PiHole Cloudflared

# PiHole

PiHole Cloudflared in QubesOS with NextDNS (DNS over Https) [WIP but works excellent, although I don't provide any warranty]


1. Create a Standalone Service VM with sys-firewall as NetVM from debian template. 
   (All commands shown below are to be run in this qube only)

2. Disable systemd-resolved.

       systemctl stop systemd-resolved
       
       systemctl disable systemd-resolved
       
3. Update VM-

       sudo apt update && apt upgrade
       
4. Install curl and git if not already installed-

       sudo apt install git curl
       
5. Clone PiHole repository and run-

       git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole
       cd "Pi-hole/automated install/"
       sudo bash basic-install.sh
       
6. Follow the instructions. Set any DNS. Note down the last page password and addresses.

7. Create a new VM and set PiHole VM as its NetVM. You can do this with one of your previous VM's also. Restart PiHole VM.

8. Installing cloudflared -

   Along with releasing their DNS service 1.1.1.1, Cloudflare implemented DNS-Over-HTTPS proxy functionality into one of their tools: cloudflared.

   In the following sections, we will be covering how to install and configure this tool on Pi-hole.

   Note: The cloudflared binary will work with other DoH providers (for example, you could use https://8.8.8.8/dns-query for Google's DNS-Over-HTTPS service).
   
   If anyone among readers have better tools than cloudflared in knowledge, Please let me know.

   # For Debian/Ubuntu
   
       wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb
       sudo apt-get install ./cloudflared-stable-linux-amd64.deb
       cloudflared -v
       
9. Configuring cloudflared to run on startup

   Method 1 (I haven't tried this one, method 2 is tested.)

   Create a cloudflared user to run the daemon:

       sudo useradd -s /usr/sbin/nologin -r -M cloudflared

   Proceed to create a configuration file for cloudflared:

       sudo nano /etc/default/cloudflared

   Edit configuration file by copying the following in to /etc/default/cloudflared.
   
   This file contains the command-line options that get passed to cloudflared on startup:

       # Commandline args for cloudflared
         CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query

   Update the permissions for the configuration file and cloudflared binary to allow access for the cloudflared user:

       sudo chown cloudflared:cloudflared /etc/default/cloudflared
       
       sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared

   Then create the systemd script by copying the following into /etc/systemd/system/cloudflared.service.
   This will control the running of the service and allow it to run on startup:

       sudo nano /etc/systemd/system/cloudflared.service

       [Unit]
       Description=cloudflared DNS over HTTPS proxy
       After=syslog.target network-online.target

       [Service]
       Type=simple
       User=cloudflared
       EnvironmentFile=/etc/default/cloudflared
       ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
       Restart=on-failure
       RestartSec=10
       KillMode=process

       [Install]
       WantedBy=multi-user.target

    Enable the systemd service to run on startup, then start the service and check its status:

       sudo systemctl enable cloudflared
       sudo systemctl start cloudflared
       sudo systemctl status cloudflared
       
    Method 2
    
    Proceed to create a configuration file for cloudflared in /etc/cloudflared named config.yml:

       sudo mkdir /etc/cloudflared/
       sudo nano /etc/cloudflared/config.yml

    Copy the following configuration:

        proxy-dns: true
        proxy-dns-port: 5053
        proxy-dns-upstream:
          - https://dns1.nextdns.io/416faa
          - https://dns2.nextdns.io/416faa

    Replace 416faa (Bogus) with your NextDNS ID.
    
    Now install the service via cloudflared's service command:

         sudo cloudflared service install --legacy

    Start the systemd service and check its status:

         sudo systemctl start cloudflared
         sudo systemctl status cloudflared

       
10. Configuring Pi-hole

    Finally, configure Pi-hole to use the local cloudflared service as the upstream DNS server by specifying 127.0.0.1#5053 as the Custom DNS (IPv4):
    
    in upstream DNS servers and save.

8. Now in PiHole VM terminal-

       sudo nano /rw/config/qubes-ip-change-hook
       
9.  Copy and paste following-

        #!/bin/sh
        # This will Flush PR-QBS chain
        iptables -t nat -F PR-QBS

        # Redirects all the DNS traffic to localhost:53
        iptables -t nat -I PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to-destination 127.0.0.1

        # Accepts the traffic coming to localhost
        # from XEN's virtual interfaces on port 53
        iptables -I INPUT -i vif+ -p udp --dport 53 -d 127.0.0.1 -j ACCEPT

        # Enable the traffic coming from the virtual interfaces
        # forwarded to the loopback interface
        # enabling the route_localnet flag on them
        echo 1 > /proc/sys/net/ipv4/conf/default/route_localnet
         
    Press Ctrl+X then Y and Enter.
    
    Make it executable.
    
          sudo chmod +x /rw/config/qubes-ip-change-hook
         
10. Now in PiHole VM terminal-

          sudo nano /etc/dnsmasq.conf
          
   Enter following details-
 
          interface=lo
          bind-interfaces
          conf-dir=/etc/dnsmasq.d
          
   Save this file.
   
11. Reboot both VM (if both running) and reach PiHole webpage with written down details beforehand. Alter settings as you like, play with it.

12. Updating cloudflared next time
    Manual way

         wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
         tar -xvzf cloudflared-stable-linux-arm.tgz
         sudo systemctl stop cloudflared
         sudo cp ./cloudflared /usr/local/bin
         sudo chmod +x /usr/local/bin/cloudflared
         sudo systemctl start cloudflared
         cloudflared -v
         sudo systemctl status cloudflared

Reviews and Corrections highly Appreciated as I consider it WIP.

Reference -

1. https://blog.tufarolo.eu/how-to-configure-pihole-in-qubesos-proxyvm/
2. https://docs.pi-hole.net/guides/dns-over-https/
3. https://nextdns.io/