Pi-hole with dns-over-https

In the previous blog entry [Pi-hole with DNS-over-TLS] I set up stubby for dns-over-tls on the pi-hole. I want to do the same now for DNS-over-HTTPS (DoH), but neither Stubby nor Unbound support the young protocol which answers DNS queries via HTTPS. Some browsers have now integrated DoH, but I would like to protect all DNS queries from my home network. Therefore I use the client of cloudflare written in Go: cloudflared.

More about the pi-hole and installation instructions can be found here:


Basically there is an existing documentation at pi-hole.net how to set up DNS-over-HTTPS with cloudflared, but I would like to optimize the installation for me so that I can use multiple clients at the same time.
cloudflared can be downloaded at Cloudflare as binary and is ready for use after a small configuration.

On the Raspberry Pi:

wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
tar -xvzf cloudflared-stable-linux-arm.tgz
cp ./cloudflared /usr/local/bin
chmod +x /usr/local/bin/cloudflared

For the service we use our own user:

sudo useradd -s /usr/sbin/nologin -r -M cloudflared
sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared # auto-update the binary


Your DNS Choose
Carefully choose your DNS provider because you are exposing your data to it. Who you trust is your decision.
There are many alternatives and probably better options than Quad9.

Cloudflare also offers DNS-over-HTTPS, but I would rather use the service of Quad9, so I use the IP as upstream.

sudo vi /lib/systemd/system/cloudflared.service

Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target

ExecStart=/usr/local/bin/cloudflared proxy-dns --address --port 5353 --upstream


And activate and restart the restart service:

sudo systemctl daemon-reload
sudo systemctl enable cloudflared
sudo systemctl start cloudflared

To make the pi-hole statistics easier to see which DNS queries are now answered via stubby or unbound or cloudflared, the IP of the service can be entered in /etc/hosts. Thus cloudflared appears instead of The same, can of course, be done for all other clients.

echo " cloudflared" >> /etc/hosts

The active cloudflared service can now be configured in the pi-hole as custom DNS server. To do this, enter the local IP of the service and the port of the service under “Settings > DNS” for Upstream DNS Servers under “custom”: e.g.
After saving, the pi-hole should now forward DNS requests that are not cached or blocked to cloudflared:

Query Client Service Names


pi@pi-hole:~ $ dig @ -p 5353 blog.sandchaschte.ch

; <<>> DiG 9.10.3-P4-Raspbian <<>> @ -p 5353 blog.sandchaschte.ch
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7383
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;blog.sandchaschte.ch.		IN	A

blog.sandchaschte.ch.	900	IN	CNAME	sandchaschte.ch.
sandchaschte.ch.	900	IN	A

;; Query time: 245 msec
;; WHEN: Fri Jan 18 15:54:23 UTC 2019
;; MSG SIZE  rcvd: 129

It works. ๐ŸŽ‰

Maybe I’ll do an evaluation which of the clients (Unbound with DoT, Stubby with DoT or Cloudflared with DoH) has a better performance, so I can continue surfing fast as possible ๐Ÿ™‚.