Set up a DNS-over-HTTPS server

With a Debian server, Unbound, Nginx, and doh-proxy, you can set up your own DNS-over-HTTPS server.

In this guide, we’ll show you how to set up your own DoH (DNS‑over‑HTTPS) server and start sending encrypted DNS queries in less than half an hour using Glesys Cloud.

We’ll be using a Debian server with nginx, a DoH proxy, and Unbound, along with Let’s Encrypt and a domain name that you’ll need to provide.

Setting up the DNS-over-HTTPS server

Start by logging in to our control panel and provisioning a server running Debian 12 or later. After you have selected an IP address for your server, go to the DNS in Glesys Cloud and point doh.example.com (replace example.com with your own domain) to the IPv4 and IPv6 addresses assigned to your server.

Start by updating your server:

Commands

sudo apt update
sudo apt upgrade

Once that’s done, it’s time to begin the installation.

We start by installing unbound . Unbound is a recursive and caching name server. This is what will make the actual DNS look-ups.

Commands

sudo apt install unbound
sudo systemctl enable unbound
sudo systemctl start unbound

Then, download the latest version of doh-proxy for Debian amd64 from this site https://github.com/DNSCrypt/doh-server/releases.

Once downloaded, install it with (replace the version with the version you downloaded):

Command

sudo apt install ./doh-proxy_0.9.15-1_amd64.deb

Next, you need to create a user to run doh-proxy (to avoid having it run as root):

Command

sudo adduser --home /var/lib/proxy --comment "Homer says DOH" --shell /sbin/nologin --system --group doh-proxy

To make doh-proxy start automatically when the server boots, create a systemd service for it in /etc/systemd/system/doh-proxy.service.

/etc/systemd/system/doh-proxy.service

[Unit]
Description=DOH Proxy
Before=nginx.target

[Service]
Type=simple
ExecStart=/usr/bin/doh-proxy -H 'doh.example.com' -u 127.0.0.1:53
Restart=always
User=doh-proxy
Group=doh-proxy

[Install]
WantedBy=multi-user.target

To make the system recognize this new service, reload the systemd daemon:

Command

sudo systemctl daemon-reload

Next, install Nginx and Certbot for Nginx:

Command

sudo apt install python3-certbot-nginx nginx

Now it's time to issue a Let's Encrypt certificate for the Nginx server using Certbot (replace example.com with your real domain):

sudo certbot --nginx -d doh.example.com

If you try accessing https://doh.example.com now, you should see Nginx default welcome page.

Now it's time to configure HTTP/2 and Nginx with doh-proxy. Edit the file /etc/nginx/sites-available/default. Find the following two lines in that file:

Lines in /etc/nginx/sites-available/default

  listen [::]:443 ssl ipv6only=on; # managed by Certbot
  listen 443 ssl; # managed by Certbot

Add http2 to those line so that they instead look like this:

Lines in /etc/nginx/sites-available/default

   listen [::]:443 ssl http2 ipv6only=on; # managed by Certbot
   listen 443 ssl http2; # managed by Certbot

Then find the line that reads:

Line in /etc/nginx/sites-available/default

    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

Right below that line, add the following to tell Nginx that we only accept HEAD, GET, and POST requests:

Lines to add to /etc/nginx/sites-available/default

    if ( $request_method !~ ^(GET|POST|HEAD)$ ) {
        return 501;
    }

The next step is to configure the backend. Find the lines that read something like the example below. Remember that this should be inside the server block for HTTPS.

Lines to replace in /etc/nginx/sites-available/default

    location / {
        try_files $uri $uri/ =404;
    }

Replace that entire block with this code:

Lines to add in /etc/nginx/sites-available/default

       location /dns-query {
              proxy_set_header Host $http_host;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_redirect off;
              proxy_buffering off;
              proxy_pass http://dohproxy_backend;
        }

Next, at the very end of the file, after the final bracket, add the following:

Lines to add in /etc/nginx/sites-available/default

upstream dohproxy_backend {
    server 127.0.0.1:3000;
}

That's it. Now, save the file, exit the editor, and restart Nginx:

Command

sudo systemctl restart nginx

Next, start and enable the doh-proxy service:

sudo systemctl start doh-proxy
sudo systemctl enable doh-proxy

Testing the DNS-over-HTTPS server

Congratulations! Everything is now set up, and you can try out your DoH server. To test it, you can use cURL, preferably from your own computer. Remember to use your own domain, not example.com.

Command

curl -H "Accept: application/dns-json" "https://doh.example.com/dns-query?name=glesys.se"

If it worked, you should get a reply like this:

Output

{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"glesys.se","type":1}],"Answer":[{"name":"glesys.se","type":1,"TTL":517,"data":"185.39.145.232"}]}

Now, you can add your DNS-over-HTTPS server to Firefox:

PreviousLogging with iptables and nftables NextReset your password in Linux

Last updated 6 months ago

Was this helpful?