DNS-over-HTTPS with Fedora based PiHole and Cloudflare
-
How to set up DNS-over-HTTPS on Fedora based PiHole.
Ref: https://bendews.com/posts/implement-dns-over-https/
Now verified. Should be good, so let me know where I messed up.
I've also written a script, because I'll want to do this a few more times, and what IT person doesn't like automation?
https://github.com/travisdh1/FedPiHSecDNS
Download Cloudflared
wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.rpm
Install the downloaded rpm file
sudo dnf -y localinstall ./cloudflared-stable-linux-amd64.rpm
Add a user for cloudflared to run as
sudo useradd -s /usr/sbin/nologin -r -M cloudflared
Change the executable ownership
sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared
Create /etc/default/cloudflared
sudo nano /etc/default/cloudflared
# Commandline args for cloudflared
CLOUDFLARED_OPTS=--proxy-dns=true --proxy-dns-upstream https://1.1.1.1/dns-query --proxy-dns-upstream https://1.0.0.1/dns-query --proxy-dns-port 5053
Change ownership on /etc/default/cloudflared to cloudflared
sudo chown cloudflared:cloudflared /etc/default/cloudflared
Create /lib/systemd/system/cloudflared.service
sudo nano /lib/systemd/system/cloudflared.service
[Unit]
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target
[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process
[Install]
WantedBy=multi-user.target
Enable, start, and check that cloudflared is running
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
sudo systemctl status cloudflared
Check that the cloudflared service is working
dig @127.0.0.1 -p 5053 google.com
Should look something like:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.0.1 -p 5053 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65181
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             299     IN      A       243.65.127.221

;; Query time: 3 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; MSG SIZE  rcvd: 65
Edit /etc/dnsmasq.d/01-pihole.conf
Comment out with a # on the beginning of the line any existing 'server=' lines.
sudo sed -i 's/^server=/#server=/' /etc/dnsmasq.d/01-pihole.conf
Add a line containing 'server=127.0.0.1#5053'
sudo nano /etc/dnsmasq.d/01-pihole.conf
Add server=127.0.0.1#5053 on the last line.
Restart the pihole-FTL service
sudo systemctl restart pihole-FTL.service
Your PiHole install is now using Cloudflare's DNS over HTTPS.
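The dnsmasq step above, wrapped into a small script that is safe to run more than once, as an added example that is not part of the original post or of the author's FedPiHSecDNS script: it keeps a backup, comments out every active server= line (anchored to the start of the line, so other keys are untouched), appends the local cloudflared listener exactly once, and then checks that the local proxy is the only forwarder left. The function names, the backup convention and the sample config are my own assumptions; the upstream value uses dnsmasq's ip#port syntax for a non-standard port.

```shell
#!/bin/sh
# Added example, not part of the original post or of the author's script:
# repoint Pi-hole's dnsmasq config at the local cloudflared listener in a
# way that is safe to re-run, then verify the result. Assumes Pi-hole's
# plain key=value 01-pihole.conf layout and dnsmasq's 'server=<ip>#<port>'
# syntax for an upstream on a non-standard port.

# pihole_set_upstream CONF [UPSTREAM]
#   - keeps a CONF.bak copy of the first pre-change state for rollback
#   - comments out every active 'server=' line (anchored to the start of
#     the line, so keys such as 'no-resolv' and already-commented lines
#     are left alone)
#   - appends 'server=UPSTREAM' once, even when run repeatedly
pihole_set_upstream() {
    conf="$1"
    upstream="${2:-127.0.0.1#5053}"
    [ -f "$conf" ] || { echo "pihole_set_upstream: no such file: $conf" >&2; return 1; }
    [ -f "$conf.bak" ] || cp "$conf" "$conf.bak"
    tmp="$conf.tmp.$$"
    # Disable existing upstreams, except our own line if it is already there.
    awk -v want="server=$upstream" '
        /^server=/ && $0 != want { print "#" $0; next }
        { print }
    ' "$conf" > "$tmp"
    # Add the local proxy only when it is not already active.
    grep -qxF "server=$upstream" "$tmp" || printf 'server=%s\n' "$upstream" >> "$tmp"
    mv "$tmp" "$conf"
}

# active_upstreams CONF
#   Prints the values of all uncommented 'server=' lines.
active_upstreams() {
    sed -n 's/^server=//p' "$1"
}

# pihole_doh_only CONF [UPSTREAM]
#   Returns 0 when the local DoH proxy is the only active upstream.
pihole_doh_only() {
    [ "$(active_upstreams "$1")" = "${2:-127.0.0.1#5053}" ]
}

# Demo on a constructed config (values made up for illustration).
demo=$(mktemp)
printf 'no-resolv\nserver=8.8.8.8\nserver=8.8.4.4\ninterface=eth0\n' > "$demo"
pihole_set_upstream "$demo"
pihole_set_upstream "$demo"          # second run changes nothing
cat "$demo"
if pihole_doh_only "$demo"; then echo "OK: 127.0.0.1#5053 is the only upstream"; fi
rm -f "$demo" "$demo.bak"
```

On a real Pi-hole you would call pihole_set_upstream /etc/dnsmasq.d/01-pihole.conf as root and then restart pihole-FTL as in the post; pihole_doh_only gives a quick yes/no that no plaintext upstream was left behind.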
-
Another project to try out. Did you start with a minimal Fedora install? Any other requirements needed for this install to work?
-
@nashbrydges said in DNS-over-HTTPS with Fedora based PiHole and Cloudflare:
Another project to try out. Did you start with a minimal Fedora install? Any other requirements needed for this install to work?
This goes on the Pi-hole instance, so wherever you set up your Pi-hole.
-
@nashbrydges said in DNS-over-HTTPS with Fedora based PiHole and Cloudflare:
Another project to try out. Did you start with a minimal Fedora install? Any other requirements needed for this install to work?
I start with a standard Fedora server install, not minimal. So things like wget should already be in place.
Fedora server with PiHole installed should be all that's required.
-
Hm....
I guess this doesn't really help me, since my PiHole is hosted outside my network. This would help with requests from the PiHole out to the internet; however, all requests from the router to the PiHole would be unencrypted.
-
Also, maybe PiHole will support in the future?
-
Also, take a look at this:
https://pi-hole.net/2018/04/08/psa-issue-with-pi-hole-doh-and-dnsmasq/
-
@aaronstuder said in DNS-over-HTTPS with Fedora based PiHole and Cloudflare:
Hm....
I guess this doesn't really help me, since my PiHole is hosted outside my network. This would help with requests from the PiHole out to the internet; however, all requests from the router to the PiHole would be unencrypted.
You can always tunnel that traffic. Although the value of point-to-point encryption is generally pretty minimal, and for DNS extremely low, unless you are doing something super shady and are being tapped.
-
@aaronstuder said in DNS-over-HTTPS with Fedora based PiHole and Cloudflare:
Hm....
I guess this doesn't really help me, since my PiHole is hosted outside my network. This would help with requests from the PiHole out to the internet; however, all requests from the router to the PiHole would be unencrypted.
Yep. I wouldn't mind having a DNS server that supports this stuff from the client side, so this is as good as it gets right now.
-
@travisdh1 said in DNS-over-HTTPS with Fedora based PiHole and Cloudflare:
dig @127.0.0.1 -p 5053 google.com
So I finally got around to setting this up but how do I test if my DNS queries are truly over HTTPS now?
-
The assumption is that, now that there are no upstream DNS servers shown on Pi-Hole and I can still resolve all domains, that this is in fact working over HTTPS?
-
@nashbrydges said in DNS-over-HTTPS with Fedora based PiHole and Cloudflare:
The assumption is that, now that there are no upstream DNS servers shown on Pi-Hole and I can still resolve all domains, that this is in fact working over HTTPS?
Correct. The DNS queries are being sent through a proxy with this setup. Hopefully a more elegant and simple solution to doing secure DNS will be available in the future, but for now this is one of the few solutions available.
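One way to answer the "is it truly over HTTPS?" question with evidence rather than by inference from the Pi-hole dashboard, as an added example that is not from the thread: capture on the Pi-hole's upstream interface while a query goes through it. With the setup in this thread, plaintext port-53 DNS should exist only on loopback (dnsmasq to cloudflared on 127.0.0.1 port 5053), the only traffic leaving the box for name resolution should be TLS to 1.1.1.1 or 1.0.0.1 on port 443, and any port-53 packet to a non-loopback address is a leak. The function names and the constructed tcpdump lines in the demo are mine; the live check assumes tcpdump's default numeric text output and needs root.

```shell
#!/bin/sh
# Added example, not from the original thread: check that DNS leaves the
# Pi-hole only as HTTPS to Cloudflare after the cloudflared/dnsmasq change.
# Expected picture with the setup above:
#   - plaintext DNS only on loopback (dnsmasq -> 127.0.0.1 port 5053)
#   - TLS to 1.1.1.1 / 1.0.0.1 on port 443 (cloudflared's DoH upstreams)
#   - no port-53 packets to any non-loopback address (that would be a leak)
# Assumes tcpdump's default numeric text output:
#   "<ts> IP <src>.<port> > <dst>.<port>: ..."

# dns_leak_report [SELF_IP]  < tcpdump-lines
#   Classifies each IPv4 line by destination host/port, prints every leak,
#   prints a one-line summary, and returns 1 if any leak was seen.
#   SELF_IP (the Pi-hole's own address) marks LAN clients' queries to us
#   as inbound rather than as leaks.
dns_leak_report() {
    awk -v self="${1:-}" '
        BEGIN { inbound = local = doh = leaks = 0 }
        $2 == "IP" {
            dst = $5; sub(/:$/, "", dst)
            n = split(dst, p, ".")                 # last dotted field is the port
            port = p[n]
            host = substr(dst, 1, length(dst) - length(port) - 1)
            if (host == self)                                { inbound++ }
            else if (port == "53" && host !~ /^127\./)       { print "LEAK: " $0; leaks++ }
            else if (port == "443" && (host == "1.1.1.1" || host == "1.0.0.1")) { doh++ }
            else if (port == "53" || port == "5053")         { local++ }
        }
        END {
            printf "inbound=%d local=%d doh=%d leaks=%d\n", inbound, local, doh, leaks
            if (leaks > 0) exit 1
            exit 0
        }'
}

# dns_leak_check IFACE [SECONDS]
#   Live check (root): capture DNS/HTTPS on the upstream interface for a few
#   seconds while a test query is pushed through Pi-hole, then grade it.
dns_leak_check() {
    iface="$1"; secs="${2:-5}"
    self=$(ip -4 -o addr show dev "$iface" | awk '{print $4}' | cut -d/ -f1)
    ( sleep 1; dig @127.0.0.1 example.com >/dev/null 2>&1 ) &
    timeout "$secs" tcpdump -nl -i "$iface" 'port 53 or port 5053 or port 443' 2>/dev/null \
        | dns_leak_report "$self"
}

# Offline demo on constructed capture lines (these packets are made up):
# one client query to us, one loopback hop to cloudflared, one DoH packet,
# and one plaintext query to 8.8.8.8 that must be flagged.
dns_leak_demo() {
    printf '%s\n' \
      '12:00:00.000001 IP 192.168.1.20.5555 > 192.168.1.10.53: 3+ A? example.com. (29)' \
      '12:00:00.000002 IP 127.0.0.1.40000 > 127.0.0.1.5053: 1+ A? example.com. (29)' \
      '12:00:00.000003 IP 192.168.1.10.50000 > 1.1.1.1.443: Flags [P.], seq 1:2, length 1' \
      '12:00:00.000004 IP 192.168.1.10.40001 > 8.8.8.8.53: 2+ A? example.com. (29)' \
      | dns_leak_report 192.168.1.10
}

if [ "${1:-}" = "--demo" ]; then dns_leak_demo; fi
```

Run the script with --demo to see the classification on the constructed lines, or source it and call dns_leak_check eth0 on the Pi-hole itself; a clean result is leaks=0 with a non-zero doh count, which is the direct evidence the dashboard cannot give you.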
-
The entire concept is just stupid.
You cannot hide from your provider.
-
@jaredbusch said in DNS-over-HTTPS with Fedora based PiHole and Cloudflare:
The entire concept is just stupid.
You cannot hide from your provider.
Not about hiding from the provider. It's about securing communications between every endpoint. Just another step to HTTPS everywhere.
-
Would enabling DNSSEC help with securing DNS?
-
@black3dynamite It helps protect your site from DNS spoofing. Here's an example site with DNSSEC.
https://en.internet.nl/site/www.internetsociety.org/303794/#sitednssec
If DNSSEC is improperly setup, the site will not resolve.
Don't think it's very widely used though.
-
@jaredbusch said in DNS-over-HTTPS with Fedora based PiHole and Cloudflare:
The entire concept is just stupid.
You cannot hide from your provider.
I'd agree with you, at least for now. This is just one small step in the right direction. It won't really make much difference until it's supported by all endpoints.