Cloudflare Docs
Edit this page
Give us feedback
Set theme to dark (⇧+D)

Connect to using DoH clients

There are several DoH clients you can use to connect to

​​ cloudflared

  1. Download and install the cloudflared daemon.

  2. Verify that the cloudflared daemon is installed by entering the following command:

    $ cloudflared --version
    cloudflared version 2020.11.11 (built 2020-11-25-1643 UTC)
  3. Start the DNS proxy on an address and port in your network. If you do not specify an address and port, it will start listening on localhost:53. DNS (53) is a privileged port, so for the initial demo we will use a different port:

    $ cloudflared proxy-dns --port 5553
    INFO[2020-12-04T19:58:57Z] Adding DNS upstream - url:
    INFO[2020-12-04T19:58:57Z] Adding DNS upstream - url:
    INFO[2020-12-04T19:58:57Z] Starting metrics server on
    INFO[2020-12-04T19:58:57Z] Starting DNS over HTTPS proxy server on: dns://localhost:5553
  4. You can verify that cloudflared is running using a dig, kdig, host, or any other DNS client.

    $ dig +short @ -p5553 AAAA
  5. Run cloudflared as a service so it starts on user login. On many Linux distributions, this can be done with:

    $ sudo tee /etc/systemd/system/cloudflared-proxy-dns.service >/dev/null <<EOF
    Description=DNS over HTTPS (DoH) proxy client
    ExecStart=/usr/local/bin/cloudflared proxy-dns
    $ sudo systemctl enable --now cloudflared-proxy-dns
  6. Change your system DNS servers to use On Linux, you can modify /etc/resolv.conf:

    $ sudo rm -f /etc/resolv.conf
    $ echo nameserver | sudo tee /etc/resolv.conf >/dev/null
  7. Finally, verify it locally with:

    $ dig +short @ AAAA

​​ DNSCrypt-Proxy

The DNSCrypt-Proxy 2.0+ supports DoH out of the box. It supports both and other services. It also includes more advanced features, such as load balancing and local filtering.

  1. Install DNSCrypt-Proxy.

  2. Verify that dnscrypt-proxy is installed and the version is 2.0 or later:

    $ dnscrypt-proxy -version
  3. Set up the configuration file using the official instructions, and add cloudflare and cloudflare-ipv6 to the server list in dnscrypt-proxy.toml:

    server_names = ['cloudflare', 'cloudflare-ipv6']
  4. Make sure that nothing else is running on localhost:53, and check that everything works as expected:

    $ dnscrypt-proxy -resolve
    Resolving []
    Domain exists: yes, 3 name servers found
    Canonical name:
    IP addresses: 2400:cb00:2048:1::6810:6f19, 2400:cb00:2048:1::6810:7019,,
    TXT records: -
    Resolver IP:
  5. Register it as a system service according to the DNSCrypt-Proxy installation instructions.