
Run a private DNS over HTTPS service - mrkurt
https://fly.io/docs/getting-started/dns-over-https/
======
StreamBright
What would be my motivation doing so? Not sure what is the advantage of
running my DNS over HTTPS.

>> DNS over HTTPS (or DoH) is a protocol that makes browsing more private.
Browsers typically resolve domain names with an unencrypted protocol, allowing
nosy neighbors and internet providers to snoop on some internet activity. DoH
creates an enecrypted connection between browsers and the DNS resolver to make
it difficult to even see what domains a user is loading.

This is simply not true (typo aside). My resolver runs locally in my apartment
or in our office. "nosy neighbors and internet providers" are not a threat to
us but surveillance companies are, who coincidentally are pushing for DoH. And DoH
is a protocol that makes browsing easier to be controlled by your browser
vendor. These guys just forget that not all DNS traffic originates from web
browsers. Google (Chrome) already ignores resolv.conf and is trying to force its
way to 8.8.8.8. Basically fighting for the last bit of information they can
get about you. Thanks, but no thanks.

~~~
lftl
Does your local resolver not have to query an upstream provider? Is that
recursive query private?

~~~
StreamBright
You can configure it two ways:

- full recursive (meaning you are going to query the root servers and all the
other servers until you get your answer)

- custom upstream provider who is not a surveillance company

The first is as secure as the protocol you use to query. You can use DoT to
make it more secure.

"DNS over TLS (DoT) is a security protocol for encrypting and wrapping Domain
Name System (DNS) queries and answers via the Transport Layer Security (TLS)
protocol. The goal of the method is to increase user privacy and security by
preventing eavesdropping and manipulation of DNS data via man-in-the-middle
attacks."

The second case is a bit better when DoT is not available for all the
nameservers, using Cloudflare's DNS service as an upstream gives you what you
want (it also supports DoT AFAIK).

As far as I am concerned DoT is the way to go and the best would be if all DNS
servers supported that all the way to the root servers and I could run my home
service with ad filtering on while other people could just use Cloudflare or
whoever they want and not leak out what they are querying for to companies in
between. DoH is pointless in my opinion if you have DoT.

------
fanf2
I wrote a DoH implementation
[https://github.com/fanf2/doh101](https://github.com/fanf2/doh101) based on
OpenResty which is running in production on Cambridge University’s central DNS
resolvers. Not many people are using DoH, though! DNS-over-TLS is _much_ more
popular, because Android will try to use it by default. If you run a recursive
DNS server, enable DoT!

~~~
mrkurt
OpenResty seems like a great way to do that.

~~~
fanf2
It was my first OpenResty app, and it worked better than I expected. My only
qualm is that the OpenResty packages are not updated very frequently, which
makes me worried about security support.

------
esotericn
The article is more about "how to use Fly", which is cool and looks useful,
but not really for me.

Thanks for the doh-proxy tip off though, might be worth chucking that on the
box that runs my DNS :)

~~~
mrkurt
doh-proxy is pretty neat and tiny. The flyio/doh-proxy docker image is pretty
much ready to go if you want to use it somewhere else. It's just a little
harder to get the "global" bit.

------
baal80spam
I am not a network guy so please bear with me. I use a large hosts file on
Windows filtering out a massive amount of crap. I don't think it's possible to
keep using it while running DNS over HTTPS? (I directly connect my PC to the
modem provided by the ISP).

~~~
darkhorn
There should be PHP scripts; DoH servers. Install it on your https web site.
Use it as a proxy to another DoH server. But before you forward the query to
the other end check the domain against your black list.

Or you can use ads blocking DoH server
[https://blahdns.com](https://blahdns.com)
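The two comments above (keeping a hosts-file blocklist while using DoH, and a small DoH proxy that checks the queried name against a blocklist before forwarding) describe one mechanism, so here is an added worked example of its core, written for this thread and not taken from the article, from doh-proxy or from any project mentioned here. It parses the raw `application/dns-message` body a DoH client POSTs, loads a hosts-file style blocklist (the sample hosts lines and domain names are constructed), answers NXDOMAIN locally for blocked names, and otherwise hands the untouched query to an upstream callable. The HTTP server around it and the `forward_to_doh` upstream URL are left to the deployer; the upstream used in the test is a fake so the example runs offline.

```python
"""Filtering core for a DoH proxy: parse the DNS question out of an
application/dns-message body, consult a hosts-file blocklist, and either
synthesise NXDOMAIN or forward the raw query upstream (added example)."""
import struct
import urllib.request
from typing import Callable, Iterable, Set

# Constructed sample hosts file for the example; not a real blocklist.
SAMPLE_HOSTS = """
# comment line
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # trailing comment
::1 localhost
"""


def load_hosts_blocklist(lines: Iterable[str]) -> Set[str]:
    """Collect names a hosts file sinks to 0.0.0.0 or 127.0.0.1 (the usual
    ad-blocking convention). 'localhost' and other entries are ignored."""
    blocked: Set[str] = set()
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("0.0.0.0", "127.0.0.1"):
            blocked.update(n.lower().rstrip(".") for n in parts[1:] if n != "localhost")
    return blocked


def parse_question(msg: bytes):
    """Return (qname, qtype, end_of_question) for a single-question DNS message.
    Compression pointers are not valid in a question name, so they are rejected."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    if struct.unpack("!H", msg[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        if length & 0xC0:  # 0b11xxxxxx is a pointer, 0b01/0b10 are reserved
            raise ValueError("compression pointer or reserved label type in question")
        pos += 1
        if length == 0:
            break
        if pos + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return ".".join(labels).lower(), qtype, pos + 4


def is_blocked(qname: str, blocklist: Set[str]) -> bool:
    """A name is blocked if it, or any parent domain of it, is on the list."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def nxdomain_response(query: bytes, question_end: int) -> bytes:
    """Synthesise NXDOMAIN: same ID, QR=1, RD copied from the query, RA=1,
    RCODE=3, the question echoed back and no answer records."""
    ident, flags = struct.unpack("!HH", query[:4])
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080 | 3
    header = struct.pack("!HHHHHH", ident, resp_flags, 1, 0, 0, 0)
    return header + query[12:question_end]


def handle_dns_message(query: bytes, blocklist: Set[str],
                       upstream: Callable[[bytes], bytes]) -> bytes:
    """Entry point for the POST body: filter locally or forward unchanged."""
    qname, _, end = parse_question(query)
    if is_blocked(qname, blocklist):
        return nxdomain_response(query, end)
    return upstream(query)


def forward_to_doh(url: str) -> Callable[[bytes], bytes]:
    """Upstream that relays the wire-format query to a DoH endpoint over HTTPS
    (RFC 8484 POST). The URL is whatever resolver the deployer chooses."""
    def upstream(query: bytes) -> bytes:
        req = urllib.request.Request(url, data=query, method="POST", headers={
            "Content-Type": "application/dns-message",
            "Accept": "application/dns-message"})
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read()
    return upstream


def build_query(qname: str, qtype: int = 1, ident: int = 0x1234) -> bytes:
    """Build a wire-format query (RD set, class IN); used for local testing."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.rstrip(".").split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)
```

Wiring `handle_dns_message` behind an HTTPS handler for `POST /dns-query` with `Content-Type: application/dns-message` is all that is left; the wire format is the same on both sides, so the query bytes go upstream untouched and the upstream answer comes back untouched, which keeps the proxy from having to understand anything but the question section.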

~~~
oakslab
NextDNS[1] is an alternative with customizable blocklist.

[1]: [https://nextdns.io/](https://nextdns.io/)

------
zackbloom
You can also do this on the same network which runs 1.1.1.1. Cloudflare (where
I work) allows you to deploy your own serverless functions for free [1] on the
same machines which serve DNS traffic, and the Workers can query
[https://cloudflare-dns.com](https://cloudflare-dns.com) without a problem.

1- [https://workers.cloudflare.com/](https://workers.cloudflare.com/)

~~~
mrkurt
At the risk of hair splitting, I'm not sure I'd call custom JavaScript in
front of a shared backend DoH origin "private". It seems like you may as well
just use 1.1.1.1 to do DoH if you're content with CloudFlare.

~~~
uneekname
...in fact, the default DoH provider in Firefox is CloudFlare.

------
bananocurrency
>Create a fly account

...nope!

~~~
mrkurt
There's no good way to host your apps without creating an account somewhere!

You can totally use the Docker image in the article without doing that though.
And maybe we should figure out how to make "login with your Hacker News" work.