dnsmasq with dnscrypt-proxy + cloudflared
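# /etc/logrotate.d/cloudflared
# cloudflared keeps --logfile open, so a plain rename leaves the daemon writing
# into the rotated file and the live file never shrinks. copytruncate copies the
# file and truncates it in place instead; lines written during the copy can be
# lost (inherent to copytruncate). NOTE(review): if the deployed cloudflared
# build rotates its own log file, this drop-in is redundant — confirm.
/var/log/cloudflared/cloudflared.log {
    rotate 7
    daily
    compress
    missingok
    notifempty
    copytruncate
}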
# /etc/dnsmasq.d/cloudflared.conf
# Forward queries to the cloudflared DoH proxy on loopback port 53000
# (proxy-dns-port in /etc/cloudflared/config.yaml).
server=127.0.0.1#53000
# Copy the upstream's DNSSEC AD bit through to clients instead of validating
# here. Only acceptable because the hop to the upstream is loopback.
# NOTE(review): dnsmasq.conf also sets `dnssec`, so dnsmasq validates locally;
# confirm which of the two behaviours is intended.
proxy-dnssec
# Do not read upstream servers from /etc/resolv.conf, so nothing bypasses the
# encrypted forwarder.
no-resolv
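# /lib/systemd/system/cloudflared.service
# Locally written units normally go in /etc/systemd/system; /lib/systemd/system
# is for package-managed units and may be overwritten by upgrades.
[Unit]
Description=Cloudflare DNS over HTTPS proxy
After=network.target
# Be up before services that need name resolution start.
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
# Dedicated unprivileged account. The listener port (53000 in config.yaml) is
# above 1024, so no capabilities are needed.
User=cloudflared
ExecStart=/usr/sbin/cloudflared --no-autoupdate --logfile /var/log/cloudflared/cloudflared.log --config /etc/cloudflared/config.yaml
Restart=on-failure
# Avoid a tight restart loop if the upstream is unreachable at boot.
RestartSec=5
# Sandboxing: the process only needs to read its config and append to its log.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
# Only writable path under ProtectSystem=strict. NOTE(review): add any other
# directory this cloudflared version writes to — check the journal after start.
ReadWritePaths=/var/log/cloudflared

[Install]
WantedBy=multi-user.target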
# /etc/cloudflared/config.yaml
# Run cloudflared as a local DNS-over-HTTPS forwarder.
proxy-dns: true
# Must match the dnsmasq server= entry (127.0.0.1#53000).
proxy-dns-port: 53000
# NOTE(review): the listener binds to localhost unless proxy-dns-address is
# set — confirm for the deployed version.
# Cloudflare's resolvers over HTTPS; both addresses serve the same service.
proxy-dns-upstream:
  - "https://1.1.1.1/dns-query"
  - "https://1.0.0.1/dns-query"
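# /etc/logrotate.d/dnscrypt-proxy
# Matches dnscrypt-proxy.log and nx.log (see dnscrypt-proxy.toml). The daemon
# keeps its log files open, so rotate by copy-then-truncate rather than rename;
# a few lines written during the copy can be lost (inherent to copytruncate).
# NOTE(review): dnscrypt-proxy also rotates its own logs (log_files_max_size,
# log_files_max_age, log_files_max_backups); this drop-in is only needed if
# those are left at values you do not want — confirm.
/var/log/dnscrypt-proxy/*.log {
    rotate 7
    daily
    compress
    missingok
    notifempty
    copytruncate
}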
# /etc/dnsmasq.d/dnscrypt-proxy
# NOTE(review): dnsmasq.conf loads drop-ins with conf-dir=/etc/dnsmasq.d/,*.conf,
# so a file without the .conf suffix is never read. Rename it to
# dnscrypt-proxy.conf to activate it; dnsmasq then has both loopback forwarders
# as upstreams and chooses between them per its server-selection rules.
# Forward queries to dnscrypt-proxy on loopback port 53001 (listen_addresses in
# dnscrypt-proxy.toml).
server=127.0.0.1#53001
# Copy the upstream's DNSSEC AD bit through to clients; acceptable only because
# the hop is loopback. dnsmasq.conf also sets `dnssec` — confirm the intent.
proxy-dnssec
# Do not read upstream servers from /etc/resolv.conf.
no-resolv
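# /lib/systemd/system/dnscrypt-proxy.service
# Locally written units normally go in /etc/systemd/system; /lib/systemd/system
# is for package-managed units and may be overwritten by upgrades.
[Unit]
Description=DNSCrypt and DNS over HTTPS proxy
After=network.target
# Be up before services that need name resolution start.
Before=nss-lookup.target
Wants=nss-lookup.target

[Service]
# Dedicated unprivileged account. The listener port (53001 in
# dnscrypt-proxy.toml) is above 1024, so no capabilities are needed.
User=dnscrypt-proxy
ExecStart=/usr/sbin/dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
Restart=on-failure
# Avoid a tight restart loop if the resolver list cannot be fetched at boot.
RestartSec=5
# Sandboxing: the process reads its config, writes its logs and the cached
# resolver list, and talks to the network; nothing else.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
# log_file / nx_log file and cache_file directories from dnscrypt-proxy.toml.
ReadWritePaths=/var/log/dnscrypt-proxy /var/cache/dnscrypt-proxy

[Install]
WantedBy=multi-user.target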
# /etc/dnscrypt-proxy/dnscrypt-proxy.toml

## Loopback listeners only; dnsmasq forwards to 127.0.0.1#53001.
listen_addresses = ['127.0.0.1:53001', '[::1]:53001']
max_clients = 250

## Upstream selection: IPv4 transport only, DNSCrypt and DoH resolvers, and
## only those that validate DNSSEC, keep no logs and do not filter.
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true
require_dnssec = true
require_nolog = true
require_nofilter = true

## Transport and timing
force_tcp = false
timeout = 2500  # ms
keepalive = 30  # s
cert_refresh_delay = 240  # minutes
netprobe_timeout = 30  # s
# Plain-DNS resolver used only for bootstrapping when the system resolver is
# unusable. NOTE(review): newer dnscrypt-proxy releases spell this key
# `bootstrap_resolvers`; check the example config of the deployed version.
fallback_resolver = '9.9.9.9:53'
ignore_system_dns = false
block_ipv6 = false

log_file = '/var/log/dnscrypt-proxy/dnscrypt-proxy.log'

## Cache (TTL bounds in seconds)
cache = true
cache_size = 512
cache_min_ttl = 600
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600

[query_log]
# Query logging is off (it would record every name every client looks up).
# To enable it the key is `file`, as in [nx_log] below.
# file = '/var/log/dnscrypt-proxy/query.log'
format = 'tsv'

[nx_log]
# NXDOMAIN responses are logged; presumably this records the client address and
# the requested name, so keep the log directory private.
file = '/var/log/dnscrypt-proxy/nx.log'
format = 'tsv'

[blacklist]
# log_file = '/var/log/dnscrypt-proxy/blocked.log'

[ip_blacklist]
# log_file = '/var/log/dnscrypt-proxy/ip-blocked.log'

[whitelist]
# log_file = '/var/log/dnscrypt-proxy/whitelisted.log'

## Public resolver list: downloaded from one of the URLs below, verified against
## the DNSCrypt project's minisign public key before use, and cached locally so
## the proxy can start without network access.
[sources.public-resolvers]
urls = [
    'https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md',
    'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md',
]
cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
refresh_delay = 72  # hours
prefix = ''
# /etc/dnsmasq.conf
# Never forward lookups for plain names (no dots) upstream.
domain-needed
# Answer reverse lookups for private address ranges locally instead of
# leaking them upstream.
bogus-priv
# Example of a zone served by a LAN resolver (disabled).
#server=/localnet/192.168.0.1
# Root trust anchors for local DNSSEC validation (shipped with the package).
conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
# Validate DNSSEC here rather than trusting the AD bit from upstream.
dnssec
cache-size=512
# NOTE(review): no interface or listen-address restriction is set, so dnsmasq
# uses its default of listening on every interface. If this host only resolves
# for itself, restrict it to loopback:
#listen-address=127.0.0.1
#listen-address=::1
#bind-interfaces
# Only files ending in .conf are read from the drop-in directory; a drop-in
# named without that suffix (as /etc/dnsmasq.d/dnscrypt-proxy is on this page)
# is ignored.
conf-dir=/etc/dnsmasq.d/,*.conf
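#!/bin/sh
# Provisioning for dnsmasq + dnscrypt-proxy + cloudflared. Run as root.
# Safe to re-run: existing accounts and directories are kept.
set -eu

## Install dnsmasq
apt-get install dnsmasq

## Install dnscrypt-proxy from https://github.com/DNSCrypt/dnscrypt-proxy/releases
## Copy binary to /usr/sbin
## Install cloudflared from https://github.com/cloudflare/cloudflared/releases
## or https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation
## Copy binary to /usr/sbin

# Unprivileged system account (no home, no login shell) for each daemon; the
# `id` guard keeps the script re-runnable under set -e.
id cloudflared >/dev/null 2>&1 || useradd -s /usr/sbin/nologin -r -M cloudflared
# install -d creates, owns and chmods in one step (portable user:group form).
# 0750: the log can contain queried names, so only the service account and
# root may read it.
install -d -o cloudflared -g cloudflared -m 0750 /var/log/cloudflared
systemctl enable cloudflared

id dnscrypt-proxy >/dev/null 2>&1 || useradd -s /usr/sbin/nologin -r -M dnscrypt-proxy
install -d -o dnscrypt-proxy -g dnscrypt-proxy -m 0750 /var/log/dnscrypt-proxy
# Resolver-list cache written by dnscrypt-proxy (cache_file in its config).
install -d -o dnscrypt-proxy -g dnscrypt-proxy -m 0750 /var/cache/dnscrypt-proxy
systemctl enable dnscrypt-proxy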