@rfinnie
Last active May 22, 2020 21:19

Remote and local servers

mkdir -p /srv/doh-proxy/git /srv/doh-proxy/venv
python3 -mvirtualenv /srv/doh-proxy/venv

# Fork of https://github.com/facebookexperimental/doh-proxy - functionality additions
git clone https://github.com/rfinnie/doh-proxy /srv/doh-proxy/git/doh-proxy

# Fork of https://github.com/decentfox/aioh2 - Python 3.6/3.8 fixes
git clone https://github.com/URenko/aioh2 /srv/doh-proxy/git/aioh2

/srv/doh-proxy/venv/bin/pip3 install /srv/doh-proxy/git/aioh2
/srv/doh-proxy/venv/bin/pip3 install /srv/doh-proxy/git/doh-proxy

Remote server

/etc/apache2/sites-enabled/doh.example.com.conf

# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers (a2enmod ssl proxy proxy_http headers).
# Only /dns-query is proxied. TLS terminates here; the backend listens on loopback only,
# so doh-httpproxy is never reachable directly from outside.
<VirtualHost *:443>
  ServerName doh.example.com
  DocumentRoot /srv/www/doh.example.com/htdocs

  ProxyPass /dns-query http://[::1]:19380/dns-query
  ProxyPassReverse /dns-query http://[::1]:19380/dns-query

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/doh.example.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/doh.example.com/privkey.pem
  # SSLCertificateChainFile is deprecated since Apache 2.4.8; on newer versions point
  # SSLCertificateFile at fullchain.pem instead and drop this line.
  SSLCertificateChainFile /etc/letsencrypt/live/doh.example.com/chain.pem

  Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

<VirtualHost *:80>
  ServerName doh.example.com
  Redirect permanent / https://doh.example.com/
</VirtualHost>

/etc/systemd/system/doh-httpproxy.service

[Unit]
Description=doh-httpproxy

[Service]
# DynamicUser runs the proxy as a transient unprivileged user. It binds ::1:19380 only,
# so the only way in is through the Apache reverse proxy above.
DynamicUser=yes
Restart=always
# --upstream-resolver ::1 expects a recursive resolver on the remote host's loopback (port 53).
# --ecs enables EDNS Client Subnet on upstream queries, which exposes client network
# information to that resolver; leave it out if you do not want that.
ExecStart=/srv/doh-proxy/venv/bin/doh-httpproxy \
 --level INFO \
 --upstream-resolver ::1 \
 --port 19380 \
 --listen-address ::1 \
 --ecs

[Install]
WantedBy=default.target
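A way to check that the remote endpoint speaks RFC 8484 correctly, added here as an example and not part of the gist or of doh-proxy itself: it builds a wire-format DNS query, encodes it into the GET form the proxy serves at /dns-query, and validates and parses the wire-format answer. The endpoint URL is taken from the Apache config above; the sample response is constructed inline (not captured from a real server) so the parsing runs offline, and fetch() is the only part that touches the network.

```python
# Added example (not from the gist or the doh-proxy project): build an RFC 8484
# DoH request for the /dns-query endpoint configured above and parse the answer.
import base64
import struct
import urllib.request

DOH_URL = "https://doh.example.com/dns-query"   # assumed: the path proxied by Apache above
CONTENT_TYPE = "application/dns-message"        # RFC 8484 media type, request and response


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format query with RD=1 and one question. RFC 8484 4.1 recommends ID 0
    for GET so identical queries yield identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(query: bytes, base: str = DOH_URL) -> str:
    """GET form: base64url-encoded message with the '=' padding removed."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base}?dns={param}"


def decode_dns_param(url: str) -> bytes:
    """Inverse of doh_get_url: restore the padding that was stripped."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def read_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:                      # refuse pointer loops in hostile responses
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_answers(query: bytes, resp: bytes) -> list:
    """Check the response belongs to the query, then return (name, ttl, ipv4) tuples."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if qid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                        # walk the echoed question section
        _, off = read_name(resp, off)
        off += 4
    if resp[12:off] != query[12:]:
        raise ValueError("question section does not match query")
    answers = []
    for _ in range(an):
        name, off = read_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def fetch(query: bytes, base: str = DOH_URL) -> bytes:
    """Send the GET form over HTTPS and insist on the DoH media type (network call)."""
    req = urllib.request.Request(doh_get_url(query, base), headers={"Accept": CONTENT_TYPE})
    with urllib.request.urlopen(req, timeout=5) as r:
        if r.headers.get("Content-Type", "").split(";")[0] != CONTENT_TYPE:
            raise ValueError("unexpected Content-Type")
        return r.read()


# Constructed sample (not a real capture): same question, one A record whose owner
# name is a compression pointer back to the question at offset 12.
SAMPLE_QUERY = build_query("example.com")
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(doh_get_url(SAMPLE_QUERY))
    print(parse_a_answers(SAMPLE_QUERY, SAMPLE_RESPONSE))
    # Against a live deployment: parse_a_answers(SAMPLE_QUERY, fetch(SAMPLE_QUERY))
```

Running it against the live server (the commented-out fetch line) exercises the whole chain: Apache TLS, the ProxyPass to ::1:19380, and the upstream resolver. A resolver that rewrites the question's letter case will trip the question-section check; that is intentional here so a mismatched or injected answer is rejected rather than silently accepted.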

Local server

This assumes you're running an existing BIND server locally. BIND forwards every query to the doh-stub on ::1 port 5390, which carries it to doh.example.com over HTTPS. Note that BIND's default forwarding mode is forward first: if the stub is down, BIND falls back to its own plaintext recursion. Add forward only; next to the forwarders line if queries must never leave over plain DNS. To check the stub on its own before pointing BIND at it: dig @::1 -p 5390 example.com A

/etc/bind/named.conf.options

options {
    // ...
    forwarders { ::1 port 5390; };
};

/etc/systemd/system/doh-stub.service

[Unit]
Description=doh-stub

[Service]
DynamicUser=yes
Restart=always
# --domain is the name the TLS certificate is checked against and the Host sent to Apache.
# --remote-address is the remote server's public IP (1.2.3.4 is a placeholder); giving it
# explicitly avoids a plaintext DNS lookup of doh.example.com, which BIND could not answer
# here because BIND itself forwards to this stub.
ExecStart=/srv/doh-proxy/venv/bin/doh-stub \
 --level INFO \
 --listen-port 5390 \
 --listen-address ::1 \
 --domain doh.example.com \
 --remote-address 1.2.3.4

[Install]
WantedBy=default.target