DNS over HTTPS (DoH) is gaining significant traction as a more secure and private way to resolve names on the internet. It works by sending DNS queries inside HTTPS, so they are encrypted in transit instead of being readable by anyone on the path. Implementing it requires a local DNS proxy that speaks the protocol, such as Cloudflare’s cloudflared. This post walks through installing cloudflared on a Ubiquiti Edge Router 4.

Building cloudflared from Source

To get the latest version of cloudflared, you can build it from source with these steps:

git clone https://github.com/cloudflare/cloudflared.git
cd cloudflared
make cloudflared
go install github.com/cloudflare/cloudflared/cmd/cloudflared

If necessary, you can move cloudflared to a known path:

mv /root/cloudflared/cloudflared /usr/bin/cloudflared

Building cloudflared Binary for MIPS64 using Docker

If your host computer has Docker installed, you can cross-compile cloudflared for the MIPS64 architecture by running the following Docker command from a new, empty directory:

docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp -e GOOS=linux -e GOARCH=mips64 golang bash -c "go get -v github.com/cloudflare/cloudflared/cmd/cloudflared; GOOS=linux GOARCH=mips64 go build -v -x github.com/cloudflare/cloudflared/cmd/cloudflared"

Installing cloudflared on the EdgeRouter

  1. Transfer the Binary: Copy the cloudflared binary to the EdgeRouter and move it to the correct location.

  2. Create a cloudflared User: Create a new user for cloudflared with no login shell:

sudo useradd -s /usr/sbin/nologin -r -M cloudflared

  3. Configure cloudflared: Edit the /etc/default/cloudflared configuration file, adding the following options to be passed to cloudflared at startup:

### Commandline args for cloudflared, using Cloudflare DNS
CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query --origincert /etc/cloudflared/cert.pem --no-autoupdate

  4. Update Permissions: Give the cloudflared user access to the configuration file and binary:

mkdir -v /usr/local/bin/
chmod +x cloudflared
mv cloudflared /usr/local/bin/
chown cloudflared:cloudflared /etc/default/cloudflared
chown cloudflared:cloudflared /usr/local/bin/cloudflared
mkdir /etc/cloudflared
/usr/bin/cloudflared service install

  5. Create a Systemd Service: Use a systemd service to start cloudflared automatically at boot:

[Unit]
Description=cloudflared DNS over HTTPS proxy
After=network.target

[Service]
TimeoutStartSec=0
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared --config /etc/cloudflared/config.yml --origincert /etc/cloudflared/cert.pem --no-autoupdate
# ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=5s
KillMode=process

[Install]
WantedBy=multi-user.target

  6. Configure cloudflared: Add a config.yml file to /etc/cloudflared:

proxy-dns: true
proxy-dns-upstream:
 - https://1.1.1.1/dns-query
 - https://1.0.0.1/dns-query
proxy-dns-port: 5053

  7. Install the Default Init Script: Use cloudflared’s service installation command:

/usr/local/bin/cloudflared service install --legacy

As this is a mips64 build, disable auto-update by editing the command line in /etc/init.d/cloudflared so that cloudflared is started with --no-autoupdate (as in CLOUDFLARED_OPTS above).

  8. Start the cloudflared Service: Use the init script to start cloudflared:

/etc/init.d/cloudflared start

  9. Redirect DNS to cloudflared: Finally, configure the router's DNS forwarding to use cloudflared as its resolver:

configure
set service dns forwarding options "no-resolv"
set service dns forwarding options "server=127.0.0.1#5053"
commit
save
exit
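As an added example, not part of the original post, here is a small POSIX sh check for the finished setup: it confirms that the port in config.yml matches the server line produced by the forwarding options above, that no-resolv is present (otherwise dnsmasq can fall back to the plain resolvers in /etc/resolv.conf), and that every upstream is https://. It assumes EdgeOS renders those forwarding options verbatim into /etc/dnsmasq.conf and that dig is available on the router for the live query.

```shell
#!/bin/sh
# Added post-install check for the DoH setup above (not from the original post).
# Assumptions: config.yml is the file shown in step 6, and EdgeOS renders the
# "service dns forwarding options" lines verbatim into /etc/dnsmasq.conf.

# config_port FILE: print proxy-dns-port from a cloudflared config.yml
config_port() {
  awk -F': *' '$1 == "proxy-dns-port" { print $2; exit }' "$1"
}

# forward_port FILE: print the PORT from a "server=127.0.0.1#PORT" line in
# the dnsmasq config (empty when the forwarder is not pointed at loopback)
forward_port() {
  sed -n 's/^server=127\.0\.0\.1#\([0-9][0-9]*\)$/\1/p' "$1" | head -n 1
}

# upstreams_are_https FILE: succeed only if every proxy-dns-upstream entry is
# https:// (an http:// upstream would send every query in the clear)
upstreams_are_https() {
  awk '
    /^proxy-dns-upstream:/ { inlist = 1; next }
    inlist && /^[ \t]*-/   { n++; if ($2 !~ /^https:\/\//) bad++; next }
    inlist && /^[^ \t]/    { inlist = 0 }
    END { exit !(n > 0 && bad == 0) }
  ' "$1"
}

# check_setup CONFIG DNSMASQ_CONF: 0 when the pieces agree, 1 otherwise.
# A port mismatch or a missing no-resolv leaves the router resolving names
# through plain DNS (or not at all) while cloudflared sits idle.
check_setup() {
  cfg_port=$(config_port "$1")
  fwd_port=$(forward_port "$2")
  [ -n "$cfg_port" ] && [ "$cfg_port" = "$fwd_port" ] || return 1
  grep -q '^no-resolv$' "$2" || return 1
  upstreams_are_https "$1"
}

# live_query NAME: ask cloudflared directly on loopback (assumes dig is present)
live_query() {
  port=$(config_port /etc/cloudflared/config.yml)
  dig +short +time=3 @127.0.0.1 -p "${port:-5053}" "$1" A
}

# On the router:
# check_setup /etc/cloudflared/config.yml /etc/dnsmasq.conf && live_query cloudflare.com
```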

With these steps completed, your Ubiquiti Edge Router 4 should now be using DNS over HTTPS, improving the security and privacy of your network.

Refer to the following sources for more information:
