Privacy-Focused DNS Architecture

Filtering, redundancy, encrypted upstream resolution, and private remote access.

Pi-holeDNSCryptDoHQuad9TailscaleDocker

Project Goal

Reduce plaintext DNS exposure while preserving filtering and internal name resolution.

This project built a layered DNS workflow for a homelab. Client devices use network-level filtering and internal DNS records, while upstream requests are forwarded through an encrypted resolver path. A separate private DNS-over-HTTPS endpoint supports remote browser testing without exposing the resolver publicly.

Request Flow

High-level architecture without private addressing.

  1. Clients receive the primary and secondary Pi-hole resolvers through DHCP.
  2. Pi-hole applies filtering rules and answers internal DNS records.
  3. External queries are forwarded to a containerized DNSCrypt proxy.
  4. The proxy sends encrypted upstream queries to privacy-focused public resolvers.
  5. Approved remote browser clients can use a tailnet-only DNS-over-HTTPS endpoint.

Skills Demonstrated

Networking and privacy concepts practiced through the project.

  • DNS resolution flow and DHCP-distributed resolver design
  • Redundant network services and internal records
  • Encrypted DNS transport with DNSCrypt and DoH
  • Docker networking, service health checks, and monitoring integration

Future Improvements

Useful next steps.

  • Add a sanitized DNS request-flow diagram
  • Expand alerting for resolver latency and failure states
  • Document controlled failover testing between resolvers