@jordanbtucker
Created July 16, 2020 04:02
10.0.1.2 - - [16/Jul/2020:03:57:51 +0000] "POST /dns-query HTTP/1.1" 200 1300 "-" "Chrome"
10.0.1.2 - - [16/Jul/2020:03:57:52 +0000] "POST /dns-query HTTP/1.1" 200 722 "-" "Chrome"
10.0.1.2 - - [16/Jul/2020:03:57:54 +0000] "POST /dns-query HTTP/1.1" 200 826 "-" "Chrome"
10.0.1.2 - - [16/Jul/2020:03:57:54 +0000] "POST /dns-query HTTP/1.1" 200 1299 "-" "Chrome"
10.0.1.2 - - [16/Jul/2020:03:58:13 +0000] "POST /dns-query HTTP/1.1" 200 1299 "-" "Chrome"
10.0.1.2 - - [16/Jul/2020:03:58:14 +0000] "POST /dns-query HTTP/1.1" 200 783 "-" "Chrome"
10.0.1.2 - - [16/Jul/2020:03:58:21 +0000] "POST /dns-query HTTP/1.1" 200 1303 "-" "Chrome"
10.0.1.2 - - [16/Jul/2020:03:58:45 +0000] "POST /dns-query HTTP/1.1" 200 1300 "-" "Chrome"
10.0.1.2 - - [16/Jul/2020:03:58:53 +0000] "POST /dns-query HTTP/1.1" 200 1289 "-" "Chrome"
10.0.1.2 - - [16/Jul/2020:03:58:54 +0000] "POST /dns-query HTTP/1.1" 200 917 "-" "Chrome"
# Domain related info has been redacted for privacy.
# TLS-terminating front end for the doh-server backend: clients speak HTTPS to
# this vhost and Apache forwards only /dns-query, over plain HTTP, to the
# backend on loopback (matching `listen = "127.0.0.1:8053"` in doh-server.conf).
<IfModule mod_ssl.c>
<VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName [domain]
ServerAlias [aliases]
#ServerAdmin webmaster@localhost
# Everything outside /dns-query is served as static files from this directory.
DocumentRoot /var/www/[domain]
# Send X-Forwarded-For / X-Forwarded-Host / X-Forwarded-Server to the backend;
# doh-server's `log_guessed_client_ip` reads X-Forwarded-For or X-Real-IP so it
# can log the real client instead of 127.0.0.1. Trusting those headers is only
# sound because the backend is reachable solely through this proxy on loopback.
# NOTE(review): presumably a client-supplied X-Forwarded-For is passed along
# with the real address appended; a backend that takes the first entry could
# still log a forged IP -- verify how doh-server picks the address.
ProxyAddHeaders On
# Backend is plain HTTP on loopback only; TLS is terminated by this vhost.
ProxyPass /dns-query http://127.0.0.1:8053/dns-query
ProxyPassReverse /dns-query http://127.0.0.1:8053/dns-query
# Test to ensure X-Forwarded-* headers are being sent (presumably a throwaway
# listener on 3053 that dumps the request headers it receives).
#ProxyPass /dns-query http://127.0.0.1:3053/dns-query
#ProxyPassReverse /dns-query http://127.0.0.1:3053/dns-query
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
# The access log records every /dns-query POST together with the client IP
# (see the excerpt above); that is resolver usage data -- restrict its
# permissions and rotate it like the backend's query log.
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# Protocol and cipher settings come from certbot's shared snippet; review that
# file, not this one, when tightening TLS. Certificate and key are the
# certbot-managed paths; keep privkey.pem readable by root only.
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/[domain]/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/[domain]/privkey.pem
</VirtualHost>
</IfModule>
# doh-server.conf (TOML) for the m13253/dns-over-https backend, run behind the
# Apache vhost above, which terminates TLS and forwards /dns-query here.
# HTTP listen port
# Keep this on loopback: the backend speaks plain HTTP (cert/key are empty
# below) and, with log_guessed_client_ip, trusts proxy-supplied
# X-Forwarded-For / X-Real-IP headers. Binding 0.0.0.0 or [::] would expose an
# unencrypted DoH endpoint and let any client forge the address that is logged.
listen = [
"127.0.0.1:8053",
# "[::1]:8053",
# "0.0.0.0:8053",
# "[::]:8053",
# To listen on both 0.0.0.0:8053 and [::]:8053, use the following line
# ":8053",
]
# Local address and port for upstream DNS
# If left empty, a local address is automatically chosen.
local_addr = ""
# TLS certification file
# If left empty, plain-text HTTP will be used.
# You are recommended to leave empty and to use a server load balancer (e.g.
# Caddy, Nginx) and set up TLS there, because this program does not do OCSP
# Stapling, which is necessary for client bootstrapping in a network
# environment with completely no traditional DNS service.
# Left empty here on purpose: Apache (see the vhost above) terminates TLS.
cert = ""
# TLS private key file
key = ""
# HTTP path for resolve application
# Must match the ProxyPass path in the Apache vhost.
path = "/dns-query"
# Upstream DNS resolver
# If multiple servers are specified, a random one will be chosen each time.
# You can use "udp", "tcp" or "tcp-tls" for the type prefix.
# For "udp", UDP will first be used, and switch to TCP when the server asks to
# or the response is too large.
# For "tcp", only TCP will be used.
# For "tcp-tls", DNS-over-TLS (RFC 7858) will be used to secure the upstream connection.
# NOTE(review): all four upstreams below are plain UDP/53, so each query is
# encrypted only between the client and Apache and leaves this host in clear
# text. The "tcp-tls" prefix documented above (DoT, port 853 per RFC 7858)
# would protect the upstream leg as well -- confirm the exact entry format
# against the project's example config before switching.
upstream = [
# "udp:127.0.0.1:53",
"udp:1.1.1.1:53",
"udp:1.0.0.1:53",
"udp:8.8.8.8:53",
"udp:8.8.4.4:53",
]
# Upstream timeout
# (unit not stated by the project comment; presumably seconds)
timeout = 10
# Number of tries if upstream DNS fails
tries = 3
# Enable logging
# With logging on, every queried name is written to the service's output (see
# the log excerpt below and the StandardOutput=/StandardError= paths in the
# unit file). That log is resolver usage data -- restrict permissions and
# rotate it.
verbose = true
# Enable log IP from HTTPS-reverse proxy header: X-Forwarded-For or X-Real-IP
# Note: http uri/useragent log cannot be controlled by this config
# Only safe because `listen` is loopback-only and the Apache vhost sets
# ProxyAddHeaders On; a header arriving from an untrusted hop would let a
# client choose the address that gets logged.
# NOTE(review): the backend log excerpt below still records 127.0.0.1 as the
# client -- verify that X-Forwarded-For actually reaches the backend (the
# commented-out ProxyPass to port 3053 in the vhost looks like such a test).
log_guessed_client_ip = true
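# systemd unit for the m13253/dns-over-https doh-server backend.
# The daemon listens on a loopback high port (doh-server.conf:
# listen = "127.0.0.1:8053") behind an Apache TLS-terminating reverse proxy,
# so it never needs to bind a privileged port itself.
[Unit]
Description=DNS-over-HTTPS Server
Documentation=https://github.com/m13253/dns-over-https
After=network.target

[Service]
# CAP_NET_BIND_SERVICE is only needed to bind ports below 1024; the shown
# config listens on 8053, so the capability is dropped (least privilege).
# Re-enable it only if `listen` is changed to a privileged port.
#AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=/usr/local/bin/doh-server -conf /etc/dns-over-https/doh-server.conf
LimitNOFILE=1048576
Restart=always
RestartSec=3
Type=simple
# NOTE(review): `nobody` is shared with other services on many systems; a
# dedicated account (or DynamicUser=) isolates the daemon better -- verify the
# log files below stay writable before switching.
User=nobody
# Basic sandboxing: the daemon only needs to read its binary and config and to
# write the log files below, which systemd opens on its behalf. ProtectSystem=
# full leaves /var writable, so the append: targets are unaffected.
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full
# With verbose = true the daemon's output includes one line per queried name,
# so treat these files as sensitive: restrict their permissions and rotate them.
StandardOutput=append:/var/log/doh-server/queries.log
StandardError=append:/var/log/doh-server/errors.log

[Install]
WantedBy=multi-user.target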
127.0.0.1:60426 - - [16/Jul/2020:03:59:37 +0000] "content-autofill.googleapis.com. IN A"
127.0.0.1 - - [16/Jul/2020:03:59:37 +0000] "POST /dns-query HTTP/1.1" 200 107 "" "Chrome"
127.0.0.1:60426 - - [16/Jul/2020:03:59:39 +0000] "gist.github.com. IN A"
127.0.0.1 - - [16/Jul/2020:03:59:39 +0000] "POST /dns-query HTTP/1.1" 200 109 "" "Chrome"
127.0.0.1:60428 - - [16/Jul/2020:03:59:58 +0000] "r26581199.sync.app.asana.com. IN A"
127.0.0.1 - - [16/Jul/2020:03:59:58 +0000] "POST /dns-query HTTP/1.1" 200 145 "" "Chrome"