Run your own DNS over HTTPS (HTTP/2 + TLS) server
To get it running quickly:
1- make a doh directory
2- copy doh-server.conf into it and edit it to suit your needs
3- copy the certificate and private key into it; for example, if you used Let's Encrypt with certbot:
cp /etc/letsencrypt/live/doh.yapily.com/cert.pem doh/
cp /etc/letsencrypt/live/doh.yapily.com/privkey.pem doh/
4- run the Docker container, mounting the directory read-only:
docker run -it -p 443:443 -v /home/mauro/doh:/svc:ro privatesurfing/doh
Docker images are available here:
https://hub.docker.com/repository/docker/privatesurfing/doh
Info on browser and client setup:
https://support.mozilla.org/en-US/kb/firefox-dns-over-https
https://windowsloop.com/enable-dns-over-https-chrome/
https://daniel.haxx.se/blog/2018/06/03/inside-firefoxs-doh-engine/
https://pypi.org/project/doh-cli/
- Can I use plain HTTP? No, by design you need HTTPS with a proper certificate.
- Shall I run it as a service or as a container? Being a service exposed to the Internet, you should use a container to isolate it from the OS; if you want to run it on the plain OS, consider using Firejail.
- Do you think my code is crappy? Help me write a better one!
- Is it a secure 'container'? The server, a static hardened Go binary, is the only process, and it does not make any outgoing connections other than DNS queries.
- I use the standard HTTPS port (443) to run this service so my Firefox can use it even behind a corporate firewall (even with a proxy, they can see my surfing activity anyway).
Changes compared to the upstream project (https://github.com/m13253/dns-over-https):
- use of the strongest TLS ciphers, random SessionTicket for every connection *
- ability to skip IPv6 DNS queries to speed up resolution (details here: m13253/dns-over-https#19)
- instead of DNS round-robin, I implemented a primitive algorithm that uses the fastest DNS server out of the specified pool and continually monitors which server is the fastest
- IP whitelisting: only authorized IPs/networks can use it
- /stat page provides upstream DNS latency and relative usage
- write some test code
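The first item in the list above, strongest TLS ciphers and a random SessionTicket per connection, is all the page says about the TLS setup, so here is an added example of how a Go DoH server can get there (my code, not the project's own configuration): refusing anything below TLS 1.3 leaves only the AEAD suites negotiable, the key-exchange curves are pinned, and a fresh random session ticket key is installed and can be rotated from a ticker. The `HardenedTLSConfig`, `RotateTicketKeys` and `NegotiatedVersion` names, the self-signed certificate and the loopback listener are assumptions made so the example runs offline; the real server would load cert.pem and privkey.pem from the doh directory instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// HardenedTLSConfig builds the server-side tls.Config. Requiring TLS 1.3 leaves
// only the AEAD suites (AES-GCM, ChaCha20-Poly1305) negotiable and removes RSA
// key transport and CBC suites outright; key exchange is limited to X25519 and
// P-256. A fresh random session ticket key is installed so tickets minted by
// this process cannot be read with a key from an earlier run.
func HardenedTLSConfig(cert tls.Certificate) (*tls.Config, error) {
	cfg := &tls.Config{
		Certificates:     []tls.Certificate{cert},
		MinVersion:       tls.VersionTLS13,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
	if err := RotateTicketKeys(cfg); err != nil {
		return nil, err
	}
	return cfg, nil
}

// RotateTicketKeys replaces the session ticket key with a new random one. Run
// it from a ticker: tickets issued under the old key stop resuming, which
// bounds how long a leaked ticket key stays useful (keep the previous key as a
// second entry if in-flight tickets need a grace period).
func RotateTicketKeys(cfg *tls.Config) error {
	var key [32]byte
	if _, err := rand.Read(key[:]); err != nil {
		return err
	}
	cfg.SetSessionTicketKeys([][32]byte{key})
	return nil
}

// selfSignedCert makes a throwaway ECDSA certificate for "localhost" so the
// example runs offline; the real server loads cert.pem and privkey.pem.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, leaf, nil
}

// NegotiatedVersion handshakes over loopback TCP between the hardened server
// config and a client capped at maxVersion. It returns the negotiated version,
// or an error when the server refuses the client.
func NegotiatedVersion(maxVersion uint16) (uint16, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	srvCfg, err := HardenedTLSConfig(cert)
	if err != nil {
		return 0, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() {
		if conn, err := ln.Accept(); err == nil {
			s := tls.Server(conn, srvCfg)
			s.Handshake() // a refusal reaches the client as a protocol_version alert
			s.Close()
		}
	}()
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // trust only the throwaway certificate
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: "localhost", RootCAs: roots, MaxVersion: maxVersion})
	if err != nil {
		return 0, err
	}
	defer c.Close()
	return c.ConnectionState().Version, nil
}
```

A TLS 1.3 client negotiates 0x0304; a client capped at TLS 1.2 is refused with a protocol_version alert. That refusal is the check worth keeping in a test, so a later edit to the config cannot quietly re-enable older versions and their weaker suites.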
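IP whitelisting, as an added example (my code, not the project's): an allow-list of CIDRs applied as HTTP middleware in front of the DoH handler. It decides on the TCP peer address only and ignores X-Forwarded-For, since that header is client-controlled and, with the container published directly on port 443 as in the docker run above, there is no trusted proxy to set it. `NewAllowList`, `Middleware`, `StatusFor` and the documentation-range addresses are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AllowList holds the networks permitted to query the resolver.
type AllowList struct {
	nets []*net.IPNet
}

// NewAllowList parses CIDRs and bare addresses (a bare address becomes /32 or
// /128). Anything unparsable is an error rather than silently skipped, so a
// typo in the config fails at startup instead of widening access.
func NewAllowList(entries []string) (*AllowList, error) {
	al := &AllowList{}
	for _, e := range entries {
		e = strings.TrimSpace(e)
		if !strings.Contains(e, "/") {
			ip := net.ParseIP(e)
			if ip == nil {
				return nil, fmt.Errorf("bad address %q", e)
			}
			if ip.To4() != nil {
				e += "/32"
			} else {
				e += "/128"
			}
		}
		_, n, err := net.ParseCIDR(e)
		if err != nil {
			return nil, fmt.Errorf("bad network %q: %w", e, err)
		}
		al.nets = append(al.nets, n)
	}
	return al, nil
}

// Allowed reports whether ip falls inside any permitted network.
func (al *AllowList) Allowed(ip net.IP) bool {
	for _, n := range al.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Middleware rejects requests whose TCP peer is not on the list. It uses
// r.RemoteAddr, the address the TLS connection really came from, and ignores
// X-Forwarded-For: that header is client-controlled, and with the container
// published straight on port 443 there is no trusted proxy to set it.
func (al *AllowList) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		ip := net.ParseIP(host)
		if err != nil || ip == nil || !al.Allowed(ip) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor pushes a synthetic /dns-query request from remoteAddr (optionally
// carrying a spoofed X-Forwarded-For) through the middleware and returns the
// HTTP status; it exists so the behaviour can be checked offline.
func StatusFor(al *AllowList, remoteAddr, forwardedFor string) int {
	h := al.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest("GET", "/dns-query", nil)
	req.RemoteAddr = remoteAddr
	if forwardedFor != "" {
		req.Header.Set("X-Forwarded-For", forwardedFor)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

If a reverse proxy is ever put in front of the container, the peer address becomes the proxy's, and the middleware would then need to take the client address from a header the proxy is known to overwrite; until then, honouring X-Forwarded-For would let any caller pick an allowed address.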
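The fastest-upstream selection and the /stat page, as one added example (my code; the page does not give the project's actual algorithm): each upstream keeps an exponentially weighted moving average of its round-trip time, fed by every real query and by periodic probes of all servers so one that recovered can win back the lead; a timeout is charged as a large penalty latency, and `Stats` returns the snapshot (latency and query counts, fastest first) that a /stat handler would JSON-encode. The `Pool` type, `Simulate`, the 192.0.2.x addresses and the latencies are constructed for the example.

```go
package main

import (
	"sort"
	"sync"
	"time"
)

// Upstream is one DNS server of the pool; Stats returns copies as /stat rows.
type Upstream struct {
	Addr      string  `json:"addr"`
	LatencyMs float64 `json:"latency_ms"` // EWMA of round trips; 0 = not measured yet
	Queries   int     `json:"queries"`    // real queries routed here (probes do not count)
}

// Pool routes each query to the lowest-EWMA upstream and keeps re-measuring all of them.
type Pool struct {
	mu      sync.Mutex
	ups     []*Upstream   // never reassigned after NewPool
	alpha   float64       // EWMA weight of the newest sample
	penalty time.Duration // latency charged for a timeout, so a dead server drops back at once
}

func NewPool(addrs []string, alpha float64, penalty time.Duration) *Pool {
	p := &Pool{alpha: alpha, penalty: penalty}
	for _, a := range addrs {
		p.ups = append(p.ups, &Upstream{Addr: a})
	}
	return p
}

// Pick chooses the next upstream: unmeasured first (latency 0), then lowest EWMA, earlier entry on ties.
func (p *Pool) Pick() string {
	p.mu.Lock()
	defer p.mu.Unlock()
	best := p.ups[0]
	for _, u := range p.ups[1:] {
		if u.LatencyMs < best.LatencyMs {
			best = u
		}
	}
	best.Queries++
	return best.Addr
}

// Observe folds a measured round trip, or a failure, into that server's EWMA.
func (p *Pool) Observe(addr string, rtt time.Duration, ok bool) {
	p.mu.Lock()
	defer p.mu.Unlock()
	for _, u := range p.ups {
		if u.Addr != addr {
			continue
		}
		if !ok {
			rtt = p.penalty
		}
		a := p.alpha
		if u.LatencyMs == 0 {
			a = 1 // first sample seeds the average
		}
		u.LatencyMs = a*float64(rtt)/float64(time.Millisecond) + (1-a)*u.LatencyMs
		return
	}
}

// Probe re-measures every upstream, not only the current favourite, so a recovered
// server can take the lead again; run it from a ticker. measure is injected so the
// example runs offline; in the real server it would send a query and time the reply.
func (p *Pool) Probe(measure func(addr string) (time.Duration, error)) {
	for _, u := range p.ups {
		rtt, err := measure(u.Addr)
		p.Observe(u.Addr, rtt, err == nil)
	}
}

// Stats snapshots the pool, fastest first; JSON-encode it to serve /stat.
func (p *Pool) Stats() []Upstream {
	p.mu.Lock()
	defer p.mu.Unlock()
	out := make([]Upstream, 0, len(p.ups))
	for _, u := range p.ups {
		out = append(out, *u)
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].LatencyMs < out[j].LatencyMs })
	return out
}

// Simulate feeds constructed measurements (192.0.2.x are documentation
// addresses, not real resolvers): the fastest server wins, then times out.
func Simulate() (first, afterFailure string, p *Pool) {
	rtt := map[string]time.Duration{"192.0.2.1:53": 40 * time.Millisecond, "192.0.2.2:53": 12 * time.Millisecond, "192.0.2.3:53": 25 * time.Millisecond}
	p = NewPool([]string{"192.0.2.1:53", "192.0.2.2:53", "192.0.2.3:53"}, 0.3, 2*time.Second)
	p.Probe(func(a string) (time.Duration, error) { return rtt[a], nil }) // initial sweep
	first = p.Pick()                   // 192.0.2.2:53, the fastest
	p.Observe(first, rtt[first], true) // answered in 12 ms
	p.Observe(first, 0, false)         // next query times out: penalty applies
	afterFailure = p.Pick()            // 192.0.2.3:53, the runner-up
	return first, afterFailure, p
}
```

With alpha 0.3 and a 2 s pen
alty, one timeout lifts a 12 ms server to roughly 608 ms, so the next query goes elsewhere; only probes (or later successful queries) can bring it back, and Queries records where real traffic went, which is the relative usage the /stat page reports.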