Encouraged by the numerous glowing reviews, over the past few years I've built out a home network using Unifi gear. Being enterprise-grade gear, Unifi allows me to apply a few privacy tweaks to the home network that aren't possible with a lot of consumer gear. The addition of a Pi-Hole covers most privacy concerns with basic ad-blocking, but there are a couple of software changes that make a larger difference to the end result.

I got the Cloud Key to run the Unifi controller software. This provides stats on client usage and network congestion, and allows me to set static local IP addresses for clients on the network. Importantly, I'm also able to define a Domain Name System (DNS) server of my choice, which the controller then hands out to every client via DHCP.

Being able to choose a DNS server is the starting point for a privacy-focused network. By default most network gear provided by an ISP (Internet Service Provider) uses the ISP's servers for DNS queries. Since a DNS server acts like a large phonebook for the internet, I want to choose which phonebook I use. If I used the ISP's phonebook, the ISP could see every name I've looked up, which is a fairly complete record of every site I visit.

Since I don't want that, and I want to play with new toys, I use a Pi-Hole on my network. With Unifi I can set the DNS server handed out to clients to be the Pi-Hole, so every device on the LAN sends its lookups there by default.

The Pi-Hole answers all of the DNS queries for my network, blocking a whole bunch of ads and trackers, and forwards anything it can't answer from cache to an upstream resolver. The only problem with this setup is that traditional DNS queries travel in plaintext over UDP or TCP port 53, so the Pi-Hole's upstream lookups could still be read by my ISP if they wanted to snoop, regardless of which resolver I chose. To solve this we can configure the Pi-Hole to send its upstream queries as DNS-over-HTTPS (DoH), which wraps them in an ordinary encrypted HTTPS connection and brings privacy up another level.

Accomplishing DoH is really straightforward with the latest Pi-Hole (v5) and dnscrypt-proxy. The general approach is to run dnscrypt-proxy as a local listener on the Pi-Hole box (commonly 127.0.0.1 on port 5053), have it talk DoH to the chosen upstream, and then point the Pi-Hole's upstream DNS setting at that local listener instead of at a public resolver. I used this guide to set up dnscrypt-proxy and add it to the Pi-Hole, and then this guide to configure dnscrypt-proxy to point to Cloudflare using DoH. Cloudflare publishes a privacy policy for its 1.1.1.1 resolver and is consistently among the fastest public resolvers. Done.

Unifi also gives me the ability to host a VPN (virtual private network) server, so when I'm away from home I can VPN back to the home network and leverage all of those local features, including the Pi-Hole. I accomplish this by using Duck DNS as a dynamic DNS service that tracks my home network's public IP address, which means I don't have to worry about getting a static IP from my ISP. At that point configuring the VPN client is straightforward on most devices.

Now the vast majority of DNS lookups that leave the network do so over HTTPS, which keeps the names my devices resolve private from anyone watching the wire, a large improvement from using ISP hardware and services. Building these privacy features into the network stack results in good baseline privacy without constantly managing or configuring it on each device I use, with the added benefit of being able to take off my tin-foil hat when I get home.

There is one more bit of configuration to complete before this entire setup is done. When dealing with DNS, it turns out that many devices are configured to ignore your network settings entirely in favour of hardcoded DNS servers (a well-known example is IoT and streaming hardware that is hardwired to a public resolver). The reasons for this aren't super important, but I would like to ensure that every device on my network follows the same DNS lookups. This is where the power of the UniFi system comes into its own. I can configure my router to intercept any DNS request on port 53 that tries to leave the network and redirect it to the Pi-Hole instead, so the hardcoded server never gets asked. I followed this guide as a start, and searched through the UniFi forums and found this file to help configure the actual JSON when things weren't exactly the same. One caveat worth knowing: a port-53 redirect only catches plain DNS. A device that speaks DoH or DNS-over-TLS to a hardcoded endpoint of its own looks like ordinary HTTPS or TLS traffic to the router and is not redirected.
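As a concrete illustration of the redirect described above, here is the shape of a `config.gateway.json` for a UniFi Security Gateway that does it. This is an added example, not the author's file or the forum file mentioned in the text. It assumes the Pi-Hole lives at 192.168.1.2, that the LAN is on the gateway's `eth1` interface, and that rule numbers 1 and 5001 are free; change all three to match your own network. The first rule is a destination NAT that rewrites any outbound TCP or UDP port-53 packet to the Pi-Hole, excluding traffic from the Pi-Hole itself so its own upstream lookups aren't looped back. The second rule is a masquerade (source NAT) that is needed when the Pi-Hole sits on the same subnet as the clients: without it the Pi-Hole answers the client directly, the client sees a reply from an address it never asked, and drops it.

```json
{
  "service": {
    "nat": {
      "rule": {
        "1": {
          "description": "Redirect all outbound port-53 DNS to the Pi-Hole (assumed 192.168.1.2)",
          "type": "destination",
          "inbound-interface": "eth1",
          "protocol": "tcp_udp",
          "destination": {
            "port": "53"
          },
          "source": {
            "address": "!192.168.1.2"
          },
          "inside-address": {
            "address": "192.168.1.2",
            "port": "53"
          }
        },
        "5001": {
          "description": "Masquerade redirected DNS so same-subnet replies return via the gateway",
          "type": "masquerade",
          "outbound-interface": "eth1",
          "protocol": "tcp_udp",
          "destination": {
            "address": "192.168.1.2",
            "port": "53"
          }
        }
      }
    }
  }
}
```

The file goes under the controller's data directory for the site (`<unifi_base>/data/sites/<site_ID>/config.gateway.json`) and is applied on the next provision of the gateway; JSON doesn't allow comments, so the `description` fields carry the notes. A quick check that it's working: from a LAN client, query a domain you know is on the Pi-Hole blocklist while explicitly naming a public resolver (for example `dig @8.8.8.8 <blocked-domain>`). If the redirect is in place you get the Pi-Hole's blocking answer rather than the real address, even though the client believes it asked 8.8.8.8.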

The result of all of this configuration is that every plain DNS query from inside the network, hardcoded resolvers included, is forced through the Pi-Hole and out over DoH.