your-dns

A docker-compose file to provide a secure adblocking DNS server

Primary language: Dockerfile. License: MIT.

Goal

Run a secure DoT (DNS-over-TLS) and DoH (DNS-over-HTTPS) DNS server that does ad blocking and hides your DNS queries from your ISP.

AND

Hide your DNS queries from the upstream recursive DNS server as well: the stack forwards to Cloudflare over Tor, so the upstream resolver sees a Tor exit rather than your address.

All components in this stack

(Diagram: overview of components)

  1. Nginx: high-performance HTTP server. Here it terminates TLS for DNS-over-TLS on port 853, passes the plain DNS queries on to Pi-hole, and also fronts the Pi-hole web UI. (doc)
  2. Pi-hole: ad-blocking DNS server. Pi-hole ships its own fork of dnsmasq and provides a web UI to manage the DNS server. (donate)
  3. Stubby: a DNS stub resolver that forwards queries to an upstream DNS-over-TLS server. Unbound can also forward over TLS, but I was told (I can't find the reference) that Unbound does not reuse TLS connections, which is a concern for me: my AT&T gateway has an internal NAT table with a limited number of entries. (doc)
  4. DNS-over-HTTPS: a DoH server, so that clients which speak DNS-over-HTTPS get the same Pi-hole-filtered answers.

Prerequisites

  1. Install Docker (how) and the docker-compose command (how).
  2. Know how to DNAT port 853 (and the HTTPS port used by the DoH server) from your public IP to the server running the stack. Alternatively, if you have IPv6, allow inbound dport=853 to your server.
  3. Know how to get a Let's Encrypt certificate for your domain. You need a single wildcard certificate (together with the apex name) if you host both the DoH server and Pi-hole on the same server; that is what the certbot command below requests.

Run the stack

The following instructions start the containers that provide a DNS-over-TLS service on port 853 and forward your queries through Pi-hole, then on to Cloudflare DNS over Tor.

  1. Edit the .env file. See the comments in that file for instructions.
  2. Update config/letsencrypt/credentials.txt with your Cloudflare API credentials (see https://certbot-dns-cloudflare.readthedocs.io/en/stable/#credentials for the format). Keep this file private: the credentials let certbot, and anyone who reads the file, write records in your DNS zone.
  3. Run the following command, which should succeed:

    docker-compose run --entrypoint="certbot certonly --email ${EMAIL:?} -d *.${DOMAIN_NAME:?},${DOMAIN_NAME:?} --rsa-key-size=4096 --agree-tos --force-renewal --dns-cloudflare-credentials /credentials.txt --dns-cloudflare" certbot

  The ${EMAIL:?} and ${DOMAIN_NAME:?} references are expanded by your shell, not read from .env, so export both before running it (for example: export EMAIL=you@example.com DOMAIN_NAME=example.com). The :? form makes the shell abort with an error if a variable is unset instead of requesting a certificate for an empty name. Note that --force-renewal issues a new certificate every time the command runs, so do not script it in a loop; Let's Encrypt rate-limits duplicate certificates.
  4. Run docker-compose up -d
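Once the stack is up, the check worth doing is a DNS-over-TLS query against it that validates the certificate the way a real client would and then inspects the answer for Pi-hole's blocking response. The script below is an added example for this README, not code from the your-dns project. It uses only the Python standard library, speaks RFC 7858 directly (a normal DNS message with the two-byte length prefix of DNS over TCP, inside TLS), assumes your server is reachable as DOT_HOST (a placeholder you replace with your DOMAIN_NAME) on port 853, and treats a 0.0.0.0 answer or NXDOMAIN as "blocked", matching Pi-hole's NULL and NXDOMAIN blocking modes. The parsing functions can be exercised offline with constructed messages; only dot_query touches the network.

```python
"""Check a DNS-over-TLS (RFC 7858) server the way a client would.

Added example for this README, not code from the your-dns project.
DOT_HOST is a placeholder: replace it with your DOMAIN_NAME. The TLS
context verifies the server certificate against the system CA store and
checks the hostname, so a self-signed or mismatched certificate fails here
exactly as it would in a real DoT client.
"""
import socket
import ssl
import struct

DOT_HOST = "dns.example.com"   # placeholder, replace with your domain
DOT_PORT = 853
QUERY_ID = 0x1234              # fixed so the offline checks are reproducible


def build_query(name: str, qtype: int = 1, qid: int = QUERY_ID) -> bytes:
    """Build a DNS query (header + one question, class IN); qtype 1 = A record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags 0x0100: RD=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int):
    """Return (name, offset after the name), following RFC 1035 compression pointers."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # pointer to an earlier occurrence
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes, expected_id: int = QUERY_ID):
    """Return (rcode, list of IPv4 answers) from a DNS response message."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return rcode, addrs


def is_blocked(rcode: int, addrs) -> bool:
    """Pi-hole's blocking modes answer with 0.0.0.0 (NULL mode) or NXDOMAIN (rcode 3)."""
    return rcode == 3 or (bool(addrs) and all(a == "0.0.0.0" for a in addrs))


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(name: str, host: str = DOT_HOST, port: int = DOT_PORT):
    """Send one A query over TLS using the two-byte length prefix of DNS over TCP/TLS."""
    ctx = ssl.create_default_context()       # CA verification + hostname check enabled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(name)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length))


if __name__ == "__main__":
    # One name that should resolve and one ad domain that Pi-hole's default lists block.
    for name in ("example.com", "doubleclick.net"):
        rcode, addrs = dot_query(name)
        state = "BLOCKED" if is_blocked(rcode, addrs) else "allowed"
        print(f"{name}: rcode={rcode} answers={addrs} -> {state}")
```

Run it from outside your LAN after the DNAT or IPv6 rule is in place. Connect by the certificate's name, not by IP: with an IP the hostname check fails, which is the behaviour you want from a DoT client, since it is what stops an on-path attacker from substituting their own resolver.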