DoH Server



Hello Stackers, this time we are sharing how to create a DoH server, prompted by our admiration for the technique China uses with its GFW and DNS poisoning. I assume we already know what DoH (DNS over HTTPS) is.

Okay, let's start. First, install Nginx:

sudo apt update
sudo apt install nginx

Next, run the following command to install DoH Docker:

docker run -itd --restart=always --name doh-server \
  -p 127.0.0.1:8053:8053 \
  -e UPSTREAM_DNS_SERVER="udp:1.1.1.1:53" \
  -e DOH_HTTP_PREFIX="/dns-query" \
  -e DOH_SERVER_LISTEN=":8053" \
  -e DOH_SERVER_TIMEOUT="10" \
  -e DOH_SERVER_TRIES="3" \
  -e DOH_SERVER_VERBOSE="false" \
  satishweb/doh-server

I set DOH_SERVER_VERBOSE to false because I eventually want to make this a public server that anyone can use, so I deliberately turned off the logs: that way even I don't know which websites my server's DoH users are visiting (a privacy issue). If we plan to use this DoH server for private purposes, it is a good idea to set the value to true so that we can inspect all DNS queries there. The Docker image we are using here is the one from satishweb.

Well, for the Nginx server block, here's the basic configuration:

server {
  listen       443 ssl http2;
  listen       [::]:443 ssl http2;
  server_name  doh.example.net;
  server_tokens off;

  ssl_protocols TLSv1.2 TLSv1.3;          # TLS 1.3 requires nginx >= 1.13.0
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/ssl/certs/dhparam.pem; # openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
  ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
  ssl_ecdh_curve secp384r1;               # Requires nginx >= 1.1.0
  ssl_session_timeout  10m;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;                # Requires nginx >= 1.5.9
  ssl_stapling on;                        # Requires nginx >= 1.3.7
  ssl_stapling_verify on;                 # Requires nginx >= 1.3.7
  ssl_early_data off;                     # 0-RTT, enable if desired - Requires nginx >= 1.15.4
  resolver 1.1.1.1 valid=300s;            # Replace with your local resolver
  resolver_timeout 5s;

  # HTTP Security Headers
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  add_header Strict-Transport-Security "max-age=63072000";
  ssl_certificate /etc/nginx/ssl/example.net/cert.pem;
  ssl_certificate_key /etc/nginx/ssl/example.net/cert.key;
  location /dns-query {
    # The container is published on 127.0.0.1 only, so use that address rather than
    # "localhost", which nginx may resolve to ::1 and then fail to connect.
    proxy_pass       http://127.0.0.1:8053/dns-query;
    proxy_set_header Host      $host;
    proxy_set_header X-Real-IP $remote_addr;
  }
}

Customize whatever needs to be adjusted for your setup, then restart Nginx to apply the changes. For the TLS certificate, we can use Let's Encrypt. For DoH clients, we can use Cloudflare's client or DoH Client; on a smartphone, we can use DNSCloak.

Okay, that's all folks, see you in the next post.

Bima Sena
