I have setup DoH using the Cloudflare proxy server as instructed on the docs website. '
It appears to work, I can resolve queries. I purposely broke it to make sure that it was working and wasn't able to resolve after that.
However when I go to:
Cloudflare doesn't tell me I am using DoH. Should it say that I am with this configuration? Or am I mistaken.
Thanks,
Have you fixed the "broken" part?
I did. I broke it to make sure I was using the proxy-dns. I fixed it and I am able to resolve again, with the PiHole, pointed at 127.0.0.1#5053
I no longer use cloud flared, but I don't think it should show you as using DoH, because technically "you" aren't. It's the cloud flared process that is running it.
Just my guess, and perhaps another cloudflared DoH user can check this.
Test when I have Pi-Hole pointed directly to Cloudflare:
Moved DNS on this computer to another Pi-Hole running unbound (local resolver):
Thanks for testing.
Like you said maybe another DoH user can chime in.
This from a Reddit user, who runs cloudflared DoH on 127.0.0.1#5053. He connected to the test site and found this:
| Connected to 1.1.1.1 | Yes |
|---|---|
| Using DNS over HTTPS (DoH) | Yes |
| Using DNS over TLS (DoT) | No |
I will check reddit. Did he use the guide or his config different?
I don't know. I asked on Reddit if anybody running Cloudflared on that port could check the website. You could comment and ask the replier.
https://www.reddit.com/r/pihole/comments/97x8ur/need_a_favor_from_a_cloudflared_dns_over_https/
Disabling DNSSEC on the DNS settings page. That seems to get it to test correctly.
Not sure why. Some DNSSEC tests fail after that.
But I would prefer DoH worked over DNSSEC.
Here is some related reading on DNSSEC.
I also replied in the Reddit thread. Disabling DNSSEC in Pi-hole also did the trick for me: it now shows multiple 'yes' on https://https;//1.1.1.1/help instead of only 'No'.
But the big question is: should i leave DNSSEC disabled, or can it be used together with DNS-over-HTTPS?
Because when i disable it, the help page of 1.1.1.1 looks OK, but pages like these two down below indicate i am not using DNSSEC:
Please advise as i am kinda lost on configuring the most optimal settings.
I'm having the same issue but disabling DNSSEC didn't change anything for me. Cloudflare's help site says No for everything except the bottom section, regardless.
I also cross referenced the official docs/guide against Ben Dews' guide (which I followed to setup the Pihole) and Ben's guide did not mention putting 127.0.0.1#5053 as the upstream DNS. However, when I did that the DNS server quit responding and pages would no longer load.
Sounds like the dns proxy isn't running correctly or you have it misconfigured.
What is the output of:
systemctl status clouldfared
Thank you for the reply. Here's what is shown for systemctl status cloudflared.
cloudflared.service - cloudflared DNS over HTTPS proxy
Loaded: loaded (/lib/systemd/system/cloudflared.service; enabled; vendor present: enabled)
Active: inactive (dead) since Fri 2018-08-24 04:06:01 UTC; 11h ago
Process: 310 ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS (code=exited, status=0/SUCCESS)
Main PID: 310 (code=exited, status=0/SUCCESS)
Aug 24 04:05:58 raspberrypi systemd[1]: Started cloudflared DNS over HTTPS proxy.
Aug 24 04:06:01 raspberrypi cloudflared[310]: time="2018-08-24T04:06:01Z" level=warning msg="Cannot determine default configuration path. No file [config.yml config.yaml] in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /usr/local/etc/cloudflared /etc/cloudflared]"
Aug 24 04:06:01 raspberrypi cloudflared[310]: time="2018-08-24T04:06:01Z" level=info msg="Adding DNS upstream" url=https://1.1.1.1/dns-query"
Aug 24 04:06:01 raspberrypi cloudflared[310]: time="2018-08-24T04:06:01Z" level=info msg="Adding DNS upstream" url=https://1.0.0.1/dns-query"
Aug 24 04:06:01 raspberrypi cloudflared[310]: time="2018-08-24T04:06:01Z" level=info msg="Starting DNS over HTTPS proxy status" addr="dns://localhost:53"
For what it's worth, the ad and tracker blocking is working network-wide. I went to several different websites with known advertising (on multiple devices) and the ads don't load. The Pi-hole admin shows ~3k blocked queries.
It says the service is inactive.
Run:
systemctl start cloudflared
Then you should be able to resolve DNS queries though 127.0.0.1#5053
It looks like something is killing the process. I have to run it with sudo but running:
sudo systemctl start cloudflared
Then
systemctl status cloudflared still shows "Active: inactive (dead)".
After multiple re-installs, I figured out the issue. Cloudflared uses a different configuration method (both files and syntax) compared to what's written in the guides.
It started working (CF + DoH) after I followed the syntax (and created the yaml file) from step 5 of this guide: Connect to 1.1.1.1 using DoH clients · Cloudflare 1.1.1.1 docs
For my future self (or anyone with the same issue), I fixed it by foregoing a configuration file. I put the command-line arguments inline inside "cloudflared.service" instead of using $CLOUDFLARED_OPTS and a separate configuration file.
If I figure out how to get it working with the configuration file instead I will add my findings at that time.
I have it working using the method on the guide.
The guide calls command line options to configure cloudflared. Works fine for me. But, if you got it working with a yaml file that's great.
I don't think not having it was causing your issue though if you followed the guide.
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.