# DNS-over-HTTPS Server {#module-service-doh-server}

[DNS-over-HTTPS](https://github.com/m13253/dns-over-https) is a high-performance DNS over HTTPS client and server. This module enables its server part (`doh-server`).

## Quick Start {#module-service-doh-server-quick-start}

Set up behind Nginx with ACME (recommended):

```nix
{
  services.doh-server = {
    enable = true;
    settings = {
      upstream = [ "udp:1.1.1.1:53" ];
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."doh.example.com" = {
      enableACME = true;
      forceSSL = true;
      http2 = true;
      locations."/".return = 404;
      locations."/dns-query" = {
        proxyPass = "http://127.0.0.1:8053/dns-query";
        recommendedProxySettings = true;
      };
    };
    # and other virtual hosts ...
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "you@example.com";
  };

  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
}
```

`doh-server` can also work as a standalone HTTPS web server (with the TLS certificate and key specified), but this is not recommended because `doh-server` does not do OCSP stapling.

Set up a standalone instance with ACME:

```nix
let
  domain = "doh.example.com";
in
{
  security.acme.certs.${domain} = {
    dnsProvider = "cloudflare";
    credentialFiles."CF_DNS_API_TOKEN_FILE" = "/run/secrets/cf-api-token";
  };

  services.doh-server = {
    enable = true;
    settings = {
      listen = [ ":443" ];
      upstream = [ "udp:1.1.1.1:53" ];
    };
    useACMEHost = domain;
  };

  networking.firewall.allowedTCPPorts = [ 443 ];
}
```

See a full configuration in <https://github.com/m13253/dns-over-https/blob/master/doh-server/doh-server.conf>.
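To check that a `/dns-query` endpoint deployed as above actually answers RFC 8484 queries, the following added example (not code from the dns-over-https project or from this module) builds the GET-form request URL with a base64url-encoded DNS wire message and decodes an `application/dns-message` reply down to its A records. The hostname `doh.example.com` and the sample response bytes are constructed for illustration; `query_doh()` is the only function that touches the network.

```python
"""Client-side check for an RFC 8484 DNS-over-HTTPS endpoint (added example)."""
import base64
import struct
import urllib.request  # used only by query_doh(); everything else runs offline

def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a DNS query in RFC 1035 wire format.
    RFC 8484 recommends transaction ID 0 so identical queries yield identical,
    cacheable URLs."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS IN

def doh_get_url(base_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url without '=' padding in the `dns` parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={encoded}"

def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end

def parse_a_records(msg: bytes) -> list[str]:
    """Return the IPv4 addresses from the answer section of a DNS response.
    Raises ValueError when the resolver reported a non-zero RCODE."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x0F
    if rcode != 0:
        raise ValueError(f"resolver returned RCODE {rcode}")
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:  # A record, class IN
            addrs.append(".".join(str(b) for b in rdata))
    return addrs

def query_doh(base_url: str, name: str) -> list[str]:
    """Send a real GET-form query (network access required) and decode the reply."""
    req = urllib.request.Request(
        doh_get_url(base_url, build_dns_query(name)),
        headers={"Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        if resp.headers.get("Content-Type") != "application/dns-message":
            raise ValueError("endpoint did not return application/dns-message")
        return parse_a_records(resp.read())

# Constructed sample reply for "example.com A?" using the documentation
# address 192.0.2.1; it is not captured from any real resolver.
SAMPLE_RESPONSE = (
    bytes.fromhex("0000 8180 0001 0001 0000 0000")          # QR=1 RD RA RCODE=0
    + b"\x07example\x03com\x00" + bytes.fromhex("0001 0001")  # question: A IN
    + bytes.fromhex("c00c 0001 0001 0000012c 0004 c0000201")  # answer, TTL 300
)

if __name__ == "__main__":
    print(doh_get_url("https://doh.example.com/dns-query", build_dns_query("example.com")))
    print(parse_a_records(SAMPLE_RESPONSE))
```

Running the module's `main` only prints the URL and decodes the constructed reply; point `query_doh("https://doh.example.com/dns-query", "example.com")` at your own host to exercise the Nginx `proxyPass` path end to end. Because the transaction ID is fixed at 0 and the encoding is unpadded, the generated URL is stable across runs, which is what lets HTTP caches in front of the server work as RFC 8484 intends.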