crony/cronyakatsuki.xyz
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Site update

Browse source
This commit is contained in:
CronyAkatsuki 2023-10-24 19:16:22 +02:00
parent 6f9ac9c5b8
commit 26d0746f07
8 changed files with 934 additions and 302 deletions
Download patch file Download diff file Expand all files Collapse all files

212
public/blog/setup-dns-pihole-unbound/index.html
View file

@ -58,40 +58,40 @@
<p>Let&rsquo;s start with setting up pihole. I will be installing it with their script on a debian system for easier unbound integration ( unbound doesn&rsquo;t have an official docker container ).</p>
<p>I recommend to read up on the pihole&rsquo;s docs on exactly how to install it since pihole get&rsquo;s frequent updates. <a href="https://docs.pi-hole.net/main/basic-install/">DOCS</a></p>
<p>I recommend you to install the admin page for easier managmenet and ability to change the upstream dns server ( needed for changing it to unbound later on ). To be able to access the admin page I use an nginx configuration like this one.</p>
<div class="highlight"><pre tabindex="0" style="color:#ef9f76;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#ca9ee6">server</span> <span style="color:#c6d0f5">{</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">server_name</span> <span style="color:#a6d189">example.com</span> <span style="color:#c6d0f5">;</span>
<div class="highlight"><pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#ca9ee6">server</span> {
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">server_name</span> <span style="color:#a6d189">example.com</span> ;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">location</span> <span style="color:#a6d189">/</span> <span style="color:#c6d0f5">{</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">return</span> 403<span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#c6d0f5">}</span>
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">location</span> <span style="color:#a6d189">/</span> {
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">return</span> <span style="color:#ef9f76">403</span>;
</span></span><span style="display:flex;"><span> }
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">location</span> <span style="color:#a6d189">/admin</span> <span style="color:#c6d0f5">{</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_pass</span> <span style="color:#a6d189">http://127.0.0.1:8185/admin</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_set_header</span> <span style="color:#a6d189">Host</span> <span style="color:#babbf1">$host</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#c6d0f5">}</span>
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">location</span> <span style="color:#a6d189">/admin</span> {
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">proxy_pass</span> <span style="color:#a6d189">http://127.0.0.1:8185/admin</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">proxy_set_header</span> <span style="color:#a6d189">Host</span> <span style="color:#f2d5cf">$host</span>;
</span></span><span style="display:flex;"><span> }
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#626880;font-style:italic"># If you want to log user activity, comment these
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">access_log</span> <span style="color:#a6d189">/dev/null</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">error_log</span> <span style="color:#a6d189">/dev/null</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#737994;font-style:italic"># If you want to log user activity, comment these
</span></span></span><span style="display:flex;"><span><span style="color:#737994;font-style:italic"></span> <span style="color:#81c8be">access_log</span> <span style="color:#a6d189">/dev/null</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">error_log</span> <span style="color:#a6d189">/dev/null</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">listen</span> <span style="color:#a6d189">[::]:443</span> <span style="color:#a6d189">ssl</span><span style="color:#c6d0f5">;</span> <span style="color:#626880;font-style:italic"># managed by Certbot
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">listen</span> 443 <span style="color:#a6d189">ssl</span><span style="color:#c6d0f5">;</span> <span style="color:#626880;font-style:italic"># managed by Certbot
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">ssl_certificate</span> <span style="color:#a6d189">/etc/letsencrypt/live/example.com/fullchain.pem</span><span style="color:#c6d0f5">;</span> <span style="color:#626880;font-style:italic"># managed by Certbot
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">ssl_certificate_key</span> <span style="color:#a6d189">/etc/letsencrypt/live/example.com/privkey.pem</span><span style="color:#c6d0f5">;</span> <span style="color:#626880;font-style:italic"># managed by Certbot
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">include</span> <span style="color:#a6d189">/etc/letsencrypt/options-ssl-nginx.conf</span><span style="color:#c6d0f5">;</span> <span style="color:#626880;font-style:italic"># managed by Certbot
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">ssl_dhparam</span> <span style="color:#a6d189">/etc/letsencrypt/ssl-dhparams.pem</span><span style="color:#c6d0f5">;</span> <span style="color:#626880;font-style:italic"># managed by Certbot
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span><span style="color:#c6d0f5">}</span>
</span></span><span style="display:flex;"><span><span style="color:#ca9ee6">server</span> <span style="color:#c6d0f5">{</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">if</span> <span style="color:#a6d189">(</span><span style="color:#babbf1">$host</span> <span style="color:#c6d0f5">=</span> <span style="color:#a6d189">example.com)</span> <span style="color:#c6d0f5">{</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">return</span> 301 <span style="color:#a6d189">https://</span><span style="color:#babbf1">$host$request_uri</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#c6d0f5">}</span> <span style="color:#626880;font-style:italic"># managed by Certbot
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span>
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">listen</span> <span style="color:#a6d189">[::]:443</span> <span style="color:#a6d189">ssl</span>; <span style="color:#737994;font-style:italic"># managed by Certbot
</span></span></span><span style="display:flex;"><span><span style="color:#737994;font-style:italic"></span> <span style="color:#81c8be">listen</span> <span style="color:#ef9f76">443</span> <span style="color:#a6d189">ssl</span>; <span style="color:#737994;font-style:italic"># managed by Certbot
</span></span></span><span style="display:flex;"><span><span style="color:#737994;font-style:italic"></span> <span style="color:#81c8be">ssl_certificate</span> <span style="color:#a6d189">/etc/letsencrypt/live/example.com/fullchain.pem</span>; <span style="color:#737994;font-style:italic"># managed by Certbot
</span></span></span><span style="display:flex;"><span><span style="color:#737994;font-style:italic"></span> <span style="color:#81c8be">ssl_certificate_key</span> <span style="color:#a6d189">/etc/letsencrypt/live/example.com/privkey.pem</span>; <span style="color:#737994;font-style:italic"># managed by Certbot
</span></span></span><span style="display:flex;"><span><span style="color:#737994;font-style:italic"></span> <span style="color:#81c8be">include</span> <span style="color:#a6d189">/etc/letsencrypt/options-ssl-nginx.conf</span>; <span style="color:#737994;font-style:italic"># managed by Certbot
</span></span></span><span style="display:flex;"><span><span style="color:#737994;font-style:italic"></span> <span style="color:#81c8be">ssl_dhparam</span> <span style="color:#a6d189">/etc/letsencrypt/ssl-dhparams.pem</span>; <span style="color:#737994;font-style:italic"># managed by Certbot
</span></span></span><span style="display:flex;"><span><span style="color:#737994;font-style:italic"></span>}
</span></span><span style="display:flex;"><span><span style="color:#ca9ee6">server</span> {
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">if</span> <span style="color:#a6d189">(</span><span style="color:#f2d5cf">$host</span> = <span style="color:#a6d189">example.com)</span> {
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">return</span> <span style="color:#ef9f76">301</span> <span style="color:#a6d189">https://</span><span style="color:#f2d5cf">$host$request_uri</span>;
</span></span><span style="display:flex;"><span> } <span style="color:#737994;font-style:italic"># managed by Certbot
</span></span></span><span style="display:flex;"><span><span style="color:#737994;font-style:italic"></span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">server_name</span> <span style="color:#a6d189">example.com</span> <span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">listen</span> 80<span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">listen</span> <span style="color:#a6d189">[::]:80</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">return</span> 404<span style="color:#c6d0f5">;</span> <span style="color:#626880;font-style:italic"># managed by Certbot
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span><span style="color:#c6d0f5">}</span>
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">server_name</span> <span style="color:#a6d189">example.com</span> ;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">listen</span> <span style="color:#ef9f76">80</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">listen</span> <span style="color:#a6d189">[::]:80</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">return</span> <span style="color:#ef9f76">404</span>; <span style="color:#737994;font-style:italic"># managed by Certbot
</span></span></span><span style="display:flex;"><span><span style="color:#737994;font-style:italic"></span>}
</span></span></code></pre></div><p>The main point of this config is the <code>/admin</code> location that you need to pass the lighttpd port to acces the website, you can just do it on your main website also.
Also to make lighttpd work with nginx listening on port 80 you need to edit the <code>server.port</code> to port you wan&rsquo;t to use in lighttpd config file located at <code>/etc/lighttpd/lighttpd.conf</code> and then just restart lighttpd</p>
<h2 id="2-unbound">2. Unbound</h2>
@ -100,104 +100,104 @@ Also to make lighttpd work with nginx listening on port 80 you need to edit the
<h2 id="3-dns-over-tls">3. DNS over TLS</h2>
<p>For dns over tls you need to first have a ssl certificate. I recommend on using certbot to generate one with this command <code>certbot --nginx -d dot.example.com</code>.</p>
<p>Next you will need a reverse proxy, in my case I use nginx. You will need to add this configuration to your main nginx config located at <code>/etc/nginx/nginx.conf</code>. <strong>Make sure to add this outside of the http block and change example.com to your domain</strong></p>
<div class="highlight"><pre tabindex="0" style="color:#ef9f76;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#ca9ee6">stream</span> <span style="color:#c6d0f5">{</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">log_format</span> <span style="color:#a6d189">basic</span> <span style="color:#a6d189">&#39;</span><span style="color:#babbf1">$remote_addr</span> <span style="color:#a6d189">[</span><span style="color:#babbf1">$time_local]</span> <span style="color:#babbf1">$protocol</span> <span style="color:#babbf1">$status</span> <span style="color:#babbf1">$bytes_sent</span> <span style="color:#babbf1">$bytes_received</span> <span style="color:#babbf1">$session_time</span> <span style="color:#babbf1">$upstream_addr&#39;</span><span style="color:#c6d0f5">;</span>
<div class="highlight"><pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#ca9ee6">stream</span> {
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">log_format</span> <span style="color:#a6d189">basic</span> <span style="color:#a6d189">&#39;</span><span style="color:#f2d5cf">$remote_addr</span> <span style="color:#a6d189">[</span><span style="color:#f2d5cf">$time_local]</span> <span style="color:#f2d5cf">$protocol</span> <span style="color:#f2d5cf">$status</span> <span style="color:#f2d5cf">$bytes_sent</span> <span style="color:#f2d5cf">$bytes_received</span> <span style="color:#f2d5cf">$session_time</span> <span style="color:#f2d5cf">$upstream_addr&#39;</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">upstream</span> <span style="color:#a6d189">dns</span>
</span></span><span style="display:flex;"><span> <span style="color:#c6d0f5">{</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">zone</span> <span style="color:#a6d189">dns</span> 64k<span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">server</span> <span style="color:#babbf1">127.0.0.1</span><span style="color:#c6d0f5">:</span>53<span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#c6d0f5">}</span>
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">upstream</span> <span style="color:#a6d189">dns</span>
</span></span><span style="display:flex;"><span> {
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">zone</span> <span style="color:#a6d189">dns</span> <span style="color:#ef9f76">64k</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">server</span> 127.0.0.1:<span style="color:#ef9f76">53</span>;
</span></span><span style="display:flex;"><span> }
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">server</span> <span style="color:#c6d0f5">{</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">listen</span> 853 <span style="color:#a6d189">ssl</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">server</span> {
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">listen</span> <span style="color:#ef9f76">853</span> <span style="color:#a6d189">ssl</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">access_log</span> <span style="color:#a6d189">/var/log/nginx/dot-access.log</span> <span style="color:#a6d189">basic</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">error_log</span> <span style="color:#a6d189">/var/log/nginx/dot-error.log</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">access_log</span> <span style="color:#a6d189">/var/log/nginx/dot-access.log</span> <span style="color:#a6d189">basic</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">error_log</span> <span style="color:#a6d189">/var/log/nginx/dot-error.log</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_certificate</span> <span style="color:#a6d189">/etc/letsencrypt/live/dot.example.com/fullchain.pem</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_certificate_key</span> <span style="color:#a6d189">/etc/letsencrypt/live/dot.example.com/privkey.pem</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">ssl_certificate</span> <span style="color:#a6d189">/etc/letsencrypt/live/dot.example.com/fullchain.pem</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">ssl_certificate_key</span> <span style="color:#a6d189">/etc/letsencrypt/live/dot.example.com/privkey.pem</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_protocols</span> <span style="color:#a6d189">TLSv1.2</span> <span style="color:#a6d189">TLSv1.3</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_ciphers</span> <span style="color:#a6d189">HIGH:!aNULL:!MD5</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">ssl_protocols</span> <span style="color:#a6d189">TLSv1.2</span> <span style="color:#a6d189">TLSv1.3</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">ssl_ciphers</span> <span style="color:#a6d189">HIGH:!aNULL:!MD5</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_handshake_timeout</span> <span style="color:#a6d189">10s</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_session_cache</span> <span style="color:#a6d189">shared:SSL:20m</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_session_timeout</span> <span style="color:#a6d189">4h</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_pass</span> <span style="color:#a6d189">dns</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_responses</span> 1<span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_timeout</span> <span style="color:#a6d189">1s</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#c6d0f5">}</span>
</span></span><span style="display:flex;"><span><span style="color:#c6d0f5">}</span>
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">ssl_handshake_timeout</span> <span style="color:#a6d189">10s</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">ssl_session_cache</span> <span style="color:#a6d189">shared:SSL:20m</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">ssl_session_timeout</span> <span style="color:#a6d189">4h</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">proxy_pass</span> <span style="color:#a6d189">dns</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">proxy_responses</span> <span style="color:#ef9f76">1</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">proxy_timeout</span> <span style="color:#a6d189">1s</span>;
</span></span><span style="display:flex;"><span> }
</span></span><span style="display:flex;"><span>}
</span></span></code></pre></div><p>Also make sure to enable port 853, example ufw command is <code>ufw allow 853/tcp</code>. Then restart nginx, to test if this configuration is working you can use your android phone by setting the private dns address to <code>dot.example.com</code> and then visit the website<a href="https://dnsleaktest.com">dnsleaktest</a></p>
<h2 id="4-dns-over-https">4. DNS over HTTPS</h2>
<p>For using dns over https we will be installing additional package called dnsdinst. On debian systems just run <code>apt install dnsdinst</code>. Next you will need to setup dnsdinst config and restart it. Make sure to change example.com.</p>
<div class="highlight"><pre tabindex="0" style="color:#ef9f76;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-conf" data-lang="conf"><span style="display:flex;"><span><span style="color:#babbf1">--</span> <span style="color:#babbf1">dnsdist</span> <span style="color:#babbf1">configuration</span> <span style="color:#babbf1">file</span><span style="color:#c6d0f5">,</span> <span style="color:#babbf1">an</span> <span style="color:#babbf1">example</span> <span style="color:#babbf1">can</span> <span style="color:#babbf1">be</span> <span style="color:#babbf1">found</span> <span style="color:#babbf1">in</span> <span style="color:#e78284">/</span><span style="color:#babbf1">usr</span><span style="color:#e78284">/</span><span style="color:#babbf1">share</span><span style="color:#e78284">/</span><span style="color:#babbf1">doc</span><span style="color:#e78284">/</span><span style="color:#babbf1">dnsdist</span><span style="color:#e78284">/</span><span style="color:#babbf1">examples</span><span style="color:#e78284">/</span>
<pre tabindex="0"><code class="language-conf" data-lang="conf">-- dnsdist configuration file, an example can be found in /usr/share/doc/dnsdist/examples/
-- disable security status polling via DNS
setSecurityPollSuffix(&#34;&#34;)
-- fix up possibly badly truncated answers from pdns 2.9.22
-- truncateTC(true)
-- Answer to only clients from this subnet
setACL(&#34;127.0.0.1/8&#34;)
-- Define upstream DNS server (Pi-hole)
newServer({address=&#34;127.0.0.1&#34;, name=&#34;Pi-hole&#34;, checkName=&#34;example.com&#34;, checkInterval=60, mustResolve=true})
-- Create local DOH server listener in DNS over HTTP mode, otherwise the information coming from nginx won&#39;t be processed well
addDOHLocal(&#34;127.0.0.1:5300&#34;, nil, nil, &#34;/dns-query&#34;, { reusePort=true })
</code></pre><p>Next we will need another ssl certificate for the doh domain, for that we will once again using certbot with this command <code>certbot --nginx -d doh.example.com</code>after that add this configuratin to nginx either in sites-available and linking it to sites enabled or in http block in main nginx configuration.</p>
<div class="highlight"><pre tabindex="0" style="color:#c6d0f5;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#737994;font-style:italic"># Proxy Cache storage - so we can cache the DoH response from the upstream
</span></span></span><span style="display:flex;"><span><span style="color:#737994;font-style:italic"></span><span style="color:#ca9ee6">proxy_cache_path</span> <span style="color:#a6d189">/var/run/doh_cache</span> <span style="color:#a6d189">levels=1:2</span> <span style="color:#a6d189">keys_zone=doh_cache:10m</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#babbf1">--</span> <span style="color:#babbf1">disable</span> <span style="color:#babbf1">security</span> <span style="color:#babbf1">status</span> <span style="color:#babbf1">polling</span> <span style="color:#babbf1">via</span> <span style="color:#babbf1">DNS</span>
</span></span><span style="display:flex;"><span><span style="color:#99d1db">setSecurityPollSuffix</span><span style="color:#c6d0f5">(</span><span style="color:#a6d189">&#34;&#34;</span><span style="color:#c6d0f5">)</span>
</span></span><span style="display:flex;"><span><span style="color:#ca9ee6">server</span> {
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">listen</span> <span style="color:#ef9f76">80</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">server_name</span> <span style="color:#a6d189">doh.example.com</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">return</span> <span style="color:#ef9f76">301</span> <span style="color:#a6d189">https://doh.example.com/</span><span style="color:#f2d5cf">$request_uri</span>;
</span></span><span style="display:flex;"><span>}
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#babbf1">--</span> <span style="color:#babbf1">fix</span> <span style="color:#babbf1">up</span> <span style="color:#babbf1">possibly</span> <span style="color:#babbf1">badly</span> <span style="color:#babbf1">truncated</span> <span style="color:#babbf1">answers</span> <span style="color:#babbf1">from</span> <span style="color:#babbf1">pdns</span> <span style="color:#babbf1">2.9.22</span>
</span></span><span style="display:flex;"><span><span style="color:#babbf1">--</span> <span style="color:#99d1db">truncateTC</span><span style="color:#c6d0f5">(</span><span style="color:#ca9ee6;font-style:italic">true</span><span style="color:#c6d0f5">)</span>
</span></span><span style="display:flex;"><span><span style="color:#737994;font-style:italic"># This virtual server accepts HTTP/2 over HTTPS
</span></span></span><span style="display:flex;"><span><span style="color:#737994;font-style:italic"></span><span style="color:#ca9ee6">server</span> {
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">listen</span> <span style="color:#ef9f76">443</span> <span style="color:#a6d189">ssl</span> <span style="color:#a6d189">http2</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">server_name</span> <span style="color:#a6d189">doh.example.com</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#babbf1">--</span> <span style="color:#babbf1">Answer</span> <span style="color:#babbf1">to</span> <span style="color:#babbf1">only</span> <span style="color:#babbf1">clients</span> <span style="color:#babbf1">from</span> <span style="color:#babbf1">this</span> <span style="color:#e5c890">subnet</span>
</span></span><span style="display:flex;"><span><span style="color:#99d1db">setACL</span><span style="color:#c6d0f5">(</span><span style="color:#a6d189">&#34;127.0.0.1/8&#34;</span><span style="color:#c6d0f5">)</span>
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">access_log</span> <span style="color:#a6d189">/var/log/nginx/doh.access</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">error_log</span> <span style="color:#a6d189">/var/log/nginx/doh.error</span> <span style="color:#a6d189">error</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#babbf1">--</span> <span style="color:#babbf1">Define</span> <span style="color:#babbf1">upstream</span> <span style="color:#babbf1">DNS</span> <span style="color:#99d1db">server</span> <span style="color:#c6d0f5">(</span><span style="color:#babbf1">Pi-hole</span><span style="color:#c6d0f5">)</span>
</span></span><span style="display:flex;"><span><span style="color:#99d1db">newServer</span><span style="color:#c6d0f5">({</span><span style="color:#babbf1">address</span><span style="color:#99d1db">=</span><span style="color:#a6d189">&#34;127.0.0.1&#34;</span><span style="color:#c6d0f5">,</span> <span style="color:#babbf1">name</span><span style="color:#99d1db">=</span><span style="color:#a6d189">&#34;Pi-hole&#34;</span><span style="color:#c6d0f5">,</span> <span style="color:#babbf1">checkName</span><span style="color:#99d1db">=</span><span style="color:#a6d189">&#34;example.com&#34;</span><span style="color:#c6d0f5">,</span> <span style="color:#babbf1">checkInterval</span><span style="color:#99d1db">=</span><span style="color:#babbf1">60</span><span style="color:#c6d0f5">,</span> <span style="color:#babbf1">mustResolve</span><span style="color:#99d1db">=</span><span style="color:#ca9ee6;font-style:italic">true</span><span style="color:#c6d0f5">})</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#babbf1">--</span> <span style="color:#babbf1">Create</span> <span style="color:#babbf1">local</span> <span style="color:#babbf1">DOH</span> <span style="color:#babbf1">server</span> <span style="color:#babbf1">listener</span> <span style="color:#babbf1">in</span> <span style="color:#babbf1">DNS</span> <span style="color:#babbf1">over</span> <span style="color:#babbf1">HTTP</span> <span style="color:#babbf1">mode</span><span style="color:#c6d0f5">,</span> <span style="color:#babbf1">otherwise</span> <span style="color:#babbf1">the</span> <span style="color:#babbf1">information</span> <span style="color:#babbf1">coming</span> <span style="color:#babbf1">from</span> <span style="color:#babbf1">nginx</span> <span style="color:#babbf1">won</span><span style="color:#e78284">&#39;</span><span style="color:#babbf1">t</span> <span style="color:#babbf1">be</span> <span style="color:#babbf1">processed</span> <span style="color:#babbf1">well</span>
</span></span><span style="display:flex;"><span><span style="color:#99d1db">addDOHLocal</span><span style="color:#c6d0f5">(</span><span style="color:#a6d189">&#34;127.0.0.1:5300&#34;</span><span style="color:#c6d0f5">,</span> <span style="color:#babbf1">nil</span><span style="color:#c6d0f5">,</span> <span style="color:#babbf1">nil</span><span style="color:#c6d0f5">,</span> <span style="color:#a6d189">&#34;/dns-query&#34;</span><span style="color:#c6d0f5">,</span> <span style="color:#c6d0f5">{</span> <span style="color:#babbf1">reusePort</span><span style="color:#99d1db">=</span><span style="color:#ca9ee6;font-style:italic">true</span> <span style="color:#c6d0f5">})</span>
</span></span></code></pre></div><p>Next we will need another ssl certificate for the doh domain, for that we will once again using certbot with this command <code>certbot --nginx -d doh.example.com</code>after that add this configuratin to nginx either in sites-available and linking it to sites enabled or in http block in main nginx configuration.</p>
<div class="highlight"><pre tabindex="0" style="color:#ef9f76;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># Proxy Cache storage - so we can cache the DoH response from the upstream
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span><span style="color:#ca9ee6">proxy_cache_path</span> <span style="color:#a6d189">/var/run/doh_cache</span> <span style="color:#a6d189">levels=1:2</span> <span style="color:#a6d189">keys_zone=doh_cache:10m</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#ca9ee6">server</span> <span style="color:#c6d0f5">{</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">listen</span> 80<span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">server_name</span> <span style="color:#a6d189">doh.example.com</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">return</span> 301 <span style="color:#a6d189">https://doh.example.com/</span><span style="color:#babbf1">$request_uri</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span><span style="color:#c6d0f5">}</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># This virtual server accepts HTTP/2 over HTTPS
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span><span style="color:#ca9ee6">server</span> <span style="color:#c6d0f5">{</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">listen</span> 443 <span style="color:#a6d189">ssl</span> <span style="color:#a6d189">http2</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">server_name</span> <span style="color:#a6d189">doh.example.com</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">access_log</span> <span style="color:#a6d189">/var/log/nginx/doh.access</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">error_log</span> <span style="color:#a6d189">/var/log/nginx/doh.error</span> <span style="color:#a6d189">error</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_certificate</span> <span style="color:#a6d189">/etc/letsencrypt/live/doh.example.com/fullchain.pem</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_certificate_key</span> <span style="color:#a6d189">/etc/letsencrypt/live/doh.example.com/privkey.pem</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">ssl_certificate</span> <span style="color:#a6d189">/etc/letsencrypt/live/doh.example.com/fullchain.pem</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">ssl_certificate_key</span> <span style="color:#a6d189">/etc/letsencrypt/live/doh.example.com/privkey.pem</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#626880;font-style:italic"># DoH may use GET or POST requests, Cache both
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">proxy_cache_methods</span> <span style="color:#a6d189">GET</span> <span style="color:#a6d189">POST</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#737994;font-style:italic"># DoH may use GET or POST requests, Cache both
</span></span></span><span style="display:flex;"><span><span style="color:#737994;font-style:italic"></span> <span style="color:#81c8be">proxy_cache_methods</span> <span style="color:#a6d189">GET</span> <span style="color:#a6d189">POST</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#626880;font-style:italic"># Return 404 to all responses, except for those using our published DoH URI
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">location</span> <span style="color:#a6d189">/</span> <span style="color:#c6d0f5">{</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">try_files</span> <span style="color:#babbf1">$uri</span> <span style="color:#babbf1">$uri/</span> <span style="color:#c6d0f5">=</span>404<span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#c6d0f5">}</span>
</span></span><span style="display:flex;"><span> <span style="color:#737994;font-style:italic"># Return 404 to all responses, except for those using our published DoH URI
</span></span></span><span style="display:flex;"><span><span style="color:#737994;font-style:italic"></span> <span style="color:#81c8be">location</span> <span style="color:#a6d189">/</span> {
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">try_files</span> <span style="color:#f2d5cf">$uri</span> <span style="color:#f2d5cf">$uri/</span> =<span style="color:#ef9f76">404</span>;
</span></span><span style="display:flex;"><span> }
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_protocols</span> <span style="color:#a6d189">TLSv1.2</span> <span style="color:#a6d189">TLSv1.3</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_ssl_ciphers</span> <span style="color:#a6d189">HIGH:!aNULL:!MD5</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">ssl_protocols</span> <span style="color:#a6d189">TLSv1.2</span> <span style="color:#a6d189">TLSv1.3</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">proxy_ssl_ciphers</span> <span style="color:#a6d189">HIGH:!aNULL:!MD5</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#626880;font-style:italic"># This is our published DoH URI
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">location</span> <span style="color:#a6d189">/dns-query</span> <span style="color:#c6d0f5">{</span>
</span></span><span style="display:flex;"><span> <span style="color:#626880;font-style:italic"># Proxy HTTP/1.1, clear the connection header to enable Keep-Alive
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">proxy_http_version</span> 1<span style="color:#a6d189">.1</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_set_header</span> <span style="color:#a6d189">Connection</span> <span style="color:#a6d189">&#34;&#34;</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#737994;font-style:italic"># This is our published DoH URI
</span></span></span><span style="display:flex;"><span><span style="color:#737994;font-style:italic"></span> <span style="color:#81c8be">location</span> <span style="color:#a6d189">/dns-query</span> {
</span></span><span style="display:flex;"><span> <span style="color:#737994;font-style:italic"># Proxy HTTP/1.1, clear the connection header to enable Keep-Alive
</span></span></span><span style="display:flex;"><span><span style="color:#737994;font-style:italic"></span> <span style="color:#81c8be">proxy_http_version</span> <span style="color:#ef9f76">1</span><span style="color:#a6d189">.1</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">proxy_set_header</span> <span style="color:#a6d189">Connection</span> <span style="color:#a6d189">&#34;&#34;</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#626880;font-style:italic"># Enable Cache, and set the cache_key to include the request_body
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">proxy_cache</span> <span style="color:#a6d189">doh_cache</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_cache_key</span> <span style="color:#babbf1">$scheme$proxy_host$uri$is_args$args$request_body</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#737994;font-style:italic"># Enable Cache, and set the cache_key to include the request_body
</span></span></span><span style="display:flex;"><span><span style="color:#737994;font-style:italic"></span> <span style="color:#81c8be">proxy_cache</span> <span style="color:#a6d189">doh_cache</span>;
</span></span><span style="display:flex;"><span> <span style="color:#81c8be">proxy_cache_key</span> <span style="color:#f2d5cf">$scheme$proxy_host$uri$is_args$args$request_body</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#626880;font-style:italic"># proxy pass to dnsdist
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">proxy_pass</span> <span style="color:#a6d189">http://127.0.0.1:5300</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#737994;font-style:italic"># proxy pass to dnsdist
</span></span></span><span style="display:flex;"><span><span style="color:#737994;font-style:italic"></span> <span style="color:#81c8be">proxy_pass</span> <span style="color:#a6d189">http://127.0.0.1:5300</span>;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span> <span style="color:#626880;font-style:italic"># proxy pass address
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">proxy_set_header</span> <span style="color:#a6d189">X-Forwarded-For</span> <span style="color:#babbf1">$proxy_add_x_forwarded_for</span><span style="color:#c6d0f5">;</span>
</span></span><span style="display:flex;"><span> <span style="color:#c6d0f5">}</span>
</span></span><span style="display:flex;"><span><span style="color:#c6d0f5">}</span>
</span></span><span style="display:flex;"><span> <span style="color:#737994;font-style:italic"># proxy pass address
</span></span></span><span style="display:flex;"><span><span style="color:#737994;font-style:italic"></span> <span style="color:#81c8be">proxy_set_header</span> <span style="color:#a6d189">X-Forwarded-For</span> <span style="color:#f2d5cf">$proxy_add_x_forwarded_for</span>;
</span></span><span style="display:flex;"><span> }
</span></span><span style="display:flex;"><span>}
</span></span></code></pre></div><p>After restarting nginx with this configuration you can it to your web browser as a DNS over HTTPS resolver and once again checkout <a href="https://dnsleaktest.com">dnsleaktest</a> website and check if it is all working.</p>
<p>Hope this has been helpfull and if anybody has any way on how to make this guied better you can open a pull request or make an issue on the website&rsquo;s <a href="https://code.cronyakatsuki.xyz/crony/website">repo</a>.</p>
</div>