documentation/dns-over-https.md
2025-03-28 09:39:40 +00:00

# DoH Server

**Note!**

This setup has been verified only partially. It is slightly better than blocking, but DoH clients will likely refuse to work due to the certificate mismatch.

## Installing/updating unbound

1. Update the typical docker image: `docker pull alpinelinux/unbound`
2. In some cases you might need to run `docker-compose build --no-cache` in the directory of unbound's `docker-compose.yml`
3. Generate the certificates in the same directory where `unbound.conf` is located:

   ```sh
   openssl genrsa -out key.pem 4096
   # -addext: modern TLS clients ignore the CN and require a subjectAltName
   openssl req -new -x509 -key key.pem -out cert.pem -days 3650 \
     -subj "/C=US/ST=State/L=City/O=Organization/CN=spinesystems.solutions" \
     -addext "subjectAltName=DNS:spinesystems.solutions"
   ```

4. Add the following to the `server:` section of `unbound.conf`:

   ```conf
   server:
       ...
       # unbound serves DoH on any interface whose port equals https-port
       # (default 443); this requires an unbound build with libnghttp2
       interface: 0.0.0.0@443
       tls-service-key: "/etc/unbound/key.pem"
       tls-service-pem: "/etc/unbound/cert.pem"
   ```

5. Run the container: `docker-compose up -d`

Your unbound is now ready to accept DoH requests on port 443.
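To check the listener once the container is up, here is an added example (not part of this documentation) that builds the RFC 8484 `dns=` GET parameter, prints a curl call that trusts the generated cert.pem and maps the certificate CN to unbound's address, and decodes the application/dns-message answer. It assumes unbound's default `http-endpoint` of `/dns-query` and that unbound is reachable at 10.0.100.6, the DNAT target from the iptables section; real DoH clients will not trust the self-signed certificate the way `--cacert` does here.

```python
import base64
import struct

def build_query(name, qtype=1):
    """RFC 1035 wire-format query, ID 0 (RFC 8484 suggests it for HTTP cacheability), RD set."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_param(query):
    """`dns=` GET parameter: base64url with padding stripped (RFC 8484 section 4.1)."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def curl_command(name, host="spinesystems.solutions", addr="10.0.100.6"):
    """curl call that trusts cert.pem and maps the cert's CN to the DNAT target, so the
    name check passes without -k. host/addr are assumed from the setup on this page."""
    return (f"curl -s --cacert cert.pem --resolve {host}:443:{addr} "
            f"-H 'accept: application/dns-message' "
            f"'https://{host}/dns-query?dns={doh_get_param(build_query(name))}'")

def _skip_name(buf, pos):
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length

def parse_a_records(resp):
    """IPv4 answers in an application/dns-message response; [] when RCODE != NOERROR."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F:
        return []
    pos = 12
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4          # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return answers

# Constructed sample response (not captured from a real server): NOERROR, question echoed, one A record 203.0.113.10
SAMPLE_RESPONSE = (b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   + build_query("example.com")[12:]
                   + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xcb\x00\x71\x0a")
```

Run the printed curl command and feed its raw output (e.g. `sys.stdin.buffer.read()`) to `parse_a_records` to see which addresses the unbound instance answered with.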

## IPTables on nat/pppoe

```sh
ipset create -exist dohservers hash:net family inet
ipset flush dohservers   # makes the script idempotent when re-run
# The IPv6 entries below are commented out because a `family inet` set cannot hold
# them; they would need a separate `family inet6` set and a matching ip6tables rule.

# Cloudflare DNS (1.1.1.1, 1.0.0.1)
ipset add dohservers 1.1.1.1/32
ipset add dohservers 1.0.0.1/32
#ipset add dohservers 2606:4700:4700::1111/128
#ipset add dohservers 2606:4700:4700::1001/128

# Google DNS (8.8.8.8, 8.8.4.4)
ipset add dohservers 8.8.8.8/32
ipset add dohservers 8.8.4.4/32
#ipset add dohservers 2001:4860:4860::8888/128
#ipset add dohservers 2001:4860:4860::8844/128

# Quad9 DNS (9.9.9.9, 149.112.112.112)
ipset add dohservers 9.9.9.9/32
ipset add dohservers 149.112.112.112/32
#ipset add dohservers 2620:fe::fe/128
#ipset add dohservers 2620:fe::9/128

# NextDNS (45.90.28.0 - 45.90.31.255)
ipset add dohservers 45.90.28.0/22
#ipset add dohservers 2a07:a8c0::/29

# AdGuard DNS (94.140.14.14, 94.140.15.15)
ipset add dohservers 94.140.14.14/32
ipset add dohservers 94.140.15.15/32
#ipset add dohservers 2a10:50c0::ad1:ff/128
#ipset add dohservers 2a10:50c0::ad2:ff/128

# OpenDNS (Cisco Umbrella) (208.67.222.222, 208.67.220.220)
ipset add dohservers 208.67.222.222/32
ipset add dohservers 208.67.220.220/32
#ipset add dohservers 2620:119:35::35/128
#ipset add dohservers 2620:119:53::53/128

# DNS.SB (185.222.222.222, 185.184.222.222)
ipset add dohservers 185.222.222.222/32
ipset add dohservers 185.184.222.222/32
#ipset add dohservers 2a09::/32

# Resolved at runtime. grep keeps only IPv4 addresses (dig +short may also print
# CNAME targets); -exist is needed because dns.google and dns9.quad9.net resolve
# to addresses that were already added above.
# cloudflare-dns.com
dig +short cloudflare-dns.com A | grep -E '^[0-9.]+$' | xargs -n1 ipset add -exist dohservers
# dns.google
dig +short dns.google A | grep -E '^[0-9.]+$' | xargs -n1 ipset add -exist dohservers
# dns9.quad9.net
dig +short dns9.quad9.net A | grep -E '^[0-9.]+$' | xargs -n1 ipset add -exist dohservers


# Here goes other ipset stuff and maybe iptables rules...

# Redirect TCP/443 destined for the listed resolvers to the local unbound DoH listener.
# This covers neither DoT (tcp/853) nor DoH over HTTP/3 (udp/443).
iptables -t nat -A PREROUTING -p tcp --dport 443 -m set --match-set dohservers dst -j DNAT --to-destination 10.0.100.6:443
```