Sometimes, when you’re browsing the web, your DNS requests are like postcards—easy to read by anyone along the way. In this guide, I’ll show you how to wrap those postcards in an envelope using DNS over HTTPS, or DoH for short. We’ll set it up on a Linux server, step by step, using clear instructions and some light humor to keep it fun.
What’s DNS Again?
DNS stands for Domain Name System. It’s what turns easy names like google.com into hard-to-remember IP addresses like 142.250.72.78.
You can think of DNS like your phone’s contact list. Instead of memorizing everyone’s number, you just tap on “Mom” or “Pizza Place.”
And What Is DNS over HTTPS (DoH)?
Normal DNS is plain text. That means anyone snooping on your connection—like your internet provider, or even someone on public Wi-Fi—can see the sites you visit.
DNS over HTTPS solves that. It encrypts your DNS requests using HTTPS, the same thing that secures your online banking or email. So your DNS lookups get a security upgrade.
I like to say: it’s like whispering instead of shouting across the internet.
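To make the “envelope” concrete, here is an added example (not code from the original post or from cloudflared) that builds the exact DNS message a resolver sends for example.com and shows the two ways RFC 8484 carries it over HTTPS: a GET with the message base64url-encoded in the dns= parameter, or a POST with the raw bytes as an application/dns-message body. The message inside the envelope is ordinary DNS wire format, which is why nothing on your server has to change except where the bytes are sent. The response bytes, and the 93.184.216.34 address in them, are constructed for the example, not captured from a real server.

```python
"""Build and decode DNS wire-format messages and show how DoH wraps them.

Added example, not part of the original post or of cloudflared. It builds
the same message a stub resolver would send, then shows the two RFC 8484
encodings a DoH client puts on the wire. SAMPLE_RESPONSE is hand-built.
"""
import base64
import struct

DOH_CONTENT_TYPE = "application/dns-message"


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """Single-question DNS query (qtype 1 = A). RFC 8484 recommends ID 0
    for DoH so identical queries produce identical, cacheable URLs."""
    # flags 0x0100 = standard query, recursion desired; 1 question, no answers
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form: base64url without '=' padding, per RFC 8484 section 4.1."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"


def doh_get_payload(url: str) -> bytes:
    """Inverse of doh_get_url: what the DoH server decodes from dns=."""
    b64 = url.split("dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


def decode_name(msg: bytes, offset: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                    # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_answers(msg: bytes) -> list:
    """(name, type, ttl, rdata) per answer record; A records as dotted quads."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                      # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4                             # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        text = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return answers


# Constructed response: ID 0 echoed, flags QR|RD|RA, the question repeated,
# one A record (TTL 300) whose name is a pointer (0xC00C) back to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("raw query :", q.hex())
    print("GET       :", doh_get_url("https://1.1.1.1/dns-query", q))
    print("POST      :", len(q), "bytes, Content-Type:", DOH_CONTENT_TYPE)
    print("answers   :", parse_answers(SAMPLE_RESPONSE))
```

The printed GET URL is what Cloudflared sends to https://1.1.1.1/dns-query on your behalf; on the wire all of it sits inside TLS, so an observer sees a connection to 1.1.1.1 on port 443 and nothing about example.com.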
Why I Use DNS over HTTPS
A while back, I noticed my DNS provider was logging too much. I didn’t like that. I wanted something more private. I also run a couple of servers at home, so I figured—why not protect them too?
It wasn’t too hard, and now my servers don’t leak DNS info like a cheap colander.
Benefits of Using DoH on a Server
Here’s what you’ll gain:
- Privacy: Keeps your DNS lookups hidden from prying eyes.
- Security: Stops attackers from tampering with DNS replies.
- Control: You choose your DNS provider—one that respects your privacy.
What You’ll Need
- A Linux server (any distro will do, but I’ll use Ubuntu/Debian in this guide).
- Root access (or sudo privileges).
- A bit of terminal knowledge.
- A warm drink if you like cozying up while working.
The Tools We’ll Use
We’ll set up a local DNS proxy using a tool called Cloudflared, which forwards your queries to Cloudflare’s DoH service. There are other tools out there, like dnscrypt-proxy, but Cloudflared is simple and works well.
Cloudflared is the DoH client made by Cloudflare. It’s lightweight and fast.
Step-by-Step Setup Using Cloudflared
Step 1: Download Cloudflared
Open your terminal and run:
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64
sudo mv cloudflared-linux-amd64 /usr/local/bin/cloudflared
sudo chmod +x /usr/local/bin/cloudflared
Now check if it works:
cloudflared --version
If it shows a version number, you’re good to go.
Step 2: Create a Systemd Service
Let’s make Cloudflared run in the background on every boot.
Create a new config file:
sudo mkdir -p /etc/cloudflared
sudo nano /etc/cloudflared/config.yml
Paste this:
proxy-dns: true
proxy-dns-port: 5053
proxy-dns-upstream:
- https://1.1.1.1/dns-query
- https://1.0.0.1/dns-query
What this does:
- Enables DNS proxying.
- Sets the local DNS port to 5053.
- Sends DNS requests to Cloudflare’s encrypted DNS endpoints.
Save and exit the file.
Step 3: Add the Systemd Service
Create a service file:
sudo nano /etc/systemd/system/cloudflared.service
Paste this:
[Unit]
Description=Cloudflared DNS over HTTPS
After=network.target
[Service]
ExecStart=/usr/local/bin/cloudflared --config /etc/cloudflared/config.yml
Restart=on-failure
User=nobody
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
Now start and enable the service:
sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
Step 4: Point Your System to Use It
Now that your DoH proxy is running on port 5053, tell your system to use it.
Edit your DNS settings:
sudo nano /etc/systemd/resolved.conf
Find this line in the [Resolve] section (or add it; the :port suffix on DNS= needs systemd 246 or newer):
DNS=127.0.0.1:5053
Then restart the resolver:
sudo systemctl restart systemd-resolved
Step 5: Test It
Run:
dig @127.0.0.1 -p 5053 example.com
If you see an answer section and no errors, the proxy itself is working. Then run dig example.com without the @ to confirm that the system resolver is actually sending its queries through it.
Want to be sure it’s using HTTPS? Run this (the not net clause hides the normal loopback chatter between your applications and systemd-resolved’s stub on 127.0.0.53, which also speaks on port 53):
sudo tcpdump -nn -i any port 53 and not net 127.0.0.0/8
Now browse a site. If you see no traffic on port 53 (the normal DNS port) leaving the machine, your DNS is now encrypted.
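Reading a capture by eye gets tedious on a busy server. Here is an added example (not part of the original post) that classifies tcpdump -nn lines and flags any port-53 query that leaves the host, while ignoring the expected loopback hops: applications to the resolved stub on 127.0.0.53, and the stub to Cloudflared on 127.0.0.1:5053. The capture lines embedded in it are constructed, not recorded on a real machine, and the file name leakcheck.py in the usage line is just a placeholder.

```python
"""Flag plaintext DNS leaving the host in tcpdump output.

Added example, not part of the original post. Feed it the text of a
`tcpdump -nn` capture (-nn keeps ports numeric so the regex matches);
anything on port 53 that is not confined to loopback bypassed the DoH
proxy. SAMPLE_CAPTURE is constructed, not recorded from a real host.
"""
import ipaddress
import re
import sys
from typing import Optional

DOH_PROXY_PORT = 5053   # the proxy-dns-port from config.yml
PLAIN_DNS_PORT = 53

# "src.port > dst.port:" part of a tcpdump -nn line; IPv4 or IPv6 addresses.
FLOW_RE = re.compile(r"\bIP6? (\S+)\.(\d+) > (\S+)\.(\d+):")

SAMPLE_CAPTURE = """\
12:00:01.000001 IP 127.0.0.1.48000 > 127.0.0.53.53: 4711+ A? example.com. (29)
12:00:01.000200 IP 127.0.0.1.39000 > 127.0.0.1.5053: 0+ A? example.com. (29)
12:00:01.000900 IP 192.168.1.20.51234 > 1.1.1.1.443: Flags [P.], seq 1:200, ack 1, win 502, length 199
12:00:02.000001 IP 192.168.1.20.41256 > 192.168.1.1.53: 12345+ A? example.org. (29)
12:00:02.000300 IP6 fd00::20.54000 > 2001:db8::53.53: 777+ AAAA? example.net. (29)
"""


def is_loopback(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False        # a hostname (capture without -nn): treat as external


def classify(line: str) -> Optional[str]:
    """'leak', 'stub', 'proxy', 'doh' or 'other' for one line; None if no flow."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    _src, _sport, dst, dport = m.groups()
    port = int(dport)
    if port == PLAIN_DNS_PORT:
        # port 53 on loopback is normal: applications talking to the local stub
        return "stub" if is_loopback(dst) else "leak"
    if port == DOH_PROXY_PORT and is_loopback(dst):
        return "proxy"      # stub -> cloudflared, still inside the host
    if port == 443:
        return "doh"        # what cloudflared sends upstream, inside TLS
    return "other"


def find_leaks(capture: str) -> list:
    """Lines whose DNS left the host in plaintext."""
    return [ln for ln in capture.splitlines() if classify(ln) == "leak"]


def summarize(capture: str) -> dict:
    counts = {}
    for ln in capture.splitlines():
        kind = classify(ln)
        if kind:
            counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    # Read a piped capture; fall back to the embedded sample when run by hand.
    text = SAMPLE_CAPTURE if sys.stdin.isatty() else sys.stdin.read()
    print(summarize(text))
    for leak in find_leaks(text):
        print("LEAK:", leak)
```

Pipe a live capture into it, for example sudo tcpdump -nn -l -i any -c 200 'port 53 or port 5053 or port 443' | python3 leakcheck.py; the -c 200 makes tcpdump stop so the script sees end of input. A healthy DoH setup shows only stub, proxy and doh counts; any leak line names the interface address and upstream server that are still being asked in the clear.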
Troubleshooting Tips
- Not resolving domains? Check that Cloudflared is running:
sudo systemctl status cloudflared
- Port already in use? Change the proxy-dns-port in the config to another free port.
- Still leaking DNS? Make sure no other resolver is running, and check resolvectl status for per-link DNS servers (for example, ones handed out by DHCP), since systemd-resolved can still route queries to those alongside the DNS= entry.
Three Lists to Help You Out
DNS Providers That Support DoH:
- Cloudflare: https://1.1.1.1/dns-query
- Google: https://dns.google/dns-query
- NextDNS: https://dns.nextdns.io/your-id
Benefits of DNS over HTTPS:
- Stops your ISP from tracking your DNS queries.
- Helps avoid DNS spoofing.
- Keeps your server’s traffic more private.
Things to Remember:
- You don’t have to switch DNS providers. DoH works with many.
- Cloudflared can also run as a reverse proxy—cool, but out of scope here.
- Always test after changes. A working internet beats a broken fancy config.
A Little Kernel Humor (Okay, DNS Humor)
- DNS without encryption is like shouting your password in a crowded room.
- Using DoH is like whispering through a megaphone… but in code.
- Want to impress your nerdy friends? Tell them your DNS talks in HTTPS now.
Final Thoughts
Setting up DNS over HTTPS on a Linux server is pretty straightforward once you get the hang of it. It’s like putting privacy glasses on your server—it can still see the web, but now no one else can easily see what it’s looking at.
I like this setup because it’s simple, flexible, and gives me more control over how my systems connect to the internet. It also just feels good knowing I’ve taken one more step to lock things down.
How about you—ready to give your DNS some privacy armor?
If you need help picking a DNS provider or want to try this on a home server or Raspberry Pi, I’m happy to help.
Want a version of this guide with fewer puns? Too bad, DNS jokes are hard to resolve.