I recently setup a Dns over HTTP server. I use the excellent article from Stéphane Bortzmeyer : Documentation technique de mon résolveur DoH[FR].
The setup use dnsdist in 1.4 version, which support DoH.
Here is a docker composition to run the setup : https://github.com/RemiDesgrange/dnsdist-config/
It run for 2 months on one of my machine without any problem. I didn’t put any TLS config on
dnsdist, instead a nginx config takes care of it. It’s pretty standard nginx reverse proxy
config from
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name doh.desgran.ge;
ssl on;
ssl_certificate fullchain.pem;
ssl_certificate_key privkey.pem;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
location / {
proxy_pass http://localhost:8053;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Since it’s for my personal use, I don’t bother supporting TLS prior to 1.3.
Once done you can switch your resolver in the Firefox settings. On Chrome it’s not (yet) that straight forward.