# DoH Server

**Note!** This setup has been verified only partially. It is slightly better than plain blocking, but DoH clients will most likely refuse to work because of the certificate mismatch: the certificate generated below is self-signed and is not issued for the resolver names the clients expect.

## Installing/updating unbound

1. Update the usual Docker image: `docker pull alpinelinux/unbound`
2. In some cases you might need to run `docker-compose build --no-cache` in the directory that holds the unbound `docker-compose.yml`
3. Generate the key and certificate in the same directory where `unbound.conf` is located:

   ```bash
   openssl genrsa -out key.pem 4096
   openssl req -new -x509 -key key.pem -out cert.pem -days 3650 \
     -subj "/C=US/ST=State/L=City/O=Organization/CN=spinesystems.solutions"
   ```

4. Add the following to the `server:` section of `unbound.conf`:

   ```
   server:
       ...
       # unbound's https-port defaults to 443, so a listener on 443 serves DoH
       interface: 0.0.0.0@443
       tls-service-key: "/etc/unbound/key.pem"
       tls-service-pem: "/etc/unbound/cert.pem"
   ```

5. Run the container: `docker-compose up -d`

Your unbound is now ready to accept DoH requests on port 443.

## IPTables on nat/pppoe

```bash
# The set is family inet, so it can hold IPv4 prefixes only. The IPv6 entries
# are left commented out; they would need a separate inet6 set and an ip6tables rule.
ipset create dohservers hash:net family inet

# Cloudflare DNS (1.1.1.1, 1.0.0.1)
ipset add dohservers 1.1.1.1/32
ipset add dohservers 1.0.0.1/32
#ipset add dohservers 2606:4700:4700::1111/128
#ipset add dohservers 2606:4700:4700::1001/128

# Google DNS (8.8.8.8, 8.8.4.4)
ipset add dohservers 8.8.8.8/32
ipset add dohservers 8.8.4.4/32
#ipset add dohservers 2001:4860:4860::8888/128
#ipset add dohservers 2001:4860:4860::8844/128

# Quad9 DNS (9.9.9.9, 149.112.112.112)
ipset add dohservers 9.9.9.9/32
ipset add dohservers 149.112.112.112/32
#ipset add dohservers 2620:fe::fe/128
#ipset add dohservers 2620:fe::9/128

# NextDNS (45.90.28.0 - 45.90.31.255)
ipset add dohservers 45.90.28.0/22
#ipset add dohservers 2a07:a8c0::/29

# AdGuard DNS (94.140.14.14, 94.140.15.15)
ipset add dohservers 94.140.14.14/32
ipset add dohservers 94.140.15.15/32
#ipset add dohservers 2a10:50c0::ad1:ff/128
#ipset add dohservers 2a10:50c0::ad2:ff/128

# OpenDNS (Cisco Umbrella) (208.67.222.222, 208.67.220.220)
ipset add dohservers 208.67.222.222/32
ipset add dohservers 208.67.220.220/32
#ipset add dohservers 2620:119:35::35/128
#ipset add dohservers 2620:119:53::53/128

# DNS.SB (185.222.222.222, 185.184.222.222)
ipset add dohservers 185.222.222.222/32
ipset add dohservers 185.184.222.222/32
#ipset add dohservers 2a09::/32

# Resolved at run time. -exist keeps ipset quiet when dig returns an address
# that is already in the set (dns.google and dns9.quad9.net do).
# cloudflare-dns.com
dig +short cloudflare-dns.com A | xargs -n1 ipset -exist add dohservers
# dns.google
dig +short dns.google A | xargs -n1 ipset -exist add dohservers
# dns9.quad9.net
dig +short dns9.quad9.net A | xargs -n1 ipset -exist add dohservers

# Here goes other ipset stuff and maybe iptables rules...

# DoH is HTTPS, so match tcp/443 towards the known resolvers and send it to the
# local unbound DoH listener, which is also on 443.
iptables -t nat -A PREROUTING -p tcp --dport 443 -m set --match-set dohservers dst -j DNAT --to-destination 10.0.100.6:443
```
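The following is an added example, not code from the original page: it reproduces the ipset/DNAT match in Python so you can see, for a handful of constructed connection records, which flows the redirect above actually catches and which slip past it (UDP, plain port 53, and the IPv6 resolver addresses that the `family inet` set cannot hold). It also builds the RFC 8484 GET URL a client sends, which is handy for checking the local listener with an HTTP/2-capable client such as curl. `10.0.100.6` is the DNAT target from the page; the client addresses and the `/dns-query` path (unbound's default `http-endpoint`) are assumptions.

```python
"""Mirror the dohservers ipset + DNAT rule, and build a DoH GET URL (added example)."""
import base64
import ipaddress
import struct

# Prefixes copied from the ipset script, including its commented-out IPv6 entries.
RESOLVER_NETS = [
    "1.1.1.1/32", "1.0.0.1/32", "2606:4700:4700::1111/128", "2606:4700:4700::1001/128",
    "8.8.8.8/32", "8.8.4.4/32", "2001:4860:4860::8888/128", "2001:4860:4860::8844/128",
    "9.9.9.9/32", "149.112.112.112/32", "2620:fe::fe/128", "2620:fe::9/128",
    "45.90.28.0/22", "2a07:a8c0::/29",
    "94.140.14.14/32", "94.140.15.15/32", "2a10:50c0::ad1:ff/128", "2a10:50c0::ad2:ff/128",
    "208.67.222.222/32", "208.67.220.220/32", "2620:119:35::35/128", "2620:119:53::53/128",
    "185.222.222.222/32", "185.184.222.222/32", "2a09::/32",
]
LOCAL_DOH = "10.0.100.6"  # DNAT target from the page
DOH_PORT = 443            # DoH is HTTPS; also the port of the unbound listener


def split_by_family(nets=RESOLVER_NETS):
    """Sort prefixes into the two ipset sets they would need: `family inet`
    (the page's dohservers set) and `family inet6` (not created on the page)."""
    v4, v6 = [], []
    for n in nets:
        net = ipaddress.ip_network(n)  # raises ValueError on a malformed prefix
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6


def classify_flow(proto, dst_ip, dst_port):
    """Mirror `-p tcp --dport 443 -m set --match-set dohservers dst -j DNAT`."""
    ip = ipaddress.ip_address(dst_ip)
    v4, v6 = split_by_family()
    if proto != "tcp" or dst_port != DOH_PORT:
        return "PASS_NOT_TCP443"  # plain DNS on 53, or DoH over QUIC on udp/443
    if ip.version == 6:
        # The inet set cannot hold these and the page has no ip6tables rule.
        return "PASS_IPV6_UNCOVERED" if any(ip in n for n in v6) else "PASS_UNKNOWN_DST"
    return "REDIRECT" if any(ip in n for n in v4) else "PASS_UNKNOWN_DST"


def parse_flow(line):
    """'tcp 192.168.1.20:51514 -> [2606:4700:4700::1111]:443' -> (proto, dst_ip, dst_port)."""
    proto, _src, _arrow, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return proto, host.strip("[]"), int(port)


SAMPLE_FLOWS = [  # constructed records, not real logs
    "tcp 192.168.1.20:51514 -> 1.1.1.1:443",
    "tcp 192.168.1.20:51520 -> 45.90.29.77:443",
    "udp 192.168.1.20:40000 -> 1.1.1.1:443",
    "tcp 192.168.1.20:51530 -> 198.51.100.10:443",
    "tcp [2001:db8::20]:51540 -> [2606:4700:4700::1111]:443",
    "tcp 192.168.1.20:51550 -> 8.8.8.8:53",
]


def classify_all(lines=SAMPLE_FLOWS):
    return {line: classify_flow(*parse_flow(line)) for line in lines}


def build_dns_query(name, qtype=1):
    """Minimal DNS query in wire format: ID 0 (RFC 8484 recommends it for GET so
    responses are cacheable), RD set, one question of class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(host, name, path="/dns-query"):
    """RFC 8484 GET form: the message goes base64url-encoded, padding stripped,
    in the `dns` query parameter. /dns-query is unbound's default http-endpoint."""
    dns = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=").decode("ascii")
    return f"https://{host}{path}?dns={dns}"


if __name__ == "__main__":
    for line, verdict in classify_all().items():
        print(f"{verdict:20} {line}")
    # unbound serves DoH over HTTP/2 only, so send this with curl, e.g.
    #   curl --cacert cert.pem -H 'accept: application/dns-message' "<url>"
    # Verification fails unless the CN matches the host you connect to: that is
    # the certificate mismatch the note at the top refers to.
    print(doh_get_url(LOCAL_DOH, "example.com"))
```

Running it prints one verdict per flow; the IPv6 and UDP cases are the gaps a defender would want to close (an inet6 set plus an ip6tables rule, and a decision on udp/443) before relying on the redirect.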