• DNS Over HTTP
• Custom upstream DNS server option
• Support for custom script execution (/app-config)
• Support for linux/amd64,linux/arm64,linux/arm/v7
• Alpine based tiny images
• A great example of full DOH Server setup using Docker Swarm

• Protect yourself from ISP. They know too much about you as you are using their DNS servers.
• You dont want to use DOH services from DOH providers. (they are just replacing your ISP DNS service)
• https://www.netsparker.com/blog/web-security/pros-cons-dns-over-https/
• https://en.wikipedia.org/wiki/DNS_over_HTTPS

docker run -itd --name doh-server \
    -p 8053:8053 \
    -e UPSTREAM_DNS_SERVER=udp:8.8.8.8:53 \
satishweb/doh-server

services:
  doh-server:
    image: satishweb/doh-server
    hostname: doh-server
    networks:
      - default
    environment:
      DEBUG: "0"
      UPSTREAM_DNS_SERVER: "udp:unbound:53"
      DOH_HTTP_PREFIX: "/getnsrecord"
      DOH_SERVER_LISTEN: ":8053"
      DOH_SERVER_TIMEOUT: "10"
      DOH_SERVER_TRIES: "3"
      DOH_SERVER_VERBOSE: "true"
      # You can add more variables here or as docker secret and entrypoint
      # script will replace them inside doh-server.conf file
    volumes:
      # - ./doh-server.conf:/server/doh-server.conf
      # Mount app-config script with your customizations
      # - ./app-config:/app-config
    deploy:
      replicas: 1
      # placement:
      #   constraints:
      #     - node.labels.type == worker
    depends_on:
      - unbound
    labels:
      - "com.satishweb.description=DNS Over HTTP Service"

• RaspeberryPi/Linux/Mac with Docker preinstalled (Required)
• DNS Server Setup on AWS R53 (Optional)
• AWS Access Key, Secret key and R53 DNS Hosted Zone ID (for LetsEncrypt based auto installation of SSL Certs) (Optional)
• SSL Certificate (Required if your domain DNS hosting is not done at AWS)

• Visit https://github.com/satishweb/docker-doh/releases and download latest release to your server

wget https://github.com/satishweb/docker-doh/archive/v2.2.1.zip
unzip v2.2.1.zip
cp -rf docker-doh-2.2.1/examples/docker-swarm-doh-server doh-server
rm -rf v2.2.1.zip docker-doh-2.2.1
cd doh-server

• Edit services/cert-manager/docker-service.yml and update below variables

Note: This is to be done only if you intend to automatically setup SSL certificate using AWS DNS Hosting

DOMAIN_1
CERTBOT_EMAIL
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_REGION
AWS_HOSTED_ZONE_ID

• If you do not have AWS DNS Hosting, you need to add your SSL certificate manually

Note: You need your SSL certificate, CA Certificates and Private Key to complete below SSL configuration. You may use letsencrypt to generate a free certificate.

mkdir -p data/proxy/certs
# Generate Certificate Chain using below command
cat your-ssl-certicate.pem your-ca-certificate.pem your-private-key.pem > data/proxy/certs/YOURDOMAIN.COM.combined.pem

• Add your custom hosts to override DNS records if needed.

Note: This is optional unless you have certain DNS records that needs to be resolved/overridden locally.

mkdir -p data/unbound
vi data/unbound/custom.hosts

• File Path: data/unbound/custom.hosts
• File Contents Format:

local-zone: "SUB1.YOURDOMAIN.COM" redirect
local-data: "SUB1.YOURDOMAIN.COM A 192.168.0.100"
local-zone: "SUB2.YOURDOMAIN.COM" redirect
local-data: "SUB2.YOURDOMAIN.COM A 192.168.0.101"

• Start DNS server with Auto SSL Cert generation using LetsEncrypt and AWS DNS Hosting

./launch.sh unbound cert-manager proxy swarm-listener doh-server

• Start DNS Server with custom SSL certificate

./launch.sh unbound proxy swarm-listener doh-server

• Stop DNS Server:

Note: This will remove services but does not delete data

./remove.sh

• How to check if all is running well?

Note: Check if all services are launched successfully

docker service ls

• How to see logs of service?

docker service logs -f dns_unbound

• What is my DOH address?

Note: This is your server DNS name that you set up

https://dns.YOURDOMAIN.COM/getnsrecord

• Login to your router and search for DHCP settings
• Setup DNS settings to the IP of your DOH server.

Note: This will make all your client systems/phones connected to your router use this your DNS server. Note: This will not make clients use DOH but it will end up using unbound private DNS service that protects you from ISP.

• Install Cloudflared for Linux, Mac, Windows using below link

https://developers.cloudflare.com/argo-tunnel/downloads/

• Set your DOH server as upstream for cloudflared with below configuration
  • Linux: /usr/local/etc/cloudflared/config.yml
  • Mac: /usr/local/etc/cloudflared/config.yaml
  • Windows: God knows where, I dont have windows!

proxy-dns: true
proxy-dns-upstream:
 - https://dns.YOURDOMAIN.COM/getnsrecord

Note: You will need to ensure dnsmasq is uninstalled from your client system before using cloudflared

• Install Infra app from Play Store

https://play.google.com/store/apps/details?id=app.intra&hl=en_US

• Configure infra app to use your DOH server

Infra App -> Settings -> Select DNS over HTTPS Server -> Custom server URL
Value: https://dns.YOURDOMAIN.COM/getnsrecord

docker build . --no-cache -t satishweb/doh-server

docker pull satishweb/doh-server

• DOH Server: https://github.com/m13253/dns-over-https