(config)#shut, no shutHave you tried turning it off and on again?

Local DNS and Public DoH using Pi-hole and Cloudflared

Using Pi-hole and Cloudflare’s new and public DNS servers together is a good idea… bolting DoH (DNS over HTTPS) onto that via the Cloudflared daemon is an even better idea (until Pi-hole natively supports DoH anyways).

This raises an issue in any environment where local DNS resolution is needed; i.e. active-directory (AD) domain environments. In a typical AD environment there are at least two domain controllers (DC) that fulfill DNS resolution for local domain endpoints. DNS on these DCs is then configured with Forwarders so public DNS resolution can be fulfilled.

Here are a couple ways to utilize Pi-hole and Cloudflared, I’ll call it Pi-flared, to reap the benefits of DoH for public DNS resolution and still use our DCs for local DNS resolution.

Option 1

AD DNS servers, or DCs, have the Pi-flared DNS server(s) configured as Forwarder(s).

  • Pros: No configuration changes are required; i.e. DHCP scope options or statically defined DNS servers, etc.
  • Cons: Since all DNS queries are going to the DCs first, Pi-hole’s query logs will only show the requests as forwarded from the DCs; i.e. granular, per-user metrics will not be available, via Pi-hole anyways.

Option 2

(My preference) Clients are configured with the Pi-flared server(s) for DNS, the Pi-flared servers are then configured with domain-specific servers for local lookups.

  • Pros: Pi-hole’s query logs will now show requests from every host on the network.
  • Cons: Reconfiguration of static clients and DHCP scope or server options to define the Pi-flared DNS server(s) for DHCP clients. This will provide the granular, per-user metrics that I want to see in Pi-hole’s admin interface.


  • I completed all of the steps below while logged in as root, you will need sudo privileges if you’re logged in as a different user.
  • Using a USB stick for Pi-hole log storage can reduce stress on the SD card used in your Pi.

Process Order

Install Ubuntu Mate on your Pi

Follow the setup guide on the distro page to get Ubuntu Mate installed on your Pi: https://ubuntu-mate.org/raspberry-pi/

Install Pi-hole

This command is straight from Pi-hole’s site, where they advise that piping to bash can be dangerous and suggest that you review the code and run the installer locally.

curl -sSL https://install.pi-hole.net | bash

Install Cloudflared & Configure DNS

Full disclosure, The steps below are almost directly borrowed from Ben Dew’s DNS Over HTTPS post that I followed to get my Pi-hole/Cloudflared environment setup. I’m merely sharing my version of the deployment.

Download and untar the latest stable release.

wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
tar -xvzf cloudflared-stable-linux-arm.tgz

Copy the extracted files to /usr/local/bin and set permissions to allow execution by the cloudflared user.

cp ./cloudflared /usr/local/bin
chmod +x /usr/local/bin/cloudflared

Create a user to run the daemon.

useradd -s /usr/sbin/nologin -r -M cloudflared

Create a configuration file for the Cloudflared options, this will be referenced in the systemd script created later.

nano /etc/default/cloudflared

Paste the following into buffer, then hit CTRL-X and Y.

[code]# Commandline args for cloudflared
CLOUDFLARED_OPTIONS=–port 5053 –upstream –upstream[/code]

Update permissions for the config file and the Cloudflared binary to permit access for the cloudflared user created eariler.

chown cloudflared:cloudflared /etc/default/cloudflared
chown cloudflared:cloudflared /usr/local/bin/cloudflared

Create a systemd script to control the service and allow it to run at startup.

nano /lib/systemd/system/cloudflared.service

Paste the following into buffer, then hit CTRL-X and Y (to save).

Description=Cloudflared DoH Proxy
After=syslog.target network-online.target

ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTIONS


Enable the new systemd script to run on startup, start the service, and finally check its status.

systemctl enable cloudflared
systemctl start cloudflared
systemctl status cloudflared

Edit the Pi-hole dnsmasq.d configuration file and add server= lines for the Cloudflared daemon for public queries, and your DCs for local domain(s) queries.

Note that : is not used in the configuration file to define the server port, instead # is used.

  • Cloudflared daemon: (we just set this up)
  • Primary DC:
  • Secondary DC:
  • Local domain name: shnosh.local
nano /etc/dnsmasq.d/01-pihole.conf



Comment out any PIHOLE_DNS lines in the Pi-hole configuration file with # to prevent Pi-hole from automatically regenerating the dnsmasq configuration files when reloaded.

nano /etc/pihole/setupVars.conf



This step can likely be skipped if this is a clean deployment; but to be safe, look through any other file in the /etc/dnsmasq.d directory and add a # before any line starting with server=; i.e.


Restart the Pi.

reboot now

Network clients can now be configured to use your newly configured Pi-flared server(s).

Tags: , , , , , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.