Setting up a DNS-Over-Https Raspberry Pi for your whole network

( last updated : February 05, 2020 )
security privacy pihole D-O-H

One of the major ways that ISPs gather information on users is by collecting their DNS queries. This information can be useful for tracking a user's shopping habits, their hobbies, etc. Encrypting these requests is actually pretty easy to accomplish, and the setup described here (PiHole plus a DNS-over-HTTPS proxy) solves a plethora of issues, such as blocking malicious advertisements and keeping internet service providers from monitoring your activities.

Build Requirements

Raspberry Pi 1-3 (This might be possible on a Zero, haven't tested)
8-16 GB SD card
Monitor that supports HDMI for initial install
A microSD card reader/writer
Internet connection
USB power or Raspberry Pi power cable

Download the Raspbian Buster Lite Image

Raspbian Download

Flash the image to the SD card

You can use whatever software you like, I go between:


After flashing the microSD card, insert it into the Raspberry Pi and plug in the power

Once the OS is installed, change the password for the user pi

sudo passwd pi

Install Cloudflared

Download the cloudflared binary. Depending on which Raspberry Pi you use, you may have some issues: the Raspberry Pi 2 seems to have a problem with newer versions of cloudflared. If this version of cloudflared segfaults for you, then try the RPi 2 option

cd /tmp
# The package has to match the Pi's CPU architecture (ARM)
sudo dpkg -i cloudflared-stable-linux-amd64.deb
cloudflared -v

Raspberry Pi 2 Download if above seg faults

sudo tar -zxvf cloudflared-2018.7.2-linux-arm.tar.gz -C /usr/local/bin/
cloudflared -v

If successful you should see something like this

cloudflared version 2018.7.2 (built 2018-07-13-1701 UTC)

Make the Cloudflared User

sudo useradd -r -M -s /usr/sbin/nologin -c "Cloudflared user" cloudflared
sudo passwd -l cloudflared
sudo chage -E 0 cloudflared

Make the default file

echo "CLOUDFLARED_OPTS=--port 5053 --upstream <UPSTREAM_DOH_URL_1> --upstream <UPSTREAM_DOH_URL_2>" | sudo tee /etc/default/cloudflared

Set Permissions on the Files

sudo chown -v cloudflared:cloudflared /usr/local/bin/cloudflared
sudo chown -v cloudflared:cloudflared /etc/default/cloudflared

Make the Systemd File

sudo vi /lib/systemd/system/cloudflared.service

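Copy this to the service file. In the finished unit, Description= sits under a [Unit] header and ExecStart= under a [Service] header, and the service must load /etc/default/cloudflared as its environment file for $CLOUDFLARED_OPTS to be set.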

Description=cloudflared DoH proxy
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS

Enable the Service and set it to autostart if device loses power or is restarted

sudo systemctl enable cloudflared
sudo systemctl start cloudflared
sudo systemctl status cloudflared
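
A static check that can be run over the two files created above, assuming the space-separated option form used on this page. This is an added example, not part of the original post; the function name check_doh_config, the temporary file paths and the doh.example resolver URL are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: lint the cloudflared defaults
# file and unit file. Returns the number of problems found (0 = OK).
check_doh_config() (
    defaults=$1; unit=$2; problems=0; upstreams=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    opts=$(sed -n 's/^CLOUDFLARED_OPTS=//p' "$defaults")
    [ -n "$opts" ] || fail "CLOUDFLARED_OPTS is not set in $defaults"
    echo "$opts" | grep -Eq -e '--port [0-9]+( |$)' || fail "no --port <number>"

    # Every --upstream must be followed by an https:// URL; without one the
    # proxy has no encrypted resolver to forward queries to.
    set -f; set -- $opts
    while [ $# -gt 0 ]; do
        if [ "$1" = "--upstream" ]; then
            upstreams=$((upstreams + 1))
            case ${2:-} in
                https://?*) ;;
                *) fail "--upstream #$upstreams has no https:// URL" ;;
            esac
        fi
        shift
    done
    [ "$upstreams" -gt 0 ] || fail "no --upstream option"

    # Unit file: section headers, a non-root user, and the options loaded.
    grep -qxF '[Service]' "$unit" || fail "no [Service] section"
    grep -qxF '[Install]' "$unit" || fail "no [Install] section, 'systemctl enable' has nothing to do"
    grep -Eq '^User=.+' "$unit" || fail "no User= line, service runs as root"
    ! grep -qx 'User=root' "$unit" || fail "User=root"
    grep -q '^EnvironmentFile=' "$unit" || fail "no EnvironmentFile=, \$CLOUDFLARED_OPTS is empty"
    grep -Eq '^ExecStart=.*proxy-dns.*\$CLOUDFLARED_OPTS' "$unit" ||
        fail "ExecStart does not pass \$CLOUDFLARED_OPTS to proxy-dns"
    return "$problems"
)

# Constructed sample files; doh.example is a placeholder, not a real resolver.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
echo 'CLOUDFLARED_OPTS=--port 5053 --upstream https://doh.example/dns-query' > "$demo/defaults"
printf '%s\n' '[Unit]' 'Description=cloudflared DoH proxy' \
    '[Service]' 'User=cloudflared' 'EnvironmentFile=/etc/default/cloudflared' \
    'ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS' \
    '[Install]' 'WantedBy=multi-user.target' > "$demo/unit"
if check_doh_config "$demo/defaults" "$demo/unit"; then echo "OK: no problems found"; fi
```

On the Pi itself the call would be check_doh_config /etc/default/cloudflared /lib/systemd/system/cloudflared.service, using the paths from the steps above.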

Install PiHole

Download the installer and run it

wget -O
sudo bash

Run through the installer making these selections

Please make sure you select eth0

Select Cloudflare for now; it will be changed in the GUI after install

Make sure all are selected

Select both, or at least IPv4, depending on your setup

This will show whatever IP address you are currently set to. For most of you this won't need to be changed; however, if for any reason you need to change it, run:

pihole -r

Install the WebGui

Ignore this for now; we are going to change the WebGui password from the command line

Once the script is done running, run this as root to change the WebGui password

pihole -a -p

Log in to the WebGui

http://<ip Address>/admin/

Uncheck the Cloudflare section and enter the custom DNS options below. Also, make sure to select the Advanced DNS Settings below.

Wherever you are doing DHCP/static entries, update your DNS to the PiHole's IP address. And that is it: you have set up the PiHole, and your DNS queries should be private.


For issues with PiHole, run this command which will reconfigure the pihole instance

pihole -r

If you need to set a static ip address for the Pi, please do this:

Edit /etc/network/interfaces. Change the address, network, netmask, broadcast and gateway to match your network

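auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address <static IP for the Pi>
    network <network address>
    netmask <netmask>
    broadcast <broadcast address>
    gateway <gateway IP>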

Run 'service networking restart' (without the quotes) to complete your change. Note: this won't disconnect you from SSH.

For issues with cloudflared, you might need to do some googling to find a cloudflared binary that works with your pi
