DNSSEC Serializing Server
The server binds to the default ports 8080 (HTTP), 9090 (UDP) and 9091 (TCP) and serves serialized DNS resolver responses to clients.
Clients can test with the custom validating client or with the default dig commands as follows:
$ dig @127.0.0.1 -p 9090 cloudflare.com A +dnssec # to send a UDP DNS query requiring a serialized DNS proof
$ dig @127.0.0.1 -p 9091 cloudflare.com A +dnssec +tcp # to send a TCP DNS query requiring a serialized DNS proof
Use the validating client to send ODoH requests; these go to the HTTP listener and are distinguished from other requests by their Content-Type header.
Local development
To deploy the server locally, first acquire a TLS certificate using mkcert as follows:
$ mkcert -key-file key.pem -cert-file cert.pem 127.0.0.1 localhost
Then build and run the server as follows:
$ make all
$ CERT=cert.pem KEY=key.pem PORT=4567 ./server
By default, the proxy listens on /proxy and the target listens on /dns-query.
You may then run the corresponding client as follows:
$ ./odoh-client odoh --proxy localhost:4567 --target odoh.cloudflare-dns.com --domain cloudflare.com
;; opcode: QUERY, status: NOERROR, id: 14306
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;cloudflare.com. IN AAAA
;; ANSWER SECTION:
cloudflare.com. 271 IN AAAA 2606:4700::6810:84e5
cloudflare.com. 271 IN AAAA 2606:4700::6810:85e5
Deployment
This section describes how to deploy odoh-server-go.
Preconfigured deployments
Manual deployment
This server can also be manually deployed on any bare metal machine, or in cloud providers such as GCP. Instructions for both follow.
Bare metal
Deployment on bare metal servers, such as Equinix, can be done by following the instructions below. These steps assume that git and go are both installed on the machine.
- Configure a certificate on the metal using certbot. Once complete, the output should be something like the following, assuming the server domain name is "example.com":
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.com/privkey.pem
You must configure certbot to renew this certificate periodically. The simplest way to do this is via a cron job, for example the following crontab entry (a crontab line, not a shell command):
00 00 1 * 1 certbot renew
- Configure two environment variables to reference these files:
$ export CERT=/etc/letsencrypt/live/example.com/fullchain.pem
$ export KEY=/etc/letsencrypt/live/example.com/privkey.pem
- Clone and build the server:
$ git clone git@github.com:cloudflare/odoh-server-go.git
$ cd odoh-server-go
$ go build ./...
- Run the server:
$ PORT=443 ./odoh-server &
This runs the server in the background until it exits. You must arrange for the server to be restarted should it terminate prematurely.
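One way to meet the restart requirement above is a systemd unit; the following is an added example, not part of odoh-server-go. It sets the same CERT, KEY and PORT variables the steps above export, restarts the server on any exit, and grants only the capability needed to bind port 443 instead of running as root. The install path /opt/odoh-server-go, the dedicated "odoh" user and that user's read access to the certbot output are assumptions.

```ini
# /etc/systemd/system/odoh-server.service
# Added example, not part of the odoh-server-go repository. Assumes the binary
# was built at /opt/odoh-server-go/odoh-server and that a dedicated "odoh"
# system user/group exists (useradd --system odoh) with read access to the
# certbot output, e.g. via a group on /etc/letsencrypt/live and /etc/letsencrypt/archive.
[Unit]
Description=ODoH target/proxy server (odoh-server-go)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=odoh
Group=odoh
WorkingDirectory=/opt/odoh-server-go
# Same variables the bare-metal steps export by hand before running ./odoh-server.
Environment=CERT=/etc/letsencrypt/live/example.com/fullchain.pem
Environment=KEY=/etc/letsencrypt/live/example.com/privkey.pem
Environment=PORT=443
ExecStart=/opt/odoh-server-go/odoh-server
# Restart on any exit, which is what the steps above require.
Restart=always
RestartSec=5s
# Bind port 443 as an unprivileged user instead of running as root.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Least-privilege hardening: the server only needs to read the certificate files.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
```

Enable it with systemctl enable --now odoh-server. Since the server is assumed to load the certificate only at startup, add --deploy-hook "systemctl restart odoh-server" to the certbot renew cron entry so a renewed certificate is picked up.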
Reverse proxy
You need to deploy a reverse proxy with a valid TLS server certificate for clients to be able to authenticate the target or proxy.
The simplest option for this is using Caddy. Caddy will automatically provision a TLS certificate using ACME from Let's Encrypt.
For instance:
caddy reverse-proxy --from https://odoh.example.net:443 --to 127.0.0.1:8080
Alternatively, use a Caddyfile similar to:
odoh.example.net
reverse_proxy localhost:8080
and run caddy start.