logoalt Hacker News

jeroenhdlast Sunday at 12:46 AM3 repliesview on HN

My DoH server ended up on a random list on Github at some point. I noticed when I saw what seemed like a small country suddenly use my DoH server.

Blacklisting the entire country worked, after that I moved my actual DoH resolver to a subpath. Because it's HTTPS, you can just run your DoH server at https://my-doh.example.com/066c591f-c976-4095-85fe-a49e62577.... Not as easy to remember, but you can send yourself and anyone you want to share the server with a link.

Other things to consider when setting up your own DoH server: setting up HTTP3 with HTTPS records and the like, 0-rtt TLS for the query server, ODoH support (upstream or as an endpoint directly), and of course DNSSEC validation (because you can't trust your clients to the validation themselves).

For DoT this is a lot harder. A random IPv6 address should work, but then you're stuck having to fall back to something else on networks with only legacy IP support.


Replies

1718627440yesterday at 2:20 PM

> I saw what seemed like a small country suddenly use my DoH server.

Wouldn't that mean that your requests are more hidden, instead of sticking out and being more susceptible to a side channel attack?

show 2 replies
gruezlast Sunday at 1:19 AM

>ODoH support (upstream or as an endpoint directly)

Is there client support without installing third party apps? Such apps usually use a VPN connection to operate, which means you can't use another VPN at the same time as oDOH, which is a major disadvantage.

show 2 replies
pixel_poppingyesterday at 8:52 PM

You can actually just move it to a subdomain and wildcard TLS cert as well.

show 1 reply