
Self-hosted DoH Server Setup

Neurocoda
Created 2026-07-03 12:41:58, updated 2026-07-03 13:41:41

CoreDNS

CoreDNS is a flexible DNS server built around plugins, and its https server type and tls plugin make it a convenient base for a DNS-over-HTTPS (DoH) service.

Initialization

Install Required Components

First, update the system and install the necessary packages, including Docker Compose and Certbot (for obtaining SSL certificates).

sudo apt update && sudo apt upgrade -y && sudo apt install -y docker-compose certbot

Configure Firewall

Allow only the ports this setup needs: 22 for SSH, 80 for Certbot's HTTP challenge, and 443 for DoH. Enabling ufw denies all other incoming traffic by default.

sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable

Obtain SSL Certificate

Use Certbot to obtain an SSL certificate. Replace <DOMAIN> with your actual domain name.

sudo certbot certonly --standalone -d <DOMAIN>

Note: Ensure the domain resolves to your server's IP and that port 80 is not occupied by another service, since the standalone authenticator starts its own temporary web server on that port.

Configure and Deploy CoreDNS

We will run CoreDNS via Docker.

Create CoreDNS Configuration Directory

Create the directory for configuration files.

sudo mkdir -p /etc/coredns

Write CoreDNS Configuration File

Create and edit /etc/coredns/Corefile:

sudo vim /etc/coredns/Corefile

Add the following content, replacing <DOMAIN> with your actual domain:

https://.:443 {
    tls /etc/letsencrypt/live/<DOMAIN>/fullchain.pem /etc/letsencrypt/live/<DOMAIN>/privkey.pem
    bind 0.0.0.0
    forward . 1.1.1.1 8.8.8.8
    log
    errors
    cache 300
}

Configuration Explanation:

  • https://.:443: Serves DNS over HTTPS on port 443 for every zone (the "." matches all names); the server block itself sets the port.
  • tls: Specifies the paths to the SSL certificate chain and private key.
  • bind 0.0.0.0: Binds to all network interfaces, allowing external access. The bind plugin takes addresses only; the port comes from the server block above.
  • forward . 1.1.1.1 8.8.8.8: Forwards DNS queries to Cloudflare (1.1.1.1) and Google (8.8.8.8) public DNS servers. This upstream leg is plain DNS; the forward plugin also accepts tls:// upstreams if you want that hop encrypted as well.
  • log and errors: Enables query logging and error logging for debugging.
  • cache 300: Enables DNS caching with a maximum TTL of 300 seconds to improve query speed.

Run CoreDNS Container

Run the CoreDNS container using Docker. Ensure <DOMAIN> is replaced with your actual domain.

sudo docker run -d \
--name coredns \
--restart unless-stopped \
--network host \
-v /etc/coredns:/etc/coredns \
-v /etc/letsencrypt/live/<DOMAIN>/fullchain.pem:/etc/letsencrypt/live/<DOMAIN>/fullchain.pem \
-v /etc/letsencrypt/live/<DOMAIN>/privkey.pem:/etc/letsencrypt/live/<DOMAIN>/privkey.pem \
coredns/coredns \
-conf /etc/coredns/Corefile

Run Explanation:

  • --network host: Uses the host's network stack, so CoreDNS listens directly on the host's port 443.
  • -v /etc/coredns:/etc/coredns: Mounts the host configuration directory into the container for easy management.
  • -v /etc/letsencrypt/live/<DOMAIN>/fullchain.pem and -v /etc/letsencrypt/live/<DOMAIN>/privkey.pem: Mounts the SSL certificate chain and private key into the container to enable HTTPS for CoreDNS. These paths are symlinks into /etc/letsencrypt/archive, which is why the container must be restarted after a renewal.

Verify CoreDNS Running Status

Ensure the CoreDNS container is running and listening on the correct port.

sudo docker ps | grep coredns

You should see output similar to the following, indicating the CoreDNS container is running. Because the container uses host networking, the PORTS column stays empty; confirm the listener on the host with sudo ss -ltnp | grep ':443' instead:

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
<container_id> coredns/coredns "/coredns -conf /etc…" X seconds ago Up X seconds coredns

Configure Clients to Use DoH

After completing the above steps, your DoH server is ready. Next, configure DNS settings on client devices to use https://<DOMAIN>/dns-query as the DoH server address.
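As an added check that is not part of the original post, the script below builds the RFC 8484 GET form of a query by hand, sends it to the /dns-query endpoint, and reads the RCODE from the answer; the base URL https://<DOMAIN> and the query name are placeholders, and curl, base64 and od are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): hand-build an RFC 8484 GET
# request and send it to the CoreDNS DoH endpoint to verify the deployment.

# Print the wire-format DNS query for NAME on stdout (ID 0, RD set, one
# question, type A, class IN). Raw bytes are emitted with printf escapes.
dns_wire_query() {
  # 12-byte header: ID=0x0000, flags=0x0100 (RD), QDCOUNT=1, AN/NS/AR=0
  printf '\000\000\001\000\000\001\000\000\000\000\000\000'
  oldifs=$IFS; IFS=.
  for label in $1; do
    printf "\\$(printf '%03o' "${#label}")"   # label length byte
    printf '%s' "$label"
  done
  IFS=$oldifs
  printf '\000\000\001\000\001'               # root label, QTYPE=A, QCLASS=IN
}

# Same query as a hex string (handy for asserting and for eyeballing).
dns_wire_query_hex() { dns_wire_query "$1" | od -An -v -tx1 | tr -d ' \n'; }

# base64url without padding, as the dns= parameter requires.
base64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# Full GET URL for BASE (https://host) and NAME; /dns-query is CoreDNS's default path.
doh_get_url() {
  printf '%s/dns-query?dns=%s' "$1" "$(dns_wire_query "$2" | base64url)"
}

# RCODE (low 4 bits of byte 3) of a hex-encoded DNS message; 0 means NOERROR.
dns_rcode() {
  byte=$(printf '%s' "$1" | cut -c7-8)
  echo $(( 0x$byte & 15 ))
}

# Send the query and print the answer as hex plus its RCODE. curl verifies the
# chain against the system trust store, so an expired or mismatched Let's
# Encrypt certificate makes this check fail as well.
doh_check() {
  resp=$(curl -sS --fail -H 'accept: application/dns-message' \
           "$(doh_get_url "$1" "$2")" | od -An -v -tx1 | tr -d ' \n')
  [ -n "$resp" ] || return 1
  rcode=$(dns_rcode "$resp")
  printf 'response=%s\nrcode=%s\n' "$resp" "$rcode"
  [ "$rcode" -eq 0 ]
}

if [ "$#" -eq 2 ]; then doh_check "$1" "$2"; fi   # ./doh-check.sh https://<DOMAIN> example.com
```

The same base64url string can be pasted into a browser or curl by hand; a non-zero RCODE or a TLS failure from curl points at the forward or tls lines of the Corefile respectively.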

Automatically Update SSL Certificates

Certificates issued by Let's Encrypt via Certbot are valid for 90 days. Set up a scheduled task that renews the certificate and restarts the CoreDNS container, since the container only picks up the new files on restart.

Create a cron job (in root's crontab) to check and renew the certificate on a schedule:

sudo crontab -e

Add the following:

0 2 1 * * certbot renew --quiet && docker restart coredns

This task runs at 2:00 AM on the 1st of every month, renewing the certificate and restarting the CoreDNS container (sudo is unnecessary because root's crontab already runs as root). Certbot only renews a certificate within 30 days of expiry, so a monthly check can miss that window; a daily schedule (0 2 * * *) is safer, and certbot's --deploy-hook option can run the docker restart only when a renewal actually happened instead of on every pass.


Title: Self-hosted DoH Server Setup
Author: Neurocoda
Created at: 2026-07-03 12:41:58
Updated at: 2026-07-03 13:41:41
Link: https://neurocoda.com/en/posts/self-hosted-doh-server-setup-en/
License: This work is licensed under CC BY-ND 4.0.
