macOS DNS-over-HTTPS installation error


#1

Using these directions:

I installed cloudflare as a service on my laptop, running macOS 10.13.4. It did not launch on the next reboot.

Even running “sudo cloudflare service install” is not sufficient, because of where it puts the .plist.

This command installs it in ~/Library/LaunchAgents - but things in this directory are launched by the unprivileged user. As your instructions say, proxy-dns needs to bind to privileged port 53, and it cannot do this when launched by the unprivileged user. My log at /tmp/com.cloudlflare.cloudflared.err.log would get “permission denied” every 20 seconds for the attempts to bind to the port.

The solution was simply to move the .plist to /Library/LaunchDaemons. These are launched by root before logging in, so this makes it accessible by all users on the system.

Works like a charm now!


Proxy-dns as service on macOS
#2

Thanks! This should be a default now in the current version (2018.4.3).


#3

Updated via Brew:

$ cloudflared --version
cloudflared version 2018.4.3 (built 2018-04-05-2254 UTC)

and reinstalled.

Nope! Still did not survive reboot. Every 20 seconds I get:

time=“2018-04-06T08:56:16-04:00” level=info msg=“Applied configuration from /usr/local/etc/cloudflared/config.yaml”
time=“2018-04-06T08:56:16-04:00” level=info msg=“Adding DNS upstream” url=“https://1.1.1.1/dns-query
time=“2018-04-06T08:56:16-04:00” level=info msg=“Adding DNS upstream” url=“https://1.0.0.1/dns-query
time=“2018-04-06T08:56:16-04:00” level=info msg=“Starting DNS over HTTPS proxy server” addr=“dns://localhost:53”
time=“2018-04-06T08:56:16-04:00” level=fatal msg=“Cannot start the DNS over HTTPS proxy server” error=“failed to create a UDP listener: listen udp 127.0.0.1:53: bind: permission denied”

I see you now drop the .plist into /Library/LaunchAgents, instead of /Library/LaunchDaemons. That location, although global rather than per-user, also appears to not launch with sufficient privileges to work here.


#4

Can you make sure the plist is uninstalled from ~/Library/LaunchAgents and that the one in /Library/LaunchAgents is installed with sudo (the plist should have a root owner)?


#5

Right. Like this:

$ ls -al ~/Library/LaunchAgents/com.cloud*
ls: /Users/ddiller/Library/LaunchAgents/com.cloud*: No such file or directory

$ ls -al /Library/LaunchAgents/com.cloud*
-rw-r--r--  1 root  wheel  702 Apr  6 08:57 /Library/LaunchAgents/com.cloudflare.cloudflared.plist

Does not work.

Reboot and:

time="2018-04-07T10:06:54-04:00" level=fatal msg="Cannot start the DNS over HTTPS proxy server" error="failed to create a UDP listener: listen udp 127.0.0.1:53: bind: permission denied”

but if I

$ sudo mv /Library/LaunchAgents/com.cloudflare.cloudflared.plist /Library/LaunchDaemons/

and reboot, then it works fine:

time="2018-04-07T10:14:39-04:00" level=info msg="Starting DNS over HTTPS proxy server" addr="dns://localhost:53"