cjscrofani.com
11 min read

Cloudflare Zero Trust DNS over HTTPS (DoH) Setup on Ubiquiti:UniFi

NetworkingSecurityCloud

Configure Cloudflare Zero Trust DNS over HTTPS (DoH) on your Ubiquiti UniFi network for enhanced privacy and security. This guide walks through setting up encrypted DNS queries to protect your network traffic from eavesdropping.

Cloudflare Docs

Why DNS over HTTPS?

Privacy Protection

Encrypts DNS queries to prevent ISPs and network observers from seeing which websites you visit

DNS Hijacking Prevention

Protects against man-in-the-middle attacks and DNS spoofing by encrypting the connection

Zero Trust Integration

Leverages Cloudflare's Zero Trust platform for advanced filtering and security policies

Threat Protection

Automatically blocks malicious domains and phishing attempts before they reach your network

Prerequisites

  • Cloudflare Zero Trust Account: Free tier available
  • UniFi Network Application: Version 7.0 or later
  • Admin Access: To your UniFi Controller

Setup Guide

Step 1: Configure Cloudflare Zero Trust
  1. Log in to your Cloudflare Zero Trust dashboard
  2. Navigate to Gateway → DNS Locations
  3. Create a new DNS location or use the default
  4. Note down your DoH endpoint URL (format: https://<subdomain>.cloudflare-gateway.com/dns-query)
Step 2: Configure Gateway Policies (Optional)

Before configuring UniFi, set up your filtering policies:

  • Navigate to Gateway → Firewall Policies
  • Create DNS policies for content filtering
  • Set up security threat categories to block
  • Configure allowed/blocked domains
Step 3: Install Cloudflare Certificate on UniFi
  1. Download the Cloudflare root certificate
  2. SSH into your UniFi device (UDM/UDM-Pro/USG)
  3. Upload and install the certificate to system trust store
  4. Verify certificate installation
Step 4: Configure DNS Settings in UniFi
  1. Open UniFi Network Application
  2. Navigate to Settings → Internet → WAN Networks
  3. Select your WAN connection
  4. Under DNS Server, choose "Manual"
  5. Enter Cloudflare Gateway IP addresses:
    • Primary: Your Gateway DNS IPv4 address
    • Secondary: Backup Gateway DNS IPv4 address
Step 5: Enable DoH/DoT

Configure the UniFi device to use DoH:

# SSH into UniFi device
ssh [email protected]

# Configure DNS over HTTPS
set service dns forwarding name-server <gateway-ip>
set service dns forwarding options server=/*/<gateway-ip>
commit
save
Step 6: Verify Configuration
  • Test DNS resolution from a client device
  • Check Cloudflare Zero Trust dashboard for query logs
  • Verify encrypted DNS queries are appearing
  • Test blocked domains to ensure filtering works

Testing Your Configuration

DNS Leak Test

Visit dnsleaktest.com to verify your DNS queries are routing through Cloudflare

Run DNS Leak Test
Gateway Logs

Check your Cloudflare Zero Trust dashboard under Gateway → Analytics to see DNS queries in real-time

Troubleshooting

DNS Not Resolving
  • Verify Cloudflare Gateway DNS IPs are correct
  • Check certificate installation on UniFi device
  • Ensure firewall rules allow outbound port 443
  • Try flushing DNS cache on client devices
Queries Not Appearing in Dashboard
  • Confirm DNS location is properly configured
  • Check that source IP matches your network
  • Allow up to 5 minutes for initial queries to appear
Performance Issues
  • Enable DNS caching on UniFi device
  • Use Cloudflare's anycast network for lowest latency
  • Consider setting up secondary DNS for redundancy

Additional Resources

Cloudflare Zero Trust DocsUniFi DocumentationUniFi Community