Alexander / Aebian


July 27th at 10:16am

DNS over TLS


This post covers how you can encrypt your DNS over TLS.

Greetings,

These days, security is a mandatory item on every agenda. This post covers how you can secure your DNS requests with TLS.


What you need:

  • cloudflared (the Argo Tunnel application by Cloudflare Inc.)
  • a Linux host is recommended, but macOS or Windows should work too

Download cloudflared via https://developers.cloudflare.com/argo-tunnel/downloads/
On Linux, you can then install it via:
sudo dpkg -i cloudflared-stable-linux-amd64.deb

Then create a user to run the service later on:
sudo useradd -s /usr/sbin/nologin -r -m cloudflared

The next step is to create a config file for the service:
sudo mkdir /home/cloudflared/.cloudflared

sudoedit /home/cloudflared/.cloudflared/cf

Next, add a service script:

sudoedit /lib/systemd/system/cloudflared.service

Once that is done you can enable the service:

sudo systemctl enable cloudflared
sudo systemctl start cloudflared
And check the status:
sudo systemctl status cloudflared


You can check that the DNS server works via dig:

dig @127.0.0.1 -p 7359 google.ca

Next, you might want to create an autostart script for the new service.
Create a file called cloudflared in /etc/init.d/. Inside the file, write:
systemctl start cloudflared

The last thing you need to do is:

  • either point your devices to the new DNS port
  • or set your existing DNS upstream in, e.g., Pi-hole to the new port.
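
To confirm the setup once the service is running, the following added example (not part of the original post) reports how widely the proxy port is bound and checks that it answers queries. It assumes ss (iproute2) and dig are installed; port 7359 and google.ca come from the dig command above, and the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post: post-install checks for the
# local cloudflared DNS proxy. Assumes iproute2 `ss` and `dig` are installed.
PORT=7359   # listener port taken from the dig command in the post

# Reads `ss -H -lntu` output on stdin and prints how widely port $1 is bound:
# none | loopback | specific | wildcard (the widest binding wins).
listener_scope() {
    awk -v port="$1" '
        {
            addr = $5                              # Local Address:Port column
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "*" || host == "[::]") rank = 3
            else if (host == "127.0.0.1" || host == "[::1]") { if (rank < 1) rank = 1 }
            else if (rank < 2) rank = 2
        }
        END { split("none loopback specific wildcard", name, " "); print name[rank + 1] }
    '
}

# Reads `dig +short` output on stdin; succeeds if at least one line is an IPv4
# address (dig prints ";; ..." diagnostics instead when the proxy is down).
answer_has_address() {
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Live check against this host: bind scope first, then one real lookup.
run_checks() {
    scope=$(ss -H -lntu | listener_scope "$PORT")
    echo "port $PORT bind scope: $scope"
    [ "$scope" = none ] && { echo "FAIL: nothing listens on $PORT"; return 1; }
    [ "$scope" = wildcard ] && echo "WARN: reachable on every interface; firewall it to your LAN"
    dig +short +time=3 +tries=1 @127.0.0.1 -p "$PORT" google.ca A | answer_has_address \
        || { echo "FAIL: no A record via 127.0.0.1:$PORT"; return 1; }
    echo "OK: proxy resolves on port $PORT"
}

# Constructed sample of `ss -H -lntu` output (not captured from a real host).
SAMPLE='udp UNCONN 0 0    127.0.0.1:7359 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:7359 0.0.0.0:*
udp UNCONN 0 0    0.0.0.0:5353   0.0.0.0:*'

if [ "${1:-}" = "--live" ]; then run_checks
else printf '%s\n' "$SAMPLE" | listener_scope "$PORT"; fi
```

Run it with --live on the host; without arguments it only evaluates the constructed sample. A loopback binding suits the Pi-hole upstream option, while pointing other devices at the port requires a non-loopback binding that should be limited to your own network.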
