Pihole using DOH not working

Expected Behaviour:

Trying to get the DNS over HTTPS to work using Cloudflare and pihole guide:
https://docs.pi-hole.net/guides/dns-over-https/#configuring-cloudflared-to-run-on-startup

Actual Behaviour:

The cloudflared service is running, but I can't seem to connect to port 5053 using telnet from another computer to the Pi-hole, so something is wrong, and https://1.1.1.1/help is also showing that I'm not using DNS over HTTPS.
Is there something that I haven't configured? Shouldn't port 5053 respond to a telnet call from the same network? Port 53 responds.

Debug Token:

It failed to upload the log

I just did a fresh install, but when I try to set up DoH I get stuck at the same place.
When I run the dig command:

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> @127.0.0.1 -p 5053 google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

I followed the tutorial to every point and got no errors when doing the steps. Any ideas?

Status is showing:

pi@nilsbacka:~ $ sudo systemctl status cloudflared
● cloudflared.service - cloudflared DNS over HTTPS proxy
   Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2020-01-17 08:41:44 EET; 2min 24s ago
 Main PID: 412 (cloudflared)
    Tasks: 11 (limit: 4915)
   Memory: 23.8M
   CGroup: /system.slice/cloudflared.service
           └─412 /usr/local/bin/cloudflared proxy-dns --port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query

Jan 17 08:41:44 nilsbacka systemd[1]: Started cloudflared DNS over HTTPS proxy.
Jan 17 08:41:45 nilsbacka cloudflared[412]: time="2020-01-17T08:41:45+02:00" level=info msg="Adding DNS upstream" url="https://1.1.1.1/dns-query"
Jan 17 08:41:45 nilsbacka cloudflared[412]: time="2020-01-17T08:41:45+02:00" level=info msg="Starting metrics server" addr="[::1]:36719"
Jan 17 08:41:45 nilsbacka cloudflared[412]: time="2020-01-17T08:41:45+02:00" level=info msg="Adding DNS upstream" url="https://1.0.0.1/dns-query"
Jan 17 08:41:45 nilsbacka cloudflared[412]: time="2020-01-17T08:41:45+02:00" level=info msg="Starting DNS over HTTPS proxy server" addr="dns://localhost:5053"

Could my router / firewall have something to do with the port 5053 not answering?
I have allowed everything from the LAN but do I need to open anything else?

Okay, so this is strange: when using dig like this:
dig -p 5053 google.com @127.0.0.1
it will not work, but when I use localhost it answers the call:
dig -p 5053 google.com @localhost
So there must be a setting wrong somewhere... hosts?

pi@nil:~ $ dig -p 5053 google.com  @localhost

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> -p 5053 google.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10451
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
; PAD: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (".....................................................................")
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		10	IN	A	172.217.20.46

;; Query time: 5 msec
;; SERVER: ::1#5053(::1)
;; WHEN: Sat Jan 18 00:34:31 EET 2020
;; MSG SIZE  rcvd: 138

Same with telnet:
This works:
telnet localhost 5053

but this won't work:
telnet 127.0.0.1 5053

This will temporarily reset the nameserver on the Pi to bypass Pi-Hole DNS.

sudo nano /etc/resolv.conf

edit nameserver 127.0.0.1 to nameserver 9.9.9.9 or your preferred third party DNS service, save and exit

Run pihole -d and upload the debug log

Hi @jfb,

thanks changed the conf and here's the debug after the change:
https://pastebin.com/nP8G5dqe

-Toube

Running netstat -pantu | grep LIST will output the below:

(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::53                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 ::1:5053                :::*                    LISTEN      -                   
tcp6       0      0 ::1:42885               :::*                    LISTEN      -                   
tcp6       0      0 ::1:4711                :::*                    LISTEN      -

Does this mean that the DoH port 5053 only listens on IPv6, and that is why it's not working as it should?

Update: I edited the cloudflared config file and added --address 0.0.0.0,
and that solved it :slight_smile:
CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query --address 0.0.0.0

Result after change:
https://1.1.1.1/help#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjEuMS4xIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjAuMC4xIjoiWWVzIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTExMSI6Ik5vIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTAwMSI6Ik5vIiwiZGF0YWNlbnRlckxvY2F0aW9uIjoiSEVMIiwiaXNXYXJwIjoiTm8iLCJpc3BOYW1lIjoiQ2xvdWRmbGFyZSIsImlzcEFzbiI6IjEzMzM1In0=

Let the safe surfing begin :smiley:
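The listener mix-up in this thread can be checked mechanically. The script below is an added example, not code from the thread or from the cloudflared project: it reads a netstat -pantu listing, finds what is bound on the DoH port, and reports whether an IPv4 client (127.0.0.1), an IPv6 client (::1, which is what localhost resolved to in the dig output above) or the whole LAN can reach it. The sample netstat lines are constructed, modelled on the output posted above; the function names and the second sample showing a wildcard bind are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread or cloudflared).
# Works out, from `netstat -pantu` text, whether a DoH proxy on a port is
# reachable over IPv4, over IPv6, and whether it is exposed to the LAN.

# Constructed sample: LISTEN lines modelled on the thread's netstat output,
# where cloudflared was bound only to ::1 (IPv6 loopback).
SAMPLE_BEFORE='tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      -
tcp6       0      0 :::53                   :::*                    LISTEN      -
tcp6       0      0 ::1:5053                :::*                    LISTEN      -'

# Constructed sample (assumed, not captured): what a wildcard bind such as
# `--address 0.0.0.0` would look like in the same listing.
SAMPLE_AFTER='tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:5053            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::53                   :::*                    LISTEN      -'

# Print "proto addr" for every LISTEN socket bound on the given port.
# Column 4 of netstat is the local address; the port is its last ":" field.
listeners_on_port() {  # $1 = netstat text, $2 = port
    printf '%s\n' "$1" | awk -v port="$2" '
        $6 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] == port) {
                sub(":" port "$", "", addr)   # strip the trailing :port
                print $1, addr
            }
        }'
}

# Decide whether a client of the given address family can reach the port.
# $1 = netstat text, $2 = port, $3 = "ipv4" or "ipv6"
# Prints the verdict and returns 0 (reachable) or 1 (not reachable).
# Assumption: a tcp6 socket on "::" also accepts IPv4 (Linux default,
# net.ipv6.bindv6only=0); a socket on "::1" only ever accepts ::1.
doh_reachable() {
    listeners_on_port "$1" "$2" | awk -v fam="$3" '
        {
            proto = $1; addr = $2
            if (fam == "ipv4" && (addr == "0.0.0.0" || addr == "127.0.0.1" ||
                                  (proto == "tcp6" && addr == "::"))) ok = 1
            if (fam == "ipv6" && (addr == "::" || addr == "::1")) ok = 1
        }
        END {
            if (ok) { print "reachable"; exit 0 }
            print "not bound for " fam; exit 1
        }'
}

# Return 0 if the port is bound on a wildcard address, i.e. reachable from
# every host on the LAN, not just from this machine.
lan_exposed() {  # $1 = netstat text, $2 = port
    listeners_on_port "$1" "$2" | awk '
        $2 == "0.0.0.0" || $2 == "::" { found = 1 }
        END { exit !found }'
}

# Stand-alone run: reproduce the thread's symptom, then the wildcard case.
if [ "${DOH_CHECK_QUIET:-}" = "" ]; then
    echo "before fix, ipv6: $(doh_reachable "$SAMPLE_BEFORE" 5053 ipv6)"
    echo "before fix, ipv4: $(doh_reachable "$SAMPLE_BEFORE" 5053 ipv4)"
    echo "after fix,  ipv4: $(doh_reachable "$SAMPLE_AFTER" 5053 ipv4)"
    if lan_exposed "$SAMPLE_AFTER" 5053; then
        echo "after fix: port 5053 is bound on a wildcard address (LAN-exposed)"
    fi
fi
```

On the first sample, dig @localhost succeeds because localhost resolves to ::1 and the proxy is bound there, while @127.0.0.1 times out because nothing listens on IPv4. Note that --address 0.0.0.0 fixes the symptom by making the proxy reachable from every host on the LAN, which is more than Pi-hole needs: the linked guide has pihole-FTL forward to 127.0.0.1#5053 on the same host, so --address 127.0.0.1 is the narrower fix, and the lan_exposed check above flags the wildcard bind.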

One more question about using DoH: does using DoH mean that the ISP will not be able to see where our devices are going, at least not directly?
Or will it at least stop, or make harder, a man-in-the-middle attack?

Yes and no. They won't see your DNS traffic, but once you have the IP in hand, you will ask the ISP for that IP in clear text and they can fairly easily figure out where you are browsing.

This is true. Since the DNS traffic is encapsulated in the SSL tunnel, only you and the upstream resolver can see it, and it is hidden from intermediate parties.

Thanks appreciate it!