July 5, 2019

DNS-Over-HTTPS on Pi-hole

Encrypting your DNS queries stops anyone on the path between you and the resolver from reading them (tracking) or tampering with the answers (malicious redirects of your traffic).

Securing your DNS with DoH (DNS-Over-HTTPS) is easily done for your whole network if you have a pi-hole installation already up and running.

All we need to do is grab and install Cloudflare's cloudflared daemon, then point our pi-hole at it for DNS queries.

wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz

Then extract the archive we grabbed, move the contents and make it executable.

tar -xvzf cloudflared-stable-linux-arm.tgz
sudo cp ./cloudflared /usr/local/bin
sudo chmod +x /usr/local/bin/cloudflared

Next we need to create a user to run the daemon (-r for a system user, -M to skip creating a home directory, and a nologin shell so nobody can log in as it).

sudo useradd -s /usr/sbin/nologin -r -M cloudflared

Now we need to create the config file for cloudflared:

sudo nano /etc/default/cloudflared

Paste the contents below into the file (the daemon listens on port 5053 so it doesn't clash with pi-hole's own resolver on port 53, and forwards every query to Cloudflare's two DoH endpoints):

CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query

And give the daemon user ownership of the binary and config file we made:

sudo chown cloudflared:cloudflared /etc/default/cloudflared
sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared

Then create a unit file for systemd, so the daemon starts automatically on boot and we can control it with systemctl as well.

sudo nano /lib/systemd/system/cloudflared.service

Paste the contents below into the file:

[Unit]
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target

[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target

That's the config done. We just need to enable it, start it and check the status to make sure it actually started:

sudo systemctl enable cloudflared
sudo systemctl start cloudflared
sudo systemctl status cloudflared

Our last step is to point the pi-hole at the daemon: in the web interface, open the Upstream DNS Servers settings and enter the address below in the Custom Upstream section.

127.0.0.1#5053
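
As an added example (not from the original post or the pi-hole docs), here is a small POSIX sh script that checks the config before you enable the service: every --upstream must be an https:// URL, otherwise queries leave the box in plain text even though the service is running fine, and --port must be set and must not be 53, which pihole-FTL already owns. The live_query function assumes dig (from the dnsutils package) is installed; the default file path matches the post.

```sh
#!/bin/sh
# Added example: sanity-check /etc/default/cloudflared before enabling the service.
# Assumes the file holds one CLOUDFLARED_OPTS=... line in the format shown in the post.

# Print the option string from the given file (default: the real config file).
get_opts() {
    sed -n 's/^CLOUDFLARED_OPTS=//p' "${1:-/etc/default/cloudflared}"
}

# Return 0 when at least one --upstream is given and every one is an https:// URL.
check_upstreams() {
    count=0
    set -- $1
    while [ $# -gt 0 ]; do
        if [ "$1" = "--upstream" ]; then
            shift
            count=$((count + 1))
            case "$1" in
                https://*) ;;
                *) echo "non-HTTPS upstream: '$1'" >&2; return 1 ;;
            esac
        fi
        shift
    done
    [ "$count" -gt 0 ] || { echo "no --upstream given" >&2; return 1; }
    return 0
}

# Return 0 when --port is a number other than 53 (pihole-FTL already listens on 53).
check_port() {
    set -- $1
    while [ $# -gt 0 ]; do
        if [ "$1" = "--port" ]; then
            shift
            case "$1" in
                53) echo "port 53 collides with pihole-FTL" >&2; return 1 ;;
                ''|*[!0-9]*) echo "bad port: '$1'" >&2; return 1 ;;
                *) return 0 ;;
            esac
        fi
        shift
    done
    echo "no --port given" >&2
    return 1
}

# Live check once the service is up: resolve a name through the local proxy.
# Prints the first A record, or nothing if the proxy is not answering.
live_query() {
    dig +short @127.0.0.1 -p "${1:-5053}" "${2:-cloudflare.com}" A | head -n 1
}

# Usage: run both static checks against the real file, then a live query.
# opts=$(get_opts) && check_upstreams "$opts" && check_port "$opts" && live_query
```

If either static check fails the service will still start, so this is worth running before systemctl enable rather than after: a plain http:// upstream or a port clash is not something the status output will flag.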

All this info was found on the wonderful pi-hole documentation site here:
https://docs.pi-hole.net/guides/dns-over-https/

A big thanks to the pi-hole team for their awesome project, hard work and great documentation. https://github.com/pi-hole/pi-hole