Connect to 1.1.1.1 using DoH clients
There are several DoH clients you can use to connect to 1.1.1.1.
cloudflared
Verify that the cloudflared daemon is installed by entering the following command:

$ cloudflared --version
cloudflared version 2020.11.11 (built 2020-11-25-1643 UTC)

Start the DNS proxy on an address and port in your network. If you do not specify an address and port, it will start listening on localhost:53. DNS (53) is a privileged port, so for the initial demo we will use a different port:

$ cloudflared proxy-dns --port 5553
INFO[2020-12-04T19:58:57Z] Adding DNS upstream - url: https://1.1.1.1/dns-query
INFO[2020-12-04T19:58:57Z] Adding DNS upstream - url: https://1.0.0.1/dns-query
INFO[2020-12-04T19:58:57Z] Starting metrics server on 127.0.0.1:44841/metrics
INFO[2020-12-04T19:58:57Z] Starting DNS over HTTPS proxy server on: dns://localhost:5553

You can verify that cloudflared is running using dig, kdig, host, or any other DNS client.

$ dig +short @127.0.0.1 -p5553 cloudflare.com AAAA
2606:4700::6810:85e5
2606:4700::6810:84e5

Run cloudflared as a service so it starts on user login. On many Linux distributions, this can be done with:

$ sudo tee /etc/systemd/system/cloudflared-proxy-dns.service >/dev/null <<EOF
[Unit]
Description=DNS over HTTPS (DoH) proxy client
Wants=network-online.target nss-lookup.target
Before=nss-lookup.target

[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DynamicUser=yes
ExecStart=/usr/local/bin/cloudflared proxy-dns

[Install]
WantedBy=multi-user.target
EOF
$ sudo systemctl enable --now cloudflared-proxy-dns

Change your system DNS servers to use 127.0.0.1. On Linux, you can modify /etc/resolv.conf:

$ sudo rm -f /etc/resolv.conf
$ echo nameserver 127.0.0.1 | sudo tee /etc/resolv.conf >/dev/null

Finally, verify it locally with:

$ dig +short @127.0.0.1 cloudflare.com AAAA
2606:4700::6810:85e5
2606:4700::6810:84e5
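The system resolver falls back to the next nameserver entry when the first one does not answer, so a leftover line beside 127.0.0.1 in /etc/resolv.conf lets queries leave the machine in plaintext. The check below is an added example, not part of the original page or of cloudflared; the function name check_resolvers and its return codes are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit a resolv.conf-style file after pointing it at the
# local DoH proxy. check_resolvers is a hypothetical helper name.
#
# check_resolvers FILE [EXPECTED]
#   EXPECTED defaults to 127.0.0.1, the address used in the steps above.
#   Prints every nameserver entry that differs from EXPECTED.
#   Returns 0 = every nameserver is EXPECTED
#           1 = at least one other resolver is configured
#           2 = file unreadable, or it has no nameserver line at all
#               (treated as "not verified" rather than as a pass)
check_resolvers() {
    file=$1
    expected=${2:-127.0.0.1}
    [ -r "$file" ] || return 2

    total=0
    bad=0
    # "|| [ -n "$key" ]" keeps a final line that lacks a trailing newline.
    while read -r key value _rest || [ -n "$key" ]; do
        # Comments, search/options lines and blanks are not resolvers.
        [ "$key" = "nameserver" ] || continue
        total=$((total + 1))
        if [ "$value" != "$expected" ]; then
            # Anything else is reported, including other loopback stubs,
            # because it would answer instead of (or after) the proxy.
            echo "unexpected resolver: $value"
            bad=$((bad + 1))
        fi
    done < "$file"

    [ "$total" -gt 0 ] || return 2
    [ "$bad" -eq 0 ]
}
```

Run it as check_resolvers /etc/resolv.conf after any network change, since DHCP clients and network managers commonly rewrite that file.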
DNSCrypt-Proxy
DNSCrypt-Proxy 2.0+ supports DoH out of the box. It supports both 1.1.1.1 and other services. It also includes more advanced features, such as load balancing and local filtering.
Verify that dnscrypt-proxy is installed and the version is 2.0 or later:

$ dnscrypt-proxy -version
2.0.8

Set up the configuration file using the official instructions, and add cloudflare and cloudflare-ipv6 to the server list in dnscrypt-proxy.toml:

server_names = ['cloudflare', 'cloudflare-ipv6']

Make sure that nothing else is running on localhost:53, and check that everything works as expected:

$ dnscrypt-proxy -resolve cloudflare-dns.com
Resolving [cloudflare-dns.com]

Domain exists: yes, 3 name servers found
Canonical name: cloudflare-dns.com.
IP addresses: 2400:cb00:2048:1::6810:6f19, 2400:cb00:2048:1::6810:7019, 104.16.111.25, 104.16.112.25
TXT records: -
Resolver IP: 172.68.140.217

Register it as a system service according to the DNSCrypt-Proxy installation instructions.