Wireguard + Pi-Hole + DNSCrypt

[Dnske]

Hello,

I'm looking to set up a Wireguard, Pi-Hole and DNSCrypt solution. I have a couple of questions.

1. Do I necessarily need Unbound? Or is DNSCrypt sufficient enough a Resolver.
2. Do I need the DNSCrypt client or server?
3. I see many users recommending the use of Unbound with Pi-Hole over DNSCrypt. Is there any merit to this?

Any feedback is appreciated.

 

[tgl]

1. Do I necessarily need Unbound? Or is DNSCrypt sufficient enough a Resolver.

AFAICT from a look at the DNSCrypt docs, the DNSCrypt "server" is just a proxy for a real DNS server. So if you are running a DNS server, you need unbound, bind, or some other DNS server that you then put DNSCrypt in front of.

2. Do I need the DNSCrypt client or server?

Your actual client machines would need the DNSCrypt client, while you'd run unbound+DNSCrypt server on your router. The "Deployment" section here shows what they have in mind.

3. I see many users recommending the use of Unbound with Pi-Hole over DNSCrypt. Is there any merit to this?

Given the need for per-client software installations, I suspect most people have decided that the cost/benefit ratio of DNSCrypt is not very good. It's going to be a PITA to get it going on all your clients, and the main scenario it protects against is somebody having already broken into your home network and trying to poison your DNS lookups from inside. I'd call that a case where you already lost. If you've got poorly-secured stuff like IoT devices, roping them off into a separate guest network will be a far easier and more effective security measure.