Hacker News

Set up your own DoH (DNS over HTTPS) service

63 points, by Bender, last Saturday at 10:24 PM, 22 comments

Comments

jeroenhd, last Sunday at 12:46 AM

My DoH server ended up on a random list on Github at some point. I noticed when I saw what seemed like a small country suddenly use my DoH server.

Blacklisting the entire country worked; after that I moved my actual DoH resolver to a subpath. Because it's HTTPS, you can just run your DoH server at https://my-doh.example.com/066c591f-c976-4095-85fe-a49e62577.... Not as easy to remember, but you can send yourself and anyone you want to share the server with a link.

Other things to consider when setting up your own DoH server: setting up HTTP/3 with HTTPS records and the like, 0-RTT TLS for the query server, ODoH support (upstream or as an endpoint directly), and of course DNSSEC validation (because you can't trust your clients to do the validation themselves).

For DoT this is a lot harder. A random IPv6 address should work, but then you're stuck having to fall back to something else on networks with only legacy IP support.

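The mechanics behind the comment above, as an added example (not code from the thread, from Unbound, or from any DoH project): the client-side half of RFC 8484, showing how a query is encoded into the GET form, how the unguessable endpoint path sits inside the TLS-protected URL, and how a wire-format answer is parsed and checked against the question that was asked (including the AD bit a validating resolver sets). The host name, the generated path and the sample response are constructed for illustration; no network call is made, so it runs offline.

```python
# Added example (not from the thread, Unbound, or any DoH project): the
# client-side pieces of RFC 8484 DoH. Network I/O is left to the caller so
# the module runs offline against the constructed sample response below.
import base64
import secrets
import struct

QTYPE_A = 1


def random_endpoint_path(nbytes: int = 24) -> str:
    """Unguessable endpoint path; inside HTTPS only the TLS peer sees it."""
    return "/" + secrets.token_urlsafe(nbytes)


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Wire-format query; ID 0 (RFC 8484 s4.1) so the GET URL is cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(host: str, path: str, query: bytes) -> str:
    """GET form: ?dns=<unpadded base64url>; send with Accept: application/dns-message."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{host}{path}?dns={dns}"


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 32:
                raise ValueError("compression loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def is_authenticated(resp: bytes) -> bool:
    """AD bit set: the resolver, not the client, performed DNSSEC validation."""
    return bool(struct.unpack("!H", resp[2:4])[0] & 0x0020)


def parse_response(query: bytes, resp: bytes) -> list[tuple[str, int, int, bytes]]:
    """Return (name, type, ttl, rdata) answers; refuse responses not matching `query`."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    qname, off = read_name(resp, 12)
    qtype = struct.unpack("!H", resp[off:off + 2])[0]
    off += 4  # QTYPE + QCLASS
    our_qname, qoff = read_name(query, 12)
    our_qtype = struct.unpack("!H", query[qoff:qoff + 2])[0]
    if qd != 1 or (qname.lower(), qtype) != (our_qname.lower(), our_qtype):
        raise ValueError("question section does not match our query")
    answers = []
    for _ in range(an):
        name, off = read_name(resp, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        answers.append((name, rtype, ttl, resp[off:off + rdlen]))
        off += rdlen
    return answers


def sample_response() -> bytes:
    """Constructed (not captured) answer: example.com A 93.184.216.34, AD=1."""
    q = build_query("example.com")
    hdr = struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)  # QR RD RA AD, NOERROR
    rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([93, 184, 216, 34])
    return hdr + q[12:] + rr


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("my-doh.example.com", random_endpoint_path(), q))  # host is assumed
    print(parse_response(q, sample_response()), is_authenticated(sample_response()))
```

A scanner that finds the host will hit the default /dns-query and get a 404; only clients you hand the generated path to can reach the resolver, which is exactly why this works for DoH but not for DoT, where there is no path inside the TLS session to hide behind. The question-section check matters because a DoH response is just an HTTP body: anything that can return bytes on that URL could otherwise hand you an answer for a different name.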
WalterGR, last Sunday at 1:53 AM

DoH = DNS over HTTPS

https://en.wikipedia.org/wiki/DNS_over_HTTPS

dpattila, last Sunday at 12:37 PM

I see you've mentioned using a VPS for this. Suppose I want a DoH server for private use; is there a reason for me not to host it on my homeserver instead? I suppose my ISP could see the server's DNS queries, but so could the VPS provider, and precaching Cloudflare's top 20k domains seems to provide some level of obfuscation anyways.

Bender, yesterday at 9:14 PM

Seems this got into the second chance pool or something like that. One thing I forgot to add to this is that if your Linux repo does not have a build of Unbound that contains the libnghttp2 library (required to enable the DoH HTTPS listener) please politely request the package maintainer build with that library so that more people can have their own DoH service without having to recompile Unbound.

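What the libnghttp2-enabled listener looks like once you have such a build, as an added example (this is not Bender's configuration or anything from the Unbound documentation): a minimal unbound.conf server: section that serves DoH on 443 with TLS, moves the endpoint off the default /dns-query onto an unguessable path, opens access to the Internet, and validates DNSSEC on the server. The certificate and trust-anchor paths and the endpoint string are placeholders to replace with your own.

```conf
server:
    # DoH listener; only works when Unbound was built with libnghttp2 (HTTP/2).
    interface: 0.0.0.0@443
    interface: ::0@443
    https-port: 443
    tls-service-key: "/etc/unbound/privkey.pem"       # placeholder path
    tls-service-pem: "/etc/unbound/fullchain.pem"     # placeholder path

    # Unguessable endpoint instead of the default /dns-query; clients only
    # learn it from you. Placeholder value: generate your own random string.
    http-endpoint: "/0f3c9c2d1a7e4d5cb6f8a2e0d9c4b7a1"
    http-query-buffer-size: 4m
    http-response-buffer-size: 4m
    http-nodelay: yes
    http-notls-downstream: no        # keep TLS on the listener itself

    # The default policy refuses everything but localhost; open it up for
    # the clients you hand the path to (tighten to your own ranges if you can).
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow

    # Validate DNSSEC here rather than trusting clients to do it.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # placeholder path
    module-config: "validator iterator"
```

Binding port 443 needs root or CAP_NET_BIND_SERVICE, and the `interface: ...@443` lines must agree with `https-port`, otherwise Unbound treats the socket as plain DNS. A quick way to tell whether your packaged build can do this at all is to look for `--with-libnghttp2` in the configure line printed by `unbound -V`.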
jedisct1, yesterday at 10:16 PM

doh-server supports DoH but also ODoH: https://github.com/DNSCrypt/doh-server

ck2, yesterday at 9:24 PM

But can DIY ever do Oblivious DoH?

* https://blog.cloudflare.com/oblivious-dns/

Solved the SNI problem.

If this says SNI=plaintext, your ISP knows where you are going anyway:

* https://one.one.one.one/cdn-cgi/trace
