Setting Up Personal DNS over HTTPS (DoH) and DNS over TLS (DoT) Using Open-Source Software

In an era where digital privacy is increasingly at risk, securing your DNS (Domain Name System) queries is crucial. Traditional DNS requests travel in plaintext over UDP or TCP port 53, so anyone on the path can read which names you look up and can forge or alter the answers. DNS over HTTPS (DoH) and DNS over TLS (DoT) wrap those queries in an encrypted, authenticated channel to the resolver, closing both gaps for the hop between your device and the resolver.

In this guide, we’ll explore how to set up your own DNS resolver using open-source software that serves DoH, DoT or both. We will cover the installation and configuration of Unbound, Caddy, Stubby, Knot Resolver, CoreDNS and dnsdist, with attention to the part most guides skip: making sure the TLS certificates on both ends are actually validated, since an encrypted session to an unauthenticated peer protects you from nobody.

Understanding DoH and DoT

  • DNS over HTTPS (DoH, RFC 8484): Carries DNS messages inside HTTPS requests, normally on TCP port 443, so the queries are indistinguishable from ordinary web traffic and cannot be blocked without also blocking the web. That is what makes it useful against censorship and middlebox interference.
  • DNS over TLS (DoT, RFC 7858): Carries DNS messages directly over a TLS session on a dedicated port, 853. It is simpler to deploy and simpler to filter at the network edge, because the port alone identifies it.

Both protocols stop on-path parties such as an ISP, a hotspot operator or an attacker on the local network from reading or altering the exchange between your device and the resolver. They do not hide your queries from whoever runs the resolver, and they do not vouch for the correctness of the answers; that is what DNSSEC validation on the resolver adds.

Why Run Your Own DNS Resolver?

Running your own DNS resolver has several advantages:

  1. Enhanced Privacy: No third-party DNS service logs or sells your queries. This holds fully only if your resolver recurses itself, contacting authoritative servers directly. The configurations below forward to public resolvers over TLS instead, which hides your queries from your ISP but still hands all of them to Cloudflare or Google.
  2. Increased Security: Your resolver can validate DNSSEC, apply its own access controls, and cannot be swapped for a rogue resolver by a hostile network, because clients that reach it over DoT or DoH authenticate its certificate.
  3. Customization: Apply your own filtering rules, block ads and trackers, or direct specific domains to chosen addresses.
  4. Improved Performance: Answer repeated queries from a cache on the local network instead of crossing the internet for each one.

Open-Source Software for DoH and DoT

We’ll focus on the following open-source tools. Note what each one actually does, because they are not interchangeable:

  1. Unbound: A validating, caching recursive resolver. It serves DoT natively and, since version 1.12, DoH as well, and can forward its own upstream queries over TLS.
  2. Caddy: A web server with automatic certificate management. It does not speak DNS itself; it terminates TLS and reverse-proxies DoH requests to a backend that does.
  3. Stubby: A client-side stub resolver that forwards local queries upstream over DoT with strict certificate authentication.
  4. Knot Resolver: A recursive resolver that serves both DoH and DoT and forwards upstream over TLS.
  5. CoreDNS: A plugin-based DNS server that serves DoT and DoH through its tls:// and https:// server blocks and forwards upstream over TLS.
  6. dnsdist: A DNS load balancer and proxy that terminates DoT and DoH from clients and can use DoT to its backends.


1. Unbound: High-Performance DNS Resolver with DoT Support

Unbound is a validating, caching resolver. It serves DNS over TLS (DoT) natively and, since version 1.12, DNS over HTTPS (DoH) as well, and it can forward its own upstream queries over TLS. Here’s how to install and configure it:

Install Unbound

For Debian-based systems:

sudo apt update
sudo apt install unbound

For Red Hat-based systems (dnf, or yum on older releases):

sudo dnf install unbound

Configure Unbound

Edit the Unbound configuration. On Debian and Ubuntu, /etc/unbound/unbound.conf only includes /etc/unbound/unbound.conf.d/*.conf, so put the following in a new file such as /etc/unbound/unbound.conf.d/dot.conf; on other distributions add it to /etc/unbound/unbound.conf:

server:
    # Plain DNS for this host, DNS over TLS for the LAN
    interface: 127.0.0.1@53
    interface: 0.0.0.0@853
    interface: ::0@853
    tls-service-key: "/etc/unbound/unbound_server.key"
    tls-service-pem: "/etc/unbound/unbound_server.pem"
    # Unbound 1.12+ can serve DoH from the same certificate (HTTP/2 over TLS):
    # interface: 0.0.0.0@443
    # https-port: 443
    # http-endpoint: "/dns-query"
    # Answer only the networks you mean to serve (replace the LAN range)
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 192.168.1.0/24 allow
    # CA bundle for verifying upstream DoT servers (Red Hat: /etc/pki/tls/certs/ca-bundle.crt)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    cache-max-ttl: 86400
    # No cache-min-ttl: forcing a floor above the zone's TTL serves stale records.
    # Debian provides root hints and the DNSSEC trust anchor through unbound.conf.d.

# Delete this forward-zone to let Unbound recurse from the root itself: queries then
# reach authoritative servers in the clear, but no single provider sees all of them.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # The name after '#' is checked against the certificate; without it the
    # session is encrypted but the upstream is not authenticated.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google

Generate a TLS certificate. A self-signed one works for testing, but clients that authenticate the resolver (Stubby with GETDNS_AUTHENTICATION_REQUIRED, browsers, Android Private DNS) will reject it unless they are explicitly told to trust or pin it, so for a real hostname obtain a certificate from a public CA, for example Let's Encrypt through certbot, and point tls-service-pem at the full chain file. Put the name in a subjectAltName, because modern TLS clients ignore the CN:

sudo openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
  -keyout /etc/unbound/unbound_server.key -out /etc/unbound/unbound_server.pem \
  -subj "/CN=yourdomain.com" -addext "subjectAltName=DNS:yourdomain.com"

Then make the key readable only by root and the unbound user (chown root:unbound, chmod 640); Unbound drops privileges to that user after start.

Check the configuration, then enable and start Unbound:

sudo unbound-checkconf
sudo systemctl enable --now unbound

2. Caddy: Modern Web Server as a DoH Front End

Caddy does not speak DNS and has no built-in DoH module, so the configuration below does not turn it into a resolver. What it contributes is automatic certificate management and HTTP/2 termination: it obtains and renews a certificate for your hostname and reverse-proxies the /dns-query path to a local DoH backend that speaks plain HTTP, such as dnsdist's addDOHLocal with no certificate files (section 6). The backend in turn resolves through Unbound.

Install Caddy

For Debian-based systems:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo tee /etc/apt/trusted.gpg.d/caddy-stable.asc
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

Configure Caddy

Create or edit the Caddyfile at /etc/caddy/Caddyfile:

yourdomain.com {
    # Caddy obtains the certificate itself (ACME); no tls line is needed for a public name.
    # Only /dns-query is DNS: hand it to a local DoH backend speaking plain HTTP,
    # e.g. dnsdist's addDOHLocal("127.0.0.1:8053") configured without certificate files.
    handle /dns-query* {
        reverse_proxy 127.0.0.1:8053
    }
    handle {
        respond 404
    }
}

Caddy obtains and renews a publicly trusted certificate for yourdomain.com automatically through ACME, so the self-signed certificate from the Unbound section is not needed here and would only make DoH clients reject the endpoint; the host needs ports 80 and 443 reachable from the internet for the ACME challenge. For a hostname that is not public, add the directive tls internal to the site block and install Caddy's local root CA on each client.

Validate the Caddyfile, then enable and start Caddy:

caddy validate --config /etc/caddy/Caddyfile
sudo systemctl enable --now caddy
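To make concrete what the Caddy site above hands off to, here is a minimal DoH backend written for this article (an added example, not code from Caddy, Unbound or any other project on this page). It listens on 127.0.0.1:8053 over plain HTTP/1.1, accepts RFC 8484 GET requests carrying a base64url dns parameter and POST requests with an application/dns-message body, relays each message to a plain-DNS resolver assumed to be on 127.0.0.1:53 (your Unbound), and returns the reply with the correct content type. The request logic is kept apart from the HTTP plumbing so it can be exercised without a network. Python's http.server is HTTP/1.1 only, so this is for understanding and for testing behind the proxy, not a replacement for dnsdist or Unbound's own DoH listener.

```python
"""Minimal DoH (RFC 8484) backend to sit behind a TLS-terminating reverse proxy such as
Caddy. Added example for this article, not part of Caddy or any resolver project."""
import base64
import socket
import struct
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlsplit

DNS_MESSAGE = "application/dns-message"
BACKEND = ("127.0.0.1", 53)   # assumption: a plain-DNS resolver (e.g. Unbound) listens here
LISTEN = ("127.0.0.1", 8053)  # plain HTTP/1.1; only the reverse proxy should reach it


def decode_dns_param(param: str) -> bytes:
    """Undo the unpadded base64url of the ?dns= parameter; rejects stray characters."""
    padded = param + "=" * (-len(param) % 4)
    return base64.b64decode(padded, altchars=b"-_", validate=True)


def relay(query: bytes, backend=BACKEND, timeout: float = 3.0) -> bytes:
    """Forward one query to the plain-DNS backend over UDP; retry over TCP if truncated."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, backend)
        reply = udp.recv(4096)
    if len(reply) >= 12 and reply[2] & 0x02:  # TC bit set: redo over TCP with length prefix
        with socket.create_connection(backend, timeout=timeout) as tcp:
            tcp.sendall(struct.pack("!H", len(query)) + query)
            (n,) = struct.unpack("!H", tcp.recv(2))
            reply = b""
            while len(reply) < n:
                chunk = tcp.recv(n - len(reply))
                if not chunk:
                    break
                reply += chunk
    return reply


def handle_doh(method: str, target: str, content_type: str, body: bytes, resolve=relay):
    """Request logic kept free of HTTP plumbing: returns (status, content_type, payload)."""
    url = urlsplit(target)
    if url.path != "/dns-query":
        return 404, "text/plain", b"not found\n"
    if method == "GET":
        params = parse_qs(url.query).get("dns", [])
        if len(params) != 1:
            return 400, "text/plain", b"exactly one dns parameter required\n"
        try:
            query = decode_dns_param(params[0])
        except ValueError:  # binascii.Error is a ValueError
            return 400, "text/plain", b"dns parameter is not base64url\n"
    elif method == "POST":
        if content_type.split(";")[0].strip() != DNS_MESSAGE:
            return 415, "text/plain", b"expected application/dns-message\n"
        query = body
    else:
        return 405, "text/plain", b"method not allowed\n"
    if len(query) < 12:  # shorter than a DNS header cannot be a query
        return 400, "text/plain", b"malformed dns message\n"
    try:
        return 200, DNS_MESSAGE, resolve(query)
    except OSError:
        return 502, "text/plain", b"resolver unreachable\n"


class DoHHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def _serve(self, method: str) -> None:
        length = int(self.headers.get("Content-Length") or 0)
        if length > 65535:  # larger than any DNS message; refuse before reading it
            self.send_error(413)
            return
        body = self.rfile.read(length) if length else b""
        status, ctype, payload = handle_doh(method, self.path, self.headers.get("Content-Type", ""), body)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self):
        self._serve("GET")

    def do_POST(self):
        self._serve("POST")


if __name__ == "__main__":
    ThreadingHTTPServer(LISTEN, DoHHandler).serve_forever()
```

Run it with python3 doh_backend.py, point the Caddyfile's reverse_proxy at 127.0.0.1:8053, and test from outside with curl -H 'accept: application/dns-message' 'https://yourdomain.com/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | hexdump -C (that parameter is the RFC 8484 example query for www.example.com). No Cache-Control header is set here; RFC 8484 recommends deriving one from the lowest TTL in the answer, which a production server should do.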

3. Stubby: DNS Privacy Daemon for DoT

Stubby is a client-side stub resolver: it listens on localhost for plain DNS from the applications on that machine and sends every query upstream over DoT, refusing to talk to a server whose certificate it cannot authenticate. It is the piece you install on each device (or in front of Unbound), not a recursive resolver in its own right.

Install Stubby

For Debian-based systems:

sudo apt update
sudo apt install stubby

Configure Stubby

Edit the configuration file at /etc/stubby/stubby.yml:

# Act as a stub: forward everything, never recurse
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS

# Refuse upstreams whose certificate does not validate against a system CA
# and match tls_auth_name (the strict profile of RFC 8310)
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
# Pad queries to 128-byte blocks (RFC 8467) and never send client subnet
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1

round_robin_upstreams: 1

# Where local clients send plain DNS; point /etc/resolv.conf at 127.0.0.1
listen_addresses:
  - 127.0.0.1
  - 0::1

upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_port: 853
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 8.8.8.8
    tls_port: 853
    tls_auth_name: "dns.google"

Validate the file, then enable and start Stubby:

sudo stubby -i -C /etc/stubby/stubby.yml
sudo systemctl enable --now stubby

4. Knot Resolver: Versatile DNS Resolver with DoH and DoT

Knot Resolver serves both DoH and DoT natively and forwards upstream over TLS. The configuration below uses the Lua syntax of Knot Resolver 5.x, which is what Debian and Ubuntu package; Knot Resolver 6 replaced it with a YAML file at /etc/knot-resolver/config.yaml, so check kresd --version first.

Install Knot Resolver

For Debian-based systems:

sudo apt update
sudo apt install knot-resolver

Configure Knot Resolver

Edit the configuration file at /etc/knot-resolver/kresd.conf:

-- Knot Resolver 5.x Lua syntax; 6.x uses /etc/knot-resolver/config.yaml instead
-- Plain DNS for this host
net.listen('127.0.0.1', 53, { kind = 'dns' })
-- DNS over TLS (853) and DNS over HTTPS (443, HTTP/2) for the LAN, one certificate for both
net.listen('0.0.0.0', 853, { kind = 'tls' })
net.listen('0.0.0.0', 443, { kind = 'doh2' })
net.tls('/etc/knot-resolver/server.pem', '/etc/knot-resolver/server.key')
cache.size = 100 * MB
-- Forward everything upstream over TLS; hostname= turns on certificate validation
policy.add(policy.all(policy.TLS_FORWARD({
  { '1.1.1.1', hostname = 'cloudflare-dns.com' },
  { '8.8.8.8', hostname = 'dns.google' },
})))

Start Knot Resolver. The package installs a systemd template, so you enable an instance rather than a bare kresd service:

sudo systemctl enable --now kresd@1.service

5. CoreDNS: Modular DNS Server with DoH and DoT

CoreDNS serves DoT and DoH through its server-block transports (tls:// and https://) rather than through separate plugins; the tls plugin supplies the certificate and the forward plugin sends queries upstream over TLS.

Install CoreDNS

For any Linux system, download the release binary from GitHub and verify its checksum (the original curl against the downloads web page fetches an HTML page, not an archive):

VERSION=1.11.1   # example; pick the current release from https://github.com/coredns/coredns/releases
curl -L --remote-name-all "https://github.com/coredns/coredns/releases/download/v${VERSION}/coredns_${VERSION}_linux_amd64.tgz"{,.sha256}
sha256sum -c "coredns_${VERSION}_linux_amd64.tgz.sha256" && tar xzf "coredns_${VERSION}_linux_amd64.tgz"
sudo install -m 0755 coredns /usr/local/bin/coredns

Configure CoreDNS

Create the configuration file, here /etc/coredns/Corefile:

# Reusable upstream: DoT to Cloudflare, certificate checked against tls_servername
# (one provider per forward block, since the name applies to all its upstreams)
(upstream) {
    forward . tls://1.1.1.1 tls://1.0.0.1 {
        tls_servername cloudflare-dns.com
    }
    cache
}

# Plain DNS for local clients
.:53 {
    import upstream
}

# DNS over TLS on 853
tls://.:853 {
    tls /etc/coredns/server.pem /etc/coredns/server.key
    import upstream
}

# DNS over HTTPS on 443, path /dns-query
https://.:443 {
    tls /etc/coredns/server.pem /etc/coredns/server.key
    import upstream
}

Start CoreDNS. Binding ports 53, 443 and 853 needs root or CAP_NET_BIND_SERVICE; for anything beyond a test, wrap this in a systemd unit that runs as an unprivileged user with that capability:

sudo coredns -conf /etc/coredns/Corefile

6. dnsdist: DNS Load Balancer with DoH and DoT Termination

dnsdist is a DNS load balancer and proxy: it terminates DoT and DoH from clients, applies ACLs and rate limits, and since version 1.7 can itself speak DoT to its backends. It performs no recursion of its own, so the backends are either public resolvers (as below) or a local Unbound.

Install DNSDist

For Debian-based systems:

sudo apt update
sudo apt install dnsdist

Configure DNSDist

Edit the configuration file at /etc/dnsdist/dnsdist.conf:

-- Plain DNS for this host
addLocal("127.0.0.1:53")
-- DNS over TLS and DNS over HTTPS listeners (the DoH path defaults to /dns-query)
addTLSLocal("0.0.0.0:853", "/etc/dnsdist/server.pem", "/etc/dnsdist/server.key")
addDOHLocal("0.0.0.0:443", "/etc/dnsdist/server.pem", "/etc/dnsdist/server.key", "/dns-query")
-- Without certificate files addDOHLocal speaks plain HTTP, for use behind a
-- TLS-terminating reverse proxy such as the Caddy setup in section 2:
-- addDOHLocal("127.0.0.1:8053")
-- Backends over DoT (dnsdist 1.7+); tls= names the TLS library your build has (openssl or gnutls)
newServer({address="1.1.1.1:853", tls="openssl", subjectName="cloudflare-dns.com", validateCertificates=true})
newServer({address="8.8.8.8:853", tls="openssl", subjectName="dns.google", validateCertificates=true})
-- Answer only the networks you serve (replace the LAN range)
setACL({"127.0.0.0/8", "::1/128", "192.168.1.0/24"})

Check the configuration, then enable and start dnsdist:

sudo dnsdist --check-config
sudo systemctl enable --now dnsdist

Combining Tools for Comprehensive DNS Privacy

The tools above fit together in a few common ways:

  • Stubby + Unbound: Either on one host, where Unbound serves the LAN, validates DNSSEC and caches, and forwards to a Stubby instance listening on 127.0.0.1:8053 that speaks DoT upstream; or with Stubby on each client pointing at your own Unbound DoT server, with tls_auth_name set to the name in the server certificate. In the second arrangement a self-signed certificate fails strict authentication unless you add a tls_pubkey_pinset entry (the SHA-256 of the server's public key) for it.
  • Caddy + a DoH backend + Unbound: Caddy handles the public certificate and proxies /dns-query to a local plain-HTTP DoH listener (dnsdist's addDOHLocal without certificate files), which resolves through Unbound. Unbound 1.12 and later can serve DoH directly with https-port, in which case Caddy is unnecessary.
  • Knot Resolver or dnsdist alone: Both terminate DoT and DoH in one process and forward upstream over TLS, which is the shortest path to offering both protocols.
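Whichever of the servers above you deploy, confirm two things before pointing clients at it: that it answers over each transport, and that a client which validates certificates accepts it (if it does not, the clients that matter will not either). The script below is an added example written for this article, not part of any project on this page, and uses only the Python standard library. It builds a wire-format query padded to a 128-byte block with the EDNS(0) Padding option (RFC 8467, the same block size as the Stubby setting above), sends it over DoT with SNI and CA validation or over DoH as an RFC 8484 GET request, and decodes the A records in the reply. The DoH path uses HTTP/1.1, so a server that only speaks HTTP/2 (Unbound's built-in listener, Knot Resolver's doh2 kind) should be tested with kdig +https or curl --http2 instead. The resolver address, certificate name and query name given on the command line are placeholders.

```python
"""Check a DoT/DoH resolver with the Python standard library only (added example)."""
import base64
import http.client
import os
import socket
import ssl
import struct
import sys

QTYPE_A = 1
PAD_BLOCK = 128  # RFC 8467: pad queries to a multiple of 128 bytes

def encode_name(name: str) -> bytes:
    """'www.example.com' -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, qtype: int = QTYPE_A, qid: int = 0, pad_to: int = 0) -> bytes:
    """Wire-format query, RD set; qid=0 keeps DoH GET URLs cacheable (RFC 8484 4.1).
    pad_to > 0 appends an OPT RR with an EDNS(0) Padding option (code 12) so the
    message length is a multiple of pad_to."""
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if pad_to else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if pad_to:
        pad_len = (-(len(msg) + 11 + 4)) % pad_to  # OPT fixed part 11 B + option header 4 B
        option = struct.pack("!HH", 12, pad_len) + b"\x00" * pad_len
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(option)) + option
    return msg

def doh_get_param(query: bytes) -> str:
    """base64url without '=' padding, as the ?dns= parameter requires."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def skip_name(msg: bytes, pos: int) -> int:
    """Advance past a possibly compressed name; return the offset after it."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length

def parse_a_records(msg: bytes):
    """Return (rcode, [IPv4 strings]) from a wire-format response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4  # skip qtype and qclass
    addrs = []
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, addrs

def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def query_dot(server_ip: str, auth_name: str, name: str, port: int = 853):
    """RFC 7858: TLS with SNI, chain and hostname verified against the system CA store,
    then DNS-over-TCP framing. A self-signed resolver certificate fails here with
    ssl.SSLCertVerificationError, which is exactly the behaviour you want."""
    query = build_query(name, qid=int.from_bytes(os.urandom(2), "big"), pad_to=PAD_BLOCK)
    with socket.create_connection((server_ip, port), timeout=5) as raw:
        with ssl.create_default_context().wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_a_records(recv_exact(tls, length))

def query_doh(host: str, name: str, path: str = "/dns-query", port: int = 443):
    """RFC 8484 GET over HTTPS (HTTP/1.1; servers that insist on HTTP/2 need curl --http2)."""
    query = build_query(name, qid=0, pad_to=PAD_BLOCK)
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=5)
    conn.request("GET", f"{path}?dns={doh_get_param(query)}", headers={"Accept": "application/dns-message"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    ctype = (resp.getheader("Content-Type") or "").split(";")[0].strip()
    if resp.status != 200 or ctype != "application/dns-message":
        raise RuntimeError(f"unexpected reply: HTTP {resp.status} {ctype!r}")
    return parse_a_records(body)

if __name__ == "__main__":  # e.g. "dot 192.168.1.10 yourdomain.com example.com" or "doh yourdomain.com example.com"
    mode, *args = sys.argv[1:]
    print(query_dot(*args) if mode == "dot" else query_doh(*args))
```

A self-signed resolver certificate makes query_dot raise ssl.SSLCertVerificationError. That is the correct outcome, and the remedy is a CA-issued certificate (or, for a deliberately private setup, loading your own CA into the context with load_verify_locations), not turning verification off; a resolver that only works with verification disabled is one your users will connect to insecurely.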

Conclusion

Securing your DNS traffic is essential to maintaining privacy and protecting against potential threats. With open-source tools like Unbound, Caddy, Stubby, Knot Resolver, CoreDNS, and DNSDist, you can set up a personal DNS resolver that supports both DNS over HTTPS and DNS over TLS. These tools offer flexibility, privacy, and control over your DNS queries, ensuring a more secure and private browsing experience.

Explore and configure these solutions to meet your specific needs and enjoy a safer online experience.

2 comments

SeeM

That is nice. I still prefer DNS in a local subnet, or via VPN, but it’s impractical for a lot of devices without any VPN client.

    9M2PJU

    yes. local dns is the lowest latency we can get.
