In the previous blog entry [Pi-hole with DNS-over-TLS] I set up Stubby for DNS-over-TLS on the pi-hole. I now want to do the same for DNS-over-HTTPS (DoH), but neither Stubby nor Unbound supports this young protocol, which answers DNS queries via HTTPS. Some browsers have now integrated DoH, but I would like to protect all DNS queries from my home network. Therefore I use Cloudflare's client, written in Go: cloudflared.

More about the pi-hole and installation instructions can be found here:


There is already documentation on how to set up DNS-over-HTTPS with cloudflared, but I would like to adapt the installation so that I can use multiple clients at the same time.
cloudflared can be downloaded from Cloudflare as a binary and is ready for use after a small amount of configuration.

On the Raspberry Pi:

tar -xvzf cloudflared-stable-linux-arm.tgz
sudo cp ./cloudflared /usr/local/bin/
sudo chmod +x /usr/local/bin/cloudflared

For the service we use a dedicated user:

sudo useradd -s /usr/sbin/nologin -r -M cloudflared
sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared # the service user owns the binary so cloudflared can auto-update it


Your DNS Choice
Carefully choose your DNS provider because you are exposing your data to it. Who you trust is your decision.
There are many alternatives and probably better options than Quad9.

Cloudflare also offers DNS-over-HTTPS, but I would rather use the service of Quad9, so I use the IP as upstream.

sudo vi /lib/systemd/system/cloudflared.service

[Unit]
Description=cloudflared DNS over HTTPS proxy

[Service]
ExecStart=/usr/local/bin/cloudflared proxy-dns --address --port 5353 --upstream


Then enable and start the service:

sudo systemctl daemon-reload
sudo systemctl enable cloudflared
sudo systemctl start cloudflared

To make it easier to see in the pi-hole statistics which DNS queries are answered via Stubby, Unbound or cloudflared, the IP of the service can be entered in /etc/hosts. cloudflared then appears instead of the IP. The same can, of course, be done for all other clients.

echo " cloudflared" >> /etc/hosts

The active cloudflared service can now be configured in the pi-hole as a custom DNS server. To do this, enter the local IP and the port of the service under "Settings > DNS", in Upstream DNS Servers under "custom": e.g.
After saving, the pi-hole should now forward DNS requests that are not cached or blocked to cloudflared:

Query Client Service Names


pi@pi-hole:~ $ dig @ -p 5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> @ -p 5353
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7383
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;      IN  A

;; ANSWER SECTION:   900 IN  CNAME    900 IN  A

;; Query time: 245 msec
;; WHEN: Fri Jan 18 15:54:23 UTC 2019
;; MSG SIZE  rcvd: 129

It works. 🎉
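
What cloudflared forwards upstream is an ordinary DNS message wrapped in an HTTPS request, as specified in RFC 8484. The Python below is an added example, not part of the original post or of cloudflared's code: it builds the query, shows the GET and POST framing, and decodes a reply header carrying the same flags as the dig run above. The name www.example.com, the path /dns-query and the sample reply header are constructed; the page does not say whether cloudflared uses GET or POST.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode a one-question DNS query (RFC 1035 wire format); qtype 1 = A."""
    # ID 0 as RFC 8484 recommends for HTTP cache friendliness; 0x0100 sets RD.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"  # root label terminates the name
    if len(qname) > 255:
        raise ValueError("name too long")
    return header + qname + struct.pack("!HH", qtype, 1)  # class 1 = IN

def doh_get_target(query: bytes, path: str = "/dns-query") -> str:
    """GET form: the message as unpadded base64url in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={encoded}"

def doh_post(query: bytes, path: str = "/dns-query"):
    """POST form: the raw message as body, typed application/dns-message."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message",
               "Content-Length": str(len(query))}
    return "POST", path, headers, query

FLAG_BITS = [("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100),
             ("ra", 0x0080), ("ad", 0x0020), ("cd", 0x0010)]

def parse_header(message: bytes) -> dict:
    """Decode the 12-byte header that dig summarises as status/flags/counts."""
    if len(message) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": ident, "rcode": flags & 0x000F, "answers": an,
            "flags": [name for name, bit in FLAG_BITS if flags & bit]}

if __name__ == "__main__":
    q = build_query("www.example.com")  # constructed sample name
    print(doh_get_target(q))
    # Constructed reply header with the flags from the dig run: qr rd ra ad
    print(parse_header(struct.pack("!HHHHHH", 7383, 0x81A0, 1, 2, 0, 1)))
```

The `ad` flag in the decoded header is the upstream resolver's statement that it validated the answer with DNSSEC; it is only as trustworthy as the encrypted path to that resolver.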

Maybe I'll do an evaluation of which of the clients (Unbound with DoT, Stubby with DoT or cloudflared with DoH) has better performance, so I can continue surfing as fast as possible 🙂.


You have written a great guide, and you also included the link to Kuketz's blog. So you want to protect your data traffic. You probably read Mr. Kuketz's articles from time to time. Why, then, are Google services requested when visiting your site? I also want to protect my privacy and avoid these services. Likewise, Quad9 is not so good for privacy. See here: Securing, encrypting and protecting is good. Keep it up. Always consider the overall package.
Written on Sat, 19 Jan 2019 20:38:10 by Horst