Private DoH server via Cloudflare Tunnel

Hi All,

Currently my configuration is a Cloudflare Tunnel using an origin certificate with SSL/TLS mode set to Full (strict). The system is already serving well, exposing and securing all web services via HTTPS.

Then I would like to build a private DoH server and expose it to the internet in order to use private DNS on DoH clients such as a laptop or smartphone.

So I created a public hostname on the tunnel whose proxy manager points mydns.example.com to the private IP of my DoH server.

The valid SSL certificate chain for mydns.example.com is from Let's Encrypt, using the DNS challenge with a Cloudflare API token.

For your information, I already connect to all private network resources on the client device via WARP private network, as in this doc:

developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/cloudflared/private-dns/

For now the DoH client still can't work in either the internal or the external network. Is it possible to make it work?

Is your DOH client successfully exposed to the internet? When you send it a manual query does it resolve? How are you configuring your DoH client? Does that machine have Warp installed on it? If so, have you disabled Warp before testing?

@cscharff

The DoH client is still not able to access the AdGuard DoH server under mydns.example.com.

So that means the DoH server may still not be exposed to the internet. How do we check if it is successfully exposed?

On the smartphone as DoH client, I just configure Private DNS with the DoH server URL as the proxy host I configured earlier, mydns.example.com.

The DoH client has WARP installed, and I have already tried with WARP enabled and disabled, but still no success.

So should this scenario and topology work? And how do we check and validate each segment?


@cscharff I used curl with the --doh-url option. Below are the command and the error response, couldn't resolve:

C:\Users\curl\bin>curl --doh-url https://mydns.example.com/dns-query https://www.google.com
curl: (6) Couldn't resolve host name

If I use Cloudflare DNS, C:\Users\curl\bin>curl --doh-url https://cloudflare-dns.com/dns-query https://www.google.com resolves successfully without any error.

Is there anything more that needs checking and debugging?

Should this scenario work with WARP enabled or disabled?
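An added way to check the two segments separately (hostname resolution, which is what curl's error 6 is about, versus the DoH endpoint itself answering an RFC 8484 query); this is example code written for this thread, not from any poster or from Cloudflare, and it assumes the mydns.example.com/dns-query endpoint from the thread with the Python standard library only:

```python
"""Check a DoH endpoint in two segments: (1) does this machine resolve
the DoH hostname, (2) does the endpoint answer a real RFC 8484 query."""
import base64
import socket
import struct
import urllib.request

DOH_ENDPOINT = "https://mydns.example.com/dns-query"  # hostname from the thread


def build_query(name, qtype=1, txid=0):
    """Wire-format DNS query (RFC 1035): RD=1, one question, class IN.
    RFC 8484 recommends ID 0 so the GET URL is cache-friendly."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def doh_get_url(endpoint, query):
    """RFC 8484 GET form: the query goes in ?dns= as unpadded base64url."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"


def parse_response_header(resp):
    """Return (RCODE, ANCOUNT) from a wire-format DNS response."""
    if len(resp) < 12:
        raise ValueError("shorter than a DNS header: not a DoH answer")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a DNS response")
    return flags & 0x000F, ancount


def check_endpoint(endpoint=DOH_ENDPOINT, name="www.google.com"):
    """Segment 1: resolve the DoH hostname (fails like curl error 6).
    Segment 2: send the query over HTTPS and verify a DNS answer came back."""
    host = endpoint.split("/")[2]
    socket.getaddrinfo(host, 443)  # raises socket.gaierror if unresolvable
    req = urllib.request.Request(doh_get_url(endpoint, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as r:
        ctype = r.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise ValueError(f"{host} answered HTTP but not DoH: {ctype}")
        return parse_response_header(r.read())


if __name__ == "__main__":
    print(check_endpoint())  # (RCODE, ANCOUNT); RCODE 0 is NOERROR
```

A socket.gaierror from segment 1 means the public DNS record is the problem, while an HTTP error or a non-DoH content type from segment 2 means the tunnel reaches something at that hostname but it is not the DoH service.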

If it doesn't resolve you have a DNS issue. How have you exposed the DoH server specifically to the Cloudflare tunnel? Does a DNS hostname exist in Cloudflare pointed to the tunnel? What is the hostname?

@cscharff As I mentioned before, the hostname of the DoH server, mydns.example.com, already exists in the tunnel under the wildcard *.example.com, because all web services under the wildcard *.example.com are already serving well via HTTPS. All DNS records of my domain are CNAME records.

The tunnel is already serving well for reaching all resources in my private network via the WARP client.

Is there anything more to check and debug to resolve the DNS issue?

This error in curl means the hostname can’t be resolved by the machine performing the query. Does mydns.example.com resolve with dig or nslookup or any other public DNS lookup tool?

Warp private network is used to connect to resources on your internal network while using the Warp client. The Warp client has a DNS resolver built into it as an integral part.

The referenced section on forwarding DNS queries is about forwarding them to an internal resolver using UDP. It's not intended for, nor does Cloudflare currently support, configuration of a DoH provider other than their own. So if

a. you're trying to expose this for the Warp client to use a different DoH server for resolution, that won't work.
b. you're trying to expose the DoH endpoint for non-Warp clients, it needs to be exposed as an application, not a private network.
