https://github.com/yegle/your-dns

A docker-compose file to provide a secure adblocking DNS server
dns-over-https dns-over-tls dns-server

Last synced: about 2 months ago

README

# your-dns
A docker-compose file to provide a secure adblocking DNS server

**NOTE**: if you are interested in a hosted solution, please take a look at
[nextdns.io](https://nextdns.io). I'm not affiliated with nextdns.io.

**NEW**: Try using `your-dns.run` as a DNS-over-TLS server. You can use this
domain with the "Private DNS" feature in Android 9 (Pie) and later. This server
is set up using the `your-dns-run` branch of this repo.

## Goal

Run a secure DoT (DNS-over-TLS) and DoH (DNS-over-HTTPS) DNS server that
can do ad blocking and hide your DNS queries from your ISP.

## Non Goal

Hiding your DNS queries from the upstream recursive DNS server. Why? Because
to me, hiding my trail from the various ISPs (Verizon, AT&T, and whichever
ISP sits behind a public WiFi) is more important.

## Privacy Tradeoffs

We are running a DNS forwarder, not a full recursive resolver. Running a
forwarder that connects to an upstream DNS server over an encrypted
connection does hide your DNS queries from your ISP, but it also leaks your
web history (in the form of DNS queries) to that upstream DNS provider.

Your web history also remains visible to your ISP until ESNI (or its
successor, Encrypted Client Hello, ECH) is widely adopted: the hostname you
connect to is sent in cleartext in the SNI extension of the TLS ClientHello,
no matter how the name was resolved. Even with ESNI/ECH, it is still easy for
the ISP to infer your web history from the IP addresses you connect to.

The main benefit of running a forwarder that communicates securely with the
upstream DNS server is that your ISP cannot manipulate your DNS query
results (DoT/DoH verify the upstream server's certificate, so an on-path
attacker can neither read nor rewrite the answers), e.g. hijack `NXDOMAIN`
responses to show ads, force traffic through a transparent proxy (with more
and more sites offering HTTPS, this is less of a concern), and so on.

So there is a trade-off: you need to decide whether that benefit outweighs
the reduced privacy towards the upstream resolver. Personally, making it
harder for the ISP to learn my web history is a good enough reason.
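To make the SNI point above concrete, here is an added example (not code from the your-dns repo or its author): it constructs a minimal TLS ClientHello record and pulls the server name out of it the way a passive observer on the path would. The ClientHello bytes are constructed by the script itself, not captured traffic, and `build_client_hello(None)` stands in for what an ESNI/ECH handshake exposes on the wire.

```python
"""Added example (not code from the your-dns repo): show what a passive
observer such as your ISP still learns from a TLS connection even when the
DNS lookup itself went over DoT/DoH -- the hostname in the cleartext SNI
extension of the ClientHello.  The ClientHello bytes are constructed here,
not captured traffic."""
import os
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type (RFC 6066)


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2-style ClientHello record.  server_name=None
    omits the SNI extension, which is roughly what an ESNI/ECH handshake
    exposes on the wire (the real name lives in an encrypted inner hello)."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = struct.pack("!BH", 0, len(host)) + host     # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry          # ServerNameList
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    # one unrelated extension so the parser has to skip over something
    extensions += struct.pack("!HH", 0x000B, 2) + b"\x01\x00"   # ec_point_formats
    body = (
        b"\x03\x03"                                     # client_version = TLS 1.2
        + os.urandom(32)                                # random
        + b"\x00"                                       # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2b"    # two cipher suites
        + b"\x01\x00"                                   # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the SNI extension of a ClientHello
    record, or None if the record is not a ClientHello, is truncated, or has
    no SNI.  This is all an on-path observer needs to log your web history."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                                  # truncated record
        pos = 2 + 32                                     # skip version + random
        pos += 1 + body[pos]                             # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                             # compression_methods
        if pos + 2 > len(body):
            return None                                  # no extensions block
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            lpos = 2                                     # skip ServerNameList length
            while lpos + 3 <= len(data):
                ntype, nlen = struct.unpack("!BH", data[lpos:lpos + 3])
                lpos += 3
                name = data[lpos:lpos + nlen]
                lpos += nlen
                if ntype == 0:
                    return name.decode("idna")
        return None
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    for name in ("example.com", None):
        hello = build_client_hello(name)
        print(f"SNI visible on the wire: {extract_sni(hello)!r}")
```

Nothing in this parse depends on DNS: the name is recovered from the first packet of the TLS connection, which is why DoT/DoH alone does not hide which sites you visit from whoever carries the traffic.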

## All components in this stack

![overview of components](https://g.gravizo.com/source/svg?https://raw.githubusercontent.com/yegle/your-dns/master/graph.dot)

1. [Adguard Home](https://github.com/AdguardTeam/AdGuardHome): Ad
blocking DNS server with native DoT/DoH support.
1. [Pomerium](https://pomerium.io): An identity-aware reverse proxy. This
allows me to remotely access AdGuard Home's web UI. More importantly,
Pomerium is used to obtain TLS certificates automatically from Let's
Encrypt.
([reference](https://www.pomerium.io/reference/))
1. Optional: [Autoheal](https://github.com/willfarrell/docker-autoheal):
Auto-restart containers that fail their health check.
1. Optional: [Ouroboros](https://github.com/pyouroboros/ouroboros): Auto-pull
the latest version of each container. Note that this means unreviewed
upstream image changes land in your resolver automatically; pin image tags
instead if that matters to you.

**NOTE**: Previously Pihole+CoreDNS was used. That setup is deprecated. If
you are still looking for it, take a look at the `pihole` branch.

## Prerequisites

1. Install Docker ([how](https://docs.docker.com/v17.12/install/)) and the
`docker-compose` command
([how](https://docs.docker.com/compose/install/)).
1. Know how to DNAT TCP port 853 from your public IP to the server running
the stack. Alternatively, if you have IPv6, allow inbound access to
dport=853 on your server.

## Run the stack

The following instructions start a set of containers that expose a
DNS-over-TLS service on port 853 and forward your queries through AdGuard
Home to Cloudflare DNS.

By default the setup uses Cloudflare's 1.1.1.1 as the upstream DNS server.
You can specify a different DNS-over-TLS upstream in the AdGuard Home
configuration (`adguard/conf/AdguardHome.yaml`; the `Corefile` is the CoreDNS
configuration of the deprecated Pihole+CoreDNS setup on the `pihole` branch).
A list of DNS-over-TLS name servers is available at
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers.

1. Create a network called `infra_network`. (Why not create the network
in the compose file? Because a compose file cannot *create* the `default`
network, it can only *replace* it with an `external` one.)
```
docker network create --subnet 172.30.0.0/16 infra_network
```
1. Rename `example.env` to `.env` and update the values in the file. See
the comment in that file for instructions.
1. Rename `adguard/conf/AdguardHome.yaml.example` to
`adguard/conf/AdguardHome.yaml`.
1. Update the `tls_server_name` in `pomerium.yaml` to match the actual
domain name you will use.
1. `docker-compose up -d` and you are done :-)
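Once the stack is up, two things are worth confirming from outside your network: that port 853 really speaks DNS-over-TLS behind a certificate that validates for your domain, and that the `NXDOMAIN` hijacking described under Privacy Tradeoffs is absent end to end. The following is an added example, not part of the your-dns repo: a minimal DoT client that builds and parses DNS messages itself. It assumes the endpoint name `your-dns.run` (override with a `DOT_SERVER` environment variable; both are assumptions for this example) and that the name you pass matches the certificate the server presents.

```python
"""Added example (not code from the your-dns repo): a minimal DNS-over-TLS
(RFC 7858) client to verify a freshly deployed stack from the outside.  It
sends one query to TCP/853 over TLS with certificate and hostname
verification, parses the reply, and checks that a random nonexistent name
really comes back NXDOMAIN instead of a forged A record.  The server name
`your-dns.run` and the DOT_SERVER variable are assumptions for this example."""
import os
import secrets
import socket
import ssl
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, txid=None):
    """Wire-format DNS query with RD=1 for `name` (qtype 1 = A)."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        lab = label.encode("idna")
        qname += bytes([len(lab)]) + lab
    qname += b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) name at `pos`."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos


def parse_response(msg, expected_txid=None):
    """Parse a DNS response; return rcode, answer count and any A rdata."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4     # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & 0x0F, "answers": an, "a_records": addrs}


def looks_hijacked(resp):
    """For a response to a name that must not exist: a resolver that turns
    NXDOMAIN into a synthetic A record (the ad/search-redirect behaviour
    described under Privacy Tradeoffs) shows up as a non-NXDOMAIN rcode with
    A records attached."""
    return resp["rcode"] != 3 and len(resp["a_records"]) > 0


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(name, server, port=853, server_name=None, timeout=5.0):
    """Send one query over DNS-over-TLS and return parse_response()'s dict.
    `server_name` is the name to verify the certificate against when
    `server` is an IP address."""
    ctx = ssl.create_default_context()     # CA verification + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    q = build_query(name)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or server) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)   # RFC 7858 length prefix
            (n,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, n), struct.unpack("!H", q[:2])[0])


if __name__ == "__main__":
    server = os.environ.get("DOT_SERVER", "your-dns.run")  # assumed endpoint name
    print("example.com ->", dot_query("example.com", server))
    probe = secrets.token_hex(6) + ".example.com"            # should not exist
    r = dot_query(probe, server)
    verdict = "HIJACKED" if looks_hijacked(r) else "clean"
    print(probe, "->", RCODE_NAMES.get(r["rcode"], r["rcode"]), verdict)
```

A TLS handshake failure here means the certificate does not match the name you queried (check `tls_server_name` in `pomerium.yaml` and your DNAT), and a `NOERROR` with an A record for the random probe means something between you and the upstream is still rewriting `NXDOMAIN`.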

## TODO

None