From cad757a8e230404134516e19beb90b82a6463e43 Mon Sep 17 00:00:00 2001
From: nuclearcat
Date: Mon, 24 Mar 2025 00:03:05 +0000
Subject: [PATCH] Add dns-over-https.md
---
dns-over-https.md | 88 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 88 insertions(+)
create mode 100644 dns-over-https.md
diff --git a/dns-over-https.md b/dns-over-https.md
new file mode 100644
index 0000000..b932af0
--- /dev/null
+++ b/dns-over-https.md
@@ -0,0 +1,88 @@
+# DoH Server
+
+# Note!
+
+This setup verified partially only. It is slightly better than blocking, but likely DOH clients will refuse to work due certificate mismatch.
+
+# Installing/updating unbound
+
+1. Update typical docker image `docker pull alpinelinux/unbound`
+2. You might beed to do in some cases `docker-compose build --no-cache` in directory of unbound docker-compose.yml
+3. Generate certificates, same directory where unbound.conf is located
+
+```bash
+openssl genrsa -out key.pem 4096
+openssl req -new -x509 -key key.pem -out cert.pem -days 3650 \
+ -subj "/C=US/ST=State/L=City/O=Organization/CN=spinesystems.solutions"
+```
+4. Add the following to unbound.conf to `server:` section
+
+```
+server:
+ ...
+ interface: 0.0.0.0@443
+ tls-service-key: "/etc/unbound/key.pem"
+ tls-service-pem: "/etc/unbound/cert.pem"
+```
+
+5. Run the container `docker-compose up -d`
+
+Your unbound ready now to accept DoH requests on port 443
+
+## IPTables on nat/pppoe
+
+
+```
+ipset create dohservers hash:net family inet
+
+# Cloudflare DNS (1.1.1.1, 1.0.0.1)
+ipset add dohservers 1.1.1.1/32
+ipset add dohservers 1.0.0.1/32
+#ipset add dohservers 2606:4700:4700::1111/128
+#ipset add dohservers 2606:4700:4700::1001/128
+
+# Google DNS (8.8.8.8, 8.8.4.4)
+ipset add dohservers 8.8.8.8/32
+ipset add dohservers 8.8.4.4/32
+#ipset add dohservers 2001:4860:4860::8888/128
+#ipset add dohservers 2001:4860:4860::8844/128
+
+# Quad9 DNS (9.9.9.9, 149.112.112.112)
+ipset add dohservers 9.9.9.9/32
+ipset add dohservers 149.112.112.112/32
+#ipset add dohservers 2620:fe::fe/128
+#ipset add dohservers 2620:fe::9/128
+
+# NextDNS (45.90.28.0 - 45.90.31.255)
+ipset add dohservers 45.90.28.0/22
+#ipset add dohservers 2a07:a8c0::/29
+
+# AdGuard DNS (94.140.14.14, 94.140.15.15)
+ipset add dohservers 94.140.14.14/32
+ipset add dohservers 94.140.15.15/32
+#ipset add dohservers 2a10:50c0::ad1:ff/128
+#ipset add dohservers 2a10:50c0::ad2:ff/128
+
+# OpenDNS (Cisco Umbrella) (208.67.222.222, 208.67.220.220)
+ipset add dohservers 208.67.222.222/32
+ipset add dohservers 208.67.220.220/32
+#ipset add dohservers 2620:119:35::35/128
+#ipset add dohservers 2620:119:53::53/128
+
+# DNS.SB (185.222.222.222, 185.184.222.222)
+ipset add dohservers 185.222.222.222/32
+ipset add dohservers 185.184.222.222/32
+#ipset add dohservers 2a09::/32
+
+# cloudflare-dns.com
+dig +short cloudflare-dns.com A | xargs -n1 ipset add dohservers
+# dns.google
+dig +short dns.google A | xargs -n1 ipset add dohservers
+# dns9.quad9.net
+dig +short dns9.quad9.net A | xargs -n1 ipset add dohservers
+
+
+# Here goes other ipset stuff and maybe iptables rules...
+
+iptables -t nat -A PREROUTING -p tcp --dport 53 -m set --match-set dohservers dst -j DNAT --to-destination 10.0.100.6:443
+```
\ No newline at end of file
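Review bot: The DNAT rule that closes the iptables block matches `--dport 53`, so it never sees DoH traffic at all: DoH is HTTPS on TCP/443 (and DoT is TCP/853), so a DoH client reaches the listed resolvers untouched, while ordinary DNS-over-TCP to those same addresses is rewritten to an HTTPS listener and simply breaks. The port that matches the file's stated intent is `iptables -t nat -A PREROUTING -p tcp --dport 443 -m set --match-set dohservers dst -j DNAT --to-destination 10.0.100.6:443`, with a second rule for 853 if DoT is meant to be covered too. As the "Note!" at the top already concedes, clients validate the resolver certificate against the hostname they were configured with, so the self-signed cert with `CN=spinesystems.solutions` will fail that check and clients will refuse or fall back; a `REJECT` in the filter table for the set on 443/853 is the honest control, and the DNAT should be presented as an interception proxy that only works for clients to which you have distributed the CA. The `dig +short <name> A | xargs -n1 ipset add dohservers` pipelines will also hand a CNAME alias line to `ipset add` if any of those names resolve through a CNAME, which aborts the script under `set -e`; filtering with `grep -E '^[0-9.]+$'` before `xargs` avoids that. Finally, the IPv6 entries are all commented out and the set is `family inet`, so dual-stack clients will reach the same resolvers over v6 unless a matching `inet6` set and `ip6tables` rule are added — worth stating in the text if v6 is deliberately out of scope.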