G+_Travis Hershberger Posted April 15, 2018

I've been spinning up a lot of PiHole DNS servers using CloudFlare's new DNS-over-HTTPS service. Thought some of you might be interested.

The Debian/Raspbian side of things has already been done, ref: https://bendews.com/posts/implement-dns-over-https/

I normally work in Fedora, so I've written some instructions for the PiHole software installed on it.

Download Cloudflared:
    wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.rpm

Install the downloaded rpm file:
    sudo dnf -y localinstall ./cloudflared-stable-linux-amd64.rpm

Add a user for cloudflared to run as:
    sudo useradd -s /usr/sbin/nologin -r -M cloudflared

Change the executable ownership:
    sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared

Create /etc/default/cloudflared:
    sudo nano /etc/default/cloudflared

    # Commandline args for cloudflared
    CLOUDFLARED_OPTS=--proxy-dns=true --proxy-dns-upstream https://1.1.1.1/dns-query --proxy-dns-upstream https://1.0.0.1/dns-query --proxy-dns-port 5053

Change ownership on /etc/default/cloudflared to cloudflared:
    sudo chown cloudflared:cloudflared /etc/default/cloudflared

Create /lib/systemd/system/cloudflared.service:
    sudo nano /lib/systemd/system/cloudflared.service

    [Unit]
    Description=cloudflared DNS over HTTPS proxy
    Wants=network-online.target
    After=syslog.target network-online.target

    [Service]
    Type=simple
    User=cloudflared
    EnvironmentFile=/etc/default/cloudflared
    ExecStart=/usr/local/bin/cloudflared $CLOUDFLARED_OPTS
    Restart=on-failure
    RestartSec=10
    KillMode=process

    [Install]
    WantedBy=multi-user.target

Enable, start, and check that cloudflared is running:
    sudo systemctl enable cloudflared
    sudo systemctl start cloudflared
    sudo systemctl status cloudflared

Check that the cloudflared service is working:
    dig @127.0.0.1 -p 5053 google.com

It should look something like:

    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.0.1 -p 5053 google.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65181
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1536
    ;; QUESTION SECTION:
    ;google.com.            IN      A

    ;; ANSWER SECTION:
    google.com.     299     IN      A       243.65.127.221

    ;; Query time: 3 msec
    ;; SERVER: 127.0.0.1#5053(127.0.0.1)
    ;; MSG SIZE  rcvd: 65

Edit /etc/dnsmasq.d/01-pihole.conf. Comment out, with a # at the beginning of the line, any existing 'server=' lines:
    sudo sed -i 's/^server=/#server=/' /etc/dnsmasq.d/01-pihole.conf

Add a line containing 'server=127.0.0.1#5053' as the last line of /etc/dnsmasq.d/01-pihole.conf:
    echo "server=127.0.0.1#5053" | sudo tee -a /etc/dnsmasq.d/01-pihole.conf

Restart the pihole-FTL service:
    sudo systemctl restart pihole-FTL.service

Your PiHole install is now using CloudFlare's DNS over HTTPS.

From my blog page: https://www.travisdh1.net/node/4

Also wrote a script that's available on my github site: https://github.com/travisdh1/FedPiHSecDNS

Hope at least some of you find this useful!
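The two dnsmasq edits in the post (sed to comment out the old upstreams, echo to append the cloudflared forwarder) leave a duplicate "server=" line every time they are re-run, and the unit file as posted runs the proxy with no systemd sandboxing. The script below is an added example, not code from the post, from Pi-hole or from Cloudflare: it makes the dnsmasq edit idempotent, keeps a dig-based liveness check equivalent to the one in the post, and writes a unit file with correctly cased section names plus sandboxing directives. File paths are passed as arguments so it can be demonstrated on constructed files; the real targets (/etc/dnsmasq.d/01-pihole.conf, /lib/systemd/system/cloudflared.service) and the assumption that cloudflared in --proxy-dns mode needs nothing but the network are stated in the comments.

```shell
#!/bin/sh
# Added example, not part of the original post or of Pi-hole/cloudflared.
# Idempotent versions of the two config edits from the post plus a sandboxed
# unit file. Paths are passed as arguments so the demo runs against
# constructed files; on a real Pi-hole host they would be
# /etc/dnsmasq.d/01-pihole.conf and /lib/systemd/system/cloudflared.service
# (and the script would run as root there).
set -eu

# Comment out every active "server=" line in a dnsmasq conf and make sure
# exactly one forwarder line pointing at the local cloudflared proxy is
# present. Re-running this does not add a duplicate line, and only lines that
# start with "server=" are touched. dnsmasq separates the address from the
# port with '#', so the default upstream is 127.0.0.1#5053.
point_dnsmasq_at_doh() {
    conf="$1"
    upstream="${2:-127.0.0.1#5053}"
    tmp="$conf.tmp.$$"
    awk -v keep="server=$upstream" '
        $0 == keep               { seen = 1 }            # forwarder already present, keep it active
        $0 != keep && /^server=/ { print "#" $0; next }  # disable any other upstream
                                 { print }
        END                      { if (!seen) print keep }  # append the forwarder once
    ' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Print the active (uncommented) server= lines of a dnsmasq conf, if any.
active_servers() {
    grep '^server=' "$1" || true
}

# Live check equivalent to the dig test in the post: succeeds only if the
# proxy on the given port returns an answer. Needs the network and dig, so the
# offline demo below does not call it.
doh_proxy_answers() {
    port="${1:-5053}"
    dig @127.0.0.1 -p "$port" +short +time=3 +tries=1 example.com | grep -q .
}

# Write a unit file with correctly cased section names ([Unit]/[Service]/
# [Install] are case-sensitive) and systemd sandboxing. The proxy listens on
# an unprivileged port and only needs the network, so it keeps no capabilities
# and sees a read-only filesystem (assumption: the cloudflared build in use
# writes nothing to disk in --proxy-dns mode).
write_cloudflared_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=cloudflared DNS over HTTPS proxy
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
NoNewPrivileges=true
CapabilityBoundingSet=
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6

[Install]
WantedBy=multi-user.target
EOF
}

# Demo on constructed files (not a real Pi-hole config).
demo_dir=$(mktemp -d)
printf 'server=8.8.8.8\nserver=8.8.4.4\ncache-size=10000\nlocal-service\n' > "$demo_dir/01-pihole.conf"
point_dnsmasq_at_doh "$demo_dir/01-pihole.conf"
point_dnsmasq_at_doh "$demo_dir/01-pihole.conf"   # second run is a no-op
cat "$demo_dir/01-pihole.conf"
write_cloudflared_unit "$demo_dir/cloudflared.service"
rm -rf "$demo_dir"
```

After the unit is installed, `systemd-analyze security cloudflared.service` shows which exposure the sandboxing directives removed; if the proxy fails to start under ProtectSystem=strict, check `journalctl -u cloudflared` for the path it tried to write and add a ReadWritePaths= entry for that path only.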
G+_Ben Reese Posted April 15, 2018

Very cool! I've been using OpenDNS in conjunction with Pihole to protect the family, but I like the idea of using 1.1.1.1 with Pihole for privacy.