When configuring cloudflared (DoH) for Pi-hole, I ran the defaults in config.yml hitting 1.1.1.1/1.0.0.1 for the longest time. My config.yml looked like this:
proxy-dns: true
proxy-dns-port: 5053
proxy-dns-upstream:
  - https://1.1.1.1/dns-query
  - https://1.0.0.1/dns-query
  - https://[2606:4700:4700::1111]/dns-query
  - https://[2606:4700:4700::1001]/dns-query
I then decided to try using Cloudflare’s DNS for Families by pointing to 1.1.1.3/1.0.0.3 to see if it would work. I decided to take the route of editing config.yml and intuitively editing it to point to DNS for Families as follows:
proxy-dns: true
proxy-dns-port: 5053
proxy-dns-upstream:
  - https://1.1.1.3/dns-query
  - https://1.0.0.3/dns-query
  - https://[2606:4700:4700::1113]/dns-query
  - https://[2606:4700:4700::1003]/dns-query
No matter what I did, it would not work…
After researching this site, I found this URL: Set up Cloudflare 1.1.1.1 resolver · Cloudflare 1.1.1.1 docs
It basically states that, when using DNS for Families, you need to configure your client (i.e. config.yml in Pi-hole) as follows:
proxy-dns: true
proxy-dns-port: 5053
proxy-dns-upstream:
  - https://family.cloudflare-dns.com/dns-query
Once I did this, everything started working perfectly.
PS H:\> nslookup phishing.testcategory.com 192.168.2.108
Server:  pi.hole
Address:  192.168.2.108

Non-authoritative answer:
Name:    phishing.testcategory.com
Addresses:  ::
          0.0.0.0
My question is this: why didn't just editing the original config.yml to 1.1.1.3/1.0.0.3 work? Why does DNS for Families require the FQDN in the client/config file? This would have made things so much easier…
Thanks.
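As an added check that is not part of the original post: the `0.0.0.0` / `::` answers in the nslookup output above are how the filtered resolver signals a blocked name, so one way to confirm what a DoH upstream is actually doing is to send it an RFC 8484 query directly and look for that sinkhole answer rather than going through Pi-hole. The Python below was written for this page and is not cloudflared, Pi-hole or Cloudflare code. It builds the wire-format query, can POST it to an upstream (`doh_query`, which needs network access), parses the reply, and flags the sinkhole; the response bytes used in the offline demo are constructed here, and `198.51.100.7` is a documentation-range placeholder standing in for an unfiltered answer.

```python
import ipaddress
import struct
import urllib.request

# Upstream from the post; the /dns-query path and media type are RFC 8484.
FAMILY_UPSTREAM = "https://family.cloudflare-dns.com/dns-query"
QTYPE_A, QTYPE_AAAA = 1, 28
SINKHOLE = {"0.0.0.0", "::"}  # what the post's nslookup shows for a blocked name


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Encode a single-question DNS query in wire format (RD set, class IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def _read_name(buf, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack(">H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_answers(buf):
    """Return (rcode, [A/AAAA addresses as text]) from a wire-format response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(buf, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(buf, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype in (QTYPE_A, QTYPE_AAAA):
            addrs.append(str(ipaddress.ip_address(rdata)))
    return flags & 0xF, addrs


def is_sinkholed(addrs):
    """True when every returned address is the filter's 0.0.0.0 / :: placeholder."""
    return bool(addrs) and all(a in SINKHOLE for a in addrs)


def doh_query(upstream, name, qtype=QTYPE_A, timeout=5):
    """POST a wire query to a DoH upstream (RFC 8484 POST form); needs network access."""
    req = urllib.request.Request(
        upstream, data=build_query(name, qtype), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def build_response(query, addrs):
    """Constructed reply for offline use: echoes the question, adds one RR per address."""
    _, qend = _read_name(query, 12)
    qend += 4
    rrs = b""
    for a in addrs:
        ip = ipaddress.ip_address(a)
        rtype = QTYPE_A if ip.version == 4 else QTYPE_AAAA
        rrs += b"\xC0\x0C" + struct.pack(">HHIH", rtype, 1, 300, len(ip.packed)) + ip.packed
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, len(addrs), 0, 0)
    return header + query[12:qend] + rrs


if __name__ == "__main__":
    q = build_query("phishing.testcategory.com")
    # Offline: a constructed reply shaped like the post's nslookup result.
    rcode, addrs = parse_answers(build_response(q, ["0.0.0.0", "::"]))
    print("constructed reply:", rcode, addrs, "sinkholed =", is_sinkholed(addrs))
    # Online (uncomment): the Families upstream should give the same sinkhole answer,
    # while https://1.1.1.1/dns-query should return real addresses for the name.
    # print(parse_answers(doh_query(FAMILY_UPSTREAM, "phishing.testcategory.com")))
```

Running `doh_query` once against `https://family.cloudflare-dns.com/dns-query` and once against `https://1.1.1.1/dns-query` for the same test name shows directly which upstream applies the filter, independent of whatever cloudflared and Pi-hole are doing in front of it.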