## Installation and configuration steps

### Install cloudflared

```bash
sudo pacman -S cloudflared
```

### Create the systemd service file

```bash
sudo vim /etc/systemd/system/cloudflared.service
```

```ini
[Unit]
Description=DNS over HTTPS proxy client
Wants=network-online.target nss-lookup.target
Before=nss-lookup.target

[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DynamicUser=yes
ExecStart=/usr/bin/cloudflared proxy-dns --port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query

[Install]
WantedBy=multi-user.target
```

With `DynamicUser=yes` the proxy runs as a transient unprivileged user, and the two capability lines limit it to `CAP_NET_BIND_SERVICE`; it listens only on the local port 5053 and forwards queries to the two Cloudflare DoH upstreams.

### Start the cloudflared service

```bash
# Reload the systemd configuration
sudo systemctl daemon-reload
# Enable start at boot
sudo systemctl enable cloudflared
# Start the service now
sudo systemctl start cloudflared
# Check the service status
sudo systemctl status cloudflared
```

Confirm that the service is shown as `active (running)`.
### Configure systemd-resolved

Create the drop-in configuration directory:

```bash
sudo mkdir -p /etc/systemd/resolved.conf.d
```

Create the configuration file:

```bash
sudo vim /etc/systemd/resolved.conf.d/cloudflare-doh.conf
```

```ini
[Resolve]
DNS=127.0.0.1:5053
FallbackDNS=1.1.1.1 1.0.0.1
DNSOverTLS=no
Domains=~.
```

`DNSOverTLS=no` is intentional: the hop from systemd-resolved to cloudflared stays on loopback, and the encryption towards Cloudflare is done by cloudflared over HTTPS. `Domains=~.` routes lookups for all domains to this server.

Restart systemd-resolved:

```bash
sudo systemctl restart systemd-resolved
```
## Verifying the configuration

### Check that cloudflared is listening on its port

```bash
sudo ss -tulpn | grep 5053
```

You should see output similar to:

```
udp UNCONN 0 0 127.0.0.1:5053 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:5053 0.0.0.0:*
```

Both sockets are bound to 127.0.0.1, so the proxy is reachable only from this host.

### View the DNS configuration status

```bash
resolvectl status
```

You should see:

```
Global
DNS Servers: 127.0.0.1:5053
Fallback DNS Servers: 1.1.1.1 1.0.0.1
DNS Domain: ~.
```

### Test DNS resolution

```bash
# Test an ordinary domain
resolvectl query google.com
# Test Cloudflare
resolvectl query cloudflare.com
# Test a Tailscale domain
resolvectl query something.tail4ef8f.ts.net
```

### View the complete merged configuration

```bash
systemd-analyze cat-config systemd/resolved.conf
```
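As an added example (not part of the original post), the shell functions below turn the two manual checks above into assertions you can run offline or against live command output: one parses `ss -tulpn` output and fails if the proxy is bound to anything other than loopback, the other parses `resolvectl status` output and fails unless all lookups (`~.`) are routed to 127.0.0.1:5053. The `SAMPLE_*` strings are constructed inputs, not captured from a real host.

```shell
#!/bin/sh
# Added example: offline sanity checks for the cloudflared + systemd-resolved
# setup. Each function takes command output as its only argument, e.g.
#   check_listener "$(sudo ss -tulpn)" && check_resolved "$(resolvectl status)"
# The SAMPLE_* strings below are constructed test inputs, not real output.

# 0 = cloudflared listens on 127.0.0.1:5053 for both UDP and TCP,
# 2 = it is bound to a non-loopback address (reachable from other hosts),
# 1 = the loopback listener is missing.
check_listener() {
  printf '%s\n' "$1" | grep -Eq '[[:space:]](0\.0\.0\.0|\*|\[::\]):5053[[:space:]]' && return 2
  printf '%s\n' "$1" | grep -Eq '^udp[[:space:]]+UNCONN.*[[:space:]]127\.0\.0\.1:5053[[:space:]]' || return 1
  printf '%s\n' "$1" | grep -Eq '^tcp[[:space:]]+LISTEN.*[[:space:]]127\.0\.0\.1:5053[[:space:]]' || return 1
  return 0
}

# 0 = the global DNS server is 127.0.0.1:5053 and every domain (~.) is routed
# to it, 1 = some other resolver would receive (plaintext) queries.
check_resolved() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*DNS Servers:[[:space:]]+127\.0\.0\.1:5053([[:space:]]|$)' || return 1
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*DNS Domain:[[:space:]]+~\.([[:space:]]|$)' || return 1
  return 0
}

# Constructed samples in the shape of `ss -tulpn` and `resolvectl status` output.
SAMPLE_SS_OK='udp   UNCONN 0 0    127.0.0.1:5053 0.0.0.0:* users:(("cloudflared",pid=1234,fd=7))
tcp   LISTEN 0 4096 127.0.0.1:5053 0.0.0.0:* users:(("cloudflared",pid=1234,fd=8))'
SAMPLE_SS_EXPOSED='udp   UNCONN 0 0    0.0.0.0:5053   0.0.0.0:* users:(("cloudflared",pid=1234,fd=7))
tcp   LISTEN 0 4096 0.0.0.0:5053   0.0.0.0:* users:(("cloudflared",pid=1234,fd=8))'
SAMPLE_RESOLVED_OK='Global
       Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
     DNS Servers: 127.0.0.1:5053
Fallback DNS Servers: 1.1.1.1 1.0.0.1
      DNS Domain: ~.'
SAMPLE_RESOLVED_BAD='Global
     DNS Servers: 192.168.1.1
      DNS Domain: ~.'
```

Run `check_listener "$SAMPLE_SS_EXPOSED"; echo $?` to see the non-loopback case reported as 2.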
### Verify DoH in the browser

Check that the page shows:

- Using DNS over HTTPS (DoH): Yes ✓
- Connected to: 1.1.1.1
## Viewing service logs (optional)

### cloudflared logs

```bash
# Show the last 50 log entries
sudo journalctl -u cloudflared -n 50
# Follow the log in real time
sudo journalctl -u cloudflared -f
```

### systemd-resolved logs

```bash
sudo journalctl -u systemd-resolved -n 50
```
## Troubleshooting

### The cloudflared service will not start

Steps:

```bash
# Show detailed error messages
sudo journalctl -u cloudflared -n 50 --no-pager
# Check whether the port is already in use
sudo ss -tulpn | grep 5053
# Run cloudflared manually
sudo cloudflared proxy-dns --port 5053 --upstream https://1.1.1.1/dns-query
```

Common causes:

- Port 5053 is already in use
- Network connectivity problems

### DNS resolution does not work

Steps:

```bash
# Check the status of both services
systemctl status cloudflared
systemctl status systemd-resolved
# Check the listening ports
sudo ss -tulpn | grep -E ':(53|5053)'
# Test local DNS
resolvectl query example.com
```

Fix:

```bash
# Restart the services
sudo systemctl restart cloudflared
sudo systemctl restart systemd-resolved
# Flush the DNS cache
resolvectl flush-caches
```

### Tailscale domains cannot be resolved

Check the Tailscale interface:

```bash
resolvectl status tailscale0
```

Tailscale should configure its own DNS automatically. If there is a problem:

```bash
# Restart Tailscale
sudo systemctl restart tailscaled
# Restart systemd-resolved
sudo systemctl restart systemd-resolved
```
## Performance tuning (optional)

### Adjust DNS caching

Edit the configuration:

```bash
sudo vim /etc/systemd/resolved.conf.d/cloudflare-doh.conf
```

Add the cache settings:

```ini
[Resolve]
DNS=127.0.0.1:5053
FallbackDNS=1.1.1.1 1.0.0.1
DNSOverTLS=no
Domains=~.
Cache=yes
CacheFromLocalhost=yes
```

Restart the service:

```bash
sudo systemctl restart systemd-resolved
```
## Removing the configuration

To restore the default configuration:

```bash
# Stop and disable cloudflared
sudo systemctl stop cloudflared
sudo systemctl disable cloudflared
# Remove the service file
sudo rm /etc/systemd/system/cloudflared.service
# Remove the resolved drop-in
sudo rm /etc/systemd/resolved.conf.d/cloudflare-doh.conf
# Reload systemd
sudo systemctl daemon-reload
# Restart systemd-resolved
sudo systemctl restart systemd-resolved
# Verify that the defaults are back
resolvectl status
```
## Summary of configuration file locations

| File/directory | Purpose |
|---|---|
| /etc/systemd/system/cloudflared.service | cloudflared service unit |
| /etc/systemd/resolved.conf.d/cloudflare-doh.conf | systemd-resolved DNS configuration |
| /etc/systemd/resolved.conf | main configuration file (unchanged) |
| /etc/resolv.conf | symlink (no change needed) |
## How it works

```
Application
    ↓
systemd-resolved (127.0.0.53:53)
    ↓
cloudflared (127.0.0.1:5053)
    ↓
Cloudflare DoH (HTTPS encrypted)
    ↓
1.1.1.1 / 1.0.0.1
```