Cloudflared
Cloudflared may be used to run a local DNS over HTTPS (DoH) proxy, i.e., a stub resolver: it accepts plain DNS queries on a local address and forwards them over HTTPS to an upstream DoH resolver, so that DNS traffic leaving the host is encrypted.
Installation
Install the cloudflared package.
Usage
Run cloudflared proxy-dns to start a DNS over HTTPS proxy server.
Use the --address and --port options to specify the address and port cloudflared listens on. They default to localhost and 53 respectively. For a list of available command line options, see the upstream documentation or the output of cloudflared proxy-dns --help.
You can create a systemd service file, for example:
/etc/systemd/system/cloudflared.service
[Unit]
Description=DNS over HTTPS proxy client
Wants=network-online.target nss-lookup.target
After=network-online.target
Before=nss-lookup.target

[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DynamicUser=yes
ExecStart=/usr/bin/cloudflared proxy-dns --port 5300

[Install]
WantedBy=multi-user.target
The two capability lines are only needed if cloudflared binds a privileged port (below 1024, e.g. the default 53). With --port 5300 they can be removed, so the dynamic user runs with no capabilities at all. Note that /etc/resolv.conf cannot name a port, so to use this proxy as the system resolver either listen on port 53 or forward to it from a local resolver that supports a non-default upstream port.
After starting the service, you can test that it works by using drill(1) (provided by the ldns package):
$ drill archlinux.org @127.0.0.1 -p 5300
Checking
Open https://1.1.1.1/help in a browser to check whether its DNS queries reach Cloudflare over DoH. The page only reports on the path to Cloudflare, so it is meaningful here only when the system resolver points at cloudflared and the browser is not using its own built-in DoH setting.
Endpoints
By default cloudflared uses https://1.1.1.1/dns-query and https://1.0.0.1/dns-query, the DoH endpoints on the IPv4 addresses of Cloudflare's DNS servers, as upstream endpoint URLs.
You can specify different upstream endpoint URLs with the --upstream option. The option may be given more than once to configure several upstreams for redundancy.
The endpoints documented by Cloudflare, together with Quad9 as a non-Cloudflare alternative, are:
Endpoint | Description
---|---
https://1.1.1.1/dns-query, https://1.0.0.1/dns-query, https://[2606:4700:4700::1111]/dns-query, https://[2606:4700:4700::1001]/dns-query | Standard
https://security.cloudflare-dns.com/dns-query | Standard, but blocks malware
https://family.cloudflare-dns.com/dns-query | Standard, but blocks malware and adult content
https://9.9.9.9/dns-query | Quad9
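As an added example (not from this page or from cloudflared itself), a small POSIX shell helper that assembles the proxy-dns command line from the --address, --port and --upstream options described above, refuses any upstream that is not an https:// URL with a path (a plain http:// upstream would send queries in cleartext and defeat the point of the proxy), reports whether the chosen listening port needs CAP_NET_BIND_SERVICE, and wraps the drill check from the Usage section. The endpoint URLs are the ones in the table; the function names and the parsing of drill's rcode/ANSWER header lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example; not part of the wiki page or of cloudflared.
# Helpers around "cloudflared proxy-dns": validate upstreams, build the
# command line, decide whether a bind capability is needed, and check a
# running proxy with drill(1).

# Accept only https:// URLs that carry a path (e.g. /dns-query). Plain
# http:// or a bare IP would turn the "DoH" proxy into a cleartext
# forwarder or be rejected by cloudflared at startup. Exit 0 = valid.
doh_url_ok() {
    case "$1" in
        https://*/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the full proxy-dns command line for a listen address, a port and
# one or more upstream endpoints. --upstream is repeatable, so each
# endpoint becomes its own flag. Exit 1 if any endpoint is rejected.
build_proxy_cmd() {
    addr="$1"; port="$2"; shift 2
    cmd="cloudflared proxy-dns --address $addr --port $port"
    for u in "$@"; do
        doh_url_ok "$u" || {
            printf 'rejected upstream (not https:// with a path): %s\n' "$u" >&2
            return 1
        }
        cmd="$cmd --upstream $u"
    done
    printf '%s\n' "$cmd"
}

# Binding a port below 1024 requires CAP_NET_BIND_SERVICE (or root);
# any higher port, such as 5300 in the unit above, does not.
needs_bind_cap() {
    [ "$1" -lt 1024 ]
}

# Live check against a running proxy (needs the ldns package). Exit 0
# when drill reports rcode NOERROR and at least one answer record.
# Not run automatically; call it by hand, e.g. check_proxy 127.0.0.1 5300.
check_proxy() {
    addr="${1:-127.0.0.1}"; port="${2:-5300}"; name="${3:-archlinux.org}"
    out=$(drill "$name" "@$addr" -p "$port") || return 1
    printf '%s\n' "$out" | grep -q 'rcode: NOERROR' &&
        printf '%s\n' "$out" | grep -Eq 'ANSWER: [1-9]'
}
```

Typical use is build_proxy_cmd 127.0.0.1 5300 https://security.cloudflare-dns.com/dns-query https://1.1.1.1/dns-query to print the ExecStart line for a malware-blocking primary with the standard endpoint as fallback, then check_proxy once the service is running.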