https://github.com/masx200/doh_server
https://github.com/maurorappa/doh_server
Last synced: 6 days ago
- Host: GitHub
- URL: https://github.com/masx200/doh_server
- Owner: masx200
- License: gpl-3.0
- Created: 2024-01-20T16:20:12.000Z (10 months ago)
- Default Branch: master
- Last Pushed: 2024-01-20T16:20:22.000Z (10 months ago)
- Last Synced: 2024-04-16T20:13:04.516Z (7 months ago)
- Language: Go
- Homepage:
- Size: 1.83 MB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# DoH_server
Run your own DNS-over-HTTPS (HTTP/2 + TLS) server. To get it running quickly:
1. make a `doh` directory
2. copy `doh-server.conf` into it and edit it to suit your needs
3. copy the certificate and private key into it; for example, if you used Letsencrypt with certbot:
```
cp /etc/letsencrypt/live/doh.yapily.com/cert.pem doh/
cp /etc/letsencrypt/live/doh.yapily.com/privkey.pem doh/
```
4. run the container, mounting the directory read-only: `docker run -it -p 443:443 -v /home/mauro/doh:/svc:ro privatesurfing/doh`
Docker images are available here: https://hub.docker.com/repository/docker/privatesurfing/doh
Info on browser setup:
https://support.mozilla.org/en-US/kb/firefox-dns-over-https
https://windowsloop.com/enable-dns-over-https-chrome/
https://daniel.haxx.se/blog/2018/06/03/inside-firefoxs-doh-engine/
https://github.com/coredns/coredns/issues/1650
https://pypi.org/project/doh-cli/
# FAQs:
- Can I use plain HTTP? No, by design you need HTTPS with a proper certificate.
- Shall I run it as a service or as a container? Being a service exposed over the Internet, you should use a container to isolate it from the OS; if you want to run it on the plain OS, consider using FireJail.
- Do you think my code is crappy? Help me to write a better one!
- Is it a secure 'container'? The server, a static hardened Go binary, is the only process, and it does not make any outgoing connections other than DNS queries.
# Tips for implementation:
- I use the standard HTTPS port (443) to run this service so my Firefox can use it even behind a corporate firewall (even if they have a proxy, they can see my surfing activity anyway).
# Enhancement to the original project
(https://github.com/m13253/dns-over-https):
- use of the strongest TLS ciphers, random SessionTicket for every connection *
- ability to skip IPv6 DNS queries to speed up resolution (details here: https://github.com/m13253/dns-over-https/pull/19)
- instead of DNS round-robin, I implemented a primitive algorithm that uses the fastest DNS server out of the specified pool and continually monitors which server is the fastest
- IP whitelisting: only authorized IPs/networks can use it
- a `/stat` page provides upstream DNS latency and relative usage
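The IP whitelisting bullet above is the access-control boundary for a resolver exposed on the public Internet: with no per-user authentication, the allowed source networks are what stops the server from becoming an open resolver. The following is an added example, written for this page and not code from the doh_server project, of how such a check can be expressed in Go as an `http.Handler` wrapper. The config format, the `/dns-query` path and the `:443` listener are assumptions (the project's own config keys are not described on this page); the `doh/cert.pem` and `doh/privkey.pem` paths follow the README's step 3. The client address is taken from the TCP peer (`r.RemoteAddr`) rather than from `X-Forwarded-For`, because the README runs the container directly on port 443 with no trusted proxy in front, and forwarded headers would otherwise be under the client's control.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
)

// allowList holds the parsed networks that are permitted to query the resolver.
type allowList struct {
	nets []*net.IPNet
}

// newAllowList parses a list of CIDR strings. A bare IP address without a
// prefix length is accepted and treated as a single host (/32 or /128).
func newAllowList(entries []string) (*allowList, error) {
	al := &allowList{}
	for _, e := range entries {
		e = strings.TrimSpace(e)
		if !strings.Contains(e, "/") {
			ip := net.ParseIP(e)
			if ip == nil {
				return nil, fmt.Errorf("allowlist: %q is neither an IP nor a CIDR", e)
			}
			if ip.To4() != nil {
				e += "/32"
			} else {
				e += "/128"
			}
		}
		_, n, err := net.ParseCIDR(e)
		if err != nil {
			return nil, fmt.Errorf("allowlist: %w", err)
		}
		al.nets = append(al.nets, n)
	}
	return al, nil
}

// permits reports whether ip falls inside any allowed network.
func (al *allowList) permits(ip net.IP) bool {
	for _, n := range al.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP extracts the peer address from an http.Request.RemoteAddr value
// ("host:port" or "[v6]:port"). Forwarded headers are deliberately ignored.
func clientIP(remoteAddr string) net.IP {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port present; try the raw value
	}
	return net.ParseIP(host)
}

// middleware rejects requests from addresses outside the allowlist with 403
// before they reach the DoH handler, and logs the denial for monitoring.
func (al *allowList) middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip := clientIP(r.RemoteAddr)
		if ip == nil || !al.permits(ip) {
			log.Printf("denied %s %s %s", r.RemoteAddr, r.Method, r.URL.Path)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample allowlist: a home network, one office host, a v6 range.
	al, err := newAllowList([]string{"10.0.0.0/8", "192.0.2.10", "2001:db8::/32"})
	if err != nil {
		log.Fatal(err)
	}
	// Placeholder DoH handler; the real resolver logic would go here.
	dnsQuery := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/dns-message")
		w.WriteHeader(http.StatusOK)
	})
	mux := http.NewServeMux()
	mux.Handle("/dns-query", al.middleware(dnsQuery))
	// HTTPS only, matching the README's FAQ; paths follow step 3 of the setup.
	log.Fatal(http.ListenAndServeTLS(":443", "doh/cert.pem", "doh/privkey.pem", mux))
}
```

Denials are logged with the peer address, method and path, which is the signal to watch when the service is reachable from the Internet: a steady stream of 403s from unexpected networks means the listener has been discovered, even though nothing was resolved for them.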
# ToDo
- write some test code
# References
* https://blog.ungleich.ch/en-us/cms/blog/2018/08/04/mozillas-new-dns-resolution-is-dangerous/
* https://www.ispreview.co.uk/index.php/2019/09/firefox-says-no-dns-over-https-doh-by-default-for-uk.html
* https://blog.filippo.io/we-need-to-talk-about-session-tickets/
* https://blog.twitter.com/engineering/en_us/a/2013/forward-secrecy-at-twitter.html