DNS-over-HTTPS on an Edgerouter X using Cloudflare (compiled on Mac OS Mojave)

My motivation to write this guide WASN'T out of original ideas. It's simply a means of aggregating parts of SEVERAL articles I perused while searching for a solution to keeping my ISP from being able to collect/use/sell DNS information originating from my network.

Configure ER-X to use dnsmasq as default dns/dhcp

If you haven't already, configure your edgerouter x (hereafter ER-X) to use dnsmasq as the default for serving up DNS/DHCP services. We only want to complete (as root) the first portion of the article:

configure
set service dhcp-server use-dnsmasq enable
commit
save
exit

Prepare Mac OS Host for cloudflared compilation

Next up, obtain and build cloudflared for the ER-X. Most of the following steps are derived from this open issue in the cloudflared github project. I built the binary on Mac OS Mojave so I first needed to install Go via Homebrew.

Homebrew Install

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Installing Go

brew install go

Download and compile cloudflared

go get -d github.com/cloudflare/cloudflared/cmd/cloudflared
GOOS=linux GOARCH=mipsle go build -v -x github.com/cloudflare/cloudflared/cmd/cloudflared

At this time to confirm you successfully built the binary you should see the following after running the file cloudflared command:
cfdcompile_filecmd

Transfer, chmod, create folder/config file

transfer to ER-X
scp cloudflared user@erx:/home/user/
on ER-X:

su
chmod +x cloudflared
mv cloudflared /usr/local/bin/

create /etc/cloudflared directory, config.yml file (download config)

mkdir /etc/cloudflared
cat << EOF >> /etc/cloudflared/config.yml
proxy-dns: true
proxy-dns-upstream:
 - https://1.1.1.1/dns-query
 - https://1.0.0.1/dns-query
proxy-dns-port: 8853
EOF

Install init script, modify line, start script

install init script from cloudflared binary
/usr/local/bin/cloudflared service install
change cmd line in /etc/init.d/cloudflared to show:
cfdinitd_cmd
start the cloudflared service
/etc/init.d/cloudflared start

Configure ER-X to use cloudflared service to forward DNS

set system name-server 127.0.0.1
set service dns forwarding listen-on eth0
set system domain-name erx.local 
set service dns forwarding options server=127.0.0.1#8853
commit
save
exit

Validate Port 53 not being used for DNS

When running the following command you shouldn't see output as the DNS should be forwarded as HTTPS (port 443) to Cloudflare
tcpdump -Xi eth0 port 53
To confirm the DNS-over-HTTPS is configured correctly, execute dig https://github.com while observing output via the following command:
tcpdump -nXi eth0 port 443 and dst host 1.1.1.1

cfdtcpdumpvalidout

Optional: Create a redirect NAT rule to force static DNS (8.8.8.8) over HTTPS (cloudflared)

(Assuming no other NAT rules. If #1 exists, use #2,#3, etc. Also make sure to change inbound interface to the appropriate one [in my case switch0] and the inside-address to your gateway IP)

set service nat rule 1 description "host static dns redirect to cloudflared"
set service nat rule 1 destination address 8.8.8.8
set service nat rule 1 destination port 53
set service nat rule 1 inbound-interface switch0
set service nat rule 1 inside-address address 192.168.1.1
set service nat rule 1 inside-address port 53
set service nat rule 1 log disable
set service nat rule 1 protocol tcp_udp
set service nat rule 1 type destination