
Set up NAT DNS-over-HTTPS Server + DNSCrypt + Nginx

The following post will quickly guide you through setting up your own DoH (DNS-over-HTTPS) server, with dnscrypt-proxy as its upstream, in a NAT environment. AdGuard DNS will be used as the filtering resolver to block ad and malware domains. I’ll be using a NAT-based instance that runs an up-to-date Debian Buster (10) installation. Thanks to Web Horizon for providing reliable VPS instances; get yours here.

Step 1: Configuring Virtualizor Domain Forwarding

Go to your Virtualizor user account (the login details are in the “Service Activated” email), open the “Domain Forwarding” option and add your domain name for port 80 (http) and port 443 (https). On a NAT VPS the public IPv4 address is shared with other customers, so this is what maps HTTP and HTTPS traffic for your hostname to your instance; without it neither the Let’s Encrypt validation below nor your DoH clients would be able to reach Nginx. For this post I’ll use Cloudflare as DNS manager and doh-poland.alexgoldcheidt.com as the domain name. If you are using Cloudflare as well, make sure to add the A record with the proxy status off (DNS only): with the proxy on, Cloudflare would terminate TLS in front of your server and see every DNS query your devices send, which defeats the point of running your own resolver.

Step 2: Installing & Configuring DNSCrypt

After bringing the OS up to date with apt, install dnscrypt-proxy and the other tools used below (all commands in this guide run as root):

apt install curl dnscrypt-proxy build-essential certbot python3-certbot-nginx git nginx-full dnsutils jq wget nano -y

The Debian package ships a systemd socket unit that accepts DNS queries (UDP and TCP on port 53) only on the loopback address 127.0.2.1. The rest of this guide points doh-server and Nginx at 127.0.0.1:53, so the listener has to cover that address too; the simplest way is to bind it to every interface:

sed -i "s|127.0.2.1|0.0.0.0|g" /lib/systemd/system/dnscrypt-proxy.socket; cat /lib/systemd/system/dnscrypt-proxy.socket

Two caveats. Binding to 0.0.0.0 also exposes the forwarder on the instance’s private NAT address, so other instances on the same private network could use it; if only local services need it, substitute 127.0.0.1 for 0.0.0.0 in the command above. And a file under /lib/systemd/system belongs to the package, so the next dnscrypt-proxy upgrade can overwrite the edit; the durable way is a drop-in under /etc/systemd/system/dnscrypt-proxy.socket.d/ that clears ListenStream= and ListenDatagram= and sets them again. Either way, systemd only picks up the change after a daemon-reload or the reboot below.

Now let’s lock /etc/resolv.conf so the system itself resolves through dnscrypt-proxy permanently, even after reboots. Due to a WordPress protection, the command line is available here: https://pastebin.com/3GiLP2CC

Once that’s completed, restart your system by executing:

shutdown -r now

After the reboot, check that it works. First, use dig and look at the SERVER: line near the bottom of the output: it should show the loopback address you put in resolv.conf, not the provider’s resolver, which proves the query went through dnscrypt-proxy:

dig google.com

There are hundreds of public resolvers in dnscrypt-proxy’s resolver list, one of them being AdGuard, which claims to: “Remove ads and protect your computer from malware”. Let’s replace the default resolver (Cloudflare) with AdGuard’s DoH endpoint, adguard-dns-doh, and restart the service (the sed also rewrites the word inside comments, which is harmless; the line that matters is server_names):

sed -i "s|cloudflare|adguard-dns-doh|g" /etc/dnscrypt-proxy/dnscrypt-proxy.toml; cat /etc/dnscrypt-proxy/dnscrypt-proxy.toml; systemctl restart dnscrypt-proxy

Step 3: Compiling DNS-over-HTTPS Server

To compile DNS-over-HTTPS Server you need Go. Install Go by executing the following; before extracting, compare the archive’s sha256sum with the checksum published on https://go.dev/dl/, since this is a binary you are about to run as root:

wget https://go.dev/dl/go1.18.2.linux-amd64.tar.gz; tar -C /usr/local -xzf go1*; echo 'export PATH=$PATH:/usr/local/go/bin' >> $HOME/.profile; source ~/.profile; go version; rm -rf go1*

The single quotes matter: with double quotes the shell expands $PATH when the line is written, freezing today’s PATH into .profile.

Now compile and install doh-server from the dns-over-https repository; make install places the binary, its systemd unit and the config file /etc/dns-over-https/doh-server.conf. The trailing rm removes the checkout and the Go module cache the build created under your home directory:

git clone https://github.com/m13253/dns-over-https.git dns-over-https; cd dns-over-https; make; make install; cd ..; rm -rf dns-over-https go

Now point doh-server at dnscrypt-proxy as its only upstream. The default config lists Google and Cloudflare resolvers; the seds delete the Google and 1.0.0.1 entries and rewrite 1.1.1.1 to the loopback address:

sed -i '/8.8/d' /etc/dns-over-https/doh-server.conf; sed -i '/1.0.0.1/d' /etc/dns-over-https/doh-server.conf; sed -i "s|1.1.1.1|127.0.0.1|g" /etc/dns-over-https/doh-server.conf; cat /etc/dns-over-https/doh-server.conf | grep '127.0.0.1'

You should see “udp:127.0.0.1:53” (and its tcp: counterpart) in the output. That address has to be one dnscrypt-proxy actually listens on: 0.0.0.0 from Step 2 covers it, but if you kept the default 127.0.2.1 you must use that address here instead, otherwise doh-server cannot reach its upstream and every query fails.

Enable & restart the service by executing:

systemctl enable doh-server; systemctl restart doh-server

Step 4: Configuring Nginx

Let’s generate the site configuration. doh-server listens on 127.0.0.1:8053 by default, and only the /dns-query path is proxied to it; everything else on the vhost is served from the (empty) document root:

cat <<\EOF2 > /etc/nginx/sites-available/dns-over-https
upstream dns-backend {
server 127.0.0.1:8053;
}
server {
listen 80;
server_name dns.example.com;
root /var/www/html/dns;
access_log /var/log/nginx/dns.access.log;
location /dns-query {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_redirect off;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 86400;
proxy_pass http://dns-backend/dns-query ;
}
}
EOF2

Replace “dns.example.com” with your own domain name (I’ll use “doh-poland.alexgoldcheidt.com”), enable the site and check the result:

sed -i "s|dns.example.com|doh-poland.alexgoldcheidt.com|g" /etc/nginx/sites-available/dns-over-https; ln -s /etc/nginx/sites-available/dns-over-https /etc/nginx/sites-enabled/dns-over-https; cat /etc/nginx/sites-available/dns-over-https

Let’s generate the stapling file. OCSP stapling makes Nginx fetch and serve the certificate’s revocation status itself, so clients need not contact the CA’s responder; the resolver directive tells Nginx which DNS server to use for that lookup, here your local dnscrypt-proxy (another reason its listener must cover 127.0.0.1):

cat <<\EOF2 > /etc/nginx/conf.d/stapling.conf
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.1;
EOF2

Now let’s request a Let’s Encrypt certificate for the domain name. certbot’s nginx plugin adds the listen 443 ssl block and the certificate paths to the site configuration for you. --register-unsafely-without-email creates the ACME account without a contact address, so you will receive no expiry warnings; use --email instead if you want them:

certbot --register-unsafely-without-email --nginx -d doh-poland.alexgoldcheidt.com

Let’s tweak certbot’s shared SSL configuration file. The three edits shrink the TLS session cache from 10 MB to 1 MB, make Nginx prefer its own cipher order over the client’s, and append an HSTS header so browsers remember to use HTTPS for this hostname (and everything below it) for a year. Note that certbot owns this file and will not overwrite it with newer defaults once it differs from the shipped version, so you maintain it from here on:

sed -i "s|10m|1m|g" /etc/letsencrypt/options-ssl-nginx.conf; sed -i "s|ciphers off|ciphers on|g" /etc/letsencrypt/options-ssl-nginx.conf; echo 'add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;' >> /etc/letsencrypt/options-ssl-nginx.conf; cat /etc/letsencrypt/options-ssl-nginx.conf

Test the configuration with nginx -t, then reload and restart Nginx:

systemctl daemon-reload; systemctl reload nginx; systemctl restart nginx

Step 5: Using DNS-over-HTTPS Servers in Web Browsers

Now you can use your new DNS-over-HTTPS server. Modern web browsers can resolve names through a “Secure DNS” provider: in Chromium, go to Settings > Privacy and security > Security > Use secure DNS, pick “Custom” and enter the full resolver URL, https://doh-poland.alexgoldcheidt.com/dns-query (the hostname alone is not accepted; the /dns-query path is the location Nginx proxies to doh-server). Firefox has the same option as a custom DNS-over-HTTPS provider, and curl 7.62 or later can use the URL through its --doh-url option.
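To go beyond the browser test, here is an added example, my own code rather than anything from the original post or the dns-over-https project: a minimal RFC 8484 client that sends a wire-format query to the finished endpoint in both the POST and the GET form, and the same query over plain UDP to the local dnscrypt-proxy listener, which is the check dig performed in Step 2. The DOH_URL hostname is the one used in this guide and the function names are my own; the UDP check only works on the VPS itself, since it targets 127.0.0.1.

```python
"""Added example (not from the original post or the dns-over-https project): a minimal
RFC 8484 client to check the finished DoH endpoint, plus the same query over plain UDP to
the local dnscrypt-proxy listener (what dig does). Assumes the guide's hostname below."""
import base64
import socket
import struct
import sys
import urllib.request

DOH_URL = "https://doh-poland.alexgoldcheidt.com/dns-query"  # assumption: the guide's hostname
LOCAL_DNS = ("127.0.0.1", 53)  # where dnscrypt-proxy listens after Step 2

def encode_name(name: str) -> bytes:
    """DNS label encoding: "google.com" -> b"\\x06google\\x03com\\x00"."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Wire-format query: header (RD=1, QDCOUNT=1) + question in class IN.
    RFC 8484 recommends ID 0 over HTTPS so that identical queries are cacheable."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(msg: bytes, off: int):
    """Read a possibly compressed name at off; return (name, offset just after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # two-byte compression pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if jumped else off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)

def parse_response(msg: bytes) -> dict:
    """Return id, rcode and the A records from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", ttl, ".".join(map(str, rdata))))
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}

def doh_get_url(base: str, query: bytes) -> str:
    """RFC 8484 GET form: ?dns=<base64url of the query with '=' padding stripped>."""
    return base + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def resolve_doh(name: str, url: str = DOH_URL, method: str = "POST") -> dict:
    """Send the query through Nginx -> doh-server -> dnscrypt-proxy and parse the reply."""
    query, hdrs = build_query(name), {"Accept": "application/dns-message"}
    if method == "POST":
        hdrs["Content-Type"] = "application/dns-message"
        req = urllib.request.Request(url, data=query, method="POST", headers=hdrs)
    else:
        req = urllib.request.Request(doh_get_url(url, query), headers=hdrs)
    with urllib.request.urlopen(req, timeout=10) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if ctype != "application/dns-message":  # HTML here means /dns-query is not proxied
            raise RuntimeError(f"unexpected Content-Type {ctype!r} from {url}")
        return parse_response(resp.read())

def resolve_udp(name: str, server=LOCAL_DNS) -> dict:
    """Same query over UDP straight to dnscrypt-proxy, bypassing Nginx and doh-server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5)
        s.sendto(build_query(name, txid=0x1234), server)
        data, _ = s.recvfrom(4096)
    reply = parse_response(data)
    if reply["id"] != 0x1234:
        raise ValueError("transaction ID mismatch: not the answer to our query")
    return reply

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "google.com"
    print("udp ", resolve_udp(target))
    print("post", resolve_doh(target))
    print("get ", resolve_doh(target, method="GET"))
```

Run it as python3 doh_check.py example.com on any machine with Python 3.6 or later; it needs no third-party packages. A wrong proxy_pass or a missing /dns-query location shows up as a text/html Content-Type rather than as a DNS error, which is why the client checks the header before parsing. A working server answers both forms with rcode 0 and the same A records, and the UDP answer should match them, because all three paths end at dnscrypt-proxy.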

Conclusion:

This post is based on: Setup DNS-over-HTTPS Server + DNSCrypt + Nginx, with the “Domain Forwarding” step added so it works in a NAT environment. Now you can use your VPS to browse the Internet with encrypted, filtered DNS. The main advantage of this setup is that you never have to change the DoH URL on each device or browser again: change the upstream in dnscrypt-proxy’s config file once and every device follows.

Don’t forget to check WebHorizon’s amazing deals here.