Self-hosted DoH Server Setup
CoreDNS
CoreDNS is a flexible and powerful DNS server that supports a variety of plugin extensions. It is ideal for setting up DoH services.
Initialization
Install Required Components
First, update the system and install the necessary packages, including Docker Compose and Certbot (for obtaining SSL certificates).
sudo apt update && sudo apt upgrade -y && sudo apt install -y docker-compose certbot
Configure Firewall
Ensure server security by configuring firewall rules to allow necessary ports (22, 80, and 443).
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable
Obtain SSL Certificate
Use Certbot to obtain an SSL certificate. Replace <DOMAIN> with your actual domain name.
sudo certbot certonly --standalone -d <DOMAIN>
Note: Ensure the domain correctly resolves to your server IP and that port 80 is not occupied by other services.
Configure and Deploy CoreDNS
We will run CoreDNS via Docker.
Create CoreDNS Configuration Directory
Create the directory for configuration files.
sudo mkdir -p /etc/coredns
Write CoreDNS Configuration File
Create and edit /etc/coredns/Corefile:
sudo vim /etc/coredns/Corefile
Add the following content, replacing <DOMAIN> with your actual domain:
https://.:443 {
    tls /etc/letsencrypt/live/<DOMAIN>/fullchain.pem /etc/letsencrypt/live/<DOMAIN>/privkey.pem
    bind 0.0.0.0:443
    forward . 1.1.1.1 8.8.8.8
    log
    errors
    cache 300
}
Configuration Explanation:
- https://.:443: Listens for HTTPS (DoH) requests on port 443; clients reach the server at <DOMAIN>:443.
- tls: Specifies the paths to the SSL certificate and private key.
- bind 0.0.0.0:443: Binds to port 443 on all network interfaces, allowing external access.
- forward . 1.1.1.1 8.8.8.8: Forwards DNS queries to the Cloudflare (1.1.1.1) and Google (8.8.8.8) public DNS servers.
- log and errors: Enable query logging and error logging for debugging.
- cache 300: Enables DNS caching with a cache time of 300 seconds to improve query speed.
Run CoreDNS Container
Run the CoreDNS container using Docker. Ensure <DOMAIN> is replaced with your actual domain.
sudo docker run -d \
  --name coredns \
  --restart unless-stopped \
  --network host \
  -v /etc/coredns:/etc/coredns \
  -v /etc/letsencrypt/live/<DOMAIN>/fullchain.pem:/etc/letsencrypt/live/<DOMAIN>/fullchain.pem \
  -v /etc/letsencrypt/live/<DOMAIN>/privkey.pem:/etc/letsencrypt/live/<DOMAIN>/privkey.pem \
  coredns/coredns \
  -conf /etc/coredns/Corefile
Run Explanation:
- --network host: Uses the host's network stack, allowing CoreDNS to listen on the host's port 443.
- -v /etc/coredns:/etc/coredns: Mounts the host configuration directory into the container for easy management.
- -v /etc/letsencrypt/live/<DOMAIN>/fullchain.pem and -v /etc/letsencrypt/live/<DOMAIN>/privkey.pem: Mount the SSL certificate and private key into the container at the same paths the Corefile references, enabling HTTPS for CoreDNS.
Verify CoreDNS Running Status
Ensure the CoreDNS container is running and listening on the correct port.
sudo docker ps | grep coredns
You should see output similar to the following, indicating the CoreDNS container is running and listening on port 443:
CONTAINER ID     IMAGE             COMMAND                  CREATED          STATUS          PORTS                  NAMES
<container_id>   coredns/coredns   "/coredns -conf /etc…"   X seconds ago    Up X seconds    0.0.0.0:443->443/tcp   coredns
Configure Clients to Use DoH
After completing the above steps, your DoH server is ready. Next, configure DNS settings on client devices to use https://<DOMAIN>/dns-query as the DoH server address.
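To confirm the endpoint answers the way a DoH client expects, here is a small RFC 8484 test client (an added example, not part of the original guide). It POSTs a wire-format DNS query with the application/dns-message media type to the /dns-query path and decodes the A records in the reply; DOH_URL is a placeholder for https://<DOMAIN>/dns-query and example.com is just a sample name.

```python
import struct
import urllib.request

DOH_URL = "https://<DOMAIN>/dns-query"  # placeholder: replace <DOMAIN> as in the guide
CT = "application/dns-message"          # media type RFC 8484 requires

def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query (ID 0, RD set, class IN), as a DoH client sends it."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_a_answers(msg: bytes) -> tuple:
    """Return (RCODE, list of IPv4 answers) from a wire-format response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        off = _skip_name(msg, off) + 4       # + QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs

def doh_query(url: str, name: str) -> bytes:
    """POST one query to the DoH endpoint (RFC 8484) and return the raw DNS response."""
    req = urllib.request.Request(url, data=build_dns_query(name), method="POST",
                                 headers={"Content-Type": CT, "Accept": CT})
    with urllib.request.urlopen(req, timeout=5) as resp:
        if not resp.headers.get("Content-Type", "").startswith(CT):
            raise ValueError("endpoint did not answer with " + CT)
        return resp.read()

if __name__ == "__main__":
    rcode, addrs = parse_a_answers(doh_query(DOH_URL, "example.com"))
    print(f"rcode={rcode} answers={addrs}")
```

A successful run against your server prints rcode=0 with one or more addresses; an rcode of 3 means the upstream returned NXDOMAIN, and a ValueError means the endpoint is not speaking DoH.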
Automatically Update SSL Certificates
SSL certificates obtained via Certbot are valid for 90 days. It is recommended to set up a scheduled task to automatically renew certificates and restart the CoreDNS container.
Create a cron job that checks and renews certificates on a schedule:
sudo crontab -e
Add the following:
0 2 1 * * certbot renew --quiet && sudo docker restart coredns
This task will run at 2:00 AM on the 1st of every month, automatically renewing the certificate and restarting the CoreDNS container.