Local DNS and Public DoH using Pi-hole and Cloudflared
Using Pi-hole and Cloudflare’s new 220.127.116.11 and 18.104.22.168 public DNS servers together is a good idea… bolting DoH (DNS over HTTPS) onto that via the Cloudflared daemon is an even better idea (until Pi-hole natively supports DoH anyways).
This raises an issue in any environment where local DNS resolution is needed; i.e. active-directory (AD) domain environments. In a typical AD environment there are at least two domain controllers (DC) that fulfill DNS resolution for local domain endpoints. DNS on these DCs is then configured with Forwarders so public DNS resolution can be fulfilled.
Here are a couple ways to utilize Pi-hole and Cloudflared, I’ll call it Pi-flared, to reap the benefits of DoH for public DNS resolution and still use our DCs for local DNS resolution.
AD DNS servers, or DCs, have the Pi-flared DNS server(s) configured as Forwarder(s).
- Pros: No configuration changes are required; i.e. DHCP scope options or statically defined DNS servers, etc.
- Cons: Since all DNS queries are going to the DCs first, Pi-hole’s query logs will only show the requests as forwarded from the DCs; i.e. granular, per-user metrics will not be available, via Pi-hole anyways.
(My preference) Clients are configured with the Pi-flared server(s) for DNS, the Pi-flared servers are then configured with domain-specific servers for local lookups.
- Pros: Pi-hole’s query logs will now show requests from every host on the network.
- Cons: Reconfiguration of static clients and DHCP scope or server options to define the Pi-flared DNS server(s) for DHCP clients. This will provide the granular, per-user metrics that I want to see in Pi-hole’s admin interface.
- I completed all of the steps below while logged in as root, you will need sudo privileges if you’re logged in as a different user.
- Using a USB stick for Pi-hole log storage can reduce stress on the SD card used in your Pi.
Install Ubuntu Mate on your Pi
Follow the setup guide on the distro page to get Ubuntu Mate installed on your Pi: https://ubuntu-mate.org/raspberry-pi/
This command is straight from Pi-hole’s site, where they advise that piping to bash can be dangerous and suggest that you review the code and run the installer locally.
curl -sSL https://install.pi-hole.net | bash
Install Cloudflared & Configure DNS
Full disclosure, The steps below are almost directly borrowed from Ben Dew’s DNS Over HTTPS post that I followed to get my Pi-hole/Cloudflared environment setup. I’m merely sharing my version of the deployment.
Download and untar the latest stable release.
wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz tar -xvzf cloudflared-stable-linux-arm.tgz
Copy the extracted files to /usr/local/bin and set permissions to allow execution by the cloudflared user.
cp ./cloudflared /usr/local/bin chmod +x /usr/local/bin/cloudflared
Create a user to run the daemon.
useradd -s /usr/sbin/nologin -r -M cloudflared
Create a configuration file for the Cloudflared options, this will be referenced in the systemd script created later.
Paste the following into buffer, then hit CTRL-X and Y.
[code]# Commandline args for cloudflared
CLOUDFLARED_OPTIONS=–port 5053 –upstream https://22.214.171.124/dns-query –upstream https://126.96.36.199/dns-query[/code]
Update permissions for the config file and the Cloudflared binary to permit access for the cloudflared user created eariler.
chown cloudflared:cloudflared /etc/default/cloudflared chown cloudflared:cloudflared /usr/local/bin/cloudflared
Create a systemd script to control the service and allow it to run at startup.
Paste the following into buffer, then hit CTRL-X and Y (to save).
Description=Cloudflared DoH Proxy
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTIONS
Enable the new systemd script to run on startup, start the service, and finally check its status.
systemctl enable cloudflared systemctl start cloudflared systemctl status cloudflared
Edit the Pi-hole dnsmasq.d configuration file and add server= lines for the Cloudflared daemon for public queries, and your DCs for local domain(s) queries.
Note that : is not used in the configuration file to define the server port, instead # is used.
- Cloudflared daemon: 127.0.0.1#5053 (we just set this up)
- Primary DC: 10.1.1.51
- Secondary DC: 10.1.1.52
- Local domain name: shnosh.local
Comment out any PIHOLE_DNS lines in the Pi-hole configuration file with # to prevent Pi-hole from automatically regenerating the dnsmasq configuration files when reloaded.
This step can likely be skipped if this is a clean deployment; but to be safe, look through any other file in the /etc/dnsmasq.d directory and add a # before any line starting with server=; i.e.
Restart the Pi.
Network clients can now be configured to use your newly configured Pi-flared server(s).