This post is part one of a three-part series covering BIND, Pi-hole and DNS over HTTPS.
DNS over HTTPS
As previously mentioned, we will be utilising Cloudflare for their DNS over HTTPS service. This ensures that DNS queries leaving my network and traversing the internet are encrypted in transit rather than sent as plaintext UDP. To do this we install cloudflared, which you can download from Cloudflare's website. (As this is an Ubuntu installation, we will need the .deb package.)
A nice big warning regarding 1.1.1.1
Using Cloudflare's 1.1.1.1 service has a few drawbacks at present. As it is a very privacy-focused resolver, information such as ECS (RFC 7871, EDNS Client Subnet on Wikipedia) is not sent to the authoritative servers. This can (and in some cases does) create problems when accessing content distribution networks that use DNS to steer clients to the nearest datacenter. This isn't a problem for Anycast CDNs (like Cloudflare), but I did find it somewhat troublesome with Office 365/Azure and sometimes Akamai. Keep this slight caveat in mind when using 1.1.1.1. I found I was regularly being sent to Office 365 datacenters in the USA and Canada, which increases latency considerably when accessing from Australia.
So let's install it:
dpkg -i cloudflared-stable-linux-amd64.deb
- Create the configuration directory /etc/cloudflared
- Create a configuration file /etc/cloudflared/config.yml that contains the following:
logfile: /var/log/cloudflared.log
proxy-dns: true
proxy-dns-address: 127.0.0.1
proxy-dns-port: 53
proxy-dns-upstream:
  - https://1.1.1.1/dns-query
  - https://1.0.0.1/dns-query
- Next run:
/usr/local/bin/cloudflared service install
Following that, you can start cloudflared by running
systemctl start cloudflared
Now is a good time to check that cloudflared is actually working. To do this, simply type
dig @127.0.0.1 cloudflare.com
If you don't get a valid response, cloudflared isn't running or isn't working properly. Check /var/log/cloudflared.log to see what may be going on.
Note: If you want cloudflared to start automatically on boot, simply run
systemctl enable cloudflared
- Once you're certain cloudflared is working, you need to change the port it's listening on. As we are running three separate services on the same server, they can't all listen on the same port, so simply change the port.
To do this, change the proxy-dns-port line in /etc/cloudflared/config.yml:
So mine just reads
Don't forget to issue
systemctl restart cloudflared
when you make those changes. Be sure to change the port if you intend on proceeding to the next part.
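Since the same config.yml is edited twice in this part (first written with port 53, then moved off it so Pi-hole and BIND can share the host), here is an added pre-flight check, not part of the original post or of cloudflared itself, that reads a config and flags a listener left on a reserved port, a non-loopback listener, or a non-HTTPS upstream. The sample configs are constructed from the one shown above; 5053 is just an assumed replacement port, and the tiny parser only understands the flat key/value-plus-list layout used here.

```python
"""Sanity-check a cloudflared proxy-dns config before (re)starting the service."""

# Constructed sample: the config from this post as first written (listens on 53).
CONFIG_BEFORE = """\
logfile: /var/log/cloudflared.log
proxy-dns: true
proxy-dns-address: 127.0.0.1
proxy-dns-port: 53
proxy-dns-upstream:
  - https://1.1.1.1/dns-query
  - https://1.0.0.1/dns-query
"""

# Constructed sample: the same config moved off port 53 (5053 is an assumed value).
CONFIG_AFTER = CONFIG_BEFORE.replace("proxy-dns-port: 53", "proxy-dns-port: 5053")


def parse_config(text: str) -> dict:
    """Minimal reader for the flat 'key: value' plus '- item' layout above (not full YAML)."""
    cfg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and current:      # list entry under the last key seen
            cfg.setdefault(current, []).append(line[2:].strip())
            continue
        key, _, value = line.partition(":")          # split on the first colon only
        current = key.strip()
        if value.strip():
            cfg[current] = value.strip()
    return cfg


def check_config(text: str, reserved_ports=(53,)) -> list:
    """Return findings as strings; an empty list means the config is safe to start."""
    cfg = parse_config(text)
    findings = []
    if cfg.get("proxy-dns") != "true":
        findings.append("proxy-dns is not enabled")
    addr = cfg.get("proxy-dns-address", "")
    if not (addr.startswith("127.") or addr == "::1"):
        findings.append(f"listener {addr!r} is not loopback; the network could reach it")
    port = cfg.get("proxy-dns-port")
    if port and int(port) in reserved_ports:
        findings.append(f"port {port} is reserved for another service on this host")
    upstreams = cfg.get("proxy-dns-upstream", [])
    if not upstreams:
        findings.append("no proxy-dns-upstream configured")
    for url in upstreams:
        if not url.startswith("https://"):
            findings.append(f"upstream {url} is not HTTPS; queries would leave in the clear")
    return findings
```

Run it against the file before the restart step; a non-empty list is a reason not to issue systemctl restart cloudflared yet.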
Now that you’re done with Part 1, you can continue to Part 2: Pi-Hole