
Running a DNS over HTTPS client

There are several DNS over HTTPS (DoH) clients you can use to connect to in order to protect your DNS queries from privacy intrusions and tampering.


We've open sourced a golang DoH client you can use to get started. Follow this quick guide to start a DNS over HTTPS proxy to

Step 1: Download the cloudflared daemon. You can find it here.

Step 2: Verify that the cloudflared daemon is installed

cloudflared --version
cloudflared version 2018.3.11 (built 2018-03-30-1849 UTC)

Step 3: Start the DNS proxy on an address and port in your network. If you don't specify an address and port, it will start listening on localhost:53. DNS (53) is a privileged port, so you need to run the daemon as a privileged user in order to be able to bind to it.

sudo cloudflared proxy-dns
INFO[0000] Adding DNS upstream                           url=""
INFO[0000] Starting metrics server                       addr=""
INFO[0000] Starting DNS over HTTPS proxy server          addr="dns://localhost:53"

Step 4: You can verify that it's running using dig, kdig, host, or any other DNS client.

dig +short @ AAAA
2400:cb00:2048:1::c629:d6a2
2400:cb00:2048:1::c629:d7a2

Step 5: Set up cloudflared as a service so it starts on user login. You can use numeric addresses to avoid a circular dependency on the system resolver. First, generate a configuration file; see the configuration reference for the list of all possible variables. Here's an example:

mkdir -p /usr/local/etc/cloudflared
cat << EOF > /usr/local/etc/cloudflared/config.yml
proxy-dns: true
proxy-dns-upstream:
 -
 -
EOF

Step 6: Install cloudflared as a service so it starts on user login. See Automatically starting Argo Tunnel for reference. Because proxy-dns needs to bind to the privileged port 53, it must be installed with admin privileges:

sudo cloudflared service install
INFO[0000] Applied configuration from /usr/local/etc/cloudflared/config.yml
INFO[0000] Installing Argo Tunnel as an user launch agent
INFO[0000] Outputs are logged in /tmp/com.cloudflare.cloudflared.out.log and /tmp/com.cloudflare.cloudflared.err.log

Step 7: Verify that it's running, then switch your DNS servers to

dig +short @ AAAA
2400:cb00:2048:1::c629:d6a2
2400:cb00:2048:1::c629:d7a2
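
A lint for the configuration file from Step 5 above, added here as an example (it is not Cloudflare's code): it flags any proxy-dns-upstream entry that is not https:// or that names the server by hostname instead of a numeric address, which is the circular resolver dependency that step mentions. The function names are hypothetical, and the script assumes the flat YAML layout shown above, with one upstream URL per list item.

```shell
#!/bin/sh
# Lint proxy-dns-upstream in a cloudflared config.yml: each upstream should be
# https:// and name its server by numeric address, so the proxy never has to
# ask the system resolver (which may be itself) where its upstream lives.

# classify_upstream URL -> prints "ok", "not-https" or "hostname"
classify_upstream() {
    case "$1" in
        https://*) ;;
        *) echo "not-https"; return ;;
    esac
    host=${1#https://}; host=${host%%/*}     # drop scheme and path
    case "$host" in
        \[*\]*) echo "ok"; return ;;         # bracketed IPv6 literal
    esac
    host=${host%%:*}                         # drop optional :port
    # Shape check only: four dot-separated decimal groups
    if printf '%s\n' "$host" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "ok"
    else
        echo "hostname"
    fi
}

# list_upstreams FILE -> prints one upstream URL per line
list_upstreams() {
    awk '
        /^proxy-dns-upstream:/ { inlist = 1; next }
        inlist && /^[ \t]*-/   { sub(/^[ \t]*-[ \t]*/, ""); gsub(/"/, "")
                                 if ($0 != "") print; next }
        inlist && /^[^ \t#]/   { inlist = 0 }
    ' "$1"
}

# check_config FILE -> prints "<verdict> <url>" per upstream; status 1 if any fails
check_config() {
    rc=0
    while IFS= read -r url; do
        [ -n "$url" ] || continue
        verdict=$(classify_upstream "$url")
        echo "$verdict $url"
        [ "$verdict" = "ok" ] || rc=1
    done <<EOF
$(list_upstreams "$1")
EOF
    return "$rc"
}

if [ "$#" -gt 0 ]; then check_config "$1"; fi
```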


dnscrypt-proxy 2.0+ supports DoH out of the box. It supports both, and other services. It includes more advanced features, such as load balancing and local filtering.

Step 1: Install the dnscrypt-proxy. You can find the instructions here.

Step 2: Verify that dnscrypt-proxy is installed and is at least version 2.0

dnscrypt-proxy -version
2.0.8

Step 3: Set up the configuration file using the official instructions, and add 'cloudflare' and 'cloudflare-ipv6' to the server list in dnscrypt-proxy.toml

server_names = ['cloudflare', 'cloudflare-ipv6']

Step 4: Make sure that nothing else is running on localhost:53, and check that everything works as expected

dnscrypt-proxy -resolve cloudflare-dns.com
Resolving []
Domain exists:  yes, 3 name servers found
Canonical name:
addresses:   2400:cb00:2048:1::6810:6f19, 2400:cb00:2048:1::6810:7019,,
records:    -
Resolver IP:

Step 5: Register it as a system service using the instructions here