DOH Setup

In this blog, I will be doing a walk through to set up a Dns-Over-https server using DNSCrypt’s doh-proxy and caddy reverse proxy.

Why?

The following article explores the DNS-Over-https protocol and how to setup a server that uses DoH. DNS-Over-https has been around for quite a while and also has been utilized in Offensive security . Understanding how DOH server and architecture works is important in case an operator wants to utilize it is a mode of communication for their implant/C2 .

Setup

Ubuntu : t2/t3.Medium
Categorized Domain

Instructions

Our DOH server resolves the queries and also manages the Dns-over-https requests i.e we aren’t outsourcing our DNS load to external providers such as cloudflare.
Assuming you have already pointed the domain to the server. lets start with setting up our own dns server that resolves the dns queries. we will use unbound

sudo apt update -y 
sudo apt install unbound 
sudo unbound 
dig @127.0.0.1 www.google.com # To test it

Up next, we will setup our reverse proxy that will expose https (port 443) to the internet and forward the requests to the local doh-proxy . For this part, we will use caddy

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
chmod o+r /usr/share/keyrings/caddy-stable-archive-keyring.gpg
chmod o+r /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

Use the following as the /etc/caddy/Caddyfile config

domain.com {
    encode zstd gzip
    route /dns-query* {
        reverse_proxy 127.0.0.1:3000
    }
log {
        output file /var/log/caddy/doh-access.log {
           
        }
        format json
    }
}

Now that the reverse proxy is taken care of, the last thing that is left is the DOH-proxy itself. We will be using DNSCrypt’s doh-proxy for this part.

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

cargo install doh-proxy

./doh-proxy -H 'domain.com' -u 127.0.0.1:53

The server is functional, the final piece would be to test it by setting your client. There are multiple options to do this, but the simplest would be using the browser .
Go to settings and search for DNS over HTTPs and choose Max Protection and enter the url https://domain.com/dns-query