Before I start, my school knows about this method (as I literally told them) and allowed me to use it as long as I don’t abuse it and use it for good purposes, such as accessing useful applications that haven’t been allowed by the Jamf manager yet. They monitor my activity anyway so there’s no reason to risk it and do other stuff.
Lately, I’ve been using Pi-Hole on my old, rooted Android phone to bypass the timed app+websites restrictions on my MDMd, personal iPad, by blocking both Apple and Jamf domains (at the cost of temporarily losing the App Store and similar).
By blocking the domains before the configuration starts, I can use my iPad in unlocked mode during lessons (again, not for playing games) - All this by carrying my old phone to school, connecting it to the school-wide network for teachers, and setting the DNS on my iPad while being on the same network. Recently, however, the password for this network has been changed, therefore I’m stuck with all the class-specific networks.
What I’d like to do is to make the Pi-Hole accessible from my home, kinda like you would do with the VPN method, so that I could put the DNS in all the class-specific networks and never lose connection to it - Manually switching the network on both devices to stay connected couldn’t be a thing because of the IP address changing (unless I can put the same one as static on all networks) and not always being able to use my phones during lessons. At the same time, however, opening port 53 on the router isn’t a good idea as it could lead to security issues, so I have no idea what to do… maybe set up a server with a third party service (Wifi speed isn’t an issue, it’s already really slow and I could just use my hotspot if needed)? Please note that I can’t use VPNs at all as the config profile doesn’t allow them, so I can’t even add one.
Thanks for reading and hopefully you guys will have some ideas!
If you want 0 additional software on clients’ devices, your only option for secure DNS over the network is DoH.
- Opening port 53 is a (very) bad idea
- Unless you only serve whitelisted IPs, but then you’ll need to maintain that yourself
- Using DoT is not viable as you can’t do access control. Basically the same reason as open port 53
- VPNs need additional software
So the problem now becomes “How to offer pihole over DoH”.
Simple, just use dnscrypt proxy to have a DoH inbound and a pihole outbound connection. In dnscrypt proxy terms, it would be listening on a HTTPS endpoint and have a Pi-hole upstream.
This wouldn’t be secure, however. Anyone can use it. So to solve this issue, you can make it only serve on a custom path. For example, only serve on example.com/dns/90d1d241-4a05-4a75-b30d-2eb05d9abecf (just a random UUID). All other paths return a 404. That way, only people who know the path can access it.
However, doing custom path DoH breaks compatibility with default Android implementations. You can still use Chrome tho. You can also use something like Intra on Android. Also, all clients using DoH will be reported as the same client. I don’t have compatibility information on iOS.
Another method is port knocking, but I don’t think you can do that w/o additional servers.
Something I saw on another post seems like the answer to me but it is less complicated than they made it seem.
Open port 53 to the internet with a whitelist of your school’s IP. It would be best to do this in the firewall for your home if possible, but it could be done on the DNS server as well.
A lot of school systems have giant static blocks but use only a small amount of them. It would be pretty easy to get this right and have it work for the remainder of your time in school. IT doesn’t usually change things until things are broken.
Good luck!
At the same time, however, opening port 53 on the router isn’t a good idea as it could lead to security issues
Correct. You’ll need a protocol with authentication. Possibly DoT as that’s a capability of TLS, but my knowledge is limited.
[EDIT] Apparently it will require DoH. According to other redditors. DoT has no auth? TIL.
Please note that I can’t use VPNs at all as the config profile doesn’t allow them, so I can’t even add one.
I’m not sure I understand that part but I’ll trust you that VPN is not possible. No tunnel means “raw DNS” is not a good idea.
In your use case however, it seems that you’ll need the whole Android OS to be using Pi-hole. I think the only options left are using DoH (no custom path), DoT or port 53. In any case, you’ll still have to maintain a whitelist.
You can do custom path DoH when you can; if not, maintain a whitelist. It is way easier if your school has a static IP (which my school did). But if you already have the network admin’s permission, ask him/her to make a DDNS to keep track of the school’s IP. Then you only need to do a dig +short to get the school’s public IP, and just whitelist that single IP only.
Use a firewall to only allow queries from certain IPs. If you are using DoH anyway, you can use a reverse proxy in front, and filter queries using that. Plus, if you use a wildcard cert, it is possible to make the attacker’s job way harder at guessing the subdomain. If you proxy it via Cloudflare, you can add an extra layer of protection and deny any IPs from accessing other than your own country.
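The two halves of the setup discussed in the replies above (serving DoH only on a secret path, and gating the endpoint behind a source-IP allowlist at the reverse proxy) worked through as an added example. This is not code from the thread or from dnscrypt-proxy, Pi-hole or Caddy; the client side builds the RFC 8484 GET form of a query, and `gate()` is the decision a reverse proxy would make before forwarding to the DoH listener. The allowlisted network (TEST-NET-3), the example hostname and the secret path reused from the thread are assumptions.

```python
"""Added example, not part of the original thread: a DoH "secret path" client
encoder plus the access decision a reverse proxy would enforce in front of it.
All addresses, hostnames and the secret path are assumed values."""
from __future__ import annotations

import base64
import hmac
import ipaddress
import struct

# Secret path from the thread (a random UUID); assumed to be what the proxy expects.
SECRET_PATH = "/dns/90d1d241-4a05-4a75-b30d-2eb05d9abecf"
# Assumed school block; 203.0.113.0/24 is documentation space (TEST-NET-3).
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal RFC 1035 wire-format query: QR=0, RD=1, one question, class IN.
    RFC 8484 suggests ID 0 for DoH so identical queries encode to the same URL."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def decode_question(wire: bytes) -> tuple[str, int]:
    """Read the question name and type back out of a wire-format query
    (what the Pi-hole upstream ends up seeing after the proxy)."""
    pos, labels = 12, []
    while True:
        n = wire[pos]
        pos += 1
        if n == 0:
            break
        labels.append(wire[pos:pos + n].decode("ascii"))
        pos += n
    (qtype,) = struct.unpack("!H", wire[pos:pos + 2])
    return ".".join(labels), qtype


def doh_get_url(base_url: str, name: str) -> str:
    """RFC 8484 GET form: the wire query goes in ?dns= as base64url, no padding."""
    wire = build_dns_query(name)
    enc = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={enc}"


def gate(client_ip: str, path: str) -> int:
    """HTTP status the reverse proxy should answer with before forwarding.

    Order matters: the IP allowlist is checked first so an unknown source
    never even gets to probe for the path. The path compare is constant-time
    so a remote attacker cannot narrow the secret byte-by-byte via timing,
    and a miss is a plain 404, indistinguishable from any other unknown path.
    """
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in ALLOWED_NETS):
        return 403
    if not hmac.compare_digest(path.encode("utf-8"), SECRET_PATH.encode("utf-8")):
        return 404
    return 200


if __name__ == "__main__":
    url = doh_get_url("https://example.com" + SECRET_PATH, "pi.hole")
    print(url)
    print(decode_question(build_dns_query("pi.hole")))
    for ip, path in [("203.0.113.7", SECRET_PATH),
                     ("203.0.113.7", "/dns-query"),
                     ("198.51.100.9", SECRET_PATH)]:
        print(ip, path, "->", gate(ip, path))
```

Note that the gate above still lets any device inside the allowlisted block that learns the path use the resolver, which is the limitation the replies describe: the path is a shared secret, not per-client authentication, and every such client shows up in Pi-hole as the proxy's address.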
Nitpick : if DoH is DoT but with https, wouldn’t DoT be also possible in theory (and more efficient)?
Thanks for the clarification. About the no VPN thing, my iPad has been put in an MDM program that applies some restrictions to content (during lessons) and other system wide functions (VPN included), though it’s quite illegal. When going into VPN settings, it simply says that a configuration profile restricts the use of VPNs
can you read? My device doesn’t allow vpn connections
edit: downvotes deserved, didn’t know there’s more other than the vpn itself
Sounds great, will look into it! By the way, in case you didn’t get it (unless I misinterpreted it), Pi-Hole is running on the Android phone through Linux Deploy. It doesn’t have any use other than just being a server, in this case. In this case I talked with the Apple Distinguished Educators (which are incredibly nice, hopefully), so I’ll see if I can get a hold of the actual admin and see if they can do anything about it to make my job easier - I’ll eventually figure everything out. Thank you very much for your help!
However you can’t limit access of DoT to specific clients with a password or similar. At least not easily with Android w/o a special client. So everyone can access it, so it’s basically a public port 53.
I have asked this question somewhere on reddit before, but I am too lazy to find it as I am travelling.
DoH however, you can use a custom path. I have done this before, and it does work. You may need a reverse proxy like caddy tho.
Stupid question: if you can set the network but not the VPN, there’s another crazy way.
You could setup your own router with a VPN x)
… Setting an appropriate DoH resolver would probably easier tho.
Although the redditor probably didn’t read, you can also rephrase the question better by probably adding a TL;DR at the top. Your whole post can basically be summarized to “How to access pi-hole over the network w/o VPN”.
Google might also help.
I recommend you study more on networking before saying others didn’t read.
Nowadays there are routers that can run Tailscale and you can let your clients route through it, then your clients won’t need to install anything.
are you in a country where VPNs are banned? wireshark would still work
Tailscale’s DNS would mean you can access your device AS IF THEY ARE ON THE SAME ROUTER.
what fakemanhk said is spot on. he also understands network security and applications better than you
one device with tailscale installed can advertise the subnet where the pihole is and another device can do the same at the other end.
the clients don’t need to install anything
In that case it would be significantly more complicated. I’ll have to think a bit more. Mostly because you can’t have port 443 or port 53 forwarded if you are on mobile data or school wifi.
Just to make sure what we are working with, are network proxies allowed? Is it completely non accessible, or just a firewall blocking it?
Does the class-based wifi have peer isolation? Can clients connected under the same class-based wifi access each other’s IP?
Can the rooted android phone have a public IP and/or have ports forwarded to it? Maybe leave it at home and have the router forward a port?
Or Alternatively, does your home router have a public IP? can it forward ports? do you have a server running at home? We’ll at least need a public port to do anything feasible.
I’m confused. How is this helping you do your job when you are trying to get the school IT and security people to not do their jobs? IT security is there for a reason. If they want teachers to be able to do things that students can’t, then they can make “exceptions” into their network configuration.
As an IT guy, I’d be focusing attention to make sure that you were locked down as tightly as possible.
I think you also should read again the post - It’s the school’s MDM profile installed that is restricting me from using VPNs (though quite illegal, as the device is of my property and has not been obtained through school means)
I’ve never said I’m a master in networking, going to school and not a uni should’ve already told you my age range and I obviously can’t be Wikipedia at this age.
In any case, thanks for the clarification. Will look into it and the downvotes I got are well deserved.