crazy-max/docker-cloudflared

About

Docker image for Cloudflared, a proxy-dns service.

Note

Want to be notified of new releases? Check out 🔔 Diun (Docker Image Update Notifier) project!

• Build locally
• Image
• Environment variables
• Ports
• Usage
  • Docker Compose
  • Command line
• Upgrade
• Notes
  • Performance issues
  • Use with Pi-hole
• Contributing
• License

Build locally

git clone https://github.com/crazy-max/docker-cloudflared.git
cd docker-cloudflared

# Build image and output to docker (default)
docker buildx bake

# Build multi-platform image
docker buildx bake image-all

Image

Following platforms for this image are available:

$ docker run --rm mplatform/mquery crazymax/cloudflared:latest
Image: crazymax/cloudflared:latest
 * Manifest List: Yes
 * Supported platforms:
   - linux/amd64
   - linux/arm/v6
   - linux/arm/v7
   - linux/arm64
   - linux/386
   - linux/ppc64le

Environment variables

• TZ: The timezone assigned to the container (default UTC)
• TUNNEL_DNS_UPSTREAM: Upstream endpoint URL, you can specify multiple endpoints for redundancy. (default https://1.1.1.1/dns-query,https://1.0.0.1/dns-query)
• TUNNEL_DNS_PORT: DNS listening port (default 5053)
• TUNNEL_DNS_ADDRESS: DNS listening IP (default 0.0.0.0 "all interfaces")
• TUNNEL_METRICS: Prometheus metrics host and port. (default 0.0.0.0:49312)

Ports

• 5053/udp: Listen port for the DNS over HTTPS proxy server
• 49312/tcp: Listen port for metrics reporting

Usage

Docker Compose

Docker compose is the recommended way to run this image. You can use the following docker compose template, then run the container:

docker-compose up -d
docker-compose logs -f

Command line

You can also use the following minimal command :

docker run -d --name cloudflared \
  -p 5053:5053/udp \
  -p 49312:49312 \
  crazymax/cloudflared:latest

Notes

Performance issues

For a DNS server with lots of short-lived connections, you may wish to consider adding --net=host to the run command or network_mode: "host" in your compose file for performance reasons (see #22). However, it is not required and some shared container hosting services may not allow it. You should also be aware --net=host can be a security risk in some situations. The Center for Internet Security - Docker 1.6 Benchmark recommends against this mode since it essentially tells Docker to not containerize the container's networking, thereby giving it full access to the host machine's network interfaces. It also mentions this option could cause the container to do unexpected things such as shutting down the Docker host as referenced in moby/moby#6401. For the most secure deployment, unrelated services with confidential data should not be run on the same host or VPS. In such cases, using --net=host should have limited impact on security.

Use with Pi-hole

Pi-hole currently provides documentation to manually set up DNS-Over-HTTPS with Cloudflared.

With Docker and this image, it's quite easy to use it with Pi-hole. Take a look at this simple docker compose template and you're ready to go.

Upgrade

To upgrade, pull the newer image and launch the container :

docker-compose pull
docker-compose up -d

Contributing

Want to contribute? Awesome! The most basic way to show your support is to star the project, or to raise issues. You can also support this project by becoming a sponsor on GitHub or by making a Paypal donation to ensure this journey continues indefinitely!

Thanks again for your support, it is much appreciated! 🙏

License

MIT. See LICENSE for more details.