Cloudflared (DoH) resolving addresses that are blocked by 1.1.1.3

When configuring cloudflared (DoH) for Pi-hole, I ran the defaults in config.yml hitting 1.1.1.1/1.0.0.1 for the longest time. My config.yml looked like this:

proxy-dns: true
proxy-dns-port: 5053
proxy-dns-upstream:
- https://1.1.1.1/dns-query
- https://1.0.0.1/dns-query
- https://[2606:4700:4700::1111]/dns-query
- https://[2606:4700:4700::1001]/dns-query

I then decided to try using Cloudflare’s DNS for Families by pointing to 1.1.1.3/1.0.0.3 to see if it would work. I decided to take the route of editing config.yml and intuitively editing it to point to DNS for Families as follows:

proxy-dns: true
proxy-dns-port: 5053
proxy-dns-upstream:
- https://1.1.1.3/dns-query
- https://1.0.0.3/dns-query
- https://[2606:4700:4700::1113]/dns-query
- https://[2606:4700:4700::1003]/dns-query

No matter what I did, it would not work…

After researching this site, I found this URL: Set up Cloudflare 1.1.1.1 resolver · Cloudflare 1.1.1.1 docs

It basically states that, when using DNS for Families, you need to configure your client (i.e. config.yml in Pi-hole) as follows:

proxy-dns: true
proxy-dns-port: 5053
proxy-dns-upstream:
- https://family.cloudflare-dns.com/dns-query

Once I did this, everything started working perfectly.

PS H:\> nslookup phishing.testcategory.com 192.168.2.108
Server:  pi.hole
Address:  192.168.2.108

Non-authoritative answer:
Name:    phishing.testcategory.com
Addresses:  ::
          0.0.0.0

My question is this: why didn’t just editing the original config.yml to 1.1.1.1/1.0.0.3 work? Why does DNS for Families require the FQDN in the client/config file? This would have made things so much easier…

Thanks.
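The nslookup above is the check that matters: a name the filter blocks comes back as 0.0.0.0 and ::. The following is an added example, not code from this thread, cloudflared or Pi-hole. Since DoH (RFC 8484) carries ordinary DNS wire format in the HTTP body, the same small parser can classify a reply from family.cloudflare-dns.com/dns-query; the reply bytes here are constructed in-script, and the helper names, transaction id and TTL are made up.

```python
import struct
import ipaddress

# Hypothetical helpers, not cloudflared or Pi-hole code. DoH (RFC 8484) carries plain
# DNS wire format in the HTTP body, so this parser applies to DNS for Families replies too.
def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
def _read_name(msg, off):
    labels = []                                    # handles RFC 1035 compression pointers
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [_read_name(msg, ptr)[0]]), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode())
        off += ln
def parse_addresses(msg):
    """Return (rcode, [ip strings]) from the A/AAAA records in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):                            # skip the question section
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype in (1, 28):                       # A or AAAA
            addrs.append(str(ipaddress.ip_address(msg[off:off + rdlen])))
        off += rdlen
    return flags & 0x000F, addrs
def classify(msg):
    """'filtered' when every address is 0.0.0.0 or :: (the block seen in nslookup above)."""
    rcode, addrs = parse_addresses(msg)
    if rcode != 0 or not addrs:
        return "error" if rcode else "empty"
    unspec = all(ipaddress.ip_address(a).is_unspecified for a in addrs)
    return "filtered" if unspec else "resolved"
def sample_response(addrs, name="phishing.testcategory.com"):
    """Constructed reply with one A/AAAA record per address (txid and TTL are made up)."""
    msg = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    msg += _encode_name(name) + struct.pack(">HH", 1, 1)
    for ip in map(ipaddress.ip_address, addrs):
        rr = struct.pack(">HHIH", 1 if ip.version == 4 else 28, 1, 60, len(ip.packed))
        msg += b"\xC0\x0C" + rr + ip.packed        # owner name = pointer to the question
    return msg
```

Feeding `sample_response(["0.0.0.0", "::"])` to `classify` yields "filtered", which is what a correctly configured family endpoint returns for the test name; a real upstream answer yields "resolved".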

Short answer: The DoH endpoints for 1.1.1.1 for Families run on different hosts than the DNS/DoT service.

Longer answer: :man_shrugging:

But 1.1.1.1/1.1.1.2/1.1.1.3 are all the same endpoints within a protocol, correct?

Actually I lied. The DOT endpoint is not 1.1.3/3 either. Same service, but services don’t have to listen on the same IP.
