This guide explains how to set up DNS over HTTPS (DoH) on a Linux system using `cloudflared`. DoH ensures that your DNS queries are encrypted and secure, protecting your online privacy and preventing third-party monitoring of your internet activity.

DoH Setup with cloudflared.md

Setting Up DNS over HTTPS (DoH) Using cloudflared

This guide explains how to set up DNS over HTTPS (DoH) on a Linux system using cloudflared. DoH ensures that your DNS queries are encrypted and secure, protecting your online privacy and preventing third-party monitoring of your internet activity.

Table of Contents

1. Prerequisites
2. Step-by-Step Installation and Configuration
   • Install cloudflared
   • Set Up DoH Proxy
3. Configure DNS Resolution
4. Verify the Setup
5. Optional Configuration
6. Example DNS over HTTPS (DoH) Providers
7. Conclusion

Prerequisites

• A Linux-based system (Debian, Ubuntu, etc.).
• cloudflared (Cloudflare's DoH proxy) installed.

Step-by-Step Installation and Configuration

Installation and setup

1. Download and Install cloudflared

1. Download the latest cloudflared Debian package:

   wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb

2. Install the package:

   sudo dpkg -i cloudflared-linux-amd64.deb
   sudo apt-get install -f

3. Verify the installation:

   cloudflared --version

This installs cloudflared and ensures all dependencies are met. You can verify the installation by checking the version with cloudflared --version.

2. Set Up DoH Proxy

1. Create a Service User To run cloudflared securely, create a dedicated service user:

   sudo useradd -r -s /usr/sbin/nologin cloudflared

   This command creates a system user cloudflared with no login permissions.

2. Configure the Service Create a systemd service file to run cloudflared automatically:

   sudo nano /etc/systemd/system/cloudflared.service

   Add the following configuration to the service file:

   [Unit]
   Description=cloudflared DNS over HTTPS proxy
   After=network-online.target
   Wants=network-online.target
   StartLimitIntervalSec=60
   StartLimitBurst=10
   
   [Service]
   Type=simple
   ExecStart=/usr/bin/cloudflared proxy-dns --port 53 --upstream  <your_DoH>
   User=cloudflared
   Restart=always
   RestartSec=2
   TimeoutStopSec=20
   LimitNOFILE=4096
   
   [Install]
   WantedBy=multi-user.target

   Replace <your_DoH> with the URL of your chosen DNS over HTTPS provider (refer to the list below).

3. Grant Permission to Bind to Port 53:

   On Linux, non-root processes cannot bind to ports below 1024 by default. You can use setcap to allow Cloudflared to bind to port 53 without requiring root privileges:

   sudo setcap 'cap_net_bind_service=+ep' /usr/bin/cloudflared

4. Reload the systemd daemon and start the service:

   sudo systemctl daemon-reload
   sudo systemctl enable cloudflared
   sudo systemctl start cloudflared

   This reloads the systemd configuration, enables the cloudflared service to start on boot, and starts the service immediately.

3. Configure DNS Resolution

To ensure the system uses your DoH proxy for DNS resolution:

1. Stop and Disable systemd-resolved

   The systemd-resolved service may conflict with cloudflared:

   sudo systemctl stop systemd-resolved
   sudo systemctl disable systemd-resolved

2. Create a New /etc/resolv.conf

   Set up resolv.conf to direct DNS queries to cloudflared:

   sudo rm /etc/resolv.conf
   echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf

   This configuration routes DNS queries through cloudflared running on localhost.

3. Configure Firewall:

   If your system uses a firewall, allow traffic on ports 53:

   sudo iptables -I INPUT -p tcp --dport 53 -j ACCEPT
   sudo iptables -I INPUT -p udp --dport 53 -j ACCEPT

4. Verify the Setup

To confirm that cloudflared is working correctly:

1. Check if cloudflared is Listening on the Correct Ports Run the following commands:

   sudo lsof -i :53

   You should see cloudflared listed as the service listening on both ports.

2. Test DNS Resolution Use the dig command to test DNS resolution through cloudflared:

   dig @127.0.0.1 example.com

   The output should show a successful DNS query resolution.

5. (optional)

Auto-Restart on Network Changes

setup to restart the cloudflared service whenever the system connects to a new network:

1. Install networkd-dispatcher.

   On Debian-based systems (like Ubuntu), use:

   sudo apt update
   sudo apt install networkd-dispatcher

2. Create a Script to Restart cloudflared on Network Change.

   You need to create a script that networkd-dispatcher will call when a new network connection is detected.

   • Create the script:

     sudo nano /etc/networkd-dispatcher/routable.d/restart-cloudflared.sh

   • Add the following content to the script:

     #!/bin/bash
     
     # Restart the cloudflared service
     systemctl restart cloudflared

   • Make the script executable:

     sudo chmod +x /etc/networkd-dispatcher/routable.d/restart-cloudflared.sh

3. Reload Systemd and Network Dispatcher.

   sudo systemctl daemon-reload
   sudo systemctl restart networkd-dispatcher
   sudo systemctl restart cloudflared

4. Verify the Configuration.

   • Check the status of the cloudflared service:

   sudo systemctl status cloudflared

   • Monitor network events and check if cloudflared restarts when connecting to a new network:

   journalctl -u cloudflared -f

Example DNS over HTTPS (DoH) Providers

You can choose any of the following DNS providers for your DoH setup:

Provider	URL	IPv4	IPv6	Best For	Homepage	More Info	Pricing
Google Public DNS	https://dns.google/dns-query	8.8.8.8, 8.8.4.4	2001:4860:4860::8888, 2001:4860:4860::8844	General use, fast global coverage	Google Public DNS	No filtering or blocking, focuses on speed and reliability	Free
Cloudflare DNS	https://cloudflare-dns.com/dns-query	1.1.1.1, 1.0.0.1	2606:4700:4700::1111, 2606:4700:4700::1001	Privacy-focused, fast performance	Cloudflare DNS	DNS over HTTPS (DoH), DNS over TLS (DoT), strong privacy protection, supports ESNI	Free
AdGuard DNS	https://dns.adguard.com/dns-query	94.140.14.14, 94.140.15.15	2a10:50c0::ad1:ff, 2a10:50c0::ad2:ff	Ad-blocking, privacy protection	AdGuard DNS	Blocks ads, trackers, phishing sites, malware, and adult content, customizable filtering	Available Free (basic), Paid (premium filtering options)
Quad9 DNS	https://dns.quad9.net/dns-query	9.9.9.9, 149.112.112.112	2620:fe::fe, 2620:fe::9	Security and malware protection	Quad9 DNS	Filters malicious domains, partners with security firms for threat intelligence, privacy-focused	Free
OpenDNS	https://doh.opendns.com/dns-query	208.67.222.222, 208.67.220.220	2620:0:ccc::2, 2620:0:ccd::2	Parental control and security	OpenDNS	Offers family shield for content filtering, customizable filters, anti-phishing	Available Free (basic), Paid (premium with custom filtering)
CleanBrowsing DNS	https://doh.cleanbrowsing.org/doh/family-filter/	185.228.168.168, 185.228.169.168	2a0d:2a00:1::, 2a0d:2a00:2::	Family-safe, content filtering	CleanBrowsing DNS	Family and adult filters, malware blocking, customizable plans for different use cases	Available Free (basic), Paid (advanced filters)
NextDNS	https://dns.nextdns.io	45.90.28.0, 45.90.30.0	2a07:a8c0::, 2a07:a8c1::	Highly customizable privacy and security	NextDNS	Fully customizable, blocks ads, trackers, malicious domains, and provides analytics	Available Free (limited queries), Paid (unlimited queries and advanced settings)
ControlD	https://freedns.controld.com/p0	76.76.2.0, 76.76.10.0	2606:1a40::, 2606:1a40:1::	Customizable filtering, blocking	ControlD	Multiple filtering modes (e.g., malware, ads, trackers), offers custom DNS profiles	Available Free (basic profiles), Paid (customizable profiles)
Comodo Secure DNS	https://doh.comodo.com/dns-query	8.26.56.26, 8.20.247.20	Not available	Security-focused, basic filtering	Comodo Secure DNS	Focuses on blocking malware and phishing, no custom filtering	Free
Yandex DNS	https://dns.yandex.com/dns-query	77.88.8.8, 77.88.8.1	2a02:6b8::feed:0ff, 2a02:6b8:0:1::feed:0ff	Security, content filtering	Yandex DNS	Offers basic, safe, and family filtering options, content protection, speed-optimized	Free

For a more comprehensive list of DNS providers, visit AdGuard DNS Providers.

DNS Provider comparison metrics

The table includes a comprehensive DNS provider comparison with performance metrics, features, and official links:

Provider	Latency	Privacy	Filtering	Logging	DNSSEC	Support	Features	DoH Endpoint	IPv4 Primary	IPv6 Primary
Cloudflare	✓✓✓	✓✓✓	Optional	No	Yes	24/7	Malware blocking, Family filter	https://dns.cloudflare.com/dns-query	1.1.1.1	2606:4700:4700::1111
Google	✓✓✓	✓✓	No	Limited	Yes	Business Hours	Global load balancing	https://dns.google/dns-query	8.8.8.8	2001:4860:4860::8888
Quad9	✓✓	✓✓✓	Yes	No	Yes	24/7	Threat blocking, EDNS	https://dns.quad9.net/dns-query	9.9.9.9	2620:fe::fe
AdGuard	✓✓	✓✓	Yes	Optional	Yes	Business Hours	Ad blocking, Custom filters	https://dns.adguard.com/dns-query	94.140.14.14	2a10:50c0::ad1:ff
OpenDNS	✓✓	✓✓	Yes	Yes	Yes	24/7	Parental controls, Phishing protection	https://doh.opendns.com/dns-query	208.67.222.222	2620:119:35::35
NextDNS	✓✓✓	✓✓✓	Yes	Optional	Yes	24/7	Custom blocklists, Analytics	https://dns.nextdns.io	45.90.28.0	2a07:a8c0::
ControlD	✓✓✓	✓✓✓	Yes	No	Yes	Business Hours	Custom profiles, Geographic filters	https://freedns.controld.com/p0	76.76.2.0	2606:1a40::
Mullvad	✓✓	✓✓✓	Optional	No	Yes	24/7	Ad blocking, No logging	https://doh.mullvad.net/dns-query	194.242.2.2	2a07:e340::2
BlahDNS	✓✓	✓✓✓	Yes	No	Yes	Community	Ad blocking, Privacy focused	https://doh-fi.blahdns.com/dns-query	45.91.92.121	2a0e:dc0:6:23::2
LibreDNS	✓✓	✓✓✓	Optional	No	Yes	Community	No filtering, Privacy focused	https://doh.libredns.gr/dns-query	116.202.176.26	2a01:4f8:c17:ec67::1
DuckDNS	✓✓	✓✓✓	No	No	Yes	Limited	Privacy focused	https://basic.duckdns.org/dns-query	185.199.108.153	2606:4700:3037::6815:8b99
Foundation for Applied Privacy	✓✓	✓✓✓	No	No	Yes	Limited	GDPR compliant	https://doh.applied-privacy.net/query	93.177.65.183	2a03:4000:38:53c::2
CZ.NIC ODVR	✓✓	✓✓	Optional	Limited	Yes	Business Hours	Czech Republic based	https://odvr.nic.cz/dns-query	193.17.47.1	2001:148f:ffff::1
DNS.SB	✓✓	✓✓	No	No	Yes	Limited	Simple, Privacy focused	https://doh.dns.sb/dns-query	185.222.222.222	2a09::
PowerDNS	✓✓	✓✓	Optional	Limited	Yes	Community	Self-hosted option	https://doh.powerdns.org	Variable	Variable

Legend

• Latency: ✓ (>100ms), ✓✓ (50-100ms), ✓✓✓ (<50ms)
• Privacy: ✓ (Basic), ✓✓ (Enhanced), ✓✓✓ (Maximum)
• Support: Community (Forum/Email), Limited (Email only), Business Hours (9-5 Support), 24/7 (Full Support)

Additional Provider Features

Security Features

• Malware Blocking: Cloudflare, Quad9, NextDNS, ControlD
• Phishing Protection: OpenDNS, AdGuard, NextDNS
• Threat Intelligence: Quad9, NextDNS, ControlD
• DDoS Protection: Cloudflare, Google, NextDNS

Privacy Features

• No-Log Policy: Cloudflare, Mullvad, BlahDNS, LibreDNS
• GDPR Compliance: All EU-based providers
• Anonymous Statistics: NextDNS (optional), AdGuard (optional)
• Privacy Audited: Cloudflare, Mullvad

Filtering Options

• Ad Blocking: AdGuard, NextDNS, BlahDNS, ControlD
• Family Filtering: OpenDNS, AdGuard, NextDNS, ControlD
• Custom Blocklists: NextDNS, AdGuard, ControlD
• Geographic Filtering: ControlD, NextDNS

Technical Features

• EDNS Client Subnet: Google, OpenDNS
• DNSSec Validation: All listed providers
• DNS64 Support: Cloudflare, Google, NextDNS
• ECS Support: Google, OpenDNS, PowerDNS

Provider Selection Considerations

1. Performance Priority

   • Local users: Cloudflare, Google, NextDNS
   • Global users: Cloudflare, Google, ControlD

2. Privacy Priority

   • Maximum privacy: Mullvad, LibreDNS, BlahDNS
   • No logging: Cloudflare, Mullvad, LibreDNS

3. Filtering Priority

   • Ad blocking: AdGuard, NextDNS, BlahDNS
   • Family protection: OpenDNS, ControlD, NextDNS

4. Enterprise Usage

   • Corporate environments: Google, Cloudflare, OpenDNS
   • Custom deployment: PowerDNS, OpenDNS, NextDNS

Conclusion

This guide provides a detailed method to set up DNS over HTTPS on your Linux machine using cloudflared, ensuring your DNS queries are encrypted and secure. Select a DNS provider from the examples above or from the AdGuard DNS Providers list to complete your setup.