documentation/dns-over-https.md
2025-03-24 00:03:31 +00:00

# DoH Server
## Note!
This setup has only been partially verified. It is slightly better than blocking outright, but DoH clients will most likely refuse to work because of the certificate mismatch (they expect the resolver's real certificate, not the self-signed one generated below).
## Installing/updating unbound
1. Update the Docker image: `docker pull alpinelinux/unbound`
2. In some cases you may also need to run `docker-compose build --no-cache` in the directory containing unbound's docker-compose.yml
3. Generate the key and self-signed certificate in the same directory where unbound.conf is located
```bash
openssl genrsa -out key.pem 4096
openssl req -new -x509 -key key.pem -out cert.pem -days 3650 \
-subj "/C=US/ST=State/L=City/O=Organization/CN=spinesystems.solutions"
```
4. Add the following to the `server:` section of unbound.conf
```
server:
...
# unbound serves DoH on every interface whose port matches https-port (default 443),
# so this interface becomes the DoH listener; the key/cert below are its TLS identity.
interface: 0.0.0.0@443
tls-service-key: "/etc/unbound/key.pem"
tls-service-pem: "/etc/unbound/cert.pem"
```
5. Run the container `docker-compose up -d`
Your unbound is now ready to accept DoH requests on port 443.
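Because the note above says the setup is only partially verified, here is an added Python check (not part of this document or of unbound) that builds an RFC 8484 GET request, decodes the wire-format answer, and for a live query pins the generated `cert.pem` as the only trust root with hostname checking off, since its CN will not match the address you connect to. The listener address `10.0.100.6:443` and the `cert.pem` path are assumptions taken from the rest of this page.

```python
import base64
import http.client
import ssl
import struct

def build_query(name, qtype=1):
    """Wire-format DNS query: ID 0 as RFC 8484 recommends, RD=1, one question."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def doh_get_path(query):
    """RFC 8484 GET form: base64url without '=' padding in the dns= parameter."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def _skip_name(msg, off):  # offset just past a name; a 2-byte 0xC0.. compression pointer ends it
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 else 1)
def parse_response(msg):
    """Return (rcode, list of A-record addresses) from a wire-format answer."""
    _, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    off, addrs = 12, []
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip qtype and qclass
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs

def doh_lookup(host, port, name, cafile):
    """Live check against the listener, trusting only our self-signed cert.pem."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the CN in cert.pem will not match the IP we connect to
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=5)
    conn.request("GET", doh_get_path(build_query(name)), headers={"Accept": "application/dns-message"})
    resp = conn.getresponse()
    body, ctype = resp.read(), resp.getheader("Content-Type")
    conn.close()
    if resp.status != 200 or ctype != "application/dns-message":
        raise RuntimeError("not a DoH answer: %s %s" % (resp.status, ctype))
    return parse_response(body)

# Constructed sample answer (not captured from a server): example.com A 192.0.2.1, TTL 3600
SAMPLE_RESPONSE = bytes.fromhex("000081800001000100000000" "076578616d706c6503636f6d00"
                                "00010001" "c00c0001000100000e100004c0000201")
```

Run `doh_lookup("10.0.100.6", 443, "example.com", "cert.pem")` from the unbound.conf directory; a `(0, [...])` result means the DoH listener and certificate work, while a TLS error or a non-`application/dns-message` reply points at the certificate or the listener configuration.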
## IPTables on nat/pppoe
```bash
ipset create dohservers hash:net family inet
# The IPv6 entries below are commented out because this set is family inet;
# they would need a separate inet6 set and matching ip6tables rules.
# Cloudflare DNS (1.1.1.1, 1.0.0.1)
ipset add dohservers 1.1.1.1/32
ipset add dohservers 1.0.0.1/32
#ipset add dohservers 2606:4700:4700::1111/128
#ipset add dohservers 2606:4700:4700::1001/128
# Google DNS (8.8.8.8, 8.8.4.4)
ipset add dohservers 8.8.8.8/32
ipset add dohservers 8.8.4.4/32
#ipset add dohservers 2001:4860:4860::8888/128
#ipset add dohservers 2001:4860:4860::8844/128
# Quad9 DNS (9.9.9.9, 149.112.112.112)
ipset add dohservers 9.9.9.9/32
ipset add dohservers 149.112.112.112/32
#ipset add dohservers 2620:fe::fe/128
#ipset add dohservers 2620:fe::9/128
# NextDNS (45.90.28.0 - 45.90.31.255)
ipset add dohservers 45.90.28.0/22
#ipset add dohservers 2a07:a8c0::/29
# AdGuard DNS (94.140.14.14, 94.140.15.15)
ipset add dohservers 94.140.14.14/32
ipset add dohservers 94.140.15.15/32
#ipset add dohservers 2a10:50c0::ad1:ff/128
#ipset add dohservers 2a10:50c0::ad2:ff/128
# OpenDNS (Cisco Umbrella) (208.67.222.222, 208.67.220.220)
ipset add dohservers 208.67.222.222/32
ipset add dohservers 208.67.220.220/32
#ipset add dohservers 2620:119:35::35/128
#ipset add dohservers 2620:119:53::53/128
# DNS.SB (185.222.222.222, 185.184.222.222)
ipset add dohservers 185.222.222.222/32
ipset add dohservers 185.184.222.222/32
#ipset add dohservers 2a09::/32
# cloudflare-dns.com
dig +short cloudflare-dns.com A | xargs -n1 ipset add dohservers
# dns.google
dig +short dns.google A | xargs -n1 ipset add dohservers
# dns9.quad9.net
dig +short dns9.quad9.net A | xargs -n1 ipset add dohservers
# Here goes other ipset stuff and maybe iptables rules...
# DoH is HTTPS, so match TCP 443 towards the listed resolvers and DNAT it to the unbound DoH listener
iptables -t nat -A PREROUTING -p tcp --dport 443 -m set --match-set dohservers dst -j DNAT --to-destination 10.0.100.6:443
```