Cloudflare Tunnel: proxy-dns Command Removal 2026
mwpro.co.uk
Learn about the removal of the cloudflared proxy-dns command in Cloudflare Tunnel, effective February 2, 2026. Stay updated on migration steps and alternatives. Visit https:mwpro.co.uk for more details.

Hi everyone,

I have been using cloudflared for DNS-over-HTTPS for the past 5 years and it’s been working pretty well. One of the reasons for using it was because my ISP was hijacking my DNS queries and changing it to their own DNS server.

However, I saw this news where the proxy-dns feature in cloudflared is being closed and they are asking customers to shift to their WARP client instead.

I want to know what the community is using for encrypted DNS services (DoH, DoT, DoQ)

Thanks :)

  • K3CAN@lemmy.radioEnglish
    51·
    15 hours ago

    Are you trying to send the DNS request through the tunnel?

    I use DoH, which sends DNS requests through https. It essentially looks like normal https traffic (encrypted), so your ISP shouldn’t be able to hijack it and no additional tunnels are required. CF supports doh at the usual 1.1.1.1 address, even, if you want to keep using them. Otherwise plenty of other providers support doh, as well.

    • biscuitswalrus@aussie.zoneEnglish
      1·
      14 hours ago

      I personally haven’t looked at all but I don’t fully understand doh. How can you have https before DNS? To get my first query I kind of need to validate through DNS records certificate authority for that site? So to even establish doh you need unencrypted DNS or blind trust of IP?

      • K3CAN@lemmy.radioEnglish
        4·
        9 hours ago

        You’ll need a single DNS request, known as a “bootstrap” request. Your ISP will see a single DNS request to Google or Cloudflare or whatever, then everything after that will just look like normal https traffic.

        That said, if your ISP is blocking and denying ALL dns requests for some reason (making the bootstrap request impossible), then you could still define the address locally. At that point, though, the ISP is likely blocking the IP addresses, too, so resolving the address is a bit moot.

      • stratself@lemdro.idEnglish
        4·
        14 hours ago

        Yes you’ll need a way to query the domain of the DoH service in plaintext before using it. In many software you can define “bootstrap DNS addresses” to do exactly that. Or you can hardcode the DoH service’s IPs, which for most upstream providers are almost always the same as their “normal” IPs anyways

      • surewhynotlem@lemmy.worldEnglish
        1·
        10 hours ago

        You define your dns by IP. you get the cert from that IP and automatically trust it.

        The cert for validation the server only validate the hostname. It’s not useful for IP.