Cloudflared DNS over HTTPS (DoH) and Pi-Hole

(Using the new WordPress Editor and I am not sure I like it – in fact I hate it.  Gone back via the ‘Classic Editor’ plugin)

Background

I have been following Troy Hunt and Scott Helme, two well-known security experts, and decided to try and employ DNS over HTTPS (DoH).

I already had Pi-Hole installed on a DietPi VM (my favoured building block) so the logical thing was to put the cloudflared daemon on the same machine.

I used a combination of the following 3 references

Installation & Configuration

The first step is to install the cloudflared package.

To check that it is installed correctly;

The next step is to configure the package. There are two ways of providing a configuration to cloudflared: a config file or a YAML file. I did not find the YAML method before I did the config. I may change it at some point.

To setup the config file, create the following file

With this content

Setup a Service

Once configured, the next step is to run cloudflared as a service.  Create the required file;

and insert the following text;

Note that I have commented out the reference to the user, as this is DietPi and I simply run everything as root.

Once the file has been created, enable the service and start it;

To check that the service is running;

should return something like this

To test whether this is working, use this command;

The final piece of the puzzle is to get Pi-Hole to use this for its DNS queries. This is quite easy to do: add 127.0.0.1#5053 as a custom upstream DNS server in the Pi-Hole settings, and untick the other upstream servers so that Pi-Hole does not fall back to plain port-53 DNS.
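The whole procedure above (unit file, enabling the service, a test query, and the upstream Pi-Hole points at) as one added example. This is not the post's own config or unit file, which are not reproduced here; it assumes the binary is at /usr/local/bin/cloudflared, runs the proxy as a dedicated system user called cloudflared rather than root, uses the proxy-dns subcommand with its --address, --port and --upstream flags, and uses Cloudflare's 1.1.1.1 and 1.0.0.1 DoH endpoints as upstreams.

```shell
#!/bin/sh
# Added example, not the post's own files. Renders and installs a systemd unit
# that runs "cloudflared proxy-dns" on 127.0.0.1:5053 for Pi-hole to use.
# Assumptions: binary at /usr/local/bin/cloudflared, a dedicated system user
# "cloudflared" instead of root, Cloudflare's public DoH endpoints as upstreams.

CF_BIN=/usr/local/bin/cloudflared   # assumed install path
CF_USER=cloudflared                 # assumed unprivileged service account
CF_PORT=5053                        # the port Pi-hole is pointed at (127.0.0.1#5053)
CF_UPSTREAMS="https://1.1.1.1/dns-query https://1.0.0.1/dns-query"

# ExecStart line; $1 is the bind address (default: loopback only).
cf_exec_start() {
    addr=${1:-127.0.0.1}
    ups=""
    for u in $CF_UPSTREAMS; do ups="$ups --upstream $u"; done
    printf '%s proxy-dns --address %s --port %s%s\n' "$CF_BIN" "$addr" "$CF_PORT" "$ups"
}

# Full unit file on stdout; $1 is passed through to cf_exec_start.
cf_unit() {
    cat <<EOF
[Unit]
Description=cloudflared DNS over HTTPS proxy for Pi-hole
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=$CF_USER
ExecStart=$(cf_exec_start "$1")
Restart=on-failure
RestartSec=5
# Hardening: the proxy needs no writable filesystem and no extra privileges.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Create the service user, write the unit, enable and start it (run as root).
cf_install() {
    id -u "$CF_USER" >/dev/null 2>&1 ||
        useradd --system --no-create-home --shell /usr/sbin/nologin "$CF_USER"
    cf_unit "${1:-127.0.0.1}" > /etc/systemd/system/cloudflared.service
    systemctl daemon-reload
    systemctl enable --now cloudflared
    systemctl --no-pager status cloudflared
}

# Resolve through the proxy and confirm an A record comes back (exit 0/1).
cf_check() {
    dig +short @127.0.0.1 -p "$CF_PORT" cloudflare.com A |
        grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# Show that upstream traffic really is HTTPS (TCP 443), not plain port 53.
cf_upstream_conns() {
    ss -tnp | grep -E ':443 +.*cloudflared'
}

case "${1:-}" in
    unit)    cf_unit "${2:-127.0.0.1}" ;;
    install) cf_install "${2:-127.0.0.1}" ;;
    check)   cf_check && cf_upstream_conns ;;
esac
```

Run `sh cloudflared-doh.sh unit` to preview the unit, `sudo sh cloudflared-doh.sh install` to create the user and start the service, and `sh cloudflared-doh.sh check` once it is up: the first part fails if no answer comes back on port 5053, and the second lists the established connections to the upstreams on port 443, which is the evidence that the queries left the box over HTTPS. The Pi-Hole side is still done in the web interface by entering 127.0.0.1#5053 as the custom upstream.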

Change the Listener IP Address

There is one final thing. Because of the way I wanted to set up my network, some devices bypass Pi-Hole but I still wanted their DNS queries to go via DoH. To do that I wanted to point those machines' DNS directly at the IP address of the machine hosting the cloudflared daemon. However, it didn't work. After some discussion on the forum and looking at the output of netstat -lnp, I established that cloudflared was only listening on the loopback interface (127.0.0.1).

The solution was to add an --address 0.0.0.0 parameter to the config line. Binding to 0.0.0.0 makes the resolver answer any host that can reach port 5053, so make sure the machine is not reachable from the Internet on that port (or firewall it to your LAN); otherwise you are running an open resolver.

While the netstat output still does not look like that of a service such as lighttpd, it does work.
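The diagnosis and the fix from this section as an added example, not from the original post. It parses netstat -lnp output (two constructed samples, before and after the change, are embedded) to say whether the cloudflared socket is loopback-only or reachable from the LAN, shows the ExecStart line with --address 0.0.0.0, and adds an iptables rule that limits the now-exposed port to the LAN. Port 5053, the LAN range 192.168.1.0/24, the binary path and the upstream URLs are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `netstat -lnp` output and
# reports whether the cloudflared listener is loopback-only or LAN-reachable,
# then applies the fix the post describes (--address 0.0.0.0) together with a
# firewall rule so the resolver is not open to everything that can route to it.
# Assumptions: port 5053, LAN 192.168.1.0/24, binary at /usr/local/bin/cloudflared.

CF_PORT=5053
LAN_CIDR=192.168.1.0/24   # assumed LAN range

# Constructed sample of `netstat -lnp` before the change: only 127.0.0.1 bound.
NETSTAT_LOOPBACK='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      412/lighttpd
tcp        0      0 127.0.0.1:5053          0.0.0.0:*               LISTEN      987/cloudflared
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           987/cloudflared'

# Constructed sample after adding --address 0.0.0.0 to the ExecStart line.
NETSTAT_ALL='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      412/lighttpd
tcp        0      0 0.0.0.0:5053            0.0.0.0:*               LISTEN      987/cloudflared
udp        0      0 0.0.0.0:5053            0.0.0.0:*                           987/cloudflared'

# netstat text on stdin -> one "proto addr scope" line per socket on port $1.
# The port is split off the end of the Local Address column, so IPv6 forms
# such as :::5053 are handled as well.
listen_scope() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")
            if (a[n] != port) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "::1") scope = "loopback"
            else if (addr == "0.0.0.0" || addr == "::" || addr == "*") scope = "all"
            else scope = "specific"
            print $1, addr, scope
        }'
}

# Exit 0 if any socket on port $1 would answer other hosts, 1 if loopback only.
lan_reachable() {
    listen_scope "$1" | awk '$3 != "loopback" { found = 1 } END { exit !found }'
}

# The fix from the post: bind on all interfaces by editing ExecStart in the unit.
CF_EXEC_ALL='/usr/local/bin/cloudflared proxy-dns --address 0.0.0.0 --port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query'

# 0.0.0.0 answers anyone who can reach the port, so accept the LAN and drop the
# rest (run as root; persist with iptables-persistent or your distro's equivalent).
restrict_to_lan() {
    for proto in udp tcp; do
        iptables -A INPUT -p "$proto" --dport "$CF_PORT" -s "$LAN_CIDR" -j ACCEPT
        iptables -A INPUT -p "$proto" --dport "$CF_PORT" -j DROP
    done
}

# demo: run the parser over both samples; live: check the real host;
# firewall: apply the LAN restriction. From another LAN machine, confirm with
#   dig @<pi-hole-ip> -p 5053 example.com
case "${1:-}" in
    demo)     printf '%s\n' "$NETSTAT_LOOPBACK" | listen_scope "$CF_PORT"
              printf '%s\n' "$NETSTAT_ALL" | listen_scope "$CF_PORT" ;;
    live)     netstat -lnp 2>/dev/null | listen_scope "$CF_PORT" ;;
    firewall) restrict_to_lan ;;
esac
```

`sh listener-check.sh demo` prints two loopback lines for the first sample and two all-interface lines for the second; `sh listener-check.sh live` on the Pi-Hole host tells you which state the running daemon is in, which is quicker than reading the raw netstat table. The same parser also shows why lighttpd looks different: it is bound on 0.0.0.0:80, which is what a LAN-reachable service is expected to show.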

This entry was posted in DietPi, Linux, Pi-Hole, Technical - General.
