Pi-hole blocks ads and trackers locally, but it does not encrypt the DNS traffic that leaves your network: by default it forwards queries to its upstream resolver as plaintext on port 53, so your ISP (or anyone else on the path) can still read every domain your devices look up. Switching the upstream to a public resolver such as Cloudflare or Google does not fix this either; it only changes who receives the plaintext, not the fact that it is plaintext. The fix is to put dnscrypt-proxy between Pi-hole and the upstream resolver. Deployed via Docker Compose alongside Pi-hole, dnscrypt-proxy listens on port 5053 and forwards every query to a resolver that supports DNSCrypt or DNS-over-HTTPS, so queries leave the network encrypted. Pi-hole's upstream DNS is then pointed at dnscrypt-proxy, which makes the change network-wide without touching any client device. Two caveats apply. First, encryption hides the queries from the ISP, but the upstream resolver you choose still sees them, so pick one with a no-logging policy (dnscrypt-proxy can restrict its server list to such resolvers), and remember that the ISP still sees the IP addresses you connect to afterwards. Second, the setup is a single point of failure: if the host running dnscrypt-proxy goes down, DNS resolution for the whole network fails, so you need either a redundant dnscrypt-proxy instance or a fallback public resolver, bearing in mind that a plaintext fallback reintroduces the leak whenever it is used.
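A Docker Compose layout that wires the two containers together, added here as an illustration rather than the article's own files. It assumes the klutchell/dnscrypt-proxy image (configuration mounted at /config/dnscrypt-proxy.toml) and the Pi-hole v5 image's PIHOLE_DNS_ variable (the v6 image renamed its settings to FTLCONF_* variables). The 172.20.0.0/24 subnet and the two addresses are arbitrary choices: Pi-hole's upstream setting takes an IP#port pair, not a container name, so dnscrypt-proxy needs a fixed address.

```yaml
# Assumed layout: docker-compose.yml next to a dnscrypt-proxy.toml that
# sets listen_addresses = ['0.0.0.0:5053'] and require_nolog = true.
networks:
  dns_net:
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/24   # arbitrary private subnet for fixed IPs

services:
  dnscrypt-proxy:
    image: klutchell/dnscrypt-proxy:latest   # assumed image; config path below is that image's convention
    container_name: dnscrypt-proxy
    restart: unless-stopped
    volumes:
      - ./dnscrypt-proxy.toml:/config/dnscrypt-proxy.toml:ro
    networks:
      dns_net:
        ipv4_address: 172.20.0.53   # fixed so Pi-hole can reference it
    # No published ports: only Pi-hole on dns_net should reach 5053.

  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    restart: unless-stopped
    depends_on:
      - dnscrypt-proxy
    ports:
      - "53:53/tcp"   # clients on the LAN talk plaintext to Pi-hole only
      - "53:53/udp"
      - "80:80/tcp"   # admin UI
    environment:
      TZ: "UTC"
      WEBPASSWORD: "change-me"          # placeholder, set a real one
      # Single upstream: the encrypting proxy. Adding a plaintext
      # 8.8.8.8 here as a "fallback" would leak queries whenever used.
      PIHOLE_DNS_: "172.20.0.53#5053"
    volumes:
      - ./etc-pihole:/etc/pihole
      - ./etc-dnsmasq.d:/etc/dnsmasq.d
    networks:
      dns_net:
        ipv4_address: 172.20.0.10
```

To confirm the leak is closed, run tcpdump on the host's WAN-facing interface filtered on `port 53` while a LAN client resolves a name: with the setup working, the only port 53 traffic should be between clients and Pi-hole, and upstream traffic should appear only on port 443 (DNS-over-HTTPS) or the DNSCrypt server's port. For redundancy, a second dnscrypt-proxy instance on another host, listed as a second `IP#5053` upstream, keeps the fallback encrypted.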

From xda-developers.com (6 min read)

Table of contents:
- What Pi-hole gets right (and where it falls short)
- The privacy gap most setups ignore
- Fixing it with DNS-over-HTTPS (the right way)
