New Member
Posts: 4
Registered: 11-16-2016
Kudos: 1085

Countering plaintext DNS with

Hi all,


Cloudflare just today openly published their DNS resolvers, using the magic IPs and


This is not only great because they have a decent policy on not storing or selling user data, a global multicast network with presence in >150 data centers, or being among the very few entities to already support TLS 1.3. They also support encrypted DNS queries using DNS-over-TLS as well as DNS-over-HTTPS. Both are great, because your ISP today can do basically the same thing as your DNS resolver: collect & sell all the websites everyone visits.


However, only Google has so far been able to encrypt their DNS traffic, using Android and/or Chrome. To counter this, I added two feature requests to support encrypted DNS queries to protect entire networks without having to wait for OS vendors to implement this - it would be great if you could upvote any of them, or both (since they use two different mechanisms):

New Member
Posts: 6
Registered: 04-29-2014
Kudos: 2

Re: Countering plaintext DNS with

There are the beginnings of a how-to here to get this working:


I took that and got things working by doing the following:


- build a MIPS version of cloudflared; I used Docker:


docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp -e GOOS=linux -e GOARCH=mips golang bash -c "go get -v; GOOS=linux GOARCH=mips go build -v -x"

- copy the MIPS cloudflared into /config/scripts/ on USG
- make sure it's executable: chmod +x /config/scripts/cloudflared
- create a startup script in /config/scripts/post-config.d, mine looks like:

================== =======================


#!/bin/sh
# start DNS proxy to Cloud Flare

/usr/bin/pkill cloudflared

# "&>" is a bash-only redirect; under /bin/sh it would background the command
# and leave stderr unlogged, so redirect stdout and stderr the POSIX way
nohup /config/scripts/cloudflared --no-autoupdate --proxy-dns --proxy-dns-port 5053 >/var/log/cloudflared.log 2>&1 &

- make sure startup script is executable: chmod +x /config/scripts/post-config.d/
- add a custom config.gateway.json file on your controller so DNS config carries over on provisioning, here is what the relevant section of mine is:
============================== config.gateway.json =================


"service": {
"dns": {
"forwarding": {
"options": [

- make sure the domain name in the file is the same as the one in Settings -> Network -> edit -> Domain Name, and the IP range matches as well.
- force a reprovision of your USG and reboot it to make sure everything starts up correctly


A few random notes:
- supposedly everything in /config/scripts survives a firmware upgrade so that's why I picked that location
- scripts in /config/scripts/post-config.d seem to run on boot
- since you're using no-resolv, resolv.conf won't be read at all, so you need to manually set domain name for short names to work
- I added direct connections to cloudflare's DNS servers as 2nd and 3rd, but use strict-order so they will only be used if there is a problem with the DoH proxy
- the log file flag to cloudflared doesn't seem to work when using it for dns-proxy so need to use redirect to capture log info
- haven't done anything about log rotation yet, but cloudflared doesn't seem too chatty
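Once cloudflared is listening on 127.0.0.1:5053, the thing you want to verify is that the LAN-facing side (plain UDP DNS, which dnsmasq forwards to) actually answers and that dnsmasq's `strict-order` fallback is not silently in use. The following added example, which is not code from the post, from cloudflared or from Ubiquiti, builds a standard DNS query, sends it to the proxy and parses the answer, including name compression pointers. The host, port and the `example.com` sample are assumptions; the embedded response bytes are constructed for offline use.

```python
"""Check that a local DNS proxy (e.g. cloudflared --proxy-dns on 127.0.0.1:5053)
answers a plain UDP DNS query. Constructed example; not from the forum post."""
import random
import socket
import struct

A, AAAA, CNAME = 1, 28, 5


def build_query(name, qtype=A, txid=None):
    """Build an RFC 1035 query with RD=1 for `name`. Returns (txid, wire bytes)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def _read_name(data, offset):
    """Read a possibly compressed name; return (dotted name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # the name ends after the first pointer
            offset, hops = pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(data, expected_txid=None):
    """Parse the header, skip the question section and decode the answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply?)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == A and rdlen == 4:
            value = socket.inet_ntoa(rdata)
        elif rtype == AAAA and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype == CNAME:
            value, _ = _read_name(data, offset)
        else:
            value = rdata.hex()
        offset += rdlen
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0x000F,
            "truncated": bool(flags & 0x0200), "answers": answers}


def check_resolver(name, host="127.0.0.1", port=5053, qtype=A, timeout=3.0):
    """Send one query over UDP to the proxy and return the parsed reply."""
    txid, query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, port))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, expected_txid=txid)


# Constructed reply to "example.com A": id 0x1234, flags QR+RD+RA, one answer
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header
    b"\x07example\x03com\x00\x00\x01\x00\x01"            # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"  # answer: ptr->12, A, IN, TTL 300
    b"\xc0\x00\x02\x01"                                   # rdata 192.0.2.1 (TEST-NET-1)
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, expected_txid=0x1234))  # offline self-check
    print(check_resolver("example.com"))  # live check against 127.0.0.1:5053
```

Run it on the USG (or from any LAN host, pointing `host` at the gateway) after the startup script has been provisioned; a timeout means dnsmasq is falling back to the unencrypted 2nd/3rd servers, and an `rcode` other than 0 for a name that should resolve points at the proxy rather than at dnsmasq.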