Cloudflare Docs
1.1.1.1
Edit this page on GitHub
Set theme to dark (⇧+D)

Connect to 1.1.1.1 using DoH clients

There are several DoH clients you can use to connect to 1.1.1.1.

​​ cloudflared

  1. Download and install the cloudflared daemon.

  2. Verify that the cloudflared daemon is installed by entering the following command:

    $ cloudflared --version
    cloudflared version 2020.11.11 (built 2020-11-25-1643 UTC)
  3. Start the DNS proxy on an address and port in your network. If you do not specify an address and port, it will start listening on localhost:53. DNS (53) is a privileged port, so for the initial demo we will use a different port:

    $ cloudflared proxy-dns --port 5553
    INFO[2020-12-04T19:58:57Z] Adding DNS upstream - url: https://1.1.1.1/dns-query
    INFO[2020-12-04T19:58:57Z] Adding DNS upstream - url: https://1.0.0.1/dns-query
    INFO[2020-12-04T19:58:57Z] Starting metrics server on 127.0.0.1:44841/metrics
    INFO[2020-12-04T19:58:57Z] Starting DNS over HTTPS proxy server on: dns://localhost:5553
  4. You can verify that cloudflared is running using a dig, kdig, host, or any other DNS client.

    $ dig +short @127.0.0.1 -p5553 cloudflare.com AAAA
    2606:4700::6810:85e5
    2606:4700::6810:84e5
  5. Run cloudflared as a service so it starts on user login. On many Linux distributions, this can be done with:

    $ sudo tee /etc/systemd/system/cloudflared-proxy-dns.service >/dev/null <<EOF
    [Unit]
    Description=DNS over HTTPS (DoH) proxy client
    Wants=network-online.target nss-lookup.target
    Before=nss-lookup.target
    [Service]
    AmbientCapabilities=CAP_NET_BIND_SERVICE
    CapabilityBoundingSet=CAP_NET_BIND_SERVICE
    DynamicUser=yes
    ExecStart=/usr/local/bin/cloudflared proxy-dns
    [Install]
    WantedBy=multi-user.target
    EOF
    $ sudo systemctl enable --now cloudflared-proxy-dns
  6. Change your system DNS servers to use 127.0.0.1. On Linux, you can modify /etc/resolv.conf:

    $ sudo rm -f /etc/resolv.conf
    $ echo nameserver 127.0.0.1 | sudo tee /etc/resolv.conf >/dev/null
  7. Finally, verify it locally with:

    $ dig +short @127.0.0.1 cloudflare.com AAAA
    2606:4700::6810:85e5
    2606:4700::6810:84e5

​​ DNSCrypt-Proxy

The DNSCrypt-Proxy 2.0+ supports DoH out of the box. It supports both 1.1.1.1 and other services. It also includes more advanced features, such as load balancing and local filtering.

  1. Install DNSCrypt-Proxy.

  2. Verify that dnscrypt-proxy is installed and the version is 2.0 or later:

    $ dnscrypt-proxy -version
    2.0.8
  3. Set up the configuration file using the official instructions, and add cloudflare and cloudflare-ipv6 to the server list in dnscrypt-proxy.toml:

    server_names = ['cloudflare', 'cloudflare-ipv6']
  4. Make sure that nothing else is running on localhost:53, and check that everything works as expected:

    $ dnscrypt-proxy -resolve cloudflare-dns.com
    Resolving [cloudflare-dns.com]
    Domain exists: yes, 3 name servers found
    Canonical name: cloudflare-dns.com.
    IP addresses: 2400:cb00:2048:1::6810:6f19, 2400:cb00:2048:1::6810:7019, 104.16.111.25, 104.16.112.25
    TXT records: -
    Resolver IP: 172.68.140.217
  5. Register it as a system service according to the DNSCrypt-Proxy installation instructions.