Transition from OpenDNS to CF for Teams/Gateway

Trying to see about switching to Cloudflare from OpenDNS, mostly because OpenDNS/Cisco doesn’t seem to want to support DNS over TLS.

I’ve been running unbound on my local network as a resolver fronting OpenDNS, but unbound only seems to support DoH, not DoT. Looking at Cloudflare’s information for 1.1.1.1, it seems like the option is there, but I don’t see any configuration options for how to set this up. Is it as simple as “use 1.1.1.1 from the Location IP address?”

Second issue: with OpenDNS, there’s an API to allow me to automatically update my location when my external IP changes (which unfortunately seems to happen with disturbing regularity). If the answer is to use 1.1.1.1 from my location, is there a similar process to automatically update my location for Gateway? I’m currently sending myself pushbullet alerts when it’s detected, but if I can do it automatically, that’s a much better process. I just can’t seem to find any documentation on that.

So… it doesn’t seem like Gateway supports DoT, only DoH.

There is also no API to update the IP, but as long as you use the specific DoH subdomain you don’t need to care.

The conundrum is that unbound does not support DoH. So I must either double-proxy using cloudflared (which wouldn’t be the end of the world) or give up using unbound.

The reason I’m hung up on using unbound is that it is trivial to add local-domain overrides. Using Pi-Hole (as an example, because I started there), I found that even compared to “only” OpenDNS, I was blocking WAY more ads. But it’s limited (mostly) to running on ARM-based hardware. Then I found a script for unbound that allows me to populate the local zones directly into my unbound config. This allows me to use much better hardware, and still accomplish the same goal. By blocking before the forward request, I can even cut down on DNS traffic upstream :smiley:

It’s worth noting that DoT using port 853 does work on the Gateway resolvers.

I can also confirm that 1.1.1.1 and 1.1.1.2 and 1.1.1.3 do NOT link back to the Gateway account, but that’s probably not needed considering that you CAN use port 853 on 172.64.36.1 and 172.64.36.2.

That doesn’t solve the Dynamic IP issue, which if Cloudflare is serious about providing their service to homes, they probably need to address.

I’ve also discovered that Cloudflare’s proxy/anonymizer category does not block DoH providers (which honestly, isn’t that shocking, given that they are behind 1.1.1.1), but OpenDNS’s category does. If I’m attempting to protect my home (or work!) network from unauthorized use, I really should be able to block those. Blocking anything at DNS is worthless if all that’s required to bypass it is to set up DoH in Firefox to 1.1.1.1.