this post was submitted on 24 Feb 2025
32 points (94.4% liked)

Selfhosted


Hello lemmings! I have recently started the process of setting up my own Pi-hole. I am a developer and pretty comfortable with Linux, but I am a bit of a newcomer when it comes to networking.

Now, during the process I noticed that the VPN I use (Mullvad) claims I have DNS leaks (this is a bit obvious, since I was no longer using the DNS they expected in the VPN tunnel). So after reading a bit in the Pi-hole guides I figured I'd set up a cloudflared service, but instead of using the Cloudflare dns-query endpoint I route it to Mullvad's own DNS.

Now this works fine and all: it's DoH and it queries Mullvad's own DNS, so Mullvad's own tool is happy with the DNS settings I have.

However, I also read about unbound in the Pi-hole guides. I was curious whether this is preferable to cloudflared? Since I am running through Mullvad's own DNS I don't think there should be any issues. However, locally hosting your own recursive DNS server also sounds good.

What is your opinion? Is it overkill? Is what I have now enough, or should I try to set up unbound as well?

Happy with just a discussion around this to learn more, just curious whether I should continue cooking on what I have now or if I should just focus on getting the entire network set up to use this.

top 8 comments
[email protected] 4 points 1 month ago

I prefer cloudflared myself.

Unbound requests its answers from the authoritative servers for each domain, but it does so using regular DNS queries, so it's susceptible to monitoring and modification like any other DNS request. It also adds latency by spreading that request across several servers instead of a single trusted provider.

That doesn't really seem beneficial to me. I'd rather use DoH.

[email protected] 1 points 1 month ago

Unbound supports DoH if compiled with the support and given TLS certificates. I don't use it internally on my home network because I have a pihole that I want to capture the traffic. I do use DNS over TLS for upstream communication, though.

[email protected] 1 points 1 month ago

DoH on the LAN between devices is completely pointless; I'm talking about DoH between the LAN and external DNS, which unbound does NOT do.

[email protected] 1 points 1 month ago (last edited 1 month ago)

DNS over TLS handles that. No need for DoH really. Unless DNS ports are blocked or captured by NAT or something and you need to use port 443 with DoH. At least not with a DNS server.

DoH is useful for individual applications to do their own DNS lookups bypassing the OS or network level DNS. Otherwise DoH and DoT provide the same basic protection. DoT is just at a lower network layer and thus more easily applies more broadly across the network or OS rather than being application or resolver specific. There's never been a real need for a DNS server to use DoH instead of DoT unless DoT is blocked upstream.

[email protected] 4 points 1 month ago

I think what you have is fine, and wouldn't worry about it too much.

That said, I run unbound with Pi-hole, directing the DNS queries through a WireGuard tunnel. It's a bit slower, but I do like having my own recursive DNS, especially with news that more and more services are implementing DNS-level blocking.

[email protected] 3 points 1 month ago

However, I also read about unbound in the Pi-Hole guides. I was curious if this was to prefer over cloudflared?

Many people advocate for Cloudflared as a tunneling solution, but it’s not a one-size-fits-all tool. Personally, I avoid it. Your VPS already functions as a firewall for your connection. Using Tailscale is also self-hosted and avoids reliance on third-party services like Cloudflare while maintaining security and the same functionality.

For DNS privacy, I prefer odoh-proxy, which enables your VPS to act as an oDoH (Oblivious DNS over HTTPS) proxy for the Cloudflare network. While oDoH introduces a slight latency increase, it significantly enhances privacy by decoupling query origins from content, making it a more secure option for DNS resolution. So you would be able to set your DoH resolver to your domain (https://dns.whatever.com/dns-query) and it would forward the request to Cloudflare for resolution, and then back again.

As for Pi-Hole, its utility has diminished with the modern alternatives like serverless-dns. It allows you to deploy RethinkDNS resolver servers on free platforms, handling 99% of security concerns out-of-the-box. The trade-off is a loss of full custody over your DNS infrastructure, which may matter to some users but is less critical for general use cases.

Lastly, using consumer VPNs like Mullvad to proxy connections often introduces unnecessary complexity without meaningful security gains. While VPNs have their place, they can really overcomplicate setups like this and rarely provide substantial privacy benefits for services like DNS.

[email protected] 0 points 1 month ago

Many people advocate for Cloudflared as a tunneling solution, but it’s not a one-size-fits-all tool. Personally, I avoid it. Your VPS already functions as a firewall for your connection. Using Tailscale is also self-host and avoids reliance on third-party services like Cloudflare while maintaining security and the same functionality.

OP's not using cloudflared's tunneling or services at all; in this application, it's purely a local tool for translating regular DNS to DoH using the chosen DoH provider, Mullvad in this case.
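The reply above, and the DoT-versus-DoH exchange earlier in the thread, both come down to one fact: the DNS message Pi-hole hands to its forwarder is the same bytes whether it leaves the LAN as plain UDP, inside a TLS session on port 853 (DoT, RFC 7858), or inside an HTTPS request (DoH, RFC 8484); only the wrapping differs, and that wrapping is what an on-path observer can or cannot read. The following is an added example, not code from the thread, Pi-hole, cloudflared or unbound, that builds the wire-format query, shows the DoT length framing and the DoH GET/POST encodings of it, and parses a hand-constructed resolver reply. The upstream URL and the answer IP are placeholders; nothing touches the network.

```python
"""Added example: one DNS query, three transports (plain UDP, DoT, DoH).

Assumptions: `https://dns.example/dns-query` is a placeholder upstream,
192.0.2.1 is a documentation address, and the resolver reply is constructed
by hand below rather than captured. Stdlib only; runs offline.
"""
import base64
import struct


def encode_name(name: str) -> bytes:
    """RFC 1035 label encoding: 'example.com.' -> b'\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Standard query, RD=1, one question, class IN. txid 0 is what RFC 8484
    recommends for DoH GET so identical queries stay cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


# --- transports: same message, different envelope -------------------------

def frame_for_dot(msg: bytes) -> bytes:
    """RFC 7858: 2-byte big-endian length prefix, then the message, written
    into a TLS stream to port 853. TLS, not the prefix, hides the content."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, upstream: str) -> str:
    """RFC 8484 GET: base64url, padding stripped, in the ?dns= parameter."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{upstream}?dns={b64}"


def doh_post(msg: bytes):
    """RFC 8484 POST: raw message body with the dns-message media type.
    Returns (headers, body) for whatever HTTPS client sends it."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return headers, msg


# --- the reply, and how to read it ----------------------------------------

def build_a_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed resolver reply: echo the question, add one A record whose
    owner name is a compression pointer to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


def _read_name(msg: bytes, off: int):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def parse_answers(msg: bytes):
    """Return (txid, rcode, [(name, type, ttl, value), ...]) from a reply.
    The same parser serves all three transports once the envelope is off."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return txid, flags & 0x000F, answers


if __name__ == "__main__":
    q = build_query("example.com.")
    print("plain UDP payload (name readable on the wire):", q.hex())
    print("DoT framed:", frame_for_dot(q).hex())
    print("DoH GET:", doh_get_url(q, "https://dns.example/dns-query"))
    print("parsed reply:", parse_answers(build_a_response(q, "192.0.2.1")))
```

Reading the `plain UDP payload` line, the query name sits in clear text at offset 12, which is exactly what the earlier comment about unbound's iterative queries being "susceptible to monitoring" refers to; the DoT and DoH variants carry the identical bytes, so the privacy gain comes entirely from the TLS session around them, not from any change to DNS itself.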

[email protected] 1 points 1 month ago

I'd recommend pihole->dnscrypt->Mullvad's DNS server.