homeall/cloudflared

By homeall

Updated 3 days ago

cloudflared in a Docker image for DNS over HTTPS, useful for privacy.

Docker image with cloudflared for DNS over HTTPS

Table of Contents
  1. About The Project
  2. Getting Started
  3. Usage
  4. PiHole
  5. License
  6. Contact
  7. Acknowledgements

About The Project

You can check the repo on GitHub.

The primary purpose of building a custom Docker image containing only cloudflared was to run DNS over HTTPS against security upstreams only, with four upstreams configured so that fail-over works well.

It is very useful in Docker or Kubernetes environments where high availability is a must.

I am using GitHub Actions weekly to update the cloudflared binary, in order to keep the Docker image and the package up to date.

This README shows how to run the image and which commands and settings it supports.

It is well suited to running alongside PiHole.

If you need ad blocking and privacy, this may help you in the long term.

Getting Started

It works on any amd64 Linux box, or on a Raspberry Pi with arm64 or arm32.

Prerequisites

You will need to have:

Usage

Default Settings

It ships with the following security upstreams, used in this order:

  1. 1.1.1.3
  2. security.cloudflare-dns.com
  3. 1.1.1.2
  4. 1.0.0.2

Please review this link to get more details about the upstreams above.

The default port is 54.

The default listen address is 0.0.0.0.

Docker run command (port 54 is published for both TCP and UDP, since dig uses UDP by default):

docker run -d --name cloudflare -p "54:54" -p "54:54/udp" homeall/cloudflared:latest

In the STATUS column of docker ps you will notice the word healthy.

This tells you that Docker is running the image's built-in health check, which makes sure the resolver is working properly.

Please test it yourself using the following command:

> docker inspect --format "{{json .State.Health }}" cloudflare | jq
{
  "Status": "healthy",
  "FailingStreak": 0,
  "Log": [
    {
      "Start": "2021-01-04T10:42:21.5982274Z",
      "End": "2021-01-04T10:42:21.6848715Z",
      "ExitCode": 0,
      "Output": "Server:\t\t127.0.0.1\nAddress:\t127.0.0.1#54\n\nName:\tcloudflare.com\nAddress: 104.16.133.229\nName:\tcloudflare.com\nAddress: 104.16.132.229\nName:\tcloudflare.com\nAddress: 2606:4700::6810:84e5\nName:\tcloudflare.com\nAddress: 2606:4700::6810:85e5\n\n"
    }
  ]
}

Docker logs output:

INFO[2021-01-01T20:03:37Z] Adding DNS upstream - url: https://1.1.1.3/dns-query
INFO[2021-01-01T20:03:37Z] Adding DNS upstream - url: https://security.cloudflare-dns.com/dns-query
INFO[2021-01-01T20:03:37Z] Adding DNS upstream - url: https://1.1.1.2/dns-query
INFO[2021-01-01T20:03:37Z] Adding DNS upstream - url: https://1.0.0.2/dns-query
INFO[2021-01-01T20:03:37Z] Starting metrics server on 127.0.0.1:8080/metrics
INFO[2021-01-01T20:03:37Z] Starting DNS over HTTPS proxy server on: dns://0.0.0.0:54

Simple tests:

❯ dig google.com @127.0.0.1 -p 54 +short
216.58.211.174
❯ dig google.com @127.0.0.1 +tcp -p 54 +short
216.58.211.174

Custom upstreams and custom port number:

You can override only the first two upstreams (DNS1 and DNS2) and the port number; the third and fourth upstreams keep their defaults.

Change these to fit your needs:

docker run -d --name cloudflared -p "5454:5454" -e "DNS1=dns.google" -e "DNS2=1.1.1.1" -e "PORT=5454" -p "5454:5454/udp" homeall/cloudflared:latest

Output result:

INFO[2021-01-01T20:08:36Z] Starting metrics server on 127.0.0.1:8080/metrics
INFO[2021-01-01T20:08:36Z] Adding DNS upstream - url: https://dns.google/dns-query
INFO[2021-01-01T20:08:36Z] Adding DNS upstream - url: https://1.1.1.1/dns-query
INFO[2021-01-01T20:08:36Z] Adding DNS upstream - url: https://1.1.1.2/dns-query
INFO[2021-01-01T20:08:36Z] Adding DNS upstream - url: https://1.0.0.2/dns-query
INFO[2021-01-01T20:08:36Z] Starting DNS over HTTPS proxy server on: dns://0.0.0.0:5454
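As an added example (not part of the image or the original README), the following Python script checks a deployed container the way the health-check and custom-upstream sections above describe: it parses the JSON printed by docker inspect, extracts the upstream list and listener from docker logs, and verifies that only DNS1 and DNS2 changed while the last two upstreams stayed at the defaults. The sample inputs are abridged copies of the outputs shown above; the function names are my own.

```python
import json
import re

# Expected third and fourth upstreams; the README says only DNS1/DNS2 can be overridden.
DEFAULT_TAIL = ["https://1.1.1.2/dns-query", "https://1.0.0.2/dns-query"]
UPSTREAM_RE = re.compile(r"Adding DNS upstream - url: (\S+)")
LISTEN_RE = re.compile(r"proxy server on: dns://(\S+)")

# Sample inputs, abridged from the docker inspect and docker logs output shown in this README.
SAMPLE_HEALTH = r'''{"Status": "healthy", "FailingStreak": 0, "Log": [{"ExitCode": 0,
 "Output": "Server:\t\t127.0.0.1\nAddress:\t127.0.0.1#54\n\nName:\tcloudflare.com\nAddress: 104.16.133.229\nName:\tcloudflare.com\nAddress: 2606:4700::6810:84e5\n\n"}]}'''
SAMPLE_LOG = """INFO[2021-01-01T20:08:36Z] Starting metrics server on 127.0.0.1:8080/metrics
INFO[2021-01-01T20:08:36Z] Adding DNS upstream - url: https://dns.google/dns-query
INFO[2021-01-01T20:08:36Z] Adding DNS upstream - url: https://1.1.1.1/dns-query
INFO[2021-01-01T20:08:36Z] Adding DNS upstream - url: https://1.1.1.2/dns-query
INFO[2021-01-01T20:08:36Z] Adding DNS upstream - url: https://1.0.0.2/dns-query
INFO[2021-01-01T20:08:36Z] Starting DNS over HTTPS proxy server on: dns://0.0.0.0:5454
"""


def parse_health(inspect_json: str) -> dict:
    """Summarise the output of docker inspect --format '{{json .State.Health}}'."""
    health = json.loads(inspect_json)
    last = health["Log"][-1] if health.get("Log") else {}
    # The probe output is nslookup text; keep the answer addresses, drop the server's own line.
    addrs = re.findall(r"^Address:\s*(\S+)$", last.get("Output", ""), re.M)
    return {"healthy": health["Status"] == "healthy" and health["FailingStreak"] == 0,
            "exit_code": last.get("ExitCode"),
            "resolved": [a for a in addrs if "#" not in a]}


def parse_log(log_text: str) -> dict:
    """Extract the upstream URLs (in order) and the listener address from docker logs."""
    listen = LISTEN_RE.search(log_text)
    return {"upstreams": UPSTREAM_RE.findall(log_text),
            "listen": listen.group(1) if listen else None}


def verify_upstreams(upstreams: list, dns1=None, dns2=None) -> list:
    """Return a list of problems; an empty list means the upstream layout is as configured."""
    problems = []
    if len(upstreams) != 4:
        problems.append(f"expected 4 upstreams, found {len(upstreams)}")
    problems += [f"plaintext upstream: {u}" for u in upstreams if not u.startswith("https://")]
    for i, want in enumerate((dns1, dns2)):
        if want and upstreams[i:i + 1] != [f"https://{want}/dns-query"]:
            problems.append(f"DNS{i + 1} override not applied: {upstreams[i:i + 1]}")
    if upstreams[2:] != DEFAULT_TAIL:
        problems.append(f"trailing upstreams are not the defaults: {upstreams[2:]}")
    return problems
```

Pipe the real output of docker inspect and docker logs into parse_health and parse_log to check a live container; a non-empty list from verify_upstreams means the DNS1/DNS2 environment variables did not take effect as expected.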

Dualstack IPv4/IPv6

docker run --name cloudflared -d -p "54:54" -p "54:54/udp" -e "ADDRESS=::" homeall/cloudflared

Output result:

INFO[2021-01-02T14:38:53Z] Adding DNS upstream - url: https://1.1.1.3/dns-query
INFO[2021-01-02T14:38:53Z] Adding DNS upstream - url: https://security.cloudflare-dns.com/dns-query
INFO[2021-01-02T14:38:53Z] Adding DNS upstream - url: https://1.1.1.2/dns-query
INFO[2021-01-02T14:38:53Z] Adding DNS upstream - url: https://1.0.0.2/dns-query
INFO[2021-01-02T14:38:53Z] Starting metrics server on 127.0.0.1:8080/metrics
INFO[2021-01-02T14:38:53Z] Starting DNS over HTTPS proxy server on: dns://[::]:54

Simple tests:

❯ dig google.com @::1 +tcp -p 54 +short
216.58.213.14
❯ dig google.com @::1 -p 54 +short
216.58.213.14

PiHole

PiHole with cloudflared is a match made in heaven for privacy and ad blocking.

Check out this docker-compose.yml (replace the WEBPASSWORD placeholder with your own):

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    hostname: pihole
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
    environment:
      TZ: 'Europe/London'
      WEBPASSWORD: 'admin'
      ServerIP: '172.18.0.2'
      DNS1: '172.18.0.3#54'
      DNS2: 'no'
    volumes:
      - './etc-pihole/:/etc/pihole/'
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    networks:
      pihole_net:
        ipv4_address: 172.18.0.2

  cloudflare:
    restart: unless-stopped
    container_name: cloudflare
    image: homeall/cloudflared:latest
    environment:
      TZ: 'Europe/London'
    links:
      - pihole
    ports:
      - "54:54/tcp"
      - "54:54/udp"
    networks:
      pihole_net:
        ipv4_address: 172.18.0.3

networks:
  pihole_net:
    driver: bridge
    ipam:
      config:
        - subnet: 172.18.0.0/24

You will have to use this network mode with hard-coded IP addresses so that PiHole forwards queries correctly to the cloudflared container.

Otherwise, you may run into configuration issues with dnsmasq on PiHole.

If you use host networking mode instead, PiHole will forward queries correctly to localhost on port 54.

License

Distributed under the MIT license. See LICENSE for more information.

Contact

Please feel free to open a ticket on GitHub.

Acknowledgements

Docker Pull Command

docker pull homeall/cloudflared