Pi-hole is free and open source software that blocks Internet ads and tracking domains. Its most significant advantage is ad blocking on all devices on the network, from smartphones and tablets to desktop computers and apps. This page shows how to configure the Cloudflare DNS over HTTPS service along with a Pi-hole server running on Ubuntu Linux 18.04 LTS.
Pi-hole DNS over HTTPS
DNS over HTTPS (DoH) is a protocol for DNS resolution through the HTTPS protocol. DoH increases your users' privacy and security and helps prevent manipulation of DNS.
How to configure Pi-hole for Cloudflare DNS
Naturally, you must first set up and configure OpenVPN Server on Ubuntu and Pi-hole on Ubuntu Linux 18.04 LTS.
Download Cloudflared
There are numerous DNS over HTTPS (DoH) clients you can use to connect to the Cloudflare DNS servers at IP addresses 1.1.1.1 and 1.0.0.1. We are going to use Cloudflared by downloading the .deb package for Ubuntu. Type the following wget command:
cd /tmp
wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb
Install Cloudflared
Installing cloudflared is easy with the help of the apt command or apt-get command:
$ sudo apt install ./cloudflared-stable-linux-amd64.deb
To verify the installation, run:
cloudflared --version
How to add a new Ubuntu Linux user for cloudflared
To configure cloudflared to run on startup, first add a new Linux user named cloudflared using the useradd command:
sudo useradd -r -M -s /usr/sbin/nologin -c "Cloudflared user" cloudflared
Verify that the user has been created with the help of the grep command and /etc/passwd:
grep '^cloudflared' /etc/passwd
Alternatively, one can use the id command on Ubuntu to verify the cloudflared user account:
id cloudflared
Lock down the Linux account named cloudflared:
sudo passwd -l cloudflared
sudo chage -E 0 cloudflared
To see account aging information, run the chage command:
sudo chage -l cloudflared
How to configure cloudflared DNS
Create a file named /etc/default/cloudflared as follows using a text editor such as the vim command or nano command:
sudo vi /etc/default/cloudflared
Append the following text:
## args for cloudflared ##
## 5353 is localhost:5353. This is where dns queries are sent by pi-hole ##
## 1.1.1.1 and 1.0.0.1 are Cloudflare DNS servers ##
CLOUDFLARED_OPTS=--port 5353 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
Save and close the file in vim.
Set up ownership using the chown command:
sudo chown -v cloudflared:cloudflared /usr/local/bin/cloudflared /etc/default/cloudflared
Sample outputs:
changed ownership of '/usr/local/bin/cloudflared' from root:root to cloudflared:cloudflared
changed ownership of '/etc/default/cloudflared' from root:root to cloudflared:cloudflared
How to create systemd startup script for Cloudflared
Type the following command:
sudo vi /lib/systemd/system/cloudflared.service
Append the following config:
[Unit]
Description=cloudflared DoH proxy
After=syslog.target network-online.target

[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target
Enable and start the cloudflared service
Run the following systemctl commands:
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
echo $?
sudo systemctl status cloudflared
Save and exit from vim.
Verify that cloudflared is working
Run the dig command or host command as follows to test the Cloudflare DoH proxy:
dig -p 5353 www.nixcraft.com @127.0.0.1
Another option is to check whether TCP/UDP port 5353 is working using the nmap command:
sudo nmap -Pn -sT -sU -p 5353 127.0.0.1
Sample outputs:
Starting Nmap 7.60 ( https://nmap.org ) at 2020-04-08 13:55 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).

PORT     STATE         SERVICE
5353/tcp open          rlm
5353/udp open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 2.05 seconds
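Two further checks on this setup, as an added example that is not part of the original tutorial: confirm that every --upstream in /etc/default/cloudflared is an HTTPS URL, and that port 5353 is bound to loopback only, so the proxy is not reachable from other hosts. The function names audit_opts and listener_scope are hypothetical, the sample input is constructed, and --address is assumed to be cloudflared's listen-address option.

```shell
#!/bin/sh
# Added example: offline-testable audit helpers for the cloudflared setup above.

# audit_opts FILE: inspect the CLOUDFLARED_OPTS line of an environment file.
# Prints one line per finding; returns 0 only when nothing is flagged.
audit_opts() {
    opts=$(sed -n 's/^CLOUDFLARED_OPTS=//p' "$1" | tail -n 1 |
           sed 's/\(--[a-z-]*\)=/\1 /g')      # treat --flag=value as --flag value
    [ -n "$opts" ] || { echo "FAIL: no CLOUDFLARED_OPTS in $1"; return 1; }
    rc=0; prev=
    set -f                                    # URLs may contain glob characters
    for word in $opts; do
        case "$prev=$word" in
            --upstream=https://*) ;;
            --upstream=*) echo "FAIL: upstream is not HTTPS: $word"; rc=1 ;;
            --address=127.*|--address=localhost|--address=::1) ;;
            --address=*) echo "FAIL: listener not on loopback: $word"; rc=1 ;;
        esac
        prev=$word
    done
    set +f
    return $rc
}

# listener_scope PORT: read `ss -lntu` output on stdin and report whether PORT
# is bound to loopback only, bound on other addresses, or not bound at all.
listener_scope() {
    awk -v port="$1" '
        { n = split($5, a, ":"); if (a[n] != port) next
          addr = substr($5, 1, length($5) - length(a[n]) - 1)
          if (addr ~ /^127\./ || addr == "[::1]") lo = 1; else ex = 1 }
        END { print (ex ? "exposed" : (lo ? "loopback" : "absent")) }'
}

# Constructed sample input (not captured from a real host).
sample_env=$(mktemp)
cat > "$sample_env" <<'EOF'
## args for cloudflared ##
CLOUDFLARED_OPTS=--port 5353 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
EOF
audit_opts "$sample_env" && echo "OK: options pass the audit"
rm -f "$sample_env"

printf '%s\n' \
    'udp UNCONN 0 0   127.0.0.1:5353 0.0.0.0:*' \
    'tcp LISTEN 0 128 127.0.0.1:5353 0.0.0.0:*' | listener_scope 5353
```

On the Pi-hole host itself, the same functions can be fed live data: `audit_opts /etc/default/cloudflared` and `ss -lntu | listener_scope 5353`.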
Configure Ubuntu Pi-hole for Cloudflare DNS over HTTPS
Now, everything is set up and running. Hence, it is time to configure Pi-hole to use the local cloudflared service running on 127.0.0.1 port 5353. Open the web browser and type the Pi-hole admin URL as per your setup. In my case, OpenVPN and Pi-hole are running on 10.8.0.1, hence I type:
http://10.8.0.1/
How do I upgrade cloudflared?
Download the latest version from the URL and install it as follows:
$ cloudflared --version
cloudflared version 2020.8.2 (built 2020-08-20-1712 UTC)
$ cd /tmp
$ wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb
$ sudo apt install ./cloudflared-stable-linux-amd64.deb
$ sudo systemctl restart cloudflared
$ cloudflared --version
cloudflared version 2020.8.2 (built 2020-08-20-1712 UTC)
Conclusion
This page explained DoH, and you learned how to implement DNS over HTTPS on Pi-hole. For more information see this page here and here.
How to verify that DOH is enabled? I just want to make sure that my pihole is on DOH.
visit https://1.1.1.1/help/
Thanks for this guide! One additional step I had to take on my Pi 2B was to run:
sudo dpkg --add-architecture arm
Raspbian comes with the architecture “armhf” which prevented me from installing cloudflared.
Additionally, I’m running into the following error:
pi@raspberrypi:~ $ sudo systemctl status cloudflared.service
Change port in /etc/default/cloudflared file and restart the service again.