December 29, 2025

Hi ZappyZap, thank you for continuing to maintain this plugin. I wanted to use the holidays to finally take a look at it for using DoH. But I just happened to see that cloudflared proxy-dns will be discontinued at the beginning of next year: https://developers.cloudflare.com/changelog/2025-11-11-cloudflared-proxy-dns/

Do you have any plans to switch to a different client for your container, or will DoH simply be phased out?

December 31, 2025 (Author)

I did had time to look at it yet and found an alternative if exist, but it is planned. Of course I will update what I found, but I think I am going to use dnscrypt-proxy.

Edited December 31, 2025 by ZappyZap

December 31, 2025 (Author)

On 12/29/2025 at 12:01 PM, taddaeus01 said:
> Hi ZappyZap, thank you for continuing to maintain this plugin. I wanted to use the holidays to finally take a look at it for using DoH. But I just happened to see that cloudflared proxy-dns will be discontinued at the beginning of next year: https://developers.cloudflare.com/changelog/2025-11-11-cloudflared-proxy-dns/ Do you have any plans to switch to a different client for your container, or will DoH simply be phased out?

I need testers, @taddaeus01

I replace cloudflared-proxy-dns with dnscrypt-proxy for DoH and use cloudflare-security. The tag: beta should be a drop-in replacement. Please test and let me know.

Summary note (this tag uses):
dnscrypt-proxy for DoH - 127.1.1.1#5153. Uses Cloudflare Security (1.1.1.2)
stubby for DoT - 127.2.2.2#5253. Uses google (8.8.8.8 / 8.8.4.4) by default
unbound for recursive - 127.0.0.1#5335

Please let me know and Happy New Year :)

January 2

On 1/1/2026 at 11:00 AM, ZappyZap said:
> I need testers, @taddaeus01
> I replace cloudflared-proxy-dns with dnscrypt-proxy for DoH and use cloudflare-security. The tag: beta should be a drop-in replacement. Please test and let me know.
> Summary note (this tag uses):
> dnscrypt-proxy for DoH - 127.1.1.1#5153. Uses Cloudflare Security (1.1.1.2)
> stubby for DoT - 127.2.2.2#5253. Uses google (8.8.8.8 / 8.8.4.4) by default
> unbound for recursive - 127.0.0.1#5335
> Please let me know and Happy New Year :)

Thanks for this update, I have deployed it in my environment and started sending all my prod traffic to it. It is handling requests OK and shows DOH tests passed on https://one.one.one.one/help/

While I can't test DOT externally, I have set it as a provider and that has worked fine. Seems to work just fine, I had to manually set the tag as the Unraid app doesn't offer a selection unlike others.

@ZappyZap Does the local unbound instance also use DOH/DOT as its upstream, or still just requesting from root servers over generic 53? Maybe comment that in the template if still unencrypted traffic for that resolver.

Hope this helps, let me know if you need anything specific tested. I imported my pi-hole config as well so blocklist/gravity etc is working too.

Edited January 2 by Zackey_TNT: more detail

January 2 (Author)

3 hours ago, Zackey_TNT said:
> Thanks for this update, I have deployed it in my environment and started sending all my prod traffic to it. It is handling requests OK and shows DOH tests passed on https://one.one.one.one/help/ While I can't test DOT externally, I have set it as a provider and that has worked fine. Seems to work just fine, I had to manually set the tag as the Unraid app doesn't offer a selection unlike others.

Thanks so much for the feedback, I appreciate it, and yes you have to update the tag manually. Which "Others" are you referring to? I am curious.

3 hours ago, Zackey_TNT said:
> @ZappyZap Does the local unbound instance also use DOH/DOT as its upstream, or still just requesting from root servers over generic 53? Maybe comment that in the template if still unencrypted traffic for that resolver.

It is using recursive, I will have to dig further to see how I can add DoT/DoH if it ever support it .... I have to admit I did not look at it.

3 hours ago, Zackey_TNT said:
> Hope this helps, let me know if you need anything specific tested. I imported my pi-hole config as well so blocklist/gravity etc is working too.

Yes, help a lot to make it even better. Thanks so much.

Edited January 2 by ZappyZap

January 2

On 12/31/2025 at 11:00 PM, ZappyZap said:
> I need testers, [...]

Hi @ZappyZap,

Your response came much faster than I would have expected. Thank you very much for the quick implementation.

I switched my test Pihole container to the beta version today and expanded it with a small list on the Quad9 servers. Since I suspect that later versions will also add further configuration options for you, I have left it at simple changes for now.

So far, everything is running smoothly and quietly.

January 2 (Author)

6 minutes ago, taddaeus01 said:
> Hi @ZappyZap, Your response came much faster than I would have expected. Thank you very much for the quick implementation. I switched my test Pihole container to the beta version today and expanded it with a small list on the Quad9 servers. Since I suspect that later versions will also add further configuration options for you, I have left it at simple changes for now. So far, everything is running smoothly and quietly.

Thanks for the feedback.

I am also testing on my prod env for 2 days.... will gather more testing data before switch to latest. Better earlier than later since the announcement from cloudflare is out and dnscrypt-proxy seems a drop-in replacement and solid as well.

Thanks

January 3 (Author)

19 hours ago, Zackey_TNT said:
> @ZappyZap Does the local unbound instance also use DOH/DOT as its upstream, or still just requesting from root servers over generic 53? Maybe comment that in the template if still unencrypted traffic for that resolver.

I make some research and found: https://github.com/NLnetLabs/unbound/issues/308

January 9

On 1/3/2026 at 2:06 AM, ZappyZap said:
> Thanks so much for the feedback, I appreciate it, and yes you have to update the tag manually. Which "Others" are you referring to? I am curious.
> It is using recursive, I will have to dig further to see how I can add DoT/DoH if it ever support it .... I have to admit I did not look at it.
> Yes, help a lot to make it even better. Thanks so much.

Hello,

To respond about the "Others" with containers (docker apps) in unraid, some apps will let you pick tags or branches to use, like Latest, Default, Beta, and Nightly. This is done via the UI and not added as a tag to the repository.

Update for you following days/weeks? of testing. Still having no issues myself though I note that on one of my two instances of pihole, it is reporting the following error:

Connection error (127.1.1.1#5153): TCP connection failed while receiving payload length from upstream (Connection prematurely closed by remote server)

I think this is just cloudflare momentarily not responding, but it does slow down dns response times significantly. Not sure if pihole can be set to just serve whichever provider responds first (DoT/DoH).

Do let us know when to switch off the beta tag, thank you very much for your work!

Cheers.

January 10 (Author)

2 hours ago, Zackey_TNT said:
> Hello, To respond about the "Others" with containers (docker apps) in unraid, some apps will let you pick tags or branches to use, like Latest, Default, Beta, and Nightly. This is done via the UI and not added as a tag to the repository.

Really interesting, if you can point me to some app, I think I will learn something. And yes I will let everybody know.... I am still gathering data on this testing, I want to make sure it is smooth, we do have some time.

Thanks

January 10

29 minutes ago, ZappyZap said:
> Really interesting, if you can point me to some app, I think I will learn something. And yes I will let everybody know.... I am still gathering data on this testing, I want to make sure it is smooth, we do have some time. Thanks

One more question, do the DoH/DoT modules have a rate limit set, as I think that is what I am hitting with that previous error.

January 10 (Author)

1 minute ago, Zackey_TNT said:
> One more question, do the DoH/DoT modules have a rate limit set, as I think that is what I am hitting with that previous error.

I am almost positive the rate limit is with pihole.

January 10

1 minute ago, ZappyZap said:
> I am almost positive the rate limit is with pihole.

I set a higher rate limit for Pihole but the 127.1.1.1#5153 responder seems to still refuse requests, I'm wondering if it's set to a rate limit as well in configs or built in? Maybe at cloudflare's end?

February 7

On 12/31/2025 at 3:00 PM, ZappyZap said:
> I need testers, @taddaeus01
> I replace cloudflared-proxy-dns with dnscrypt-proxy for DoH and use cloudflare-security. The tag: beta should be a drop-in replacement. Please test and let me know.
> Summary note (this tag uses):
> dnscrypt-proxy for DoH - 127.1.1.1#5153. Uses Cloudflare Security (1.1.1.2)
> stubby for DoT - 127.2.2.2#5253. Uses google (8.8.8.8 / 8.8.4.4) by default
> unbound for recursive - 127.0.0.1#5335
> Please let me know and Happy New Year :)

Hi! I missed the memo and cloudflared apparently stopped working for me today, but switching to beta works just dandy. Thanks!

February 7

Today's update's broken, this may be it:

[23:22:02.091486] STUBBY: Stubby version: Stubby 0.4.3
You did not specify any valid additional argument to the cloudflared tunnel command. If you are trying to run a Quick Tunnel then you need to explicitly pass the --url flag. Eg. cloudflared tunnel --url localhost:8080/. Please note that Quick Tunnels are meant to be ephemeral and should only be used for testing purposes. For production usage, we recommend creating Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)

Had to revert to previous "2025.11.1-z02" tag.

Edited February 8 by Kilrah

February 8

Thank you for your continued work on this ZappyZap.

I noticed with the "latest" release both "127.1.1.1#5153" and "127.2.2.2#5335" are returning the following error:

WARNING Connection error (127.2.2.2#5335): TCP connection failed (Connection refused)

The issue seems to be specific to these unbound addresses, and only on the "latest" release. If I switch to a different DNS server like "1.1.1.1" or "8.8.8.8" on "latest" it works as expected. The same is true if I stay on "127.1.1.1#5153" or "127.2.2.2#5335" on the "beta" release.

I assume "127.1.1.1#5153" fails on "latest" because Cloudflare removed the "proxy-dns" command, but I'm not sure about "127.2.2.2#5335".

February 8

6 hours ago, Zilonis said:
> Thank you for your continued work on this ZappyZap. I noticed with the "latest" release both "127.1.1.1#5153" and "127.2.2.2#5335" are returning the following error:
> WARNING Connection error (127.2.2.2#5335): TCP connection failed (Connection refused)
> The issue seems to be specific to these unbound addresses, and only on the "latest" release. If I switch to a different DNS server like "1.1.1.1" or "8.8.8.8" on "latest" it works as expected. The same is true if I stay on "127.1.1.1#5153" or "127.2.2.2#5335" on the "beta" release.
> I assume "127.1.1.1#5153" fails on "latest" because Cloudflare removed the "proxy-dns" command, but I'm not sure about "127.2.2.2#5335".

I see what I did wrong for the errors being returned by "127.2.2.2#5335". The overview/description when editing the docker says "you must set FTLCONF_dns_upstreams variables to 127.1.1.1#5153 (DoH) and/or 127.2.2.2#5335 (DoT)", but looking at "stubby.yml" it should be "127.2.2.2#5253" for DoT. The issue still stands with "127.1.1.1"5153".

February 8 (Author)

18 hours ago, Kilrah said:
> Today's update's broken, this may be it:
> [23:22:02.091486] STUBBY: Stubby version: Stubby 0.4.3
> You did not specify any valid additional argument to the cloudflared tunnel command. If you are trying to run a Quick Tunnel then you need to explicitly pass the --url flag. Eg. cloudflared tunnel --url localhost:8080/. Please note that Quick Tunnels are meant to be ephemeral and should only be used for testing purposes. For production usage, we recommend creating Named Tunnels. (https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/)
> Had to revert to previous "2025.11.1-z02" tag.

Interesting, need to verify what they did.... Did you find the culprit?

February 8 (Author)

10 hours ago, Zilonis said:
> I see what I did wrong for the errors being returned by "127.2.2.2#5335". The overview/description when editing the docker says "you must set FTLCONF_dns_upstreams variables to 127.1.1.1#5153 (DoH) and/or 127.2.2.2#5335 (DoT)", but looking at "stubby.yml" it should be "127.2.2.2#5253" for DoT. The issue still stands with "127.1.1.1"5153".

Not sure I am understanding your error there ..... but I will try to conduct some extensive test.

February 8

2 minutes ago, ZappyZap said:
> Not sure I am understanding your error there ..... but I will try to conduct some extensive test.

Sorry, to clarify: on the "latest" docker release, if the Pihole tries to use "127.1.1.1#5135" as its DNS server for DoH it will endlessly throw this error.

WARNING Connection error (127.1.1.1#5153): TCP connection failed (Connection refused)

I assume it's because Cloudflare removed the "proxy-dns" command which would explain why it works on the docker "beta" release that uses "dnscrypt-proxy" instead.

For the same error with "127.2.2.2#5335" that looks like user error. The docker overview when editing it or installing says this:

Following those instructions I set the second DNS server to "127.2.2.2#5335", but it looks like it should actually be "127.2.2.2#5235" if I take the value from "stubby.yml". I don't know if the overview needs to be updated to show the correct port for the DoT DNS server.

February 8 (Author)

Forgive me all... I learn my lesson: do not try to read the forum on a cell, and not fully concentrated .....

@Zilonis which tag are you using?

@Kilrah I think you are correct.

After thinking and rereading all the reports in a more calm env...., I think all those issues are due to the cloudflare update removing proxy-dns.

I will be back home in about 1h and I push the beta version to prod.... since I am testing it from a month now without issue.

February 8

@ZappyZap both "latest" and "beta". I provided more information in my reply just before you replied.

February 8 (Author)

21 minutes ago, Zilonis said:
> Following those instructions I set the second DNS server to "127.2.2.2#5335", but it looks like it should actually be "127.2.2.2#5235" if I take the value from "stubby.yml". I don't know if the overview needs to be updated to show the correct port for the DoT DNS server.

I need to update the Overview:

dnscrypt-proxy for DoH - 127.1.1.1#5153. Uses Cloudflare Security (1.1.1.2)
stubby for DoT - 127.2.2.2#5253. Uses google (8.8.8.8 / 8.8.4.4) by default
unbound for recursive - 127.0.0.1#5335

February 8 (Author)

Pushed. Hopefully this will end up the saga with cloudflared.

Let me know.

Still need to update Overview and others.....
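
Added example, not part of any post above and not the plugin's own code: a small check that compares a `FTLCONF_dns_upstreams` value against the listener map the author posted, catching the address/port mix-up reported in this thread before Pi-hole logs "Connection refused". The `;` delimiter, the IP-only validation and the function names are assumptions.

```python
import ipaddress

# Listener map copied from the author's summary in this thread.
LISTENERS = {
    ("127.1.1.1", 5153): "dnscrypt-proxy (DoH)",
    ("127.2.2.2", 5253): "stubby (DoT)",
    ("127.0.0.1", 5335): "unbound (recursive)",
}
PORT_BY_IP = {ip: (port, name) for (ip, port), name in LISTENERS.items()}


def parse_upstream(entry):
    """Split one 'ip#port' entry; port defaults to 53, None if malformed."""
    ip, sep, port = entry.strip().partition("#")
    try:
        ipaddress.ip_address(ip)  # assumption: upstreams are IP literals
    except ValueError:
        return ip, None
    if not sep:
        return ip, 53
    return ip, int(port) if port.isdigit() else None


def check_upstreams(value, delimiter=";"):
    """Classify each upstream as ok / wrong-port / malformed / external."""
    findings = []
    for entry in filter(None, (e.strip() for e in value.split(delimiter))):
        ip, port = parse_upstream(entry)
        if port is None:
            findings.append((entry, "malformed", "expected ip#port"))
        elif (ip, port) in LISTENERS:
            findings.append((entry, "ok", LISTENERS[(ip, port)]))
        elif ip in PORT_BY_IP:
            want, name = PORT_BY_IP[ip]
            findings.append((entry, "wrong-port", f"{name} listens on {ip}#{want}"))
        else:
            findings.append((entry, "external", "not a local listener in this container"))
    return findings


if __name__ == "__main__":
    # Constructed value reproducing the DoT port mix-up reported above.
    for finding in check_upstreams("127.1.1.1#5153;127.2.2.2#5335"):
        print(*finding, sep="  ")
```

An "external" result means the query leaves the container without going through the DoH or DoT listener, which is worth reviewing if encrypted upstream traffic is the goal.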