My DoH server ended up on a random list on Github at some point. I noticed when I saw what seemed like a small country suddenly use my DoH server.
Blacklisting the entire country worked, after that I moved my actual DoH resolver to a subpath. Because it's HTTPS, you can just run your DoH server at https://my-doh.example.com/066c591f-c976-4095-85fe-a49e62577.... Not as easy to remember, but you can send yourself and anyone you want to share the server with a link.
Other things to consider when setting up your own DoH server: setting up HTTP3 with HTTPS records and the like, 0-RTT TLS for the query server, ODoH support (upstream or as an endpoint directly), and of course DNSSEC validation (because you can't trust your clients to do the validation themselves).
For DoT this is a lot harder. A random IPv6 address should work, but then you're stuck having to fall back to something else on networks with only legacy IP support.
From a practical viewpoint: the desktop tower in the corner of my room that acted as my NAS+router+home server+home assistant was running quite hot and the poor undervolted i3 CPU wasn't able to keep up.
>ODoH support (upstream or as an endpoint directly)
Is there client support without installing third party apps? Such apps usually use a VPN connection to operate, which means you can't use another VPN at the same time as ODoH, which is a major disadvantage.
dnscrypt supports ODoH so any device capable of running that will do. Other than that, you'll need individual app support (like browsers for instance).
If you want support on mobile devices without VPN-like apps, I think the best way to set it up would be to run something like a PiHole or equivalent, configure dnscrypt as your upstream, and then set up DoH/DoT from your phone to your DNS server. Mobile phones can do DoT/DoH natively already, but I don't think any commercial mobile OS has extended support to ODoH.
In theory you may be able to run dnscrypt in the background and point your DNS resolver to that, but I doubt it'll work reliably.
Seems this got into the second chance pool or something like that. One thing I forgot to add to this is that if your Linux repo does not have a build of Unbound that contains the libnghttp2 library (required to enable the DoH HTTPS listener), please politely request that the package maintainer build with that library, so that more people can have their own DoH service without having to recompile Unbound.
It should be able to handle infinitely high request rates but I do block a lot of things that may be bots. I will let archive.is back in for a min and make an archive of this page.
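An Unbound configuration fragment that puts the points from this thread together: the DoH listener (which needs the libnghttp2 build mentioned above), the resolver moved off the default /dns-query path to a long random subpath, server-side DNSSEC validation, and a dropped netblock for the scraper traffic. This is an added example, not configuration from the original posts; the key/cert paths, the UUID-style path and the blocked netblock are constructed placeholders.

```conf
server:
    # DoH listener: HTTPS on 443 for IPv4 and IPv6.
    interface: 0.0.0.0@443
    interface: ::0@443
    https-port: 443
    tls-service-key: "/etc/unbound/doh.key"   # placeholder: your private key
    tls-service-pem: "/etc/unbound/doh.pem"   # placeholder: your certificate chain

    # Serve the resolver on an unguessable path instead of the default
    # "/dns-query", so anything that only probes the well-known path finds
    # nothing. Constructed placeholder; generate your own with `uuidgen`.
    http-endpoint: "/11111111-2222-4333-8444-555555555555"

    # Validate DNSSEC on the server; clients cannot be trusted to do it.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Access control. Unbound refuses everything except localhost by default,
    # so a public DoH server must allow the world explicitly...
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow
    # ...and the most specific netblock wins, so a narrower "deny" (silent
    # drop, no REFUSED answer to feed back to bots) carves out the unwanted
    # range. 203.0.113.0/24 is a documentation-range placeholder for the
    # country/netblock you want gone.
    access-control: 203.0.113.0/24 deny
```

Before relying on this, confirm the binary was built with DoH support: `unbound -V` prints the linked libraries and should list nghttp2, and `unbound-checkconf` will reject `http-endpoint` on a build that lacks it.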
I see you've mentioned using a VPS for this. Suppose I want a DoH server for private use; is there a reason for me not to host it on my homeserver instead?
I suppose my ISP could see the server's DNS queries, but so could the VPS provider, and precaching Cloudflare's top 20k domains seems to provide some level of obfuscation anyways.
I am doing exactly that. I have Unbound running on my firewall/router running Alpine Linux and everything talks to port 443 (DoH). I only set up public DoH servers when people are asking for one or if I am going to be out and about. I had one set up as a demo but there was not much interest in it so I nuked the VM and just left my how-to document in place.
Wouldn't that mean that your requests are more hidden, instead of sticking out and being more susceptible to a side channel attack?
Why would it be? Is there some client/OS that doesn't support custom paths for DoH?
https://en.wikipedia.org/wiki/DNS_over_HTTPS
Archive [1]
[1] - https://archive.ph/cdawK
* https://blog.cloudflare.com/oblivious-dns/
solved the SNI problem
if this says SNI=plaintext your ISP knows where you are going anyway
* https://one.one.one.one/cdn-cgi/trace
[1] - https://tls-ech.dev/
* https://blog.cloudflare.com/encrypted-client-hello/
what's weird is my ancient version of chrome passes ECH
but my Firefox ESR does not have ECH and I cannot figure out how to turn it on in about:config, googling fails me
wait! found it, 3rd time's the charm
set to TRUE = ECH enabled, passes test
* https://www.cloudflare.com/ssl/encrypted-sni/