DNS-over-HTTPS on Pi-hole

Install cloudflared

cd ~
wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
mkdir argo-tunnel
tar -xvzf cloudflared-stable-linux-arm.tgz -C ./argo-tunnel
rm cloudflared-stable-linux-arm.tgz
cd argo-tunnel
./cloudflared --version

It should return something like: cloudflared version 2019.1.0 (built 2019-01-28-2335 UTC)

Daemonize

Filename: /etc/systemd/system/dnsproxy.service

[Unit]
Description=DNS over HTTPS Proxy
Wants=network-online.target
After=network.target network-online.target

[Service]
ExecStart=/home/pi/argo-tunnel/cloudflared proxy-dns --port 54 --upstream https://doh.securedns.eu/dns-query --upstream https://dns.adguard.com/dns-query
Restart=on-abort

[Install]
WantedBy=multi-user.target

Replace the path to the cloudflared binary if applicable. If you want, replace the upstreams with ones you prefer.

Start

sudo systemctl daemon-reload
sudo systemctl enable --now dnsproxy.service

Test

dig www.google.com @127.0.0.1 -p 54 +noall +answer

This should return something like this:

; <<>> DiG 9.10.3-P4-Raspbian <<>> www.google.com @127.0.0.1 -p 54 +noall +answer
;; global options: +cmd
www.google.com.		626	IN	A	172.217.20.100

Add DNS Server IP addresses to /etc/hosts

Filename: /etc/hosts

# DNS-over-HTTPS
176.103.130.131 dns.adguard.com
146.185.167.43  ads.securedns.eu ads-doh.securedns.eu

Replace them with your resolvers’ IP addresses & domains.
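
To confirm that every --upstream hostname in the service file has an exact-name entry in /etc/hosts (with the two files as shown above, doh.securedns.eu does not, since only ads-doh.securedns.eu is listed), the shell functions below can be used. They are an added example, not part of the original guide; the function names and the script name check-upstreams.sh are hypothetical, and the default paths are the ones used in this guide.

```shell
#!/bin/sh
# Added example (not from the original guide): list --upstream hostnames
# from the cloudflared unit that have no exact-name entry in a hosts file.
# Function names are hypothetical; default paths are the ones in this guide.

# Print the hostname of every https:// upstream on the unit's ExecStart line.
upstream_hosts() {
    grep '^ExecStart=' "$1" | tr ' ' '\n' | sed 's|^--upstream=||' \
        | grep '^https://' | sed -e 's|^https://||' -e 's|[/:].*$||' | sort -u
}

# Succeed only if hostname $2 is a whole name field (not a substring, not the
# address column) on a non-comment line of hosts file $1.
host_is_pinned() {
    awk -v h="$2" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(h)) found = 1 }
        END { exit !found }' "$1"
}

# Print each upstream hostname without a hosts entry; return 1 if any is missing.
unpinned_upstreams() {
    rc=0
    for h in $(upstream_hosts "$1"); do
        host_is_pinned "$2" "$h" || { echo "$h"; rc=1; }
    done
    return "$rc"
}

# Run only when asked, e.g.: sh check-upstreams.sh --check
if [ "${1:-}" = "--check" ]; then
    unpinned_upstreams "${2:-/etc/systemd/system/dnsproxy.service}" "${3:-/etc/hosts}"
fi
```

The script prints nothing and exits 0 when every upstream hostname is covered; otherwise it prints the uncovered names and exits 1.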

Set Pi-hole to use DNS-over-HTTPS

Go to http://pi.hole/admin/settings.php?tab=dns and set “Upstream DNS Servers” to 127.0.0.1#54. Disable every other DNS upstream.
