Cloudflared DoH proxy

This is a short tutorial on setting up cloudflared to proxy DNS over HTTPS (DoH) for use with services like Pi-hole. Older guides use sudo cloudflared service install --legacy, but the --legacy flag has since been removed.

Download

The first thing that is needed is to install cloudflared (see the install instructions). For Linux-based OSs, I use the cloudflared package repo as it makes updating easier.

If you want to install it manually, you can use the following commands. Note the architecture you are installing on and adjust the filename as needed. See the releases for a full list of supported architectures.

wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
sudo apt-get install ./cloudflared-linux-amd64.deb
cloudflared -v

Setup

Copy the below text and save it to /etc/systemd/system/cloudflared-doh.service

[Unit]
Description=cloudflared DNS over HTTPS proxy
After=network-online.target

[Service]
TimeoutStartSec=0
Type=notify
ExecStart=/usr/local/bin/cloudflared --no-autoupdate proxy-dns --port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target

Note

You can change the upstream servers to others such as Google's https://8.8.8.8/dns-query or Cloudflare's Zero Trust Gateway DNS servers.

Config file

If you want to put your cloudflared options in a config file instead, run the following commands

sudo mkdir /etc/cloudflared/
sudo nano /etc/cloudflared/config.yml

and paste

proxy-dns: true
proxy-dns-port: 5053
proxy-dns-upstream:
  - https://1.1.1.1/dns-query
  - https://1.0.0.1/dns-query

You will then need to change the ExecStart line in the service file to:

ExecStart=/usr/local/bin/cloudflared --no-autoupdate --config /etc/cloudflared/config.yml

After the service file has been added, run the following to enable it and start it on boot:

sudo systemctl daemon-reload
sudo systemctl enable --now cloudflared-doh.service

Make sure that the service is healthy (the unit is named cloudflared-doh, matching the file created above):

sudo systemctl status cloudflared-doh

Test that DNS is resolving:

dig @127.0.0.1 -p 5053 google.com
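The two checks above can be wrapped in a small health-check script, useful for a cron job or for monitoring a Pi-hole's upstream. This is an added example, not part of the original tutorial; it assumes the unit name cloudflared-doh.service and port 5053 used above, and the hypothetical test name cloudflare.com.

```shell
#!/bin/sh
# Health check for the cloudflared DoH proxy set up in this tutorial.
# Added example: assumes the unit name and port from the service file above.
UNIT="cloudflared-doh.service"
PORT=5053
TEST_NAME="cloudflare.com"   # hypothetical name to resolve

# Read dig output on stdin and print "STATUS ANSWERS", e.g. "NOERROR 2".
# Returns 1 when no dig header is present (timeout, connection refused).
parse_dig_output() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
  [ -n "$status" ] || return 1
  printf '%s %s\n' "$status" "${answers:-0}"
}

# Succeed only when the proxy returned NOERROR with at least one record.
# A SERVFAIL here usually means the upstream DoH endpoint is unreachable.
dig_is_healthy() {
  result=$(parse_dig_output) || return 1
  set -- $result
  [ "$1" = "NOERROR" ] && [ "$2" -gt 0 ]
}

# Live check: unit active and the local listener answering on 127.0.0.1:PORT.
check_proxy() {
  if ! systemctl is-active --quiet "$UNIT"; then
    echo "FAIL: $UNIT is not active" >&2
    return 1
  fi
  if ! dig @127.0.0.1 -p "$PORT" +time=3 +tries=1 "$TEST_NAME" | dig_is_healthy; then
    echo "FAIL: no NOERROR answer for $TEST_NAME from 127.0.0.1:$PORT" >&2
    return 1
  fi
  echo "OK: $UNIT active and resolving $TEST_NAME on port $PORT"
}

# Run the live check only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
  check_proxy
fi
```

Run it as sh check-doh.sh --run; a non-zero exit means either the unit is down or the proxy is up but not resolving, which is the case to alert on.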

Running with Docker

If you want to use Docker to run the proxy, you can use Cloudflare's image or a community-maintained image.

To run:

docker run -d -p 53:53/udp --name cloudflared-doh <cloudflared/image> proxy-dns

If you want to set upstream servers (the default is Cloudflare), append --upstream <upstream> to the end of the command.