Setting up Cloudflared, the DNS-over-HTTPS client, the correct way

Step 1: add the repository, import GPG key and update apt cache

echo 'deb http://pkg.cloudflare.com/ Buster main' |
tee /etc/apt/sources.list.d/cloudflare-main.list

curl -C - https://pkg.cloudflare.com/pubkey.gpg | apt-key add -

apt update

Step 2: install cloudflared

apt install cloudflared

Step 3: edit the config file at /etc/cloudflared/config.yml

proxy-dns: true
proxy-dns-upstream:
 - https://223.5.5.5/dns-query
 - https://223.6.6.6/dns-query

Some of the other DoH-ready servers are:

  • https://8.8.8.8/dns-query
  • https://8.8.4.4/dns-query
  • https://1.1.1.1/dns-query
  • https://1.0.0.1/dns-query

The use of DNS names such as https://dns.google/dns-query or https://cloudflare-dns.com/dns-query in DoH requests should be discouraged, as you may run into circular DNS lookup failures: the proxy would need a DNS lookup to reach the upstream that is supposed to answer its DNS lookups.

Step 4: create the service file manually at /etc/systemd/system/cloudflared.service

[Unit]
Description=Cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/cloudflared --config /etc/cloudflared/config.yml
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target

Step 5: reload systemd process and start cloudflared daemon

systemctl daemon-reload
service cloudflared start

Step 6: update /etc/resolv.conf

nameserver 127.0.0.1

At this point your system is configured to resolve DNS via DoH.
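A sanity check for the Step 3 config file, added here as an example and not part of the original post or of cloudflared itself: it flags upstreams that are DNS names rather than IP literals (the circular-lookup problem described above), non-HTTPS schemes and a wrong path. It uses only the standard library, so the two-key config is parsed by hand rather than with a YAML library, and the sample config is constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the Step 3 config plus one hostname upstream of the kind
# the post warns about (it needs a DNS lookup that the proxy itself must answer).
SAMPLE_CONFIG = """\
proxy-dns: true
proxy-dns-upstream:
 - https://223.5.5.5/dns-query
 - https://223.6.6.6/dns-query
 - https://dns.google/dns-query
"""

def parse_config(text):
    """Hand-parse the two keys used above (stdlib only, no PyYAML)."""
    enabled, upstreams, in_list = False, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if in_list and line.startswith("- "):
            upstreams.append(line[2:].strip())
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "proxy-dns":
            enabled = value.lower() == "true"
        in_list = key == "proxy-dns-upstream"
    return enabled, upstreams

def check_upstream(url):
    """Return the problems found with one upstream URL ([] means OK)."""
    problems, parts = [], urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    try:
        ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        # Once resolv.conf points at 127.0.0.1, this name would be resolved
        # through cloudflared itself: the circular-lookup failure from above.
        problems.append("upstream is a DNS name, not an IP literal")
    if parts.path != "/dns-query":
        problems.append("path is not /dns-query")
    return problems

def check_config(text):
    """Return {upstream: problems}; global problems are keyed by ''."""
    enabled, upstreams = parse_config(text)
    report = {url: p for url in upstreams if (p := check_upstream(url))}
    if not enabled or not upstreams:
        report[""] = ["proxy-dns must be true with at least one upstream"]
    return report
```

Run `check_config` over the text of /etc/cloudflared/config.yml before Step 5; an empty dict means every upstream is an HTTPS IP-literal URL with the /dns-query path.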
