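=== INSTALL SQUID ===
sudo apt install squid
sudo systemctl status squid
# keep a pristine copy of the shipped config before editing it
sudo cp /etc/squid/squid.conf{,.original}
# Squid's Basic auth sends the username/password in cleartext on every request, so
# anyone who can see proxy traffic can read the credential. Expose 3128 to the LAN
# only (the same subnet the DNS rules below trust) instead of `ufw allow 'Squid'`,
# which opens it on every interface.
sudo ufw allow from 192.168.0.0/24 to any port 3128 proto tcp
# Create the htpasswd entry. With no password argument `openssl passwd` prompts for
# it, so it never lands in shell history or `ps` output. `-apr1` (MD5-based)
# replaces `-crypt`, which is legacy DES and silently truncates the password to
# 8 characters; basic_ncsa_auth accepts both formats.
printf 'user:%s\n' "$(openssl passwd -apr1)" | sudo tee -a /etc/squid/htpasswd
# the auth helper runs as squid's service user (proxy on Debian/Ubuntu); it only
# needs read access, nobody else needs any
sudo chown root:proxy /etc/squid/htpasswd
sudo chmod 640 /etc/squid/htpasswd
# locate the helper: current packages ship it under /usr/lib/squid/, older squid3
# packages under /usr/lib/squid3/ - use whichever path this prints
ls /usr/lib/squid*/basic_ncsa_auth
sudo nano /etc/squid/squid.conf
# --- add/adjust in /etc/squid/squid.conf (helper path from the ls above) ---
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/htpasswd
auth_param basic realm proxy
# REQUIRED matches any user the helper accepts; the acl fails unless credentials were sent
acl authenticated proxy_auth REQUIRED
# ...
#http_access allow localnet
http_access allow localhost
http_access allow authenticated
# And finally deny all other access to this proxy
http_access deny all
# --- end squid.conf ---
# validate the config first so a typo does not leave the proxy down after restart
sudo squid -k parse
sudo systemctl restart squid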
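==== INSTALL BIND 9 ===
sudo apt install bind9 bind9utils bind9-dnsutils bind9-doc bind9-host
sudo systemctl enable named
sudo nano /etc/bind/named.conf.options
# --- inside the options { ... } block of /etc/bind/named.conf.options ---
// hide version number from clients for security reasons.
version "not currently available";
// optional - BIND default behavior is recursion
recursion yes;
// provide recursion service to trusted clients only. Note that dnsdist (configured
// below) forwards every query from 127.0.0.1, so for DoH clients it is dnsdist's own
// ACL, not this list, that decides who may recurse.
allow-recursion { 127.0.0.1; 192.168.0.0/24; 10.10.10.0/24; };
// enable the query log (every client IP and queried name ends up in the log file
// configured below - keep that in mind for privacy and disk usage)
querylog yes;
# --- end named.conf.options ---
# syntax-check before restarting; a broken file would leave the host without DNS
sudo named-checkconf
sudo systemctl restart named
# second line of defence behind allow-recursion; "port 53" without a protocol covers UDP and TCP
sudo ufw allow in from 192.168.0.0/24 to any port 53
dig A google.com @192.168.0.199
# point the local stub resolver at BIND
sudo nano /etc/systemd/resolved.conf
DNS=127.0.0.1
# systemd-resolved only re-reads its config on restart
sudo systemctl restart systemd-resolved
resolvectl status   # older releases: systemd-resolve --status
# --- logging: create /etc/bind/named.conf.log, then include it from named.conf ---
sudo tee /etc/bind/named.conf.log >/dev/null <<'EOF'
logging {
  channel bind_log {
    file "/var/log/named/bind.log" versions 3 size 5m;
    severity info;
    print-category yes;
    print-severity yes;
    print-time yes;
  };
  category default { bind_log; };
  category update { bind_log; };
  category update-security { bind_log; };
  category security { bind_log; };
  // useful for troubleshooting, but grows quickly and records client IPs/names;
  // drop this line (and "querylog yes" above) if that is not wanted
  category queries { bind_log; };
  category lame-servers { null; };
};
EOF
# named runs as the bind user; it cannot create bind.log in a root-owned directory
sudo mkdir -p /var/log/named/
sudo chown bind:bind /var/log/named/
sudo nano /etc/bind/named.conf
include "/etc/bind/named.conf.log";
sudo named-checkconf
sudo systemctl restart named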
=== INSTALL DNSDIST ===
sudo apt install dnsdist
# Placeholder config so the service starts cleanly: BIND is already answering on port 53
# of this host, so dnsdist is parked on loopback:5353. The real (DoH) listener is added
# in the CONFIGURE DNSDIST step.
sudo nano /etc/dnsdist/dnsdist.conf
setLocal("127.0.0.1:5353")
sudo systemctl restart dnsdist.service
# certbot obtains the certificate the DoH listener serves (next steps)
sudo apt install certbot
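=== INSTALL APACHE 2 ===
sudo apt-get install apache2
# plain HTTP on :80 is all the ACME HTTP-01 challenge needs; nothing else is served here
sudo tee /etc/apache2/sites-available/example.com.conf >/dev/null <<'EOF'
<VirtualHost *:80>
ServerName example.com
DocumentRoot /var/www/dnsdist
</VirtualHost>
EOF
sudo mkdir -p /var/www/dnsdist
sudo chown www-data:www-data /var/www/dnsdist -R
sudo a2ensite example.com
sudo systemctl reload apache2
# Let's Encrypt validates HTTP-01 by fetching http://example.com/.well-known/acme-challenge/...
# from the internet: the public A record for example.com must point at this host, and port 80
# must be reachable through ufw (these notes only open 3128 and 53 otherwise).
sudo ufw allow 80/tcp
# --deploy-hook runs after every successful issuance and renewal. Without it dnsdist keeps
# serving the old certificate after certbot renews, and DoH clients start failing at expiry.
sudo certbot certonly --webroot --agree-tos --email user@example.com -d example.com -w /var/www/dnsdist --deploy-hook 'systemctl restart dnsdist'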
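=== CONFIGURE DNSDIST ===
sudo nano /etc/dnsdist/dnsdist.conf
# --- /etc/dnsdist/dnsdist.conf (Lua) ---
-- Admit only the prefixes BIND's allow-recursion trusts. dnsdist forwards every query
-- from 127.0.0.1, which BIND always recurses for, so this ACL is the only thing keeping
-- port 443 from being an open resolver; addACL('0.0.0.0/0') would make it exactly that.
setACL({'127.0.0.1/32', '192.168.0.0/24', '10.10.10.0/24'})
-- DoH listener on port 443 of all interfaces. The certificate is the Let's Encrypt one
-- issued for example.com, so clients must reach this host by that name for it to validate.
addDOHLocal("0.0.0.0:443", "/etc/letsencrypt/live/example.com/fullchain.pem", "/etc/letsencrypt/live/example.com/privkey.pem", { "/" }, { doTCP=true, reusePort=true, tcpFastOpenSize=0 })
-- downstream resolver: BIND on this host. NOTE(review): qps here is a cap on queries sent
-- to this backend (honoured by the firstAvailable policy), not a per-client limit; if
-- lookups start failing under load, raise or drop it, and use a MaxQPSIPRule for abuse
-- protection instead.
newServer({address="127.0.0.1:53",qps=5, name="resolver1"})
# --- end dnsdist.conf ---
sudo apt install acl
# dnsdist runs as _dnsdist and must read privkey.pem; live/ holds symlinks into archive/,
# hence the recursive grant on the whole tree. The default ACL (-d) is meant to make files
# certbot writes on renewal inherit the entry - verify after the first renewal and re-run
# these two lines if dnsdist logs a permission error.
sudo setfacl -R -m u:_dnsdist:rx /etc/letsencrypt/
sudo setfacl -R -d -m u:_dnsdist:rx /etc/letsencrypt/
# DoH clients on the LAN need 443; keep it LAN-only like port 53 (the ACL above is the only
# control if this is ever widened)
sudo ufw allow from 192.168.0.0/24 to any port 443 proto tcp
sudo dnsdist --check-config
sudo systemctl restart dnsdist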
=== RUN CHROME ===
# Separate profile so the proxy setting does not leak into the normal one. The proxy is
# plain HTTP with Basic auth, so the credential crosses the LAN in cleartext on every
# request - keep 3128 reachable from the LAN only.
"C:\Program Files\Google\Chrome\Application\chrome.exe" --proxy-server="http://192.168.0.199:3128" --user-data-dir="%LOCALAPPDATA%\Google\Chrome-proxy01\User Data"
# NOTE(review): the DoH certificate was issued for example.com, not for 192.168.0.199, and
# Chrome validates the secure-DNS server's certificate, so expect the IP form to be rejected;
# use https://example.com/ (resolving to this host) unless the IP form has been verified to work.
Go to Security and Privacy, Security, Use secure DNS: https://192.168.0.199