DNS-over-TLS on Knot Resolver

Install knot-resolver.

On Raspbian, add this to /etc/apt/sources.list:

deb https://ftp.acc.umu.se/debian/ stretch-backports main

You may have to add Debian signing keys.

Setting the port

Knot Resolver works easily on Raspbian stretch as well. Like Pi-hole, it listens on port 53 by default, so if you use Pi-hole (you should) you have to change the port.

sudo systemctl edit kresd.socket

Paste this content to the file:

[Socket]
# Clear the listen addresses inherited from the packaged unit (port 53) first;
# in a drop-in, new Listen* lines are added to the existing list, not substituted for it.
ListenDatagram=
ListenStream=
ListenDatagram=127.0.0.1:9153
ListenStream=127.0.0.1:9153

After saving and exiting, sudo systemctl restart kresd@1

dig SOA @127.0.0.1 -p 9153 should return a valid answer.

DNS-over-TLS

Add this to /etc/knot-resolver/kresd.conf:

-- Seed Lua's PRNG so the provider choice below differs between restarts.
-- This randomness only spreads load across providers; it is not security-relevant.
require 'math'
math.randomseed(os.time())

-- System CA bundle used to validate each upstream's certificate chain.
tls_bundle='/etc/ssl/certs/ca-certificates.crt'

-- Each entry is one provider; a provider may list several servers, which are
-- all handed to TLS_FORWARD together. hostname= turns on certificate name
-- checking and ca_file= anchors the chain, so a server that cannot present a
-- valid certificate for that name is rejected instead of being used.
dns_providers = {
  { -- Digitalcourage
    {'46.182.19.48',
     hostname='dns2.digitalcourage.de', ca_file=tls_bundle}
  },
  { -- Digitale Gesellschaft
    {'185.95.218.42',
     hostname='dns.digitale-gesellschaft.ch', ca_file=tls_bundle}
  },
  { -- UncensoredDNS
    {'91.239.100.100',
     hostname='anycast.censurfridns.dk', ca_file=tls_bundle},
    {'89.233.43.71',
     hostname='unicast.censurfridns.dk', ca_file=tls_bundle}
  }
}

-- Pick one provider at random for every query and forward the query over
-- TLS (port 853) to that provider's servers.
policy.add(function (request, query)
  return policy.TLS_FORWARD(dns_providers[math.random(1, #dns_providers)])
end)
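The hostname= and ca_file= settings above are what make the forwarding authenticated: kresd only talks to a server whose certificate chains to the bundle and carries the expected name. The following script is an added example, not code from the page or from Knot Resolver; it performs the same check from the outside so you can confirm each provider is reachable and correctly certified before switching Pi-hole over. It opens a TLS connection to port 853, verifies the chain against the same CA bundle and the same hostname, sends one RFC 7858 length-prefixed query for the root SOA, and decodes the reply header. The provider IPs and hostnames are the ones from the config above; the query id, timeout and the helper names are assumptions of this example.

```python
"""Minimal DNS-over-TLS (RFC 7858) probe mirroring the kresd TLS_FORWARD checks.
Added example: not part of Knot Resolver or the original page."""
import socket
import ssl
import struct

# Providers from the kresd.conf above; CA bundle path is the one the page uses.
TLS_BUNDLE = '/etc/ssl/certs/ca-certificates.crt'
PROVIDERS = [
    ('46.182.19.48', 'dns2.digitalcourage.de'),
    ('185.95.218.42', 'dns.digitale-gesellschaft.ch'),
    ('91.239.100.100', 'anycast.censurfridns.dk'),
    ('89.233.43.71', 'unicast.censurfridns.dk'),
]

QTYPE_A = 1
QTYPE_SOA = 6
QUERY_ID = 0x1234  # fixed id chosen for this example


def encode_name(name):
    """Encode a domain name as DNS wire-format labels ('.' gives just the root)."""
    out = b''
    for label in name.rstrip('.').split('.'):
        if label:
            out += struct.pack('!B', len(label)) + label.encode('ascii')
    return out + b'\x00'


def build_query(name, qtype=QTYPE_A, qid=QUERY_ID):
    """Standard query: RD set, one question section, no EDNS."""
    header = struct.pack('!HHHHHH', qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack('!HH', qtype, 1)


def frame(message):
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack('!H', len(message)) + message


def parse_header(message, expected_id=None):
    """Decode the 12-byte header and reject anything that is not a reply to us."""
    if len(message) < 12:
        raise ValueError('truncated DNS message')
    qid, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', message[:12])
    if expected_id is not None and qid != expected_id:
        raise ValueError('transaction id mismatch')
    if not flags & 0x8000:  # QR bit must be set on a response
        raise ValueError('not a response')
    return {'id': qid, 'rcode': flags & 0x000F, 'qdcount': qd,
            'ancount': an, 'nscount': ns, 'arcount': ar}


def recv_exact(sock, n):
    """Read exactly n bytes or fail; TLS records do not align with DNS messages."""
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('connection closed mid-message')
        buf += chunk
    return buf


def query_over_tls(server_ip, hostname, ca_file, name, qtype=QTYPE_SOA):
    """Connect to server_ip:853, verify the chain against ca_file and the name
    against hostname (the equivalent of hostname=/ca_file= in TLS_FORWARD),
    then exchange one framed query and response."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(name, qtype)
    with socket.create_connection((server_ip, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack('!H', recv_exact(tls, 2))
            return parse_header(recv_exact(tls, length), expected_id=QUERY_ID)


if __name__ == '__main__':
    for ip, host in PROVIDERS:
        try:
            hdr = query_over_tls(ip, host, TLS_BUNDLE, '.')
            print(f'{host} ({ip}): rcode={hdr["rcode"]} answers={hdr["ancount"]}')
        except ssl.SSLCertVerificationError as exc:
            # This is the failure kresd would also refuse: wrong name or untrusted chain.
            print(f'{host} ({ip}): certificate rejected: {exc.verify_message}')
        except (OSError, ValueError) as exc:
            print(f'{host} ({ip}): failed: {exc}')
```

Run it on the Pi with the bundle path from kresd.conf; a provider that prints "certificate rejected" would be refused by kresd as well, and a mismatched or non-response reply is dropped by parse_header rather than trusted.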

Further reading