Cloudflare Tunnel: proxy-dns Command Removal 2026 | What are some nice alternatives to encrypted DNS?
(mwpro.co.uk)
from xavier666@lemmy.umucat.day to selfhosted@lemmy.world on 02 Jan 00:06
https://lemmy.umucat.day/post/869758
from xavier666@lemmy.umucat.day to selfhosted@lemmy.world on 02 Jan 00:06
https://lemmy.umucat.day/post/869758
Hi everyone,
I have been using cloudflared for DNS-over-HTTPS for the past 5 years and it’s been working pretty well. One of the reasons for using it was because my ISP was hijacking my DNS queries and changing it to their own DNS server.
However, I saw this news where the proxy-dns feature in cloudflared is being closed and they are asking customers to shift to their WARP client instead.
I want to know what the community is using for encrypted DNS services (DoH, DoT, DoQ)
Thanks :)
threaded - newest
Since you’re posting in the self hosted community I’ll assume you’re looking for a self hosted alternative.
I’ve been meaning to try out Hickory DNS. I too want to use DoH on my clients, and will use native Android/Firefox options to enable it client side.
Haven’t settled settled on an upstream provider yet, so from Hickory DNS onwards I’ll still need to find something else.
I self-host the
cloudflaredwhich is used by my Pihole as the upstream provider.I shall check out Hickory DNS. Thanks!
Edit: Okay, the application is still in alpha-stage. I’m afraid I can’t use it, but I will be keeping an eye out for it.
There’s Technitium DNS, though I’m not an user hence no strong recommendation on my end.
I have seen this project popping up quite a bit. It seems like this natively supports a lot of encrypted DNS protocols, unlike Pihole. Looks very nice.
Technitium is very powerful and could perfectly handle being a DNS forwarder + DHCP provider for your LAN, replacing both Pihole + cloudflared. Though it does many other things too, which can make the UI overwhelming for starters. But in my opinion if you’d like to fine-tune a lot of things like cache and custom DNS logic (via installable applets), this would be the software for you
Edit: If you want something simpler to replace Pihole + cloudflared, AdGuard Home is pretty good too. It uses dnsproxy under the hood and has a nice UI
For the upstream provider I guess Quad9 is popular enough to give you fairly good geolocated IPs, but also has some sense of privacy. The main thing is to always validate your andwers with DNSSEC as to detect and refuse any DNS tampering attempts
I was checking the feature list of Technitium and it’s a bit … overwhelming. I may shift to it one day but I need to study it first :P
Pihole is fine for the time being.
I’ve been using Quad9 DoH for a few months now. Very happy with it so far.
AdGuard’s dnsproxy should fill the bill.
dnsproxy seems really good.
I’m checking their docker release (github.com/axeleroy/dnsproxy-docker/)
they have an official build too: hub.docker.com/r/adguard/dnsproxy
Are you trying to send the DNS request through the tunnel?
I use DoH, which sends DNS requests through https. It essentially looks like normal https traffic (encrypted), so your ISP shouldn’t be able to hijack it and no additional tunnels are required. CF supports doh at the usual 1.1.1.1 address, even, if you want to keep using them. Otherwise plenty of other providers support doh, as well.
I personally haven’t looked at all but I don’t fully understand doh. How can you have https before DNS? To get my first query I kind of need to validate through DNS records certificate authority for that site? So to even establish doh you need unencrypted DNS or blind trust of IP?
Yes you’ll need a way to query the domain of the DoH service in plaintext before using it. In many software you can define “bootstrap DNS addresses” to do exactly that. Or you can hardcode the DoH service’s IPs, which for most upstream providers are almost always the same as their “normal” IPs anyways
You define your dns by IP. you get the cert from that IP and automatically trust it.
The cert for validation the server only validate the hostname. It’s not useful for IP.
You’ll need a single DNS request, known as a “bootstrap” request. Your ISP will see a single DNS request to Google or Cloudflare or whatever, then everything after that will just look like normal https traffic.
That said, if your ISP is blocking and denying ALL dns requests for some reason (making the bootstrap request impossible), then you could still define the address locally. At that point, though, the ISP is likely blocking the IP addresses, too, so resolving the address is a bit moot.
Stubby.
There is also github.com/DNSCrypt/dnscrypt-proxy
You are most likely using Cloudflared together with pi-Hole.
You may want to check-out AdGuardHome (open source) which has out-of-the-box DOH support.
github.com/AdguardTeam/AdGuardHome
Which ISP? Name and shame!
Another approach would be setting up your own recursive revolver with e.g. Unbound. It’s debatable whether it’s more or less private than using DoH etc but it would bypass the DNS tampering by your ISP at the least.
I doubt it because I could see that my ISP is doing a MITM attack on my DNS queries. Encryption is the only way.