Link Search Menu Expand Document

DNS over HTTPS

Table of contents

Install Tunnel for arm-64

wget -O cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64
sudo mv cloudflared /usr/local/bin
sudo chmod +x /usr/local/bin/cloudflared
cloudflared -v

User and permission for cloudflared

sudo useradd -s /usr/sbin/nologin -r -M cloudflared
    # To Create a cloudflared user to run the daemon
sudo nano /etc/default/cloudflared
    # Proceed to create a configuration file for cloudflared

Run cloudflared on start

  • Add below to file: /etc/default/cloudflared, This file contains the command-line options that get passed to cloudflared on startup
CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
        # Command-line args for cloudflared, using Cloudflare DNS
  • Update the permissions for the configuration file and cloudflared binary to allow access for the cloudflared user
sudo chown cloudflared:cloudflared /etc/default/cloudflared
sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared
  • Run ls -la /usr/local/bin/cloudflared to check the permission

System configuration on cloudflared.service

  • Create systemd script
sudo nano /etc/systemd/system/cloudflared.service
  • Add below to this cloudflared.service file, this will control the running of the service and allow it to run on startup:
[Unit]
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target

[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target

Run cloudflared daemon

  • Enable the systemd service to run on startup, then start the service and check its status:
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
sudo systemctl status cloudflared

Create a config.yml

sudo mkdir /etc/cloudflared/
sudo nano /etc/cloudflared/config.yml
  • Add below to the config.yml file
proxy-dns: true
proxy-dns-port: 5053
proxy-dns-upstream:
  - https://1.1.1.1/dns-query
  - https://1.0.0.1/dns-query
  # Uncomment following if you want to also want to use IPv6 for  external DOH lookups
  #- https://[2606:4700:4700::1111]/dns-query
  #- https://[2606:4700:4700::1001]/dns-query
  • Reload systemctl daemon-reload

Install cloudflared.service

sudo cloudflared service install
sudo systemctl start cloudflared
sudo systemctl status cloudflared

Test DoH

dig 127.0.0.1 -p 5053 google.com

    ; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> @127.0.0.1 -p 5053 google.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12157
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 22179adb227cd67b (echoed)
    ;; QUESTION SECTION:
    ;google.com.                    IN      A
    ;; ANSWER SECTION:
    google.com.             191     IN      A       172.217.22.14
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#5053(127.0.0.1)
    ;; WHEN: Wed Dec 04 09:29:50 EET 2019
    ;; MSG SIZE  rcvd: 77

Check

  • Run ip -c address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
    valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether dc:a6:32:c7:18:d1 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether dc:a6:32:c7:18:d3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.25/24 brd 192.168.0.255 scope global dynamic wlan0
    valid_lft 75907sec preferred_lft 75907sec
    inet6 fe80::dea6:32ff:fec7:18d3/64 scope link 
    valid_lft forever preferred_lft forever
  • Run nslookup -port=5053 example.com 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#5053

Non-authoritative answer:
Name:   example.com
Address: 93.184.216.34
Name:   example.com
Address: 2606:2800:220:1:248:1893:25c8:1946