So in a little while Google Chrome is going to enable DNS over HTTPS, and Firefox has already enabled it, by default!
So I think to myself “myself, do you want Cloudflare watching all your DNS queries?” - nope is the answer!
Right, so I’ll build my own DNS over HTTPS (DoH) server.
This doc assumes you have a working DNS server (I use bind9), and you can sort your own SSL certs for nginx.
It also assumes you know your way around a command line 🤪
Set up nginx
So I’m not going to talk you through how to install nginx or get it running; that is beyond the scope of this doc.
I’m also not going to tell you how to set up Let’s Encrypt; that is also outside the scope of this doc.
So let’s get straight into the config:
So let me talk you through the config:
I start by creating an upstream definition that points to our (not yet installed) doh-server. That server is going to be listening on port 8053:
Next I’ve got a server block for port 80 (plain HTTP, no TLS).
It has some config for my Let’s Encrypt client (dehydrated), and redirects everything to the HTTPS version of the site (return 301):
And lastly, the HTTPS server block, including the reverse proxy part, which I will repeat here (because it is the important bit):
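Since the listing itself isn’t reproduced here, this is a minimal version of those three parts, added as an example rather than the post’s own config. The hostname doh.example.net, the certificate paths, the dehydrated challenge directory and the /dns-query path are all assumptions; swap in your own.

```nginx
# Added example, not the original config. All names and paths are placeholders.

# 1. Upstream: the doh-server daemon we install later, on loopback port 8053.
upstream doh {
    server 127.0.0.1:8053;
}

# 2. Plain HTTP: serve the ACME challenge for dehydrated, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name doh.example.net;

    # Assumed dehydrated WELLKNOWN directory; match it to your dehydrated config.
    location /.well-known/acme-challenge/ {
        alias /var/www/dehydrated/;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# 3. HTTPS: terminate TLS here and reverse proxy the DoH endpoint to the daemon.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name doh.example.net;

    ssl_certificate     /etc/ssl/private/doh.example.net/fullchain.pem;
    ssl_certificate_key /etc/ssl/private/doh.example.net/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # The important bit. The path must match what doh-server is configured to serve.
    location /dns-query {
        proxy_pass         http://doh;
        proxy_http_version 1.1;
        proxy_set_header   Host            $host;
        proxy_set_header   X-Real-IP       $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

Run nginx -t before reloading so a typo doesn’t take the site down, and keep the daemon bound to 127.0.0.1:8053 only: the whole point is that queries never leave the box without TLS, so port 8053 should not be reachable from outside.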
So assuming that you have your SSL certs sorted, and your nginx config is all good you should be able to start nginx 🥰
To build the DoH server you’ll need some build packages, so let’s install the build tools: aptitude install curl software-properties-common build-essential git
Now let’s configure the DoH server:
The DoH server has a config in /etc/dns-over-https/doh-server.conf
You want to change the upstream to 127.0.0.1:53 (your local resolver) and that’s about it; here’s what I’ve got:
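As an added example (not the post’s own file), here is what that config looks like with the upstream pointed at the local resolver. The TOML layout and key names are my assumption about the daemon’s config format; check them against the doh-server.conf your build installed.

```toml
# Added example of /etc/dns-over-https/doh-server.conf; key names are assumed.

# Only listen on loopback: nginx terminates TLS and proxies to us on 8053.
listen = [
    "127.0.0.1:8053",
    "[::1]:8053",
]

# Must match the nginx location that is proxied here.
path = "/dns-query"

# Your own resolver (bind9 on this box), instead of a public one.
# Newer releases of the daemon also accept an explicit "udp:" / "tcp:" prefix.
upstream = [
    "127.0.0.1:53",
]

timeout = 10
tries = 3
verbose = false
```

Two things worth checking: the daemon should not be listening on a public address (ss -ltnp | grep 8053), and bind9 must actually allow recursion from 127.0.0.1, otherwise every DoH query comes back REFUSED.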
Once you’ve got that saved you can restart the DoH server with systemctl restart doh-server
Testing the install
So let’s recap:
Configured nginx and got it running nicely, forwarding DoH requests
Installed a DoH server
We already had a DNS resolver installed and running, right? 🧐
Now let’s do some testing.
The DoH server returns JSON, so you can just test in your browser:
Or, since you’re already working in a terminal (and this website is called Terminal Addict 😇)
You should get a JSON response like the following:
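One caveat on that test: the JSON you get back comes from the daemon’s JSON interface (the Google/Cloudflare style ?name=&type= API), but Firefox and Chrome don’t speak that. They send the RFC 8484 wire format (Content-Type application/dns-message) to the same endpoint. This added example, not code from the post, builds such a query, produces the GET ?dns= form, and parses a response, so you can exercise exactly what the browser will do. The endpoint URL is a placeholder and the sample response is constructed by hand; only query_doh() needs a live server.

```python
# Added example (not from the original post): RFC 8484 wire-format DoH helper.
# The endpoint URL is a placeholder; SAMPLE_RESPONSE is hand-constructed.
import base64
import ipaddress
import struct
import urllib.request  # only used by query_doh(), which needs a live server

RR_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, rtype="A"):
    """Minimal DNS query (RD set). ID is 0 as RFC 8484 s4.1 recommends, so
    identical queries hash the same for HTTP caches."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", RR_TYPES[rtype.upper()], 1)  # IN


def doh_get_url(endpoint, name, rtype="A"):
    """RFC 8484 GET form: ?dns=<base64url of the query, '=' padding removed>."""
    q = base64.urlsafe_b64encode(build_query(name, rtype)).rstrip(b"=")
    return f"{endpoint}?dns={q.decode('ascii')}"


def decode_dns_param(param):
    """Inverse of the ?dns= encoding (restores the padding base64 needs)."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def _read_name(pkt, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:  # compression pointer back into the packet
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(pkt):
    """Parse the header, skip the question section, decode A/AAAA answers."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(pkt, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        data = str(ipaddress.ip_address(rdata)) if rtype in (1, 28) else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"status": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "ad": bool(flags & 0x0020),  # DNSSEC authenticated-data bit
            "answers": answers}


def query_doh(endpoint, name, rtype="A", timeout=5):
    """POST form, as browsers use it. Needs network; not exercised offline."""
    req = urllib.request.Request(
        endpoint, data=build_query(name, rtype), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if not ctype.startswith("application/dns-message"):
            raise ValueError(f"unexpected Content-Type {ctype!r}")
        return parse_response(resp.read())


# Constructed response: example.com A -> 192.0.2.1 (TEST-NET-1), TTL 3600,
# answer name written as a compression pointer back to the question (0xc00c).
SAMPLE_RESPONSE = bytes.fromhex(
    "0000 8180 0001 0001 0000 0000"             # id 0, flags QR|RD|RA, 1 Q, 1 AN
    "07 6578616d706c65 03 636f6d 00 0001 0001"  # example.com, A, IN
    "c00c 0001 0001 00000e10 0004 c0000201"     # ptr, A, IN, TTL 3600, 4 bytes
)

if __name__ == "__main__":
    print(doh_get_url("https://doh.example.net/dns-query", "example.com"))
    print(parse_response(SAMPLE_RESPONSE))
```

Against your own server, query_doh("https://doh.example.net/dns-query", "example.com") should come back NOERROR with the same records your bind9 returns for dig @127.0.0.1 example.com; if you get REFUSED, the resolver isn’t allowing recursion for the daemon, and if the Content-Type check fails, nginx is most likely serving an error page instead of proxying.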
Configure your browser
Well in Firefox this is pretty easy.
Search your preferences / settings in Firefox for DNS. In the Network Settings dialog, tick “Enable DNS over HTTPS”, pick a custom provider and enter your own URL (the HTTPS path that nginx proxies to doh-server).
In Google Chrome the setting will be released in version 78 I’m told, I guess I’ll keep an eye out 🙃
So, maybe you’re super sensitive about people spying on you, maybe you like playing with new gadgets / tech. Who knows.
But, I certainly don’t trust Cloudflare enough to be giving them my browser DNS queries!
So we’ve now got DNS over HTTPS to use, and we own all our own history / data 👍