path: root/content/dns-over-http.md
blob: 176ec33dbe1afd6b26ced7f78ff67b4e4e9d466c
---
title: "Run your own DNS over HTTPS server."
tags: ["service"]
draft: true
---

Encrypted DNS can be a great tool for your online privacy if it's
hosted by a trustworthy entity, and who can you trust more with your
data than yourself?

## Installing Unbound.

First of all, we need to install our DNS server, Unbound. Unbound is a
validating, recursive and caching DNS server.

```sh
apt install -y unbound
```

### Configuring Unbound.

Using your favorite editor, edit the file `/etc/unbound/unbound.conf`
and add the following values, if they don't exist already:

```
include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
server:
    # keep query contents out of the logs
    log-queries: no
    log-replies: no
    aggressive-nsec: yes
    ratelimit: 150
    verbosity: 1
```

Now restart Unbound to activate your new configuration:

```sh
systemctl restart unbound
```

To test whether your DNS server is resolving, add
`nameserver 127.0.0.1` to your `/etc/resolv.conf`. If you can
resolve domains, Unbound is working.

## Installing DNSS.

Now we need to install a program that converts DNS over HTTPS requests
into plain DNS queries for Unbound. `dnss` accomplishes that goal very well.

To install DNSS, run the following command:

```sh
apt install -y dnss
```

### Configuring DNSS.

DNSS comes with a bad default configuration; disable it using the
following command:

```sh
systemctl disable --now dnss dnss.socket
```

Now, using your favorite text editor, create a new file in
`/etc/systemd/system` named `doh.service`. This will be the new DNSS
configuration file. Add the following values to the file:

```systemd
[Unit]
Description=DNSS DNS over HTTPS Proxy
[Service]
# Accept DoH over plain HTTP on loopback only (Nginx terminates TLS)
# and forward the decoded queries to Unbound on 127.0.0.1:53.
ExecStart=/usr/bin/dnss \
    -enable_https_to_dns \
    -https_server_addr 127.0.0.1:8080 \
    -insecure_http_server \
    -dns_upstream 127.0.0.1:53

Type=simple
Restart=always
User=dnss
Group=dnss

# Run unprivileged: only the bind capability stays available, and
# /usr, /boot and /etc are mounted read-only for the service.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
ProtectSystem=full

[Install]
WantedBy=multi-user.target
```

Close the file and enable/start it using the command:

```sh
systemctl enable --now doh.service
```

## Setting up Nginx.

To set up Nginx with HTTPS, follow [these](/basic/nginx) [guides](/basic/certbot).

Once you've gotten all of that set up, we'll put our HTTPS-to-DNS proxy
behind Nginx as a reverse proxy. Open up your Nginx config file and add
the following location block:

```nginx
# No trailing slash on proxy_pass: the request URI (/dns-query) is
# forwarded unchanged, which is the path dnss serves DoH on.
location /dns-query {
    proxy_pass http://127.0.0.1:8080;
}
```

Now, your configuration should look something like this:

```nginx
server {
    listen 80;
    server_name chad.thesiah.xyz;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name chad.thesiah.xyz;
    root /var/www/sich;
    ssl_certificate /etc/letsencrypt/live/chad.thesiah.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/chad.thesiah.xyz/privkey.pem;
    location /dns-query {
        # forward /dns-query unchanged to dnss on loopback
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Finally, check your Nginx config using `nginx -t`. If the check
passes, restart Nginx using the command:

```sh
systemctl restart nginx
```

## Using your DNS over HTTPS server.

To use your new DNS over HTTPS server, go to your browser's settings
and navigate to the "Network Settings" area. You should be able to set
a custom secure DNS URL; for the configuration above that is
`https://chad.thesiah.xyz/dns-query`. Once set, you can check that it's
working by attempting to resolve domains, and by testing your browser with
[whatismydnsserver.com](http://www.whatsmydnsserver.com/).
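To confirm the whole chain (Nginx, dnss, Unbound) end to end without a browser, here is an added example, my own script rather than anything from the page or the dnss project, that issues an RFC 8484 GET to the `/dns-query` endpoint and decodes the answer. It assumes the endpoint `https://chad.thesiah.xyz/dns-query` from the Nginx config above; the sample response bytes are constructed for an offline self-check.

```python
import base64
import struct
import urllib.request

# Assumed endpoint: the server_name and location from the Nginx config above.
DOH_URL = "https://chad.thesiah.xyz/dns-query"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Single-question wire-format query; ID 0 and RD=1, as RFC 8484 suggests for GET."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN

def doh_get_url(base: str, query: bytes) -> str:
    """RFC 8484 GET form: the raw query as base64url with the '=' padding removed."""
    return base + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def _skip_name(msg: bytes, off: int) -> int:
    while msg[off] != 0:  # walk labels until the root label ...
        if msg[off] & 0xC0 == 0xC0:
            return off + 2  # ... or a 2-byte compression pointer, which ends the name
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg: bytes):
    """Return (rcode, [IPv4 strings]) from a DNS response; other RR types are skipped."""
    _id, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    off = 12
    for _ in range(qd):  # skip the echoed question section (name + QTYPE + QCLASS)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def resolve(name: str, base: str = DOH_URL):
    """Live check: GET the query and insist on the DoH media type before parsing."""
    req = urllib.request.Request(doh_get_url(base, build_query(name)), headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        if resp.headers.get("Content-Type") != "application/dns-message":
            raise RuntimeError("not a DoH answer, Content-Type was %r" % resp.headers.get("Content-Type"))
        return parse_a_records(resp.read())
# Constructed sample answer (example.com A 192.0.2.1, TTL 3600) for an offline self-check.
SAMPLE_RESPONSE = (b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x07example\x03com\x00"
                   b"\x00\x01\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")
```

Run `resolve("example.com")` from a machine that trusts the server's certificate; an rcode of 0 together with at least one address means every hop of the proxy chain is answering.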

## Contributor

[Josiah.](https://ioens.is)