(Using the new WordPress Editor and I am not sure I like it – in fact I hate it. Gone back via the ‘Classic Editor’ plugin)
Background
I have been following Troy Hunt and Scott Helme, two well-known security experts, and decided to try to employ DNS over HTTPS (DoH).
I already had Pi-Hole installed on a DietPi VM (my favoured building block), so the logical thing was to put the cloudflared daemon on the same machine.
I used a combination of the following three references:
- https://docs.pi-hole.net/guides/dns-over-https/
- https://scotthelme.co.uk/securing-dns-across-all-of-my-devices-with-pihole-dns-over-https-1-1-1-1/
- https://developers.cloudflare.com/1.1.1.1/dns-over-https/cloudflared-proxy/
Installation & Configuration
The first step is to install the cloudflared package:

```bash
wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb
apt-get install ./cloudflared-stable-linux-amd64.deb
```

To check it is installed correctly:

```bash
cloudflared -v
```
The next step is to configure the package correctly. There are two ways of providing a configuration to cloudflared: an options file (read by the service as environment variables) or a YAML file. I did not find the YAML method before I had done the options file. I may change it at some point.
To set up the options file, create the following file:

```bash
nano /etc/default/cloudflared
```

with this content:

```ini
# Commandline args for cloudflared
CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
```
Setup a Service
Once configured, the next step is to run cloudflared as a service. Create the required file:

```bash
nano /lib/systemd/system/cloudflared.service
```

and insert the following text:

```ini
[Unit]
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target

[Service]
Type=simple
#User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target
```
Note that I have commented out the reference to the user, as this is DietPi and I simply run everything as root.
Once the file has been created, enable the service and start it:

```bash
systemctl enable cloudflared --now
```

To check that the service is running:

```bash
systemctl status cloudflared.service
```

should return something like this:

```text
● cloudflared.service - cloudflared DNS over HTTPS proxy
   Loaded: loaded (/lib/systemd/system/cloudflared.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-02-03 19:59:29 GMT; 3s ago
 Main PID: 58716 (cloudflared)
    Tasks: 7 (limit: 9830)
   CGroup: /system.slice/cloudflared.service
           └─58716 /usr/local/bin/cloudflared proxy-dns --port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query --address 0.0.0.0

Feb 03 19:59:29 DietPi-PiHole systemd[1]: Started cloudflared DNS over HTTPS proxy.
Feb 03 19:59:29 DietPi-PiHole cloudflared[58716]: time="2019-02-03T19:59:29Z" level=info msg="Adding DNS upstream" url="https://1.1.1.1/dns-query"
Feb 03 19:59:29 DietPi-PiHole cloudflared[58716]: time="2019-02-03T19:59:29Z" level=info msg="Adding DNS upstream" url="https://1.0.0.1/dns-query"
Feb 03 19:59:29 DietPi-PiHole cloudflared[58716]: time="2019-02-03T19:59:29Z" level=info msg="Starting DNS over HTTPS proxy server" addr="dns://0.0.0.0:5053"
Feb 03 19:59:29 DietPi-PiHole cloudflared[58716]: time="2019-02-03T19:59:29Z" level=info msg="Starting metrics server" addr="127.0.0.1:39623"
```
To test whether this is working, use this command:

```bash
dig @127.0.0.1 -p 5053 google.com
```

which should return something like this:

```text
; <<>> DiG 9.10.3-P4-Debian <<>> @127.0.0.1 -p 5053 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49941
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		118	IN	A	216.58.206.110

;; Query time: 20 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Sun Feb 03 20:02:29 GMT 2019
;; MSG SIZE  rcvd: 65
```

The final piece of the puzzle is to get Pi-Hole to use this for its DNS queries. This is quite easy to do: simply add 127.0.0.1#5053 as the custom DNS entry in the Pi-Hole settings.
Change the Listener IP Address
There is one final thing. Because of the way I wanted to set my network up, some devices bypass Pi-Hole, but I still wanted their DNS queries to go via DoH. To do that I wanted to point those machines' DNS directly at the IP address hosting the cloudflared daemon. However, it didn't work. After some discussion on the forum and looking at the output of netstat -lnp, I established that cloudflared was only listening on the loopback interface (127.0.0.1).
The solution was to add an --address 0.0.0.0 parameter to the config line:

```ini
CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query --address 0.0.0.0
```

While the output of the netstat command still does not look like it does for a service such as lighttpd, it does work.
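The two things this post ends on, that the proxy actually answers queries and which address it is bound to, are worth checking in one go, so here is a small POSIX sh helper added as an example. It is not code from the post, from Pi-hole or from Cloudflare. It assumes the layout above (cloudflared proxy-dns on port 5053, tested with dig against 127.0.0.1) and, when run with --live, that ss or netstat and dig are installed; without --live it exercises the same functions on hand-written netstat lines and on the dig output shown earlier, so it can be read and tried offline. The reason for the bind check: with --address 0.0.0.0 every host that can reach the box, not only the devices you had in mind, can use it as a resolver, so the script flags an all-interfaces binding and points at --address with a specific LAN IP or a firewall rule as the way to narrow it.

```shell
#!/bin/sh
# Added verification helper for the setup in this post (not from the post, Pi-hole or Cloudflare).
# Assumes cloudflared proxy-dns listens on port 5053 as configured above.
# Usage:  sh check_doh.sh --live   (inspect this host)
#         sh check_doh.sh          (run the checks on the constructed samples below)

DOH_PORT=5053

# listen_scope: reads `netstat -lnp` or `ss -lnp` output on stdin and prints what the
# listener on $DOH_PORT is bound to:
#   loopback -> 127.0.0.1 / ::1 only (reachable from this host alone)
#   all      -> 0.0.0.0 / :: / * (reachable on every interface, i.e. the whole LAN)
#   <ip>     -> one specific address (what --address <LAN IP> gives you)
#   none     -> nothing listening on that port
# When both a tcp and a udp socket exist, the widest binding wins.
listen_scope() {
    awk -v port="$DOH_PORT" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ (":" port "$")) {
                    host = $i
                    sub(/:[0-9]+$/, "", host)
                    if (host == "0.0.0.0" || host == "::" || host == "[::]" || host == "*") rank = 3
                    else if (host == "127.0.0.1" || host == "::1" || host == "[::1]") rank = 1
                    else rank = 2
                    if (rank > best) { best = rank; found = host }
                }
            }
        }
        END {
            if (best == 3) print "all"
            else if (best == 2) print found
            else if (best == 1) print "loopback"
            else print "none"
        }'
}

# dig_ok: reads dig output on stdin; succeeds only when the header says NOERROR and the
# flags line reports at least one ANSWER record (NOERROR with zero answers means the
# proxy replied but resolved nothing, which is still a failed test).
dig_ok() {
    awk '
        /->>HEADER<<-/ && /status: NOERROR/ { ok = 1 }
        /^;; flags:/ && match($0, /ANSWER: [0-9]+/) {
            answers = substr($0, RSTART + 8, RLENGTH - 8) + 0
        }
        END { exit (ok && answers > 0) ? 0 : 1 }'
}

# live_report: the real check for the Pi-hole host; needs ss or netstat, and dig.
live_report() {
    if command -v ss >/dev/null 2>&1; then sockets=$(ss -lnp); else sockets=$(netstat -lnp); fi
    scope=$(printf '%s\n' "$sockets" | listen_scope)
    echo "cloudflared listener on port $DOH_PORT: $scope"
    if [ "$scope" = "all" ]; then
        echo "note: bound on every interface; use --address <LAN IP> or a firewall rule if only the LAN should reach it"
    fi
    if dig "@127.0.0.1" -p "$DOH_PORT" google.com | dig_ok; then
        echo "DoH proxy answered the test query"
    else
        echo "DoH proxy test query FAILED" >&2
        return 1
    fi
}

# Constructed samples: the netstat lines are written by hand in netstat -lnp layout;
# the dig lines are the relevant part of the output shown earlier in the post.
SAMPLE_NETSTAT_LOOPBACK='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5053          0.0.0.0:*               LISTEN      58716/cloudflared
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           58716/cloudflared'
SAMPLE_NETSTAT_ALL='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5053            0.0.0.0:*               LISTEN      58716/cloudflared
udp        0      0 0.0.0.0:5053            0.0.0.0:*                           58716/cloudflared'
SAMPLE_DIG=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49941
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
google.com.             118     IN      A       216.58.206.110'

# Small wrappers so a sample can be checked from a string rather than a pipe.
scope_of() { printf '%s\n' "$1" | listen_scope; }
dig_result() { if printf '%s\n' "$1" | dig_ok; then echo ok; else echo fail; fi; }

if [ "${1:-}" = "--live" ]; then
    live_report
else
    echo "loopback-only sample  -> $(scope_of "$SAMPLE_NETSTAT_LOOPBACK")"
    echo "all-interfaces sample -> $(scope_of "$SAMPLE_NETSTAT_ALL")"
    echo "dig output from post  -> $(dig_result "$SAMPLE_DIG")"
fi
```

On the Pi-hole host, `sh check_doh.sh --live` prints `loopback` before the --address change and `all` after it, which is the same fact the netstat output was telling you, just without having to read the columns; if you later move to `--address <LAN IP>`, it prints that address instead.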