Build Your Own Private DNS Resolver: PowerDNS on Raspberry Pi with a Pangolin VPS Proxy

Tired of your ISP’s DNS servers? Want more control, better privacy, or ad-blocking capabilities? This guide will show you how to set up the powerful PowerDNS Recursor on a Raspberry Pi at home. We’ll then use Pangolin on a Virtual Private Server (VPS) to create a secure tunnel, allowing you to use your private DNS from any device, anywhere, without complex network configurations.

Let’s get started!


Part 1: Setting Up PowerDNS Recursor on Your Raspberry Pi

First, we’ll get the DNS server software running on your Pi. We’ll use Docker Compose to make managing the service easy.

Step 1.1: Install Docker & Docker Compose

  1. Install Docker on your Raspberry Pi. The official script is the easiest way:

    curl -fsSL https://get.docker.com -o get-docker.sh
    sudo sh get-docker.sh
    
  2. Add your user to the Docker group so you don’t have to type sudo for every command:

    sudo usermod -aG docker ${USER}
    

    You must log out and log back in for this to work.

  3. Install Docker Compose. This tool lets you manage multi-container applications easily.

    sudo apt-get update
    sudo apt-get install docker-compose-plugin
    

Step 1.2: Create Your PowerDNS Configuration

  1. Create a new directory to hold your configuration file.

    mkdir ~/pdns-recursor
    cd ~/pdns-recursor
    
  2. Inside this directory, create a file named docker-compose.yml:

    nano docker-compose.yml
    
  3. Copy and paste the following configuration into the file. This sets up the PowerDNS Recursor, enables its management API, and sets some basic security.

    services:
      pdns-recursor:
        image: pschiffe/pdns-recursor:latest
        container_name: pdns-recursor
        restart: unless-stopped
        environment:
          # --- BASIC SETTINGS ---
          # Allow requests from local, private, and Docker networks.
          # Note: queries that arrive through the newt tunnel enter from the
          # Docker network, so this list does not limit who can query via the VPS.
          - PDNS_allow_from=127.0.0.1, 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
    
          # --- WEB SERVER & API SETTINGS ---
          - PDNS_webserver=yes
          - PDNS_webserver_address=0.0.0.0
          - PDNS_webserver_port=8082
          - PDNS_webserver_password=YourSecretPasswordHere # <-- CHANGE THIS
          - PDNS_api=yes
          - PDNS_api_key=YourSecretAPIKeyHere # <-- CHANGE THIS
        ports:
          # Bound to 127.0.0.1 so only the Pi itself can reach these ports directly.
          # newt (below) shares this compose network and reaches the recursor as
          # pdns-recursor:53 without going through these host bindings.
          - "127.0.0.1:53:53/tcp"
          - "127.0.0.1:53:53/udp"
          - "127.0.0.1:8082:8082/tcp"
    
      newt:
        image: fosrl/newt:latest
        container_name: newt
        restart: unless-stopped
        environment:
          # --- Get these values from your Pangolin Dashboard ---
          - PANGOLIN_ENDPOINT=https://your-pangolin-domain.com # <-- CHANGE THIS
          - NEWT_ID= # <-- PASTE ID FROM PANGOLIN HERE
          - NEWT_SECRET= # <-- PASTE SECRET FROM PANGOLIN HERE
          - LOG_LEVEL=INFO
    
  4. IMPORTANT:

    • Change YourSecretPasswordHere to a strong password for the web interface.
    • Change YourSecretAPIKeyHere to a strong, random key for the API.
    • If your local network uses a different range than 192.168.x.x or 10.x.x.x, adjust the PDNS_allow_from line accordingly.
    • https://your-pangolin-domain.com: Change this to the actual domain of your Pangolin instance.
    • NEWT_ID & NEWT_SECRET: These will be blank for now. We will get these values in the next part.
  5. Save the file and exit the editor (Ctrl+X, then Y, then Enter).

Step 1.3: Launch PowerDNS Recursor

Now, start the container using your new compose file.

docker compose up -d

Docker will download the pdns-recursor image and start it in the background. Your private DNS server is now running on your Raspberry Pi!


Part 2: Building the Secure Tunnel with Pangolin

Let’s switch to your VPS and Pangolin dashboard to make your new DNS server accessible from the outside world.

Step 2.1: Connect Your Raspberry Pi to Pangolin

  1. In your Pangolin web dashboard, go to Sites and click Add Site.
  2. Give it a memorable name, like Raspberry Pi DNS.
  3. Click Create Site. Pangolin will generate a command for newt, its tunnel client.
  4. The newt command Pangolin shows contains the ID and secret for this site. Copy them into the blank NEWT_ID and NEWT_SECRET fields of docker-compose.yml on your Raspberry Pi and run docker compose up -d again (or run the command as shown if you prefer newt outside Docker). Either way, this establishes the secure tunnel from your Pi to the VPS.

Step 2.2: Expose the DNS Service (Port 53)

This is the most crucial step. We need to forward DNS queries (on port 53) from your VPS to the Pi.

  1. In your Pangolin dashboard, go to Resources and click Add Resource.
  2. Fill out the form:
    • Name: PowerDNS Service
    • Site: Select Raspberry Pi DNS.
    • Resource Type: TCP & UDP Resource.
    • Forwarded Port on Server: 53 (the standard DNS port).
    • Protocol: TCP
  3. Click Create Resource.
  4. On the next page, under Target Configuration:
    • Host: Your Raspberry Pi’s local IP address (e.g., 192.168.1.50). Caveat: with the compose file above, the recursor’s ports are bound to 127.0.0.1 only, so newt, which runs in its own container, cannot reach that LAN address. In that case use the container name pdns-recursor as the host; newt resolves it over the shared compose network.
    • Port: 53
  5. Click Add Target and then Save Targets.
  6. REPEAT the entire process above, but this time select UDP as the protocol. DNS needs both: most queries travel over UDP, and clients fall back to TCP for responses that are too large or come back truncated. You will now have two resources named PowerDNS Service, one for TCP and one for UDP.
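To confirm that both resources actually forward to the Pi, the following Python script (added here as an example; it is not part of the original guide or of PowerDNS or Pangolin) sends an A query for a name to the VPS address over UDP and again over TCP, using the two-byte length prefix that DNS over TCP requires, and parses the reply. The server address and query name are command-line arguments (the default 203.0.113.10 is a placeholder, not a real VPS). build_a_response is a constructed reply used only for offline testing. The script also discards any reply whose transaction ID does not match the query, which is the minimum check a client should make against spoofed or stale answers.

```python
import random
import socket
import struct
import sys


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = None) -> bytes:
    """Build a recursive A/IN query; the transaction ID is random unless supplied."""
    if txid is None:
        txid = random.randrange(0, 1 << 16)
    # header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes) -> dict:
    """Extract ID, RCODE, the TC flag and A-record addresses from a reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    result = {"id": txid, "rcode": flags & 0x000F,
              "truncated": bool(flags & 0x0200), "answers": []}
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, _, _, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:
            result["answers"].append(socket.inet_ntoa(rdata))
    return result


def build_a_response(query: bytes, addresses: list, ttl: int = 300) -> bytes:
    """Constructed reply for offline testing only: echoes the question, adds one A record per address."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)  # QR, RD, RA set
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
                       for ip in addresses)
    return header + question + answers


def check_reply(query: bytes, data: bytes) -> dict:
    """Parse a reply and reject it if its ID does not match the query (spoofed or stale answer)."""
    reply = parse_response(data)
    if reply["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch: reply discarded")
    return reply


def query_udp(server: str, name: str, timeout: float = 3.0) -> dict:
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return check_reply(query, data)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the full DNS message arrived")
        buf += chunk
    return buf


def query_tcp(server: str, name: str, timeout: float = 3.0) -> dict:
    query = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)  # DNS over TCP: 2-byte length prefix
        length = struct.unpack("!H", recv_exact(sock, 2))[0]
        data = recv_exact(sock, length)
    return check_reply(query, data)


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # placeholder VPS address
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    for label, fn in (("UDP", query_udp), ("TCP", query_tcp)):
        try:
            r = fn(server, name)
            print(f"{label}: rcode={r['rcode']} answers={r['answers']}")
        except (OSError, ValueError) as exc:
            print(f"{label}: FAILED ({exc}) - check the matching Pangolin resource")
```

Run it from a machine outside your home network, e.g. python3 dnscheck.py <VPS-IP> example.com. If UDP answers but TCP fails (or the reverse), the corresponding Pangolin resource is the one to revisit; a reply with the truncated flag set over UDP is exactly the case where a client will retry over TCP.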

Step 2.3: Expose the PowerDNS Web Interface

Let’s make the management panel accessible through a secure subdomain.

  1. In Pangolin, go to Resources and click Add Resource.
  2. Fill out the form:
    • Name: PowerDNS Admin
    • Site: Raspberry Pi DNS
    • Resource Type: HTTP Resource.
    • HTTP Settings > Sub-domain: pdns (this will be accessible at pdns.yourdomain.com).
  3. Click Create Resource.
  4. On the next page, under Target Configuration:
    • Method: http
    • Host: Your Raspberry Pi’s local IP address.
    • Port: 8082 (the port we configured in docker-compose.yml).
  5. Click Add Target and then Save Targets.

Part 3: Using Your New Private DNS

You are all set! Now you can configure your devices to use your new DNS resolver.

Step 3.1: Configure Your Devices

  1. Find your VPS’s public IP address. This is the address you’ll use in your device settings.
  2. On any device you want to use the private DNS with (laptop, phone, etc.), go to the network settings and change the DNS server to your VPS’s IP address.
    • On Windows: Settings > Network & Internet > Ethernet/Wi-Fi > Edit DNS server assignments.
    • On macOS: System Settings > Network > Wi-Fi/Ethernet > Details... > DNS.
    • On iOS/Android: Look in the advanced settings for your Wi-Fi connection.

Step 3.2: Access the Management Interface

You can view stats and manage your PowerDNS recursor by navigating to the secure address you created in Pangolin:

https://pdns.yourdomain.com

Log in with the password you set in the docker-compose.yml file (YourSecretPasswordHere).
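Because queries reaching the recursor through the tunnel come from the Docker network, the PDNS_allow_from list cannot tell your own devices apart from anyone else who discovers the VPS address, so it is worth watching query volume. The script below is an added example (not part of the guide, PowerDNS or Pangolin) that polls the PowerDNS Recursor API statistics endpoint, /api/v1/servers/localhost/statistics, with the X-API-Key header, takes two samples, and prints per-second rates with simple warnings. It assumes it runs on the Pi itself (127.0.0.1:8082 as bound in docker-compose.yml) with the API key you set there; the thresholds in assess and the NXDOMAIN-share heuristic are assumptions to tune, not PowerDNS defaults.

```python
import json
import sys
import time
import urllib.request

# Assumptions: run on the Pi; port and key as in docker-compose.yml (replace the key).
API_URL = "http://127.0.0.1:8082"
API_KEY = "YourSecretAPIKeyHere"
WATCHED = ("questions", "servfail-answers", "nxdomain-answers")


def fetch_statistics(base_url: str = API_URL, api_key: str = API_KEY, timeout: float = 5.0) -> dict:
    """GET the recursor's statistics endpoint; the API key travels in the X-API-Key header."""
    req = urllib.request.Request(base_url + "/api/v1/servers/localhost/statistics",
                                 headers={"X-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_statistics(json.load(resp))


def parse_statistics(items: list) -> dict:
    """Turn the API's list of {name, type, value} objects into {name: int}; skip anything that is not a counter."""
    counters = {}
    for item in items:
        if item.get("type") != "StatisticItem":
            continue
        try:
            counters[item["name"]] = int(item["value"])
        except (KeyError, ValueError):
            continue
    return counters


def per_second(before: dict, after: dict, seconds: float) -> dict:
    """Per-second rate of each watched counter between two samples (clamped at 0 in case of a restart)."""
    out = {}
    for name in WATCHED:
        if name in before and name in after:
            out[name] = max(after[name] - before[name], 0) / seconds
    return out


def assess(rates: dict, max_qps: float = 50.0, max_nxdomain_ratio: float = 0.5) -> list:
    """Assumed heuristics for a home resolver exposed through a VPS:
    a sustained query rate well above what a few devices produce, or a
    large share of NXDOMAIN answers (typical of random-subdomain floods)."""
    warnings = []
    qps = rates.get("questions", 0.0)
    if qps > max_qps:
        warnings.append(f"query rate {qps:.1f}/s exceeds {max_qps:.0f}/s; someone else may be using the resolver")
    if qps > 0:
        nx_share = rates.get("nxdomain-answers", 0.0) / qps
        if nx_share > max_nxdomain_ratio:
            warnings.append(f"{nx_share:.0%} of answers are NXDOMAIN; looks like a random-subdomain flood")
    return warnings


if __name__ == "__main__":
    interval = float(sys.argv[1]) if len(sys.argv) > 1 else 60.0
    first = fetch_statistics()
    time.sleep(interval)
    second = fetch_statistics()
    rates = per_second(first, second, interval)
    for name, value in rates.items():
        print(f"{name:>18}: {value:8.2f}/s")
    for warning in assess(rates):
        print("WARNING:", warning)
```

Run it as python3 pdnswatch.py 60 on the Pi; a cron job that runs it and mails the warnings is enough for a home setup. The same counters are visible in the web interface at https://pdns.yourdomain.com, so a glance there after a day of use gives a baseline for the thresholds.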

You now have a fast, private, and secure DNS resolver that you can use from anywhere in the world. Enjoy your newfound control over your internet experience!

1 Like

Isn’t exposing the DNS port to the whole internet a huge risk? Bad actors will abuse your resolver and cause significant issues.

2 Likes

People like to try stuff. I should mention your comment at the front.

1 Like