
iowaguy/dnssec-serializing-server-go


DNSSEC Serializing Server

By default the server listens on ports 8080 (HTTP), 9090 (UDP) and 9091 (TCP) and returns serialized DNS resolver responses, including the DNSSEC proof, to clients.

Clients can test with the custom validating client or with plain dig commands, as follows:

$ dig @127.0.0.1 -p 9090 cloudflare.com A +dnssec # to send a UDP DNS query requiring a serialized DNS proof
$ dig @127.0.0.1 -p 9091 cloudflare.com A +dnssec +tcp # to send a TCP DNS query requiring a serialized DNS proof
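
What `+dnssec` actually puts on the wire is an EDNS0 OPT record with the DO bit set; the server has to see that bit to know the client wants the proof. The following Go program is an added example, not code from this repository: it builds the same query dig sends and checks a message for the DO bit with only the standard library. The name, id and UDP payload size are constructed values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const (
	typeA   uint16 = 1
	typeOPT uint16 = 41
	classIN uint16 = 1
	ednsDO  uint32 = 1 << 15 // DO flag: top bit of the low 16 bits of the OPT TTL field
)

func put16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }
func put32(b []byte, v uint32) []byte {
	return append(b, byte(v>>24), byte(v>>16), byte(v>>8), byte(v))
}

// encodeName turns "cloudflare.com" into DNS wire-format labels.
func encodeName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		out = append(out, byte(len(label)))
		out = append(out, label...)
	}
	return append(out, 0)
}

// BuildDNSSECQuery builds what "dig <name> <type> +dnssec" sends: a
// recursion-desired query plus an EDNS0 OPT pseudo-record whose DO bit asks
// the resolver to include RRSIG and the rest of the DNSSEC chain.
func BuildDNSSECQuery(id uint16, name string, qtype uint16) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], 0x0100) // flags: RD
	binary.BigEndian.PutUint16(msg[4:], 1)      // QDCOUNT
	binary.BigEndian.PutUint16(msg[10:], 1)     // ARCOUNT: the OPT record
	msg = append(msg, encodeName(name)...)
	msg = put16(msg, qtype)
	msg = put16(msg, classIN)
	// OPT RR: root name, TYPE 41, CLASS = UDP payload size (constructed: 4096),
	// TTL = extended RCODE | version | flags (DO), RDLENGTH 0.
	msg = append(msg, 0)
	msg = put16(msg, typeOPT)
	msg = put16(msg, 4096)
	msg = put32(msg, ednsDO)
	msg = put16(msg, 0)
	return msg
}

// skipName advances past a wire-format name (labels or a compression pointer).
func skipName(msg []byte, off int) (int, error) {
	for {
		if off >= len(msg) {
			return 0, errors.New("name runs past end of message")
		}
		l := int(msg[off])
		switch {
		case l == 0:
			return off + 1, nil
		case l&0xC0 == 0xC0:
			return off + 2, nil // compression pointer terminates the name
		default:
			off += 1 + l
		}
	}
}

// RequestsDNSSEC reports whether msg carries an OPT record in its additional
// section with the DO bit set. Every section is length-checked, so a
// truncated or malformed message yields an error rather than a panic.
func RequestsDNSSEC(msg []byte) (bool, error) {
	if len(msg) < 12 {
		return false, errors.New("message shorter than DNS header")
	}
	qd := int(binary.BigEndian.Uint16(msg[4:]))
	an := int(binary.BigEndian.Uint16(msg[6:]))
	ns := int(binary.BigEndian.Uint16(msg[8:]))
	ar := int(binary.BigEndian.Uint16(msg[10:]))
	off, err := 12, error(nil)
	for i := 0; i < qd; i++ {
		if off, err = skipName(msg, off); err != nil {
			return false, err
		}
		off += 4 // QTYPE + QCLASS
	}
	// Answer, authority and additional records share one layout.
	for i := 0; i < an+ns+ar; i++ {
		if off, err = skipName(msg, off); err != nil {
			return false, err
		}
		if off+10 > len(msg) {
			return false, errors.New("truncated resource record")
		}
		rrType := binary.BigEndian.Uint16(msg[off:])
		ttl := binary.BigEndian.Uint32(msg[off+4:])
		rdlen := int(binary.BigEndian.Uint16(msg[off+8:]))
		if off += 10 + rdlen; off > len(msg) {
			return false, errors.New("RDATA runs past end of message")
		}
		if i >= an+ns && rrType == typeOPT && ttl&ednsDO != 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	q := BuildDNSSECQuery(0x1234, "cloudflare.com", typeA)
	ok, err := RequestsDNSSEC(q)
	fmt.Printf("%d-byte query, DO bit set: %v (err=%v)\n", len(q), ok, err)
}
```

A server-side check like RequestsDNSSEC is also where you decide what to do with a query that lacks the DO bit: the client has not asked for the proof, so returning a plain answer rather than an error is the interoperable choice.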

Use the validating client to send ODoH requests. These go to the HTTP listener, which tells ODoH requests apart from other requests by their Content-Type header.
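
Dispatching on Content-Type is simple, but the checks around it (method, bounded body, unknown media types rejected before any parsing) are where a target endpoint usually goes wrong. The handler below is an added example and not this repository's code; the media type strings are the ones registered for DoH (RFC 8484) and ODoH (RFC 9230), the /dns-query path is the default named above, and the resolve callback stands in for the real DNS/ODoH processing.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Registered media types for DNS over HTTPS (RFC 8484) and Oblivious DoH (RFC 9230).
const (
	dohContentType  = "application/dns-message"
	odohContentType = "application/oblivious-dns-message"
	maxBody         = 65535 // a DNS message length field is 16 bits
)

// Kind names the branch a request is routed to.
type Kind string

const (
	KindDoH     Kind = "doh"
	KindODoH    Kind = "odoh"
	KindUnknown Kind = "unknown"
)

// ClassifyRequest picks the branch from the Content-Type header alone.
// Parameters after ';' and case differences in the media type are ignored.
func ClassifyRequest(r *http.Request) Kind {
	mediaType := strings.Split(r.Header.Get("Content-Type"), ";")[0]
	switch strings.ToLower(strings.TrimSpace(mediaType)) {
	case dohContentType:
		return KindDoH
	case odohContentType:
		return KindODoH
	default:
		return KindUnknown
	}
}

func contentTypeFor(k Kind) string {
	if k == KindODoH {
		return odohContentType
	}
	return dohContentType
}

// NewTargetHandler wraps a resolve function (the DNS/ODoH processing proper,
// supplied by the caller) with the checks that belong in front of it:
// POST only, a known media type, and a bounded, non-empty body.
func NewTargetHandler(resolve func(Kind, []byte) ([]byte, error)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			w.Header().Set("Allow", http.MethodPost)
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		kind := ClassifyRequest(r)
		if kind == KindUnknown {
			http.Error(w, "unsupported media type", http.StatusUnsupportedMediaType)
			return
		}
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBody))
		if err != nil {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		if len(body) == 0 {
			http.Error(w, "empty request body", http.StatusBadRequest)
			return
		}
		out, err := resolve(kind, body)
		if err != nil {
			http.Error(w, "resolution failed", http.StatusBadGateway)
			return
		}
		w.Header().Set("Content-Type", contentTypeFor(kind))
		w.Write(out)
	}
}

// Exercise runs one POST through the handler in memory and returns the HTTP
// status and the branch taken (KindUnknown if resolve was never reached).
func Exercise(contentType string, body []byte) (int, Kind) {
	taken := KindUnknown
	handler := NewTargetHandler(func(k Kind, b []byte) ([]byte, error) {
		taken = k
		return b, nil // stand-in resolver: echo the message back
	})
	req := httptest.NewRequest(http.MethodPost, "/dns-query", bytes.NewReader(body))
	if contentType != "" {
		req.Header.Set("Content-Type", contentType)
	}
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Code, taken
}

func main() {
	// Constructed 12-byte DNS header used as a stand-in request body.
	body := []byte{0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0}
	for _, ct := range []string{dohContentType, odohContentType, "text/plain"} {
		code, kind := Exercise(ct, body)
		fmt.Printf("%-36s -> %d %s\n", ct, code, kind)
	}
}
```

Rejecting unknown media types with 415 before reading the body keeps unrelated traffic that reaches the listener out of the DNS and ODoH decoders entirely, which is the property the Content-Type split is meant to give you.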

Local development

To run the server locally, first obtain a TLS certificate with mkcert:

$ mkcert -key-file key.pem -cert-file cert.pem 127.0.0.1 localhost

Then build and run the server as follows:

$ make all
$ CERT=cert.pem KEY=key.pem PORT=4567 ./server

By default, the proxy listens on /proxy and the target listens on /dns-query.

You may then run the corresponding client as follows:

$ ./odoh-client odoh --proxy localhost:4567 --target odoh.cloudflare-dns.com --domain cloudflare.com
;; opcode: QUERY, status: NOERROR, id: 14306
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cloudflare.com.	IN	 AAAA

;; ANSWER SECTION:
cloudflare.com.	271	IN	AAAA	2606:4700::6810:84e5
cloudflare.com.	271	IN	AAAA	2606:4700::6810:85e5

Deployment

This section describes deployment instructions for odoh-server-go.

Preconfigured deployments

Deploy to Scalingo

Manual deployment

This server can also be manually deployed on any bare metal machine, or in cloud providers such as GCP. Instructions for both follow.

Bare metal

Deployment on bare metal servers, such as Equinix, can be done by following the instructions below. These steps assume that git and go are both installed on the machine.

  1. Configure a certificate on the machine using certbot. Once complete, the output should look like the following, assuming the server's domain name is "example.com":

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/example.com/privkey.pem

     You must configure certbot to renew this certificate periodically. The simplest way to do this is a crontab entry such as:

00 00 1 * 1 certbot renew

  2. Configure two environment variables to reference these files:

$ export CERT=/etc/letsencrypt/live/example.com/fullchain.pem
$ export KEY=/etc/letsencrypt/live/example.com/privkey.pem

  3. Clone and build the server:

$ git clone git@github.com:cloudflare/odoh-server-go.git
$ cd odoh-server-go
$ go build ./...

  4. Run the server:

$ PORT=443 ./odoh-server &

This runs the server until it exits. You must configure the server to be restarted should it terminate prematurely.
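
On a systemd host the usual way to meet both requirements (the CERT/KEY/PORT environment from the steps above, and an automatic restart) is a service unit. The unit below is an added example, not part of this repository; the install path /opt/odoh-server-go, the odoh service account and the example.com certificate paths are assumptions to adjust for your machine.

```ini
# /etc/systemd/system/odoh-server.service  (path, user and install directory are assumptions)
[Unit]
Description=DNSSEC serializing ODoH server
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=odoh
Group=odoh
WorkingDirectory=/opt/odoh-server-go
# Same variables the server reads when started from a shell.
Environment=CERT=/etc/letsencrypt/live/example.com/fullchain.pem
Environment=KEY=/etc/letsencrypt/live/example.com/privkey.pem
Environment=PORT=443
ExecStart=/opt/odoh-server-go/odoh-server
# Restart on crashes; RestartSec stops a crash loop from spinning.
Restart=on-failure
RestartSec=5s
# Needed to bind port 443 without running as root; drop it if the process
# sits on 8080 behind the reverse proxy described below.
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
```

Enable it with systemctl enable --now odoh-server. Note that certbot stores private keys readable only by root, so a non-root User either needs a certbot deploy hook that copies the renewed files somewhere the service account can read, or the service must run as root. After each renewal the server also has to be restarted (or told to reload) to pick up the new certificate.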

Reverse proxy

You need to deploy a reverse proxy with a valid TLS server certificate for clients to be able to authenticate the target or proxy.

The simplest option is Caddy, which automatically provisions a TLS certificate from Let's Encrypt via ACME.

For instance:

caddy reverse-proxy --from https://odoh.example.net:443 --to 127.0.0.1:8080

Alternatively, use a Caddyfile similar to:

odoh.example.net

reverse_proxy localhost:8080

and run caddy start.

About

Serializing DNSSEC server in Go
