Back in April, Cloudflare announced a privacy-focused DNS resolver running at 1.1.1.1 (and 1.0.0.1) that supports DNS over HTTPS. Most regular web traffic goes over HTTPS these days, but the DNS queries that look up the IP address of a domain are still sent unencrypted by default, so your ISP can still see which servers you’re visiting even if it can’t see the actual content. We have a Mac mini that runs macOS Server and does DHCP and DNS for our home network, among other things. With those functions being removed from an upcoming version of macOS Server in favour of regular non-UI tools, I figured now would be a good time to move us over to Cloudflare’s shiny new DNS server at the same time.
Turns out it wasn’t that difficult!
Overview
- Install Homebrew.
- Install cloudflared and dnsmasq: brew install cloudflare/cloudflare/cloudflared dnsmasq
- Configure dnsmasq to point to cloudflared as its own DNS resolver.
- Configure cloudflared to use DNS over HTTPS and run on port 54.
- Install both as services to run at system boot.
Configuring dnsmasq
Edit the configuration file located at /usr/local/etc/dnsmasq.conf, find the commented-out example line server=/localnet/192.168.0.1 (line 66 in the default file), uncomment it and change it to server=127.0.0.1#54. That tells dnsmasq to pass DNS requests on to localhost on port 54, which is where cloudflared will be set up.

One thing worth checking at the same time: by default dnsmasq also reads the upstream servers listed in /etc/resolv.conf and uses them alongside any server= lines, so queries can still end up going to your ISP’s or Google’s resolvers in the clear. Add no-resolv (uncomment it in the same file) so that cloudflared on port 54 is the only upstream dnsmasq knows about. If you only want machines on your LAN to be able to use the resolver, the listen-address or interface options in the same file restrict which addresses dnsmasq listens on.
Configuring cloudflared
Create the directory /usr/local/etc/cloudflared and create a file inside that called config.yml with the following contents:

    no-autoupdate: true
    proxy-dns: true
    proxy-dns-port: 54
    proxy-dns-upstream:
      - https://1.1.1.1/dns-query
      - https://1.0.0.1/dns-query

Auto-update is disabled because it seems to break things when the update occurs: the service doesn’t start back up correctly afterwards. Note that cloudflared binds its DNS proxy to 127.0.0.1 by default, so only dnsmasq on the same machine can reach it; the rest of the network talks to dnsmasq, which forwards to cloudflared.
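To see what cloudflared is actually doing on dnsmasq’s behalf, here is a small DNS-over-HTTPS client in Python. It is an added example and not code from the original post or from cloudflared: it builds the same wire-format DNS query a stub resolver would send, POSTs it to https://1.1.1.1/dns-query as application/dns-message (the RFC 8484 exchange), and decodes the answer, including compressed names. The live query needs network access; the sample response it decodes offline is constructed inline, and example.com with the address 93.184.216.34 is assumed purely for illustration.

```python
"""Minimal DNS-over-HTTPS client (RFC 8484): build a wire-format DNS query,
POST it as application/dns-message, decode the answer."""
import struct
import urllib.request

# Cloudflare's DoH endpoint, the same one cloudflared forwards to in config.yml.
DOH_URL = "https://1.1.1.1/dns-query"

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_AAAA = 1, 2, 5, 28


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels: length byte + label, ending in 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Wire-format query. ID is 0 and only RD is set, as RFC 8484 section 4.1
    recommends, so identical questions produce identical bytes and cache well."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name at off; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer to an earlier name
            hops += 1
            if hops > 16:                  # refuse pointer loops in hostile input
                raise ValueError("too many compression pointers")
            if end is None:
                end = off + 2              # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Return {'rcode': int, 'answers': [(name, type, ttl, value), ...]}."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                    # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4                           # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype in (TYPE_NS, TYPE_CNAME):
            value, _ = read_name(msg, off)   # rdata is itself a (compressible) name
        else:
            value = rdata.hex()
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return {"rcode": flags & 0x0F, "answers": answers}


def doh_query(name: str, qtype: int = TYPE_A, url: str = DOH_URL) -> dict:
    """Send one query over HTTPS (needs network; not exercised by the offline test)."""
    req = urllib.request.Request(
        url, data=build_query(name, qtype), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        if resp.headers.get("Content-Type") != "application/dns-message":
            raise ValueError("unexpected content type from resolver")
        return parse_response(resp.read())


def sample_response() -> bytes:
    """Constructed response (not captured traffic): example.com A 93.184.216.34,
    TTL 300, with the answer name compressed as a pointer to the question at offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; NOERROR
    question = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + question + answer


if __name__ == "__main__":
    print(parse_response(sample_response()))
    try:
        print(doh_query("example.com"))
    except Exception as exc:               # no network, proxy in the way, etc.
        print("live query skipped:", exc)
```

The compression-pointer hop limit and the end-of-message check are what keep a malformed or hostile answer from sending the parser into a loop or past the buffer; cloudflared and dnsmasq do the equivalent, and it is the part of a DNS parser most often got wrong.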
Configuring dnsmasq and cloudflared to start on system boot
dnsmasq: sudo brew services start dnsmasq will both start it immediately and set it to start at system boot.

cloudflared: sudo cloudflared service install, which installs it for launchctl at /Library/LaunchDaemons/com.cloudflare.cloudflared.plist.
Updating your DNS servers
Now that dnsmasq and cloudflared are running, you need to actually tell your machines to use them as their DNS servers! Open up System Preferences > Network, hit Advanced, and in the DNS tab click the + button and put in the local IP address of the machine running dnsmasq (the Mac mini, in our case). You’ll want to make sure that machine has a static IP address, of course. Repeat the process for everything else on your local network so that they all send their DNS traffic through dnsmasq and on to 1.1.1.1 as well.
You can confirm that all your DNS traffic is going where it should be with dnsleaktest.
And done!
I was surprised at how straightforward this was. I also didn’t realise until I was doing all of this that dnsmasq also does DHCP, so with the assistance of this blog post I’ve also replaced the built-in DHCP server on the Mac mini and continue to have full local hostname resolution as well!
How do you make macOS resolve DNS via Cloudflare though? I’ve done the above, but my DNS still resolves via Google’s 8.8.8.8.
Oh crap, I neglected to put that crucial last step into the blog post! I’ll update it, but you need to go into System Preferences > Network and set your DNS server to the IP address of the machine that’s running dnsmasq. 🙂
Would this conflict with my VPN settings? Is there a way to graphically manage these settings, or is always through terminal? I tend to forget what settings I make in terminal and if it’s not right in front of my face these settings become invisible to me.
Hmm, it’d depend on what specifically you’re doing… you’re referring to having your machine connected to a VPN and routing all your traffic through it? I’d think that this setup would be completely ignored and all your traffic would be tunnelled through the VPN connection anyway. If it’s a split-horizon DNS setup where only specific routes go through the VPN, you’d have all the stuff that ISN’T going via the VPN being sent to Cloudflare instead.
Hah, I know that feeling. As far as I know there’s no graphical front-end for it, unfortunately. 🙁
Sorry for the possibly stupid question. Why are you using dnsmasq? The alternative in https://gist.github.com/soderlind/6a440cd3c8e017444097cf2c89cc301d seems to ignore it (actually the OP explicitly says that one should uninstall dnsmasq). I’m very ignorant about the function of dnsmasq in general by the way…
Not stupid at all! 🙂 I have dnsmasq because it’s also doing the DHCP and DNS for my local network as well, so rather than having to remember IP addresses when I’m connecting to various machines, I can just use their hostname.
(Well, I did have dnsmasq, I’ve since moved this whole setup to OpenWRT on our router).