Configure Ubuntu Pi-hole for Cloudflare DNS over HTTPS

I installed OpenVPN VPN solutions on Ubuntu for my businesses to secure all data communications. I also set up Pin-hole ad blocker on Ubuntu server along with OpenVPN. How do I force Pi-hole to use Cloudflare DNS over HTTPS (DoH) to increase my privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks?

Pi-hole is a free and open source software to block Internet ads and tracking domains. The most significant advantage is ad blocking on all devices on the network from your smartphone to your tablets including all desktop computers and apps. This page shows how to configure Cloudflare DNS over HTTPS service along with Pi-Hole server running on Ubuntu Linux 18.04 LTS.


Pi-hole DNS over HTTPS

DNS over HTTPS (DoH) is a protocol for DNS resolution through the HTTPS protocol. DoH increase your user’s privacy and security and help prevent manipulation of DNS.

How to configure Pi-hole for Cloudflare DNS

Naturally, you must set up and configure OpenVPN Server on Ubuntu and Pi-hole on Ubuntu Linux 18.04 LTS.

Download Cloudflared

There are numerous DNS over HTTPS (DoH) clients you can use to connect to Cloudflare DNS server IP address and We are going to use Cloudflared by downloading .deb package for Ubuntu. Type the following wget command:
cd /tmp

How to configuring DNS-Over-HTTPS on Pi-hole

Install Cloudflared

Installing cloudflared is comfortable job with the help of apt command or apt-get command:
$ sudo apt install ./cloudflared-stable-linux-amd64.deb
Verify installation, run:
cloudflared --version
Securing DNS with Pi-Hole and Cloudflare DNS over HTTPS

How to add a new Ubuntu Linux user for cloudflared

In order to configuring cloudflared to run on startup, first add a new Linux user named cloudflared using the useradd command:
sudo useradd -r -M -s /usr/sbin/nologin -c "Cloudflared user" cloudflared
Verify that user has been created with the help of grep command and /etc/passwd:
grep '^cloudflared' /etc/passwd
Alternatively, one can use the id command as well on Ubuntu to verify cloudflared user account:
id cloudflared
Lock down the Linux account named cloudflared:
sudo passwd -l cloudflared
sudo chage -E 0 cloudflared

You can see account aging information, run chage command:
sudo chage -l cloudflared
Setup Pihole for Cloudflare DNS over HTTPS

How to configuring cloudflared dns

Create a file named /etc/default/cloudflared as follows using text editor such as vim command or nano command:
sudo vi /etc/default/cloudflared
Append the following text:

## args for cloudflared ##
## 5353 is localhost:5353. This is where dns queries are sent by pi-hole ##
## and are Cloudflare DNS servers ##
CLOUDFLARED_OPTS=--port 5353 --upstream --upstream

Save and close the file in vim.
Set up permission using chown command:
sudo chown -v cloudflared:cloudflared /usr/local/bin/cloudflared /etc/default/cloudflared
Sample outputs:

changed ownership of '/usr/local/bin/cloudflared' from root:root to cloudflared:cloudflared
changed ownership of '/etc/default/cloudflared' from root:root to cloudflared:cloudflared

How to create systemd startup script for Cloudflared

Type the following command:
sudo vi /lib/systemd/system/cloudflared.service
Append the following config:

Description=cloudflared DoH proxy
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS

Enable and start the cloudflared service

Run the following systemctl command:
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
echo $?
sudo systemctl status cloudflared

Pi-hole for Cloudflare DNS running on Ubuntu 18.04 LTS
Save and exit from the vim.

Verify that cloudflared working

Run the dig command or host command as follows to test Cloduflare DoH proxy:
dig -p 5353 @
Configure Ubuntu Pi-hole for Cloudflare DNS over HTTPS verification
Another option is to check and find out if the TCP/UDP port 5353 working using the nmap command:
sudo nmap -Pn -sT -sU -p 5353
Sample outputs:

Starting Nmap 7.60 ( ) at 2020-04-08 13:55 UTC
Nmap scan report for localhost (
Host is up (0.00013s latency).
5353/tcp open          rlm
5353/udp open|filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 2.05 seconds

Configure Ubuntu Pi-hole for Cloudflare DNS over HTTPS

Now, everything is set up and running. Hence, it is time to configure Pi-hole to use the local cloudflared service running on port 5353. Fire the web browser and type the pi-hole admin url as per your setup. In my case my OpenVPN and pi-hole running on, hence I type:

Pi-hole DNS over HTTPS using cloudflare DoH

Click to enlarge image

Click on the Settings > DNS > Choose Custom 1 (IPv4) under Upstream DNS Servers and enter “” > Scroll down and click on the Save button.

How do I upgrade cloudflard?

Download the latest version from the url and install it as follows:
$ cloudflared --version
cloudflared version 2020.8.2 (built 2020-08-20-1712 UTC)
$ cd /tmp
$ wget
$ sudo apt install ./cloudflared-stable-linux-amd64.deb
$ sudo systemctl restart cloudflared
$ cloudflared --version
cloudflared version 2020.8.2 (built 2020-08-20-1712 UTC)


This page explained DoH, and you learned how to implement DNS-Over-HTTPS on PiHole. For more information see this page here and here.

🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
CategoryList of Unix and Linux commands
File Managementcat
FirewallCentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNCentOS 8 Debian 10 Firewall Ubuntu 20.04

0 comments… add one

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.