Setting up Pi-hole

Heads up if you use Pi-hole with DNS-over-HTTPS via cloudflared.

Cloudflare have removed the old cloudflared proxy-dns feature from newer versions of cloudflared. If your Pi-hole is configured to forward DNS to 127.0.0.1#5053, and cloudflared updates to a new version, DNS can partially break.

The awkward bit is that Pi-hole may still look healthy. The dashboard can still show queries, blocked domains, active clients, and normal-looking graphs, because Pi-hole is still receiving requests and can still block domains locally. But normal allowed lookups may fail or time out because Pi-hole is forwarding them to cloudflared on port 5053, and cloudflared is no longer running that service.

Quick checks:

On the Pi-hole, run:

grep -n "^PIHOLE_DNS" /etc/pihole/setupVars.conf

If you see:

127.0.0.1#5053

then check whether anything is listening there:

sudo ss -lntup | grep ':5053'

If nothing is listening, DNS-over-HTTPS is broken and Pi-hole’s upstream resolver is dead.

Also check:

systemctl status cloudflared --no-pager

If the log says DNS Proxy is no longer supported since version 2026.2.0, that’s the problem.

The simplest fix is to stop using cloudflared for Pi-hole DNS and set Pi-hole back to normal upstream DNS servers such as Google, Quad9, Cloudflare, OpenDNS, etc. In the Pi-hole web interface, go to Settings → DNS, remove 127.0.0.1#5053, choose normal upstream DNS servers, save, then disable cloudflared:

sudo systemctl disable --now cloudflared

Then test:

dig @PIHOLE_IP google.com

If that returns an answer instead of timing out, it’s fixed.


Thanks to chatgpt for helping me find this (and writing that summary above).
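A scripted version of the checks in the post above, added here as an example (it is not part of the original post): it pulls the upstreams out of setupVars.conf, looks for a listener on port 5053 in `ss -lntup` output, and reports the dead-upstream case the post describes. It assumes the Pi-hole v5 file layout, i.e. PIHOLE_DNS_n= lines in /etc/pihole/setupVars.conf; Pi-hole v6 keeps upstreams in /etc/pihole/pihole.toml instead, and on a Docker install the same commands would be run inside the container with `docker exec`. Run with no arguments it works on constructed sample data; `--live` runs the real checks on the host.

```shell
#!/bin/sh
# Added example (not from the original post): scripted version of the
# "is cloudflared still serving 127.0.0.1#5053?" checks.
# Assumes Pi-hole v5 layout: upstreams are PIHOLE_DNS_n= lines in
# /etc/pihole/setupVars.conf. Pi-hole v6 stores them in
# /etc/pihole/pihole.toml (dns.upstreams) instead; adjust the path and grep.
# On a Docker install, run the same commands inside the container with
# `docker exec <container> ...`.

# Print the configured upstream servers from the setupVars file given as $1.
upstreams_from_setupvars() {
  grep -E '^PIHOLE_DNS_[0-9]+=' "$1" 2>/dev/null | cut -d= -f2-
}

# Exit 0 if any upstream is the local cloudflared DoH proxy on port 5053.
uses_local_doh_proxy() {
  upstreams_from_setupvars "$1" | grep -qx '127.0.0.1#5053'
}

# Read `ss -lntup` output on stdin; exit 0 if something listens on port 5053.
port_5053_listening() {
  grep -q ':5053[[:space:]]'
}

# Combine the checks. $1 = setupVars path, $2 = captured `ss -lntup` text.
# Exit 0 when forwarding looks sane; exit 1 for the failure the post
# describes: upstream is 127.0.0.1#5053 but nothing is listening there.
diagnose() {
  if ! uses_local_doh_proxy "$1"; then
    echo "OK: Pi-hole does not forward to 127.0.0.1#5053"
    return 0
  fi
  if printf '%s\n' "$2" | port_5053_listening; then
    echo "OK: 127.0.0.1#5053 is an upstream and something is listening there"
    return 0
  fi
  echo "BROKEN: upstream is 127.0.0.1#5053 but nothing listens on port 5053."
  echo "        Blocked domains still answer locally; allowed lookups will time out."
  return 1
}

# Live check on the host itself (run as root so ss can show process names).
check_live() {
  if diagnose /etc/pihole/setupVars.conf "$(ss -lntup 2>/dev/null)"; then
    return 0
  fi
  # Confirm the cause in cloudflared's own log, as the post suggests.
  journalctl -u cloudflared --no-pager -n 50 2>/dev/null | grep -i 'no longer supported' || true
  return 1
}

# After switching upstreams, prove resolution end to end through Pi-hole ($1).
resolves_via() {
  dig @"$1" "${2:-google.com}" +time=3 +tries=1 +short | grep -q .
}

# Demo on constructed data: a Pi-hole pointed at cloudflared, with nothing
# listening on 5053 (the dashboard would still look healthy in this state).
demo() {
  conf=$(mktemp)
  printf 'PIHOLE_INTERFACE=eth0\nPIHOLE_DNS_1=127.0.0.1#5053\n' > "$conf"
  ss_out='udp   UNCONN 0  0   0.0.0.0:53   0.0.0.0:*   users:(("pihole-FTL",pid=812,fd=4))'
  diagnose "$conf" "$ss_out"
  rm -f "$conf"
}

case "${1:-}" in
  --live) check_live ;;
  *) demo ;;
esac
```

Once the upstreams have been changed in Settings → DNS and cloudflared disabled, `resolves_via 127.0.0.1` (or the Pi-hole's LAN address) is the scripted equivalent of the `dig` test at the end of the post.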
I run pihole on a docker container, how do i do the above?
 
You'd know if you've set up cloudflared, but to be sure, using the web interface for Pi-hole, just go to settings/DNS and make sure you don't have a custom server set as an upstream DNS server.
 