Privacy-Focused DNS Architecture
Filtering, redundancy, encrypted upstream resolution, and private remote access.
Pi-holeDNSCryptDoHQuad9TailscaleDocker
Project Goal
Reduce plaintext DNS exposure while preserving filtering and internal name resolution.
This project built a layered DNS workflow for a homelab. Client devices use network-level filtering and internal DNS records, while upstream requests are forwarded through an encrypted resolver path. A separate private DNS-over-HTTPS endpoint supports remote browser testing without exposing the resolver publicly.
Request Flow
High-level architecture without private addressing.
- Clients receive the primary and secondary Pi-hole resolvers through DHCP.
- Pi-hole applies filtering rules and answers internal DNS records.
- External queries are forwarded to a containerized DNSCrypt proxy.
- The proxy sends encrypted upstream queries to privacy-focused public resolvers.
- Approved remote browser clients can use a tailnet-only DNS-over-HTTPS endpoint.
Skills Demonstrated
Networking and privacy concepts practiced through the project.
- DNS resolution flow and DHCP-distributed resolver design
- Redundant network services and internal records
- Encrypted DNS transport with DNSCrypt and DoH
- Docker networking, service health checks, and monitoring integration
Future Improvements
Useful next steps.
- Add a sanitized DNS request-flow diagram
- Expand alerting for resolver latency and failure states
- Document controlled failover testing between resolvers