Evaggelos Balaskas - System Engineer

Cloudflare has released an Argo Tunnel client named: cloudflared. It’s also a DNS over HTTPS (DoH) client and in this blog post, I will describe how to use cloudflared with LibreDNS, a public encrypted DNS service that people can use to maintain the secrecy of their DNS traffic, but also circumvent censorship.

Notes based on ubuntu 20.04, as root

Download and install latest stable version

curl -sLO https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.tgz

tar xf cloudflared-stable-linux-amd64.tgz

ls -l
total 61160
-rwxr-xr-x 1 root root 43782944 May  6 03:45 cloudflared
-rw-r--r-- 1 root root 18839814 May  6 19:42 cloudflared-stable-linux-amd64.tgz

mv cloudflared /usr/local/bin/

check version

# cloudflared --version
cloudflared version 2020.5.0 (built 2020-05-06-0335 UTC)

doh support

# cloudflared proxy-dns --help
NAME:
   cloudflared proxy-dns - Run a DNS over HTTPS proxy server.

USAGE:
   cloudflared proxy-dns [command options]

LibreDNS Endpoints

LibreDNS has two endpoints:

• dns-query
• ads

The latest blocks trackers/ads etc.

standalone

We can use cloudflared as standalone for testing, here is on a non standard TCP port:

cloudflared proxy-dns --upstream https://doh.libredns.gr/ads --port 5454

INFO[0000] Adding DNS upstream                   url="https://doh.libredns.gr/ads"
INFO[0000] Starting DNS over HTTPS proxy server  addr="dns://localhost:5454"
INFO[0000] Starting metrics server               addr="127.0.0.1:41717/metrics"

Testing ads endpoint

$ dig @127.0.0.1 -p 5454 +short analytics.google.com
0.0.0.0
$ dig @127.0.0.1 -p 5454 +short google.com
216.58.210.14
$ dig @127.0.0.1 -p 5454 +short test.libredns.gr
116.202.176.26

conf

We have verified that cloudflared works with libredns, so let us create a configuration file.

By default, cloudflared is trying to find one of the below files (replace root with your user):

• /root/.cloudflared/config.yaml
• /root/.cloudflared/config.yml
• /root/.cloudflare-warp/config.yaml
• /root/cloudflare-warp/config.yaml
• /root/.cloudflare-warp/config.yml
• /root/cloudflare-warp/config.yml
• /usr/local/etc/cloudflared/config.yml

The most promising file is:

• /usr/local/etc/cloudflared/config.yml

Create the configuration file

mkdir -pv /usr/local/etc/cloudflared
cat > /usr/local/etc/cloudflared/config.yml << EOF
proxy-dns: true
proxy-dns-upstream:
 - https://doh.libredns.gr/dns-query
EOF

or for ads endpoint

mkdir -pv /usr/local/etc/cloudflared
cat > /usr/local/etc/cloudflared/config.yml << EOF
proxy-dns: true
proxy-dns-upstream:
 - https://doh.libredns.gr/ads
EOF

Testing

# cloudflared

INFO[0000] Version 2020.5.0
INFO[0000] GOOS: linux, GOVersion: go1.12.7, GoArch: amd64
INFO[0000] Flags                                         proxy-dns=true proxy-dns-upstream="https://doh.libredns.gr/ads"
INFO[0000] Adding DNS upstream                           url="https://doh.libredns.gr/ads"
INFO[0000] Starting DNS over HTTPS proxy server          addr="dns://localhost:53"
INFO[0000] Starting metrics server                       addr="127.0.0.1:33519/metrics"
INFO[0000] cloudflared will not automatically update when run from the shell. To enable auto-updates, run cloudflared as a service: https://developers.cloudflare.com/argo-tunnel/reference/service/

$ dig test.libredns.gr +short
116.202.176.26

Service

if you are a use of Argo Tunnel and you have a cloudflare account, then you login and get your cert.pem key. Then (and only then) you can install cloudflared as a service by:

 cloudflared service install

and you can use /etc/cloudflared or /usr/local/etc/cloudflared/ and must have two files:

• cert.pem and
• config.yml (the above file)

That’s it !