Custom cloudflared image in a docker environment useful for privacy.

homeall/cloudflared


Docker image with cloudflared for DNS over HTTPS

Table of Contents
  1. About The Project
  2. Getting Started
  3. Usage
  4. PiHole
  5. License
  6. Contact
  7. Acknowledgements

About The Project

The primary purpose of creating a custom Docker image containing only cloudflared was to use DNS over HTTPS with security-filtering upstreams only ⬇️, three of them in total (very good for failover).

❗It is especially useful in a Docker or Kubernetes environment where high availability is a must.

I use a weekly GitHub Actions workflow that updates the cloudflared binary, so the Docker image and the package stay up to date.

This README shows how to use the commands with the images.

It works well together with ©️ PiHole.

🚫 If you need ad blocking and privacy, this may help you in the long term.

Getting Started

🔰 It will work on any Linux box (amd64) or on a Raspberry Pi (arm64 or arm32).

Prerequisites

Made with Docker!

You will need to have:

This step is optional

Usage

Default Settings

It will come with the following security upstreams in this order:

  • 1️⃣ 1.1.1.3
  • 2️⃣ security.cloudflare-dns.com
  • 3️⃣ 1.1.1.2

⚠️ Please review this link in order to get more details about the upstreams above.

The default port is 54.

The default bind address is 0.0.0.0.

Docker run command:

Unless you need to change the default setting, it will work as expected with the command below:

docker run -d --name cloudflare -p "54:54" -p "54:54/udp" homeall/cloudflared:latest

♥️ In the status column shown by Docker you will notice the word healthy. This tells you that Docker is running its own healthcheck to make sure the resolver is working properly.

⬇️ Please test yourself using the following command:

> docker inspect --format "{{json .State.Health }}" cloudflare | jq
{
  "Status": "healthy",
  "FailingStreak": 0,
  "Log": [
    {
      "Start": "2021-01-04T10:42:21.5982274Z",
      "End": "2021-01-04T10:42:21.6848715Z",
      "ExitCode": 0,
      "Output": "Server:\t\t127.0.0.1\nAddress:\t127.0.0.1#54\n\nName:\tcloudflare.com\nAddress: 104.16.133.229\nName:\tcloudflare.com\nAddress: 104.16.132.229\nName:\tcloudflare.com\nAddress: 2606:4700::6810:84e5\nName:\tcloudflare.com\nAddress: 2606:4700::6810:85e5\n\n"
    }
  ]
}

⬇️ Docker logs output:

INFO[2021-01-01T20:03:37Z] Adding DNS upstream - url: https://1.1.1.3/dns-query
INFO[2021-01-01T20:03:37Z] Adding DNS upstream - url: https://security.cloudflare-dns.com/dns-query
INFO[2021-01-01T20:03:37Z] Adding DNS upstream - url: https://1.1.1.2/dns-query
INFO[2021-01-01T20:03:37Z] Starting metrics server on 127.0.0.1:8080/metrics
INFO[2021-01-01T20:03:37Z] Starting DNS over HTTPS proxy server on: dns://0.0.0.0:54

⬇️ Simple tests:

❯ dig google.com @127.0.0.1 -p 54 +short
216.58.211.174
❯ dig google.com @127.0.0.1 +tcp -p 54 +short
216.58.211.174


Custom upstreams and custom port number:

You can change the first two upstreams (DNS1 and DNS2) and the port number; the third upstream stays at the default 1.1.1.2, as the output below shows.

Change to fit your needs:

docker run -d --name cloudflare -p "5454:5454" -p "5454:5454/udp" -e "DNS1=dns.google" -e "DNS2=1.1.1.1" -e "PORT=5454" homeall/cloudflared:latest

⬇️ Output result:

INFO[2021-01-01T20:08:36Z] Starting metrics server on 127.0.0.1:8080/metrics
INFO[2021-01-01T20:08:36Z] Adding DNS upstream - url: https://dns.google/dns-query
INFO[2021-01-01T20:08:36Z] Adding DNS upstream - url: https://1.1.1.1/dns-query
INFO[2021-01-01T20:08:36Z] Adding DNS upstream - url: https://1.1.1.2/dns-query
INFO[2021-01-01T20:08:36Z] Starting DNS over HTTPS proxy server on: dns://0.0.0.0:5454
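As an added example (not part of the homeall/cloudflared project), here is a POSIX shell check that reads log lines in the format shown above and verifies that every registered upstream is HTTPS and in an allowlist, so a typo in DNS1 or DNS2 cannot silently downgrade or redirect resolution. The sample log and the allowlist are constructed for this example; only the log format comes from the image.

```shell
#!/bin/sh
# Added example, not code from the homeall/cloudflared project.
# Constructed sample log in the format cloudflared prints at startup.
SAMPLE_LOG='INFO[2021-01-01T20:03:37Z] Adding DNS upstream - url: https://1.1.1.3/dns-query
INFO[2021-01-01T20:03:37Z] Adding DNS upstream - url: https://security.cloudflare-dns.com/dns-query
INFO[2021-01-01T20:03:37Z] Adding DNS upstream - url: https://1.1.1.2/dns-query
INFO[2021-01-01T20:03:37Z] Starting metrics server on 127.0.0.1:8080/metrics
INFO[2021-01-01T20:03:37Z] Starting DNS over HTTPS proxy server on: dns://0.0.0.0:54'

# Upstreams we expect (the image defaults); anything else is a misconfiguration.
ALLOWED_UPSTREAMS='https://1.1.1.3/dns-query https://security.cloudflare-dns.com/dns-query https://1.1.1.2/dns-query'

# Print the upstream URLs cloudflared registered, one per line.
log_upstreams() {
  printf '%s\n' "$1" | sed -n 's/.*Adding DNS upstream - url: //p'
}

# Print the address:port the DoH proxy is listening on (e.g. 0.0.0.0:54 or [::]:54).
log_listen_addr() {
  printf '%s\n' "$1" | sed -n 's/.*proxy server on: dns:\/\///p'
}

# Number of upstreams registered, so a check can insist on all three for failover.
count_upstreams() {
  log_upstreams "$1" | grep -c .
}

# Return 0 if every upstream is HTTPS and in the allowlist, 1 otherwise.
# $1 = log text, $2 = space-separated allowlist of upstream URLs.
check_upstreams() {
  log="$1"; allowed="$2"; rc=0
  for u in $(log_upstreams "$log"); do
    case "$u" in
      https://*) ;;
      *) echo "non-HTTPS upstream: $u" >&2; rc=1; continue ;;
    esac
    case " $allowed " in
      *" $u "*) ;;
      *) echo "unexpected upstream: $u" >&2; rc=1 ;;
    esac
  done
  return $rc
}
```

On a live host, feed it the real output with check_upstreams "$(docker logs cloudflare 2>&1)" "$ALLOWED_UPSTREAMS"; log_listen_addr also tells you whether the proxy is bound to 0.0.0.0 or [::], which -p "54:54" then publishes on every host interface.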


Dual-stack IPv4/IPv6

⚠️ To serve IPv6 as well, set the ADDRESS variable:

docker run --name cloudflare -d -p "54:54" -p "54:54/udp" -e "ADDRESS=::" homeall/cloudflared

⬇️ Output result:

INFO[2021-01-02T14:38:53Z] Adding DNS upstream - url: https://1.1.1.3/dns-query
INFO[2021-01-02T14:38:53Z] Adding DNS upstream - url: https://security.cloudflare-dns.com/dns-query
INFO[2021-01-02T14:38:53Z] Adding DNS upstream - url: https://1.1.1.2/dns-query
INFO[2021-01-02T14:38:53Z] Starting metrics server on 127.0.0.1:8080/metrics
INFO[2021-01-02T14:38:53Z] Starting DNS over HTTPS proxy server on: dns://[::]:54

⬇️ Simple tests:

❯ dig google.com @::1 +tcp -p 54 +short
216.58.213.14
❯ dig google.com @::1 -p 54 +short
216.58.213.14


©️ PiHole with cloudflared is a match made in heaven for privacy and ad blocking ‼️

⬇️ Check out this docker-compose.yml:

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    hostname: pihole
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
    environment:
      TZ: 'Europe/London'
      WEBPASSWORD: 'admin'
      ServerIP: '172.18.0.2'
      DNS1: '172.18.0.3#54'
      DNS2: 'no'
    volumes:
      - './etc-pihole/:/etc/pihole/'
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    networks:
      pihole_net:
        ipv4_address: 172.18.0.2

  cloudflare:
    restart: unless-stopped
    container_name: cloudflare
    image: homeall/cloudflared:latest
    links:
      - pihole
    ports:
      - "54:54/tcp"
      - "54:54/udp"
    environment:
      TZ: 'Europe/London'
    networks:
      pihole_net:
        ipv4_address: 172.18.0.3

networks:
  pihole_net:
    driver: bridge
    ipam:
      config:
        - subnet: 172.18.0.0/24

You will have to define a network and a hardcoded IP address for each container so that PiHole forwards queries correctly to the cloudflared container. Otherwise you may run into configuration issues from dnsmasq.d on PiHole. If you use host network mode instead, queries are forwarded correctly to localhost on port 54.

License

🗞️ Distributed under the MIT license. See LICENSE for more information.

Contact

🔴 Please feel free to open a ticket on GitHub.

Acknowledgements
