DNS over HTTPS (DoH) with Ubiquiti & Cloudflare Zero Trust

Your ISP is probably selling your DNS queries to data brokers, whether you’re at home or on mobile. A free Cloudflare Zero Trust account lets you encrypt that traffic with DNS over HTTPS (DoH) and block unwanted content at the network level.

1. Stop ads and malware: You block ad networks and malicious domains at the DNS level, before they load on connected devices.

2. Cut bandwidth waste: Blocked ad domains never resolve, so the data never flows. Pages load faster.

3. See your network activity: Your gateway logs each DNS request with the source device. You can spot issues and set custom rules per category or domain.

4. Encrypt your queries: DoH wraps DNS lookups in HTTPS. Your ISP sees encrypted traffic, not a plaintext record of the sites you visit.

Turnkey DoH with Customizable DNS Filtering #

In the past, I ran Unbound inside my home Kubernetes cluster, comparable to self-hosting Pi-hole or AdGuard Home: time-consuming to configure and maintain. UniFi Network Application 8.2.93 added DNS Stamp support to DNS Shield, letting you point your gateway at any custom DoH resolver, including Cloudflare Zero Trust.

Requirements #

• Ubiquiti UniFi DNS Shield: a UniFi Next-Gen Gateway or UniFi Gateway Console with version 3.2 or newer
  • UniFi Dream Machine (UDM)
  • UniFi Dream Machine Pro (UDM-Pro)
  • UniFi Dream Machine Special Edition (UDM-SE)
  • UniFi Security Gateway (USG)
  • UniFi Security Gateway Pro (USG-Pro)
  • UniFi Security Gateway XG (USG-XG)
  • UniFi Next-Generation Gateway (UXG-Pro)
• DNS Stamp: A DNS stamp is required for configuring a custom DNS Shield DOH configuration. It’s a compact, encoded representation of DNS server configuration information.
  • an Online DNS Stamp calculator is used to calculate this value
• Cloudflare Zero Trust: cloud-hosted customizable DNS filtering
  • Category filtering: Block domains by category: malware, phishing, ads, adult content, and more.
  • Custom lists: Add your own allow or block lists to override category rules per domain.
  • Query logging: Every DNS request is recorded with timestamp, source, and resolution result.
  • Analytics: Dashboard showing allowed and blocked query counts, top domains, and trends.
  • Threat intelligence: Cloudflare updates block lists from global threat data automatically.

Configuration #

• Cloudflare Zero Trust
  • Create a new account using the free plan.
  • Open the Zero Trust Dashboard
  • Under Gateway, DNS Locations, Select Add a DNS location
    • Enable DNS over HTTPS (DoH) and leave the other DNS endpoints disabled
    • After creating the DNS location, copy the URL of DNS over HTTPS (DoH), which will look something like https://example7l3.cloudflare-gateway.com/dns-query
    • Paste that value in a text editor, removing https:// and /dns-query, which will look something like example7l3.cloudflare-gateway.com
    • This URL is unique for your Cloudflare Zero Trust account and for this DNS Location
• Online DNS Stamp calculator
  • Select DNS over HTTPS (DoH) under Protocol
  • Paste the value from above under Host name (vhost+SNI) and optional port number
  • Ensure Path is /dns-query
  • Copy the calculated DNS Stamp available under the Stamp
• Ubiquiti Unifi Site Manager
  • Select your Network
  • Open Settings
  • Select Security
  • Select Custom under DNS Shield
    • Enter Cloudflare under Server Name
    • Enter the value of Stamp from above, which will look something like sdns://AgcAAAAexampleAAAAA9kbnMtcXVlcnk under DNS Stamp
  • Select Apply Changes

Cloudflare Zero Trust #

After a few minutes, you will receive secure visibility of your DNS queries in the Cloudflare Zero Trust Dashboard:

and any blocks:

Begin customizing by creating DNS policies and reviewing DNS logs

I set this up in about fifteen minutes. My network now gets filtered DNS with full query logging, and I decommissioned the Unbound pod from my Kubernetes cluster.