Running a DNS over HTTPS Client

There are several DNS over HTTPS (DoH) clients you can use to connect to in order to protect your DNS queries from privacy intrusions and tampering.


We've open sourced a golang DoH client you can use to get started. Follow this quick guide to start a DNS over HTTPS proxy to

Step 1: Download the cloudflared daemon. You can find it here.

Step 2: Verify that the cloudflared daemon is installed

cloudflared --version
cloudflared version 2018.3.11 (built 2018-03-30-1849 UTC)

Step 3: Start the DNS proxy on an address and port in your network. If you don't specify an address and port, it will start listening on localhost:53. DNS (53) is a privileged port, so you need to run the daemon as a privileged user in order to be able to bind to it.

sudo cloudflared proxy-dns
INFO[0000] Adding DNS upstream                           url=""
INFO[0000] Starting metrics server                       addr=""
INFO[0000] Starting DNS over HTTPS proxy server          addr="dns://localhost:53"

Step 4: You can verify that it's running using a dig, kdig, host, or any other DNS client.

dig +short @ AAAA

Step 5: Set up cloudflared as a service so it starts on user login. You can use numeric addresses, to avoid circular dependency on system resolver. First generate a configuration file, see the configuration reference for the list of all possible variables. Here's an example:

mkdir -p /usr/local/etc/cloudflared
cat << EOF > /usr/local/etc/cloudflared/config.yml
proxy-dns: true

Step 6: Install cloudflared as a service so it starts on user login. See the Automatically starting Argo Tunnel for reference. Since proxy-dns requires to bind to privileged port 53, it needs to be installed with admin privileges:

sudo cloudflared service install
INFO[0000] Applied configuration from /usr/local/etc/cloudflared/config.yml
INFO[0000] Installing Argo Tunnel as an user launch agent
INFO[0000] Outputs are logged in /tmp/com.cloudflare.cloudflared.out.log and /tmp/com.cloudflare.cloudflared.err.log

Step 7: Verify that it's running, then switch your DNS servers to

dig +short @ AAAA


The dnscrypt-proxy 2.0+ supports DoH out of the box. It supports both, and other services. It includes more advanced features, such as load balancing and local filtering.

Step 1: Install the dnscrypt-proxy. You can find the instructions here.

Step 2: Verify that the dnscrypt-proxy is installed, and at least version 2.0

dnscrypt-proxy -version

Step 3: Set up the configuration file using the official instructions, and add 'cloudflare' and 'cloudflare-ipv6' to the server list in dnscrypt-proxy.toml

server_names = ['cloudflare', 'cloudflare-ipv6']

Step 4: Make sure that nothing else is running on localhost:53, and check that everything works as expected

dnscrypt-proxy -resolve
Resolving []

Domain exists:  yes, 3 name servers found
Canonical name:
IP addresses:   2400:cb00:2048:1::6810:6f19, 2400:cb00:2048:1::6810:7019,,
TXT records:    -
Resolver IP:

Step 5: Register it as a system service using the instructions here