How to Use DNS-over-HTTPS (DoH) with Pi-hole

TechRounder Help Center PDF
Live article: https://www.techrounder.com/help/how-to-use-dns-over-https-doh-with-pi-hole/

By Vipin PG | Published July 1, 2026 | Updated July 1, 2026 | Topic: Networking | 3 min read

Quick answer

Because Cloudflare deprecated the proxy-dns feature in cloudflared, users seeking DNS-over-HTTPS (DoH) for Pi-hole must now transition to dnscrypt-proxy. This guide provides a step-by-step migration process to install and configure dnscrypt-proxy as a local encrypted forwarder to maintain privacy and security for DNS queries.

If you landed here from one of the older cloudflared tutorials, stop before you follow it - that method doesn't work anymore. Cloudflare deprecated the `proxy-dns` feature those guides rely on back in November 2025, and as of July 2026, it's gone from all new cloudflared builds entirely. If you've got an old install still limping along, it'll eventually break too. The tool that actually does the job now is dnscrypt-proxy, and honestly, it's not any harder to set up.

Why cloudflared stopped working

Pi-hole was never built to speak DNS-over-HTTPS on its own - it just forwards whatever queries it gets to an upstream server you configure. For a long time, the easiest way to add encryption was running cloudflared locally as a DoH proxy and pointing Pi-hole at it. Cloudflare pulled that functionality due to a vulnerability in an underlying DNS library, and it's not coming back. dnscrypt-proxy does the exact same job - sits locally, forwards your queries encrypted - and it's actively maintained, so that's the tool to use going forward.

What You'll Need

- A working Pi-hole install (this guide assumes Pi-hole 6)
- SSH or terminal access to the machine running it
- Root or sudo privileges

Step 1: Stop cloudflared, If You Have It

Skip this if you're starting fresh. If you're migrating off an old cloudflared setup:

    sudo systemctl stop cloudflared
    sudo systemctl disable cloudflared
    sudo cloudflared service uninstall

Step 2: Install dnscrypt-proxy

If you're on Debian 13 (Trixie) or Ubuntu 25.04 and later, there's an official package now:

    sudo apt update
    sudo apt install dnscrypt-proxy

On anything older - Raspberry Pi OS, Ubuntu 24.04, whatever - grab the binary straight from GitHub instead. This example is for arm64 (most modern Raspberry Pis); swap the filename for `x86_64` on a regular PC/VM or `arm` for an older 32-bit Pi:

    cd /opt
    sudo wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/latest/download/dnscrypt-proxy-linux_arm64.tar.gz
    sudo tar -xzf dnscrypt-proxy-linux_arm64.tar.gz
    sudo mv linux-arm64 dnscrypt-proxy
    cd dnscrypt-proxy
    sudo cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
    sudo ./dnscrypt-proxy -service install
    sudo ./dnscrypt-proxy -service start

Step 3: Set the DoH Upstream in the Config File

Open the config - `/etc/dnscrypt-proxy/dnscrypt-proxy.toml` if you installed via apt, or the path you extracted it to if you went the manual route:

    sudo nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Two things to change. First, since Pi-hole's FTL service already owns port 53, dnscrypt-proxy needs a different one:

    listen_addresses = ['127.0.0.1:5053']

Second, pick your upstream DoH provider(s):

    server_names = ['cloudflare', 'quad9-dnscrypt-ip4-filter-pri']

The full list of public resolvers to choose from is at dnscrypt.info/public-servers - Cloudflare, Quad9, and a bunch of others are all fair game.

> If you installed via apt on Debian 13 / Ubuntu 25.04+, the package uses systemd socket activation and defaults to port 53, which will conflict with Pi-hole. Instead of editing `listen_addresses`, override the socket directly:
>
>     sudo systemctl edit dnscrypt-proxy.socket
>
> Paste this into the editor that opens, save, and exit:
>
>     [Socket]
>     ListenStream=
>     ListenDatagram=
>     ListenStream=127.0.0.1:5053
>     ListenDatagram=127.0.0.1:5053

Step 4: Restart Everything

    sudo systemctl restart dnscrypt-proxy.socket
    sudo systemctl restart dnscrypt-proxy.service
    sudo systemctl restart pihole-FTL.service

(If you installed manually via the tarball method, it's just `sudo systemctl restart dnscrypt-proxy` instead.)

Confirm it actually started:

    sudo systemctl status dnscrypt-proxy

You want to see active (running). If it's not, check the config file for typos - bad TOML syntax will silently kill the service.

Step 5: Point Pi-hole at It

The fastest way is the CLI:

    sudo pihole-FTL --config dns.upstreams '["127.0.0.1#5053"]'

Or do it through the web interface: log into `http://pi.hole/admin`, go to Settings > DNS, uncheck any default upstream providers that are ticked, scroll down to Custom DNS Servers (IPv4), type in `127.0.0.1#5053`, and hit Save & Apply.

Step 6: Confirm the Queries Are Actually Encrypted

From any device that's using Pi-hole for DNS, open a browser and go to 1.1.1.1/help - under "Debug Information" you should see Using DNS over HTTPS (DoH): Yes. Heads up, that checker only recognizes Cloudflare - if you picked Quad9 or another provider, it won't show a match even though DoH is working fine. In that case, dnsleaktest.com is a better sanity check.
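The checks from Steps 3 and 6 can also be run locally. This is an added example, not part of the original article: it lints `listen_addresses` for the port 53 conflict (manual install, where the port lives in the TOML file) and counts plaintext port 53 packets leaving the Pi-hole in `tcpdump -nn` output. The function names, the Pi-hole address 192.168.1.2 and the sample capture are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Flag listen_addresses entries that are off loopback or on port 53
# (pihole-FTL owns 53). Assumes the array is written on a single line.
# Prints offending entries; exit status 0 means the setting is safe.
check_listen_addresses() {
    awk -v q="'" '
        /^[ \t]*listen_addresses[ \t]*=/ {
            seen = 1; line = $0; gsub(/"/, q, line)
            n = split(line, part, q)      # quoted entries sit at even indices
            for (i = 2; i <= n; i += 2) {
                addr = part[i]
                if (addr !~ /^(127\.[0-9.]+|\[::1\]):[0-9]+$/ || addr ~ /:53$/) {
                    print addr; bad = 1
                }
            }
        }
        END { exit (bad || !seen) ? 1 : 0 }
    ' "$1"
}

# Count packets in `tcpdump -nn` text (stdin) that go to port 53 on any host
# other than loopback or the Pi-hole itself ($1): DNS leaving unencrypted.
count_plaintext_dns() {
    awk -v self="$1" '
        {
            for (i = 1; i < NF; i++) if ($i == ">") {
                dst = $(i + 1); sub(/:$/, "", dst)
                if (dst ~ /\.53$/ && dst !~ /^127\./ && index(dst, self ".") != 1) n++
                break
            }
        }
        END { print n + 0 }
    '
}

# Constructed capture: a LAN client asks the Pi-hole, which forwards over 443.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 192.168.1.50.51000 > 192.168.1.2.53: 4660+ A? example.com. (29)
12:00:01.000200 IP 192.168.1.2.41000 > 1.1.1.1.443: Flags [P.], length 120
12:00:01.000900 IP 192.168.1.2.53 > 192.168.1.50.51000: 4660 1/0/0 A 192.0.2.10 (45)
EOF
}

echo "plaintext DNS packets leaving the host: $(sample_capture | count_plaintext_dns 192.168.1.2)"
```

On a live system, feed it a real capture, for example `sudo tcpdump -nn -c 200 -i eth0 port 53 | count_plaintext_dns <pi-hole-ip>` (the interface name is an assumption); any count above zero means something on the Pi-hole is still resolving in the clear.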
> Worth knowing before you assume you're fully anonymous now: DoH hides your DNS traffic from your ISP, not from whichever provider you picked as the upstream. Cloudflare, Quad9, or whoever you chose can still see every domain you're looking up. If that bothers you, the next step up is running Unbound as a recursive resolver instead of forwarding to a third party - more setup involved, but it skips outside DNS providers almost entirely.

Official sources and references

1. dnscrypt.info - public-servers - https://dnscrypt.info/public-servers/
2. 1.1.1.1 - help - https://1.1.1.1/help
3. dnsleaktest.com - https://www.dnsleaktest.com/

TechRounder Help Center | https://www.techrounder.com/pdf/help/how-to-use-dns-over-https-doh-with-pi-hole.pdf