cloudflare

This post is part one of a three-part series covering Bind, Pi-hole and DNS over HTTPS.

DNS over HTTPS

As previously mentioned, we will be using Cloudflare for their DNS over HTTPS service. This ensures that DNS queries which leave my network and traverse the internet are encrypted in transit. To do this we install cloudflared, which you can download from Cloudflare's website. (As this is an Ubuntu installation, we will need the .deb package.)

A nice big warning regarding 1.1.1.1
Using Cloudflare's 1.1.1.1 service has a few drawbacks at present. As it is a very privacy-focused resolver, information such as ECS (RFC 7871, EDNS Client Subnet on Wikipedia) is not sent to the authoritative servers. This can (and in some cases does) create problems when accessing content distribution networks that use DNS to send clients to the nearest datacenter. This isn't a problem for anycast CDNs (like Cloudflare), but I did find it somewhat troublesome with Office 365/Azure and sometimes Akamai. Keep this slight caveat in mind when using 1.1.1.1. I found I was regularly being sent to Office 365 datacenters in the USA and Canada, which increases latency considerably when accessing them from Australia.

/end warning

So let's install it:

  1. Download cloudflared
    wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb

  2. Install it
    dpkg -i cloudflared-stable-linux-amd64.deb

  3. Create a configuration directory
    mkdir /etc/cloudflared

  4. Create a configuration file /etc/cloudflared/config.yml that contains the following:
    logfile: /var/log/cloudflared.log
    proxy-dns: true
    proxy-dns-address: 127.0.0.1
    proxy-dns-port: 53
    proxy-dns-upstream:
          - https://1.1.1.1/dns-query
          - https://1.0.0.1/dns-query
    
  5. Register it as a service: /usr/local/bin/cloudflared service install
  6. Following that, you can start cloudflared by running systemctl start cloudflared

    Now is a good time to check whether cloudflared is working. To do this, simply type dig @127.0.0.1 cloudflare.com ds
    If you don't get a valid response, cloudflared isn't running or isn't working properly. Check /var/log/cloudflared.log to see what may be going on.

  7. Note: If you want cloudflared to start automatically on boot, simply run
    systemctl enable cloudflared

  8. Once you're certain cloudflared is working, you need to change the port it's listening on. As we are running three separate DNS services on the same server, they can't all listen on port 53. To change it, edit the following line in /etc/cloudflared/config.yml:
    proxy-dns-port
    Mine now reads:
    proxy-dns-port: 5353

Don't forget to issue systemctl restart cloudflared after making those changes. Be sure to change the port if you intend to proceed to the next part.
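To see what cloudflared is actually doing upstream when dig talks to it on 127.0.0.1, here is a minimal RFC 8484 DNS-over-HTTPS client that sends the same cloudflare.com DS query straight to the https://1.1.1.1/dns-query upstream from config.yml. This is an added example written for this post, not code from cloudflared or Cloudflare; only the final doh_query() call needs network access, and the message builder/parser run offline.

```python
"""Minimal RFC 8484 DNS-over-HTTPS client (added example, not part of cloudflared)."""
import struct
import urllib.request

UPSTREAM = "https://1.1.1.1/dns-query"  # first upstream from /etc/cloudflared/config.yml
QTYPES = {"A": 1, "DS": 43}


def build_query(name: str, qtype: str = "A", txid: int = 0) -> bytes:
    """Wire-format DNS query: 12-byte header, QNAME labels, QTYPE and QCLASS IN.
    RFC 8484 recommends transaction ID 0 so identical queries are cache-friendly."""
    flags = 0x0100  # standard query, recursion desired
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)


def parse_response(msg: bytes) -> dict:
    """Return transaction ID, RCODE and answer count from a wire-format reply."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return {"id": txid, "rcode": flags & 0x000F, "answers": an}


def doh_query(name: str, qtype: str = "A", upstream: str = UPSTREAM) -> dict:
    """POST the binary query as application/dns-message and parse the reply."""
    req = urllib.request.Request(
        upstream,
        data=build_query(name, qtype),
        method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        if resp.headers.get("Content-Type") != "application/dns-message":
            raise ValueError("upstream did not reply with a DNS message")
        return parse_response(resp.read())


if __name__ == "__main__":
    # Same check as `dig @127.0.0.1 cloudflare.com ds`, but bypassing cloudflared.
    print(doh_query("cloudflare.com", "DS"))
```

A reply with rcode 0 and at least one answer means the upstream is reachable and answering; if this works but dig against 127.0.0.1 does not, the problem is local to cloudflared.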

Now that you’re done with Part 1, you can continue to Part 2: Pi-Hole