- Helm chart for kubernetes deployments (current chart is usable but not tied to the latest version of DOH)
- Automated CICD using Github Actions
- Kubernetes deployment examples
- DNS Over HTTP
- Custom upstream DNS server option
- Support for custom script execution (/app-config)
- Support for linux/amd64,linux/arm64,linux/arm/v7
- Alpine based tiny images. Ubuntu based image for those who can not use alpine.
- A great example of full DOH Server setup using Docker Compose
- Protect yourself from ISP. They know too much about you as you are using their DNS servers.
- You don't want to use DOH services from DOH providers. They are just replacing your ISP DNS service.
- https://www.netsparker.com/blog/web-security/pros-cons-dns-over-https/
- https://en.wikipedia.org/wiki/DNS_over_HTTPS
docker run -itd --name doh-server \
-p 8053:8053 \
-e UPSTREAM_DNS_SERVER=udp:208.67.222.222:53 \
satishweb/doh-serverversion: '2.2'
networks:
default:
services:
doh-server:
image: satishweb/doh-server
hostname: doh-server
networks:
- default
environment:
DEBUG: "0"
# Upstream DNS server: proto:host:port
# We are using OpenDNS DNS servers as default,
# Here is the list of addresses: https://use.opendns.com/
UPSTREAM_DNS_SERVER: "udp:208.67.222.222:53"
DOH_HTTP_PREFIX: "/getnsrecord"
DOH_SERVER_LISTEN: ":8053"
DOH_SERVER_TIMEOUT: "10"
DOH_SERVER_TRIES: "3"
DOH_SERVER_VERBOSE: "true"
# You can add more variables here or as docker secret and entrypoint
# script will replace them inside doh-server.conf file
volumes:
# - ./doh-server.conf:/server/doh-server.conf
# Mount app-config script with your customizations
# - ./app-config:/app-config
deploy:
replicas: 1
# placement:
# constraints:
# - node.labels.type == workerdocker build . --no-cache -t satishweb/doh-server -f Dockerfile.alpinedocker pull satishweb/doh-server- RaspeberryPi/Linux/Mac with Docker preinstalled (Required)
- DNS Server Setup on AWS R53 (Other providers supported)
- AWS Access Key, Secret key, and R53 DNS Hosted Zone ID (for LetsEncrypt based auto installation of SSL Certs) (Optional)
- Visit https://github.com/satishweb/docker-doh/releases and download the latest release to your server
wget https://github.com/satishweb/docker-doh/archive/v2.3.3.zip
unzip v2.3.3.zip
cp -rf docker-doh-2.3.3/examples/docker-compose-doh-server doh-server
rm -rf v2.3.3.zip docker-doh-2.3.3
cd doh-server- Copy env.sample.conf to env.conf and update environment variables
EMAIL=user@example.com
DOMAIN=example.com
SUBDOMAIN=dns
AWS_ACCESS_KEY_ID=AKIKJ_CHANGE_ME_FKGAFVA
AWS_SECRET_ACCESS_KEY=Nx3yKjujG8kjj_CHANGE_ME_Z/FnMjhfJHFvEMRY3
AWS_REGION=us-east-1
AWS_HOSTED_ZONE_ID=Z268_CHANGE_ME_IQT2CE6- Launch services
./launch.sh- Add your custom hosts to override DNS records if needed.
mkdir -p data/unbound/custom
vi data/unbound/custom/custom.hosts
Contents:
local-zone: "SUB1.example.com" redirect
local-data: "SUB1.example.com A 192.168.0.100"
local-zone: "SUB2.example.com" redirect
local-data: "SUB2.example.com A 192.168.0.101"- What is my DOH address?
https://dns.example.com/getnsrecord- How do I test DoH Server?
curl -w '\n' 'https://dns.example.com/getnsrecord?name=google.com&type=A'- Proxy is still running with a self-signed certificate
- Check data/proxy/certs/acme.json contents.
- Enable debug mode for proxy by editing proxy service in docker-compose.yml. Run launch command again for changes to take effect.
- Check proxy container logs for errors.
Note: If you are using an IAM account for R53 access, please make sure you have the below permissions added to the access policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"route53:GetChange",
"route53:ChangeResourceRecordSets",
"route53:ListResourceRecordSets"
],
"Resource": [
"arn:aws:route53:::hostedzone/*",
"arn:aws:route53:::change/*"
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": "route53:ListHostedZonesByName",
"Resource": "*"
}
]
}-
Can not bind 53 port for unbound service
- Unbound service is configured to bind 53 ports on the Docker host.
- Sometimes systemd-resolved service blocks that port and it needs to be stopped
- run
sudo service systemd-resolved stop;sudo apt-get -y purge systemd-resolvedand then retry again - Unbound service port mappings can be commented out if DOH service is the only DNS client for it.
-
Can not bind port 80 and 443 for proxy service.
- Another program on the docker host or one of the docker containers has acquired the same ports.
- You need to stop those programs or change the proxy service ports to unused ports
- Docker-compose configuration with IPV6 support will be added in the future.
- Login to your router and search for DHCP settings
- Setup DNS settings to the IP of your DOH server.
Note: This will make all your client systems/phones connected to your router use this as your DNS server. Note: This will not make clients use DOH but it will end up using an unbound private DNS service that protects you from ISP.
- Install Cloudflared for Linux, Mac, Windows using the below link
https://developers.cloudflare.com/argo-tunnel/downloads/- Set your DOH server as upstream for cloudflared with below configuration
- Linux: /usr/local/etc/cloudflared/config.yml
- Mac: /usr/local/etc/cloudflared/config.yaml
- Windows: God knows where, I don't have windows
proxy-dns: true
proxy-dns-upstream:
- https://dns.example.com/getnsrecordNote: You will need to ensure dnsmasq is uninstalled from your client system before using cloudflared
- Install Intra app from Play Store
https://play.google.com/store/apps/details?id=app.intra&hl=en_US- Configure infra app to use your DOH server
Intra App -> Settings -> Select DNS over HTTPS Server -> Custom server URL
Value: https://dns.example.com/getnsrecord
- DOH Server: https://github.com/m13253/dns-over-https
- Traefik Proxy: https://www.traefik.io