forked from spinesystemspublic/documentation
Add dns-over-https.md
@@ -0,0 +1,88 @@
# DoH Server

# Note!

This setup verified partially only. It is slightly better than blocking, but likely DOH clients will refuse to work due certificate mismatch.

# Installing/updating unbound

1. Update typical docker image `docker pull alpinelinux/unbound`
2. You might beed to do in some cases `docker-compose build --no-cache` in directory of unbound docker-compose.yml
3. Generate certificates, same directory where unbound.conf is located

```bash
openssl genrsa -out key.pem 4096
openssl req -new -x509 -key key.pem -out cert.pem -days 3650 \
-subj "/C=US/ST=State/L=City/O=Organization/CN=spinesystems.solutions"
```
4. Add the following to unbound.conf to `server:` section

```
server:
...
interface: 0.0.0.0@443
tls-service-key: "/etc/unbound/key.pem"
tls-service-pem: "/etc/unbound/cert.pem"
```

5. Run the container `docker-compose up -d`

Your unbound ready now to accept DoH requests on port 443

## IPTables on nat/pppoe


```
ipset create dohservers hash:net family inet

# Cloudflare DNS (1.1.1.1, 1.0.0.1)
ipset add dohservers 1.1.1.1/32
ipset add dohservers 1.0.0.1/32
#ipset add dohservers 2606:4700:4700::1111/128
#ipset add dohservers 2606:4700:4700::1001/128

# Google DNS (8.8.8.8, 8.8.4.4)
ipset add dohservers 8.8.8.8/32
ipset add dohservers 8.8.4.4/32
#ipset add dohservers 2001:4860:4860::8888/128
#ipset add dohservers 2001:4860:4860::8844/128

# Quad9 DNS (9.9.9.9, 149.112.112.112)
ipset add dohservers 9.9.9.9/32
ipset add dohservers 149.112.112.112/32
#ipset add dohservers 2620:fe::fe/128
#ipset add dohservers 2620:fe::9/128

# NextDNS (45.90.28.0 - 45.90.31.255)
ipset add dohservers 45.90.28.0/22
#ipset add dohservers 2a07:a8c0::/29

# AdGuard DNS (94.140.14.14, 94.140.15.15)
ipset add dohservers 94.140.14.14/32
ipset add dohservers 94.140.15.15/32
#ipset add dohservers 2a10:50c0::ad1:ff/128
#ipset add dohservers 2a10:50c0::ad2:ff/128

# OpenDNS (Cisco Umbrella) (208.67.222.222, 208.67.220.220)
ipset add dohservers 208.67.222.222/32
ipset add dohservers 208.67.220.220/32
#ipset add dohservers 2620:119:35::35/128
#ipset add dohservers 2620:119:53::53/128

# DNS.SB (185.222.222.222, 185.184.222.222)
ipset add dohservers 185.222.222.222/32
ipset add dohservers 185.184.222.222/32
#ipset add dohservers 2a09::/32

# cloudflare-dns.com
dig +short cloudflare-dns.com A | xargs -n1 ipset add dohservers
# dns.google
dig +short dns.google A | xargs -n1 ipset add dohservers
# dns9.quad9.net
dig +short dns9.quad9.net A | xargs -n1 ipset add dohservers


# Here goes other ipset stuff and maybe iptables rules...

iptables -t nat -A PREROUTING -p tcp --dport 53 -m set --match-set dohservers dst -j DNAT --to-destination 10.0.100.6:443
```
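Review bot: the DNAT rule at the end of the hunk matches `--dport 53`, but DoH traffic to the resolvers in the `dohservers` set goes to TCP 443, so this rule never sees a DoH query; what it does catch is plain DNS on port 53 to those addresses, which it then sends to the TLS listener configured earlier (`interface: 0.0.0.0@443` with `tls-service-key`/`tls-service-pem`), where a plaintext query cannot complete a handshake. Either match `--dport 443` (the case the `# Note!` about certificate mismatch is describing) or send port 53 traffic to a plain-DNS listener on the unbound host, e.g. `--to-destination 10.0.100.6:53`. Smaller points: the `ipset add` lines abort on a re-run of the script unless written as `ipset add -exist dohservers 1.1.1.1/32`; the `dig +short ... | xargs -n1 ipset add` lines pass through any CNAME line `dig` prints, which `ipset add` rejects, so filtering to addresses before `xargs` is safer; step 2 has a typo ("beed" for "need"); and steps 3 and 4 should state that key.pem and cert.pem must be mounted into the container at /etc/unbound for the `tls-service-*` paths to resolve.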