How to Set up Your Own DoH Server on CentOS 8
Post4VPS Forum (https://post4vps.com), Tutorials: Thread (/Thread-How-to-Set-up-Your-Own-DoH-Server-on-CentOS-8)
How to Set up Your Own DoH Server on CentOS 8 - fChk - 02-08-2020

First off, I must confess that this HowTo is nothing but a poor man's way to deploy a fully functional DoH server. It's basically my way of utilizing the available resources at hand on @Neoon's NAT-VPS on his NanoKVM platform; thus, if we forget about the transparent reverse-proxy (HAProxy) at the NAT gate, this implementation is basically concerned with tying together 3 independent pieces of software:
Systemd-resolved as the DNS resolver

Please refer to the 'A Case for systemd-resolved as the default DNS Resolver' thread for more details on this (I specifically created it because it deserved to be discussed thoroughly). In here, I'll just publish the systemd-resolved configuration file, located at /etc/systemd/resolved.conf, that's needed for this use case:

Code:
# This file is part of systemd.

Now, you're supposed to start the service and enable it permanently (if you choose to); then, by running this command, you'll see the service's current status:

Code:
[root@vps ~]# resolvectl [OR systemd-resolve --status]

As a test:

Code:
[root@vps ~]# dig google.com

To get an idea of the resolver stats, run this:

Code:
[root@vps ~]# systemd-resolve --statistics

That should be all for the DNS resolver part (for more specifics on systemd-resolved, check the thread mentioned above).

Setting up a DoH Server

If we run a search on GitHub public repositories for IETF-compliant DoH, three results are returned, but m13253/DNS-over-HTTPS seems to be the most mature. Thus we'll be using m13253/DNS-over-HTTPS as our DoH server, which supports the following features:
To use m13253/DNS-over-HTTPS, we have to first install Google's Golang. On CentOS 8, we simply have to issue the following command as an admin:

Code:
dnf module -y install go-toolset

To verify that Go is installed and configured as it should be, we run:

Code:
[root@natty ~]# go version

As a standard user, we'll compile m13253/DNS-over-HTTPS following these steps:

Code:
mkdir -p temp && cd temp

The binary should then be installed in /usr/local/bin, but the config file is located in the /etc/dns-over-https/ folder. The install also makes available doh-server's own systemd service file to control it in the standard way. To undo the installation step, simply run:

Code:
sudo make uninstall

Now, to link our DoH server to our DNS resolver listening on 127.0.0.53:53/udp, we have to make just one edit to the '/etc/dns-over-https/doh-server.conf' file:

Code:
vi /etc/dns-over-https/doh-server.conf

If you want to completely offload the whole DNS resolution step to an external public DNS server, uncomment the addresses above. Now that we have our configuration as we wanted, it's time to start and enable the server:

Code:
systemctl start doh-server

If we check our running services, we would find that our doh-server is listening on port 8053, as set in its config file.

Code:
[root@natty ~]# netstat -tulpn|grep doh-server

At this point, we're done with the DoH-server part.

Apache 2.4 as the Web Server of this Stack

Given that I'm already running Apache 2.4 as my Web server, I won't use Nginx, although it's the best suited for this job. HTTPD is running in mod_event and has many virtual hosts, among them our generic 'doh.example.com' with the following config file:

Code:
<VirtualHost *:443>

With this last step, check your httpd config (httpd -t) and reload your web server.
Now, if you send this query to your doh.example.com, you'll get an answer in JSON format:

Code:
curl -s "https://doh.example.com/dns-query?name=google.com&type=A" | python -m json.tool

If you make it to this stage successfully, congratulations; now you can test it with Firefox :-)

Testing your Custom DoH Server with Firefox

In the about:config tab, type: network.trr; a list of directives will show. We are interested in 'network.trr.custom_uri' and 'network.trr.bootstrapAddress' (only relevant when network.trr.mode===3), which you'll set like this:

Code:
network.trr.custom_uri https://doh.example.com/dns_query

That's ALL there is to it. Now!... Why bother, you may ask?... Privacy!.. I would say!.. No one can handle your data as faithfully and diligently as you would. At least that's the assumption of this HowTo :-)

RE: How to Set up Your Own DoH Server on CentOS 8 - rudra - 02-08-2020

You could add a part on DoT.. by TLS proxy (nginx, stubby can work) or server with direct support. People can use their own private DNS in Android Pie 9 and above with that.

RE: How to Set up Your Own DoH Server on CentOS 8 - fChk - 02-09-2020

(02-08-2020, 06:08 PM)rudra Wrote: You could add a part on DoT.. by TLS proxy (nginx, stubby can work) or server with direct support.

I've exclusively reserved this thread for DoH, as the title suggests, because my HowTos are reports of actual implementations of projects on live VPSes. As of today, the only personal live system I've got is the one on the NanoKVM platform which, as you may know, is a NAT-VPS. That means I don't have access to port 853, thus standard DoT deployment is impossible there. It's for that reason that I didn't switch the Apache Web Server (2.4.41) with Nginx. Nginx can be set to proxy both DoH and DoT traffic in the same setup. In DoT mode, the nginx-mod-stream package is needed (libnginx-mod-stream package in Debian) to proxy plain TCP over to your DNS resolver solution
(systemd-resolved, Unbound, Bind/named, etc....). In this situation too, Nginx should handle SSL termination.

(02-08-2020, 06:08 PM)rudra Wrote: People can use their own private DNS in Android Pie 9 and above with that.

Indeed, a private DoT server is ideal for people with devices supporting DoT natively (like Android Pie, 9), or people in my situation with DNS issues with their ISP (check 'Heads-Up: Firefox rolling DNS-over-HTTPS (DoH)' for the background story). Thanks for your input @rudra!

RE: How to Set up Your Own DoH Server on CentOS 8 - fChk - 04-10-2020

This is a follow-up post aiming at addressing the use of Nginx as the WebServer in the DoH Server Setup, instead of the Apache WebServer used in the OP. The Apache WebServer (httpd) is the grand-daddy of WebServers; I like it a lot and it has my complete trust. BUT, there are just situations where you can still use it, but behind the scenes. This is the case for the setup I'm intending to implement on my newly deployed CentOS 8 on VirMach's Phoenix-based VPS-9. In this setup, I'm using Nginx as the public-facing WebServer where all HTTPS connections will terminate, serving as both a static web server and a reverse-proxy for a bunch of services running on the host, among them httpd, nodejs, etc... The intent of such a setup is to leverage the power of Nginx as an asynchronous web server. Enter the question of how to rewrite the OP with this adjustment. The answer is that everything stays the same except for the third section, which should be replaced by the following:

Nginx as the Reverse-Proxy in our DoH Server Stack

In this post I'll skip the actual TLS setup steps [2], and will just present the actual configuration of the server block of our generic 'doh.example.com':

Code:
server {

Notes:
[1]-As the title suggests, I've exclusively reserved this thread for DoH. I'll post another tutorial about a setup where Nginx is proxying both DoT and DoH queries.
[2]-In the above-mentioned upcoming tutorial, I'll discuss the TLS setup in the Nginx context. Stay tuned!
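Besides the JSON form tested with curl in the opening post, a doh-server of this kind also accepts the RFC 8484 wire format (application/dns-message). The block below is an added example written for this thread, not code from the posts or from m13253/DNS-over-HTTPS: it builds the base64url GET query and parses an answer, assuming the thread's placeholder doh.example.com and /dns-query path; the reply bytes are constructed, not captured from a live server.

```python
import base64
import struct
# Added example, not code from the thread or from m13253/DNS-over-HTTPS.
DOH_URL = "https://doh.example.com/dns-query"   # the thread's placeholder host

def build_wire_query(name, qtype=1, txid=0):
    """RFC 8484 request body: plain DNS query, RD bit set, one question, no EDNS."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def rfc8484_get_url(name, qtype=1):
    """GET form: ?dns=<base64url, no padding>; txid 0 keeps the URL cacheable."""
    b64 = base64.urlsafe_b64encode(build_wire_query(name, qtype, 0)).rstrip(b"=")
    return DOH_URL + "?dns=" + b64.decode()

def _read_name(msg, off):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    parts = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                     # pointer: rest of the name lives elsewhere
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(parts + [_read_name(msg, ptr)[0]]), off + 2
        off += 1
        if ln == 0:
            return ".".join(parts), off
        parts.append(msg[off:off + ln].decode())
        off += ln

def parse_a_answers(msg):
    """IPv4 strings from the answer section of an application/dns-message reply."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:                            # non-zero RCODE (e.g. NXDOMAIN)
        return []
    off, addrs = 12, []
    for _ in range(qd):                           # skip the echoed question(s)
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off + 10:off + 14]))
        off += 10 + rdlen
    return addrs

# Constructed reply, not a live capture: flags 0x8180, echoed question, one A record via pointer 0xC00C, TTL 300.
SAMPLE_RESPONSE = (b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   + build_wire_query("google.com")[12:]
                   + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x8e\xfa\xb0\x0e")
```

Against a live server, the same URL can be fetched with curl using the header "accept: application/dns-message" and the raw body fed to parse_a_answers().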