@chew-z
Created March 16, 2019 17:36
Minimal nginx for DNS-over-TLS and DNS-over-HTTP
upstream dns-backend {
    server 127.0.0.1:8053;
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name www.example.com;
    root /var/www/html;

    # $allowed_country comes from the geoip2 map in nginx.conf; 444 closes the connection without a response
    if ($allowed_country = 0) { return 444; }

    location /generate_204 { return 204; }

    # DNS-over-HTTPS (DoH): TLS terminates here, the DoH backend on 8053 speaks plain HTTP
    location /dns-query {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_redirect off;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 86400;
        proxy_pass http://dns-backend/dns-query;
        access_log off;
    }

    location / {
        try_files $uri /index.html;
    }

    # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
}

# http redirects to https - for domain calls not via IP
server {
    listen 80;
    listen [::]:80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}
# https://gist.github.com/plentz/6737338
user www-data;
worker_processes auto;
pid /run/nginx.pid;

# an events block is mandatory in nginx.conf (not shown in the original gist; values follow the plentz gist above)
events {
    worker_connections 768;
}

#
# DNS-over-TLS
#
stream {
    log_format stream '$time_local $session_time '
                      '[$remote_addr]:$remote_port '
                      '$status $bytes_sent $bytes_received';
    # access_log /var/log/nginx/stream.log stream;
    access_log off;

    upstream dns-servers {
        server 127.0.0.1:53;
    }

    server {
        listen 853 ssl;
        proxy_pass dns-servers;
        # proxy_responses only applies to UDP proxying; DoT is TCP, so this is a no-op here
        proxy_responses 1;
        proxy_timeout 15s;
        ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1.2;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA;
        ssl_handshake_timeout 2s;
        ssl_session_cache shared:DNS:32m;
        ssl_session_timeout 15m;
        ssl_session_tickets on;
    }
}

http {
    #
    # Block by country with GeoIP (requires ngx_http_geoip2_module)
    #
    geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
        auto_reload 45m;
        $geoip2_metadata_country_build metadata build_epoch;
        $geoip2_country_code default=US source=$remote_addr country iso_code;
    }
    map $geoip2_country_code $allowed_country {
        default 0;
        NL 1;
        PL 1;
    }

    # enable session resumption to improve https performance
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    # Enable session tickets (encrypted with a randomly generated key unless ssl_session_ticket_key is set)
    ssl_session_tickets on;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.1 1.1.1.1 valid=60s;
    resolver_timeout 3s;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Virtual Host Configs
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
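The two backends in this configuration receive the same DNS message in different framings: the stream server on 853 decrypts DNS-over-TLS (RFC 7858, a 2-byte length prefix per message) and forwards the bytes unchanged to 127.0.0.1:53, while the http server's location /dns-query forwards DNS-over-HTTPS requests (RFC 8484, base64url in the dns parameter for GET) to the DoH backend on 8053. The following Python is an added example, not part of the gist, that builds a query and shows both framings; the query name and all function names are constructed for illustration.

```python
import base64
import struct
from typing import List

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal RFC 1035 wire-format query (one question, RD flag set).
    txid=0 is what RFC 8484 recommends for DoH so that GET URLs are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label: %r" % label)
        qname += bytes([len(label)]) + label.encode("ascii")
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def dot_frame(msg: bytes) -> bytes:
    """DNS over TLS (RFC 7858) is TCP DNS inside TLS: a 2-byte big-endian length
    prefix per message. This is what the stream server on 853 decrypts and
    forwards byte-for-byte to the resolver on 127.0.0.1:53."""
    return struct.pack("!H", len(msg)) + msg

def parse_dot_frames(data: bytes) -> List[bytes]:
    """Split a (decrypted) DoT/TCP byte stream back into DNS messages. The
    length prefix is the only framing, so an incomplete trailing message is
    left unparsed rather than guessed at."""
    msgs, off = [], 0
    while off + 2 <= len(data):
        n = struct.unpack("!H", data[off:off + 2])[0]
        if off + 2 + n > len(data):
            break
        msgs.append(data[off + 2:off + 2 + n])
        off += 2 + n
    return msgs

def doh_get_path(msg: bytes, path: str = "/dns-query") -> str:
    """DNS over HTTPS (RFC 8484) GET form: the message base64url-encoded with
    padding stripped, in the `dns` query parameter. This is the request that
    the http server's `location /dns-query` proxies to the backend on 8053."""
    return "%s?dns=%s" % (path, base64.urlsafe_b64encode(msg).rstrip(b"=").decode())

def doh_get_message(path: str) -> bytes:
    """Inverse of doh_get_path, as the DoH backend sees it: restore the
    padding RFC 8484 strips, then decode."""
    enc = path.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))
```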
chew-z commented Mar 16, 2019

Let's Encrypt certificate installation for nginx on Debian 9 (stretch)

Best and quite easy tool to install modern nginx from source

You will have to edit that script (after each script update) and add two lines installing the stream module for nginx,
ca. line 220:

    --with-stream \
    --with-stream_ssl_module \

Notes how to improve Nginx performance, security and other important things

Tutorial to set up your own DNS-over-HTTPS (DoH) server
