Back in April, Cloudflare announced a privacy-focused DNS server running at 22.214.171.124 (and 126.96.36.199), and that it supported DNS over HTTPS. A lot of regular traffic goes over HTTPS these days, but DNS queries to look up the IP address of a domain are still unencrypted, so your ISP can still snoop on which servers you’re visiting even if they can’t see the actual content. We have a Mac mini that runs macOS Server and does DHCP and DNS for our home network, among other things, and with the impending removal of those functions and their suggested replacements with regular non-UI tools with a upcoming version of it, I figured now would be a good time to look into moving us over to use Cloudflare’s shiny new DNS server at the same time.
Turns out it wasn’t that difficult!
- Install Homebrew.
brew install cloudflare/cloudflare/cloudflared dnsmasq
dnsmasqto point to
cloudflaredas its own DNS resolver.
cloudflaredto use DNS over HTTPS and run on port 54.
- Install both as services to run at system boot.
Edit the configuration file located at
/usr/local/etc/dnsmasq.conf and uncomment line 66 and change it from
server=127.0.0.1#54 to tell it to pass DNS requests onto localhost on port 54, which is where
cloudflared will be set up.
Create the directory
/usr/local/etc/cloudflared and create a file inside that called
config.yml with the following contents:
no-autoupdate: true proxy-dns: true proxy-dns-port: 54 proxy-dns-upstream: - https://188.8.131.52/dns-query - https://184.108.40.206/dns-query
Auto-update is disabled because that seems to break things when the update occurs, and the service doesn’t start back up correctly.
Configuring dnsmasq and cloudflared to start on system boot
sudo brew services start dnsmasq will both start it immediately and also set it to start at system boot.
sudo cloudflared service install, which installs it for
Updating your DNS servers
cloudflared are running, you need to actually tell your machines to use them as their DNS servers! Open up System Preferences > Network, hit Advanced, and in the DNS tab click the + button and put your computer’s local IP address in. (You’ll want to make sure your machine has a static IP address, of course). Repeat the process for everything else on your local network to have them all send their DNS traffic to 220.127.116.11 as well.
You can confirm that all your DNS traffic is going where it should be with dnsleaktest.
I was surprised at how straightforward this was. I also didn’t realise until I was doing all of this that
dnsmasq also does DHCP, so with the assistance of this blog post I’ve also replaced the built-in DHCP server on the Mac mini and continue to have full local hostname resolution as well!