DNS-over-HTTPS on an Edgerouter X using Cloudflare (compiled on Mac OS Mojave)

My motivation to write this guide WASN'T out of original ideas. It's simply a means of aggregating parts of SEVERAL articles I perused while searching for a solution to keeping my ISP from being able to collect/use/sell DNS information originating from my network.

Configure ER-X to use dnsmasq as default dns/dhcp

If you haven't already, configure your edgerouter x (hereafter ER-X) to use dnsmasq as the default for serving up DNS/DHCP services. We only want to complete (as root) the first portion of the article:

set service dhcp-server use-dnsmasq enable

Prepare Mac OS Host for cloudflared compilation

Next up, obtain and build cloudflared for the ER-X. Most of the following steps are derived from this open issue in the cloudflared github project. I built the binary on Mac OS Mojave so I first needed to install Go via Homebrew.

Homebrew Install

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Installing Go

brew install go

Download and compile cloudflared

go get -d github.com/cloudflare/cloudflared/cmd/cloudflared
GOOS=linux GOARCH=mipsle go build -v -x github.com/cloudflare/cloudflared/cmd/cloudflared

At this time to confirm you successfully built the binary you should see the following after running the file cloudflared command:

Transfer, chmod, create folder/config file

transfer to ER-X
scp cloudflared user@erx:/home/user/
on ER-X:

chmod +x cloudflared
mv cloudflared /usr/local/bin/

create /etc/cloudflared directory, config.yml file (download config)

mkdir /etc/cloudflared
cat << EOF >> /etc/cloudflared/config.yml
proxy-dns: true
proxy-dns-port: 8853

Install init script, modify line, start script

install init script from cloudflared binary
/usr/local/bin/cloudflared service install
change cmd line in /etc/init.d/cloudflared to show:
start the cloudflared service
/etc/init.d/cloudflared start

Configure ER-X to use cloudflared service to forward DNS

set system name-server
set service dns forwarding listen-on eth0
set system domain-name erx.local 
set service dns forwarding options server=

Validate Port 53 not being used for DNS

When running the following command you shouldn't see output as the DNS should be forwarded as HTTPS (port 443) to Cloudflare
tcpdump -Xi eth0 port 53
To confirm the DNS-over-HTTPS is configured correctly, execute dig https://github.com while observing output via the following command:
tcpdump -nXi eth0 port 443 and dst host


Optional: Create a redirect NAT rule to force static DNS ( over HTTPS (cloudflared)

(Assuming no other NAT rules. If #1 exists, use #2,#3, etc. Also make sure to change inbound interface to the appropriate one [in my case switch0] and the inside-address to your gateway IP)

set service nat rule 1 description "host static dns redirect to cloudflared"
set service nat rule 1 destination address
set service nat rule 1 destination port 53
set service nat rule 1 inbound-interface switch0
set service nat rule 1 inside-address address
set service nat rule 1 inside-address port 53
set service nat rule 1 log disable
set service nat rule 1 protocol tcp_udp
set service nat rule 1 type destination