Installing cloudflared on a Raspberry Pi

Installation

cloudflared is a CLI utility from cloudflare.com which can be used to set up DNS-over-HTTPS (DoH). Conventionally, DNS queries are sent as plaintext and can be intercepted by prying eyes on your network (or on a public network). DoH encrypts DNS traffic with HTTPS, so the queries can no longer be read in transit.

You can start by downloading a pre-compiled binary for the Pi Zero and moving it to /usr/local/bin.

On newer Pis you do not need this. On older Pis (Pi Zero, etc.), a pre-compiled binary saves time. For maximum security, however, you should review the code and compile the binary on your own machine.

wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm
sudo cp ./cloudflared-linux-arm /usr/local/bin/cloudflared
sudo chmod +x /usr/local/bin/cloudflared
cloudflared -v

Edit the /etc/hosts file to add an IP address on which cloudflared will receive queries: run sudo nano /etc/hosts and add a host entry for cloudflared, e.g. 127.0.0.10 as in the listing below.

127.0.0.1 localhost
127.0.1.1 DietPi
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.10 cloudf
127.0.0.11 ubound

Create a cloudflared user to run the daemon.

sudo useradd -s /usr/sbin/nologin -r -M cloudflared

Create a configuration file for cloudflared and copy the following into it.

sudo nano /etc/default/cloudflared

## Copy the following text to the file:

# Commandline args for cloudflared
CLOUDFLARED_OPTS=--address 127.0.0.10 \
 --port 5053 \
 --upstream https://doh.mullvad.net/dns-query \
 --upstream https://dns11.quad9.net/dns-query \
 --upstream https://doh.libredns.gr/dns-query \
 --upstream https://doh1.blahdns.com/uncensor \
 --upstream https://fi.doh.dns.snopyta.org/dns-query

Alternative upstream resolvers:

# NixNet
https://uncensored.lux1.dns.nixnet.xyz/dns-query

# Libre DNS
https://doh.libredns.gr/dns-query

# https://snopyta.org/service/dns/index.html
https://fi.doh.dns.snopyta.org/dns-query

# PowerDNS
https://doh.powerdns.org/

# https://blahdns.com/
https://doh1.blahdns.com/uncensor

# CZ NIC
https://odvr.nic.cz/doh
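
The check below is an added example, not part of the original guide or of cloudflared. It lints the options file for three mistakes that matter in this setup: a blank after a continuation backslash (which stops the line from continuing), an --address that is not loopback, and an --upstream that is not an https:// URL. The function name check_cloudflared_opts and the sample files are constructed for illustration, and the check assumes the unquoted, space-separated option form used in this guide.

```shell
#!/bin/sh
# Added example; check_cloudflared_opts is a hypothetical helper name.
check_cloudflared_opts() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    # A blank after a trailing backslash stops it acting as a continuation,
    # so the options on the following lines never reach ExecStart.
    if grep -nE '\\[[:space:]]+$' "$file" >&2; then
        echo "FAIL: whitespace after a line-continuation backslash" >&2
        return 1
    fi

    # Join continued lines, then keep only the value of CLOUDFLARED_OPTS.
    opts=$(awk '{ if (sub(/\\$/, " ")) { buf = buf $0 } else { print buf $0; buf = "" } }
                END { if (buf != "") print buf }' "$file" |
           sed -n 's/^CLOUDFLARED_OPTS=//p')

    set -f; set -- $opts; set +f    # split into words without globbing
    fail=0; upstreams=0
    while [ $# -gt 0 ]; do
        case "$1 ${2-}" in
            "--address 127."[0-9]*|"--address ::1"|"--address localhost") ;;
            "--address "*)
                echo "FAIL: listener '${2-}' is not a loopback address" >&2; fail=1 ;;
            "--upstream https://"?*) upstreams=$((upstreams + 1)) ;;
            "--upstream "*)
                echo "FAIL: upstream '${2-}' is not an https:// URL" >&2; fail=1 ;;
        esac
        shift
    done
    [ "$upstreams" -gt 0 ] || { echo "FAIL: no https:// upstream set" >&2; fail=1; }
    return "$fail"
}

# Constructed samples: "bad" has a blank after the first backslash, "good" does not.
tmp=$(mktemp -d)
printf '%s\n' 'CLOUDFLARED_OPTS=--address 127.0.0.10 \ ' ' --port 5053 \' \
    ' --upstream https://dns11.quad9.net/dns-query' > "$tmp/bad"
printf '%s\n' 'CLOUDFLARED_OPTS=--address 127.0.0.10 \' ' --port 5053 \' \
    ' --upstream https://dns11.quad9.net/dns-query' > "$tmp/good"
for f in bad good; do
    if check_cloudflared_opts "$tmp/$f" 2>/dev/null; then echo "$f: ok"
    else echo "$f: rejected"; fi
done
```

Run it as check_cloudflared_opts /etc/default/cloudflared before starting the service; a non-zero return means the file needs fixing.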

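Give the cloudflared user ownership of the configuration file and the binary. The service only needs to read the file and execute the binary, so leaving both owned by root also works and keeps the service account from modifying its own executable.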

sudo chown cloudflared:cloudflared /etc/default/cloudflared
sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared

Create the systemd unit file to launch cloudflared at system startup:

sudo nano /lib/systemd/system/cloudflared.service
## Copy the following text to the file:

[Unit]
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target

[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target

Enable the systemd service to run on startup, then start the service and check its status.

sudo systemctl enable cloudflared
sudo systemctl start cloudflared
sudo systemctl status cloudflared

# One-liner
sudo systemctl enable cloudflared && sudo systemctl start cloudflared && sudo systemctl status cloudflared

Testing

Verify that cloudflared is working properly:

dig @127.0.0.10 -p 5053 google.com

## output
; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> @127.0.0.10 -p 5053 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52789
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 6779b2c9f5aecdc3 (echoed)
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		276	IN	A	216.58.207.206

;; Query time: 2 msec
;; SERVER: 127.0.0.10#5053(127.0.0.10)
;; WHEN: Sun Aug 18 10:18:04 EEST 2019
;; MSG SIZE  rcvd: 77

Now, in the Pi-hole interface, add the following as a custom DNS resolver:

127.0.0.10#5053

To stop cloudflared:

sudo systemctl stop cloudflared && sudo systemctl disable cloudflared && sudo systemctl status cloudflared

To restart cloudflared:

sudo systemctl stop cloudflared && sudo systemctl disable cloudflared && sudo systemctl enable cloudflared && sudo systemctl start cloudflared && sudo systemctl status cloudflared