DNS-over-HTTPS with Fedora based PiHole and Cloudflare



  • How to set up DNS-over-HTTPS on a Fedora based PiHole.
    Ref: https://bendews.com/posts/implement-dns-over-https/

    Now verified. Should be good, so let me know where I messed up.

    I've also written a script, because I'll want to do this a few more times, and what IT person doesn't like automation?
    https://github.com/travisdh1/FedPiHSecDNS

    Download Cloudflared

    wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.rpm

    Install the downloaded rpm file

    sudo dnf -y localinstall ./cloudflared-stable-linux-amd64.rpm

    Add a user for cloudflared to run as

    sudo useradd -s /usr/sbin/nologin -r -M cloudflared

    Change the executable ownership

    sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared

    Create /etc/default/cloudflared

    sudo nano /etc/default/cloudflared
    # Commandline args for cloudflared
    CLOUDFLARED_OPTS=--proxy-dns=true --proxy-dns-upstream https://1.1.1.1/dns-query --proxy-dns-upstream https://1.0.0.1/dns-query --proxy-dns-port 5053
    

    Change ownership on /etc/default/cloudflared to cloudflared

    sudo chown cloudflared:cloudflared /etc/default/cloudflared

    Create /lib/systemd/system/cloudflared.service

    sudo nano /lib/systemd/system/cloudflared.service
    [Unit]
    Description=cloudflared DNS over HTTPS proxy
    After=syslog.target network-online.target
    [Service]
    Type=simple
    User=cloudflared
    EnvironmentFile=/etc/default/cloudflared
    ExecStart=/usr/local/bin/cloudflared $CLOUDFLARED_OPTS
    Restart=on-failure
    RestartSec=10
    KillMode=process
    [Install]
    WantedBy=multi-user.target
    

    Enable, start, and check that cloudflared is running

    sudo systemctl enable cloudflared
    sudo systemctl start cloudflared
    sudo systemctl status cloudflared

    Check that the cloudflared service is working

    dig @127.0.0.1 -p 5053 google.com

    Should look something like:

    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.0.1 -p 5053 google.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65181
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1536
    ;; QUESTION SECTION:
    ;google.com. IN A
    ;; ANSWER SECTION:
    google.com. 299 IN A 243.65.127.221
    ;; Query time: 3 msec
    ;; SERVER: 127.0.0.1#5053(127.0.0.1)
    ;; MSG SIZE rcvd: 65
    

    Edit /etc/dnsmasq.d/01-pihole.conf
    Comment out any existing 'server=' lines by putting a # at the beginning of the line.

    sudo sed -i 's/^server=/#server=/' /etc/dnsmasq.d/01-pihole.conf

    Add a line containing 'server=127.0.0.1:5053'

    sudo nano /etc/dnsmasq.d/01-pihole.conf
    Add server=127.0.0.1:5053 as the last line

    Restart the pihole-FTL service

    sudo systemctl restart pihole-FTL.service

    Your PiHole install is now using Cloudflare's DNS over HTTPS.
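    The config edit and the dig check from the steps above, collected into one idempotent script that refuses to restart the resolver if the proxy is not answering. This is an added example, not the author's script at github.com/travisdh1/FedPiHSecDNS; it assumes the paths, the 127.0.0.1:5053 listener and the pihole-FTL service name used in the post, and the PIHOLE_CONF variable and the function names are its own.

```sh
#!/bin/sh
# Added example (not the original post's script): point Pi-hole's dnsmasq at the
# local cloudflared DoH proxy and verify the proxy answers before restarting.
# Assumptions taken from the post: config at /etc/dnsmasq.d/01-pihole.conf,
# cloudflared listening on 127.0.0.1:5053, service named pihole-FTL.service.
# Run as root on the Pi-hole host:  sh doh-upstream.sh --apply
set -e

PIHOLE_CONF="${PIHOLE_CONF:-/etc/dnsmasq.d/01-pihole.conf}"   # hypothetical override variable
LOCAL_UPSTREAM="server=127.0.0.1:5053"

# Comment out every active 'server=' line except the local cloudflared one.
# Anchoring on '^server=' leaves lines that merely contain the word "server"
# (e.g. log paths) and lines that are already commented untouched, so the
# function can be run repeatedly without piling up '#' characters.
comment_upstreams() {
    sed -i "/^${LOCAL_UPSTREAM}\$/!s/^server=/#server=/" "$1"
}

# Append the local upstream line only if it is not already present.
add_local_upstream() {
    grep -qx "$LOCAL_UPSTREAM" "$1" || printf '%s\n' "$LOCAL_UPSTREAM" >> "$1"
}

# Number of uncommented 'server=' lines; exactly 1 (the local proxy) is expected.
active_upstreams() {
    grep -c '^server=' "$1" || true
}

# Ask the DoH proxy directly, as the post does with dig, and require NOERROR.
check_doh_proxy() {
    dig @127.0.0.1 -p 5053 +time=3 +tries=1 example.com 2>/dev/null \
        | grep -q 'status: NOERROR'
}

main() {
    comment_upstreams "$PIHOLE_CONF"
    add_local_upstream "$PIHOLE_CONF"
    n=$(active_upstreams "$PIHOLE_CONF")
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one active upstream in $PIHOLE_CONF, found $n" >&2
        exit 1
    fi
    # A dead upstream would take name resolution down for every client,
    # so do not restart the resolver until the proxy has answered a query.
    if ! check_doh_proxy; then
        echo "cloudflared on 127.0.0.1:5053 is not answering; not restarting pihole-FTL" >&2
        exit 1
    fi
    systemctl restart pihole-FTL.service
}

if [ "${1:-}" = "--apply" ]; then
    main
fi
```

    Running it twice leaves the config byte-for-byte identical, which is what makes it safe to put in a provisioning script; the plain `s/server/#server/` form would instead prefix an extra `#` on every run and would also hit any other line containing that word.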



  • Another project to try out. Did you start with a minimal Fedora install? Any other requirements needed for this install to work?


  • @nashbrydges said in DNS-over-HTTPS with Fedora based PiHole and Cloudflare:

    Another project to try out. Did you start with a minimal Fedora install? Any other requirements needed for this install to work?

    This goes on the Pi-hole instance, so wherever you set up your Pi-hole.



  • @nashbrydges said in DNS-over-HTTPS with Fedora based PiHole and Cloudflare:

    Another project to try out. Did you start with a minimal Fedora install? Any other requirements needed for this install to work?

    I start with a standard Fedora server install, not minimal. So things like wget should already be in place.

    Fedora server with PiHole installed should be all that's required.



  • Hm....

    I guess this doesn't really help me, since my PiHole is hosted outside my network. This would help with requests from the PiHole out to the internet; however, all requests from the router to the PiHole would be unencrypted.



  • Also, maybe PiHole will support in the future?




  • @aaronstuder said in DNS-over-HTTPS with Fedora based PiHole and Cloudflare:

    Hm....

    I guess this doesn't really help me, since my PiHole is hosted outside my network. This would help with requests from the PiHole out to the internet; however, all requests from the router to the PiHole would be unencrypted.

    You can always tunnel that traffic. Although the value of point-to-point encryption is generally pretty minimal, and for DNS extremely low, unless you are doing something super shady and are being tapped.



  • @aaronstuder said in DNS-over-HTTPS with Fedora based PiHole and Cloudflare:

    Hm....

    I guess this doesn't really help me, since my PiHole is hosted outside my network. This would help with requests from the PiHole out to the internet; however, all requests from the router to the PiHole would be unencrypted.

    Yep. I wouldn't mind having a DNS server that supports this stuff from the client side, so this is as good as it gets right now.

