name/combined.pem"
    ssl.ca-file =  "/etc/letsencrypt/live/your.domain.name/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"       
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

Finally, be sure to run sudo service lighttpd restart after this change has been made.