Development practice of using cloud server ECS to build DoH service

As we all know, a DNS server converts a domain name (usually referred to as a URL) that is easy for humans to understand into an "IP address" that is easy for machines to understand. It uses UDP port 53 to provide external services. Typically, DNS queries are sent in clear text, which means that your website access records can be easily obtained by network administrators and ISPs.

Faced with increasingly severe behavior management, privacy disclosure, and malicious hijacking, DoH is being used more widely as a more secure DNS query method. It provides DNS resolution through the TLS encrypted HTTP connection specified in RFC 8484, which means that our DNS queries are encrypted and protected.

Can I try building a DoH server on the public network?

After I had this idea, I started to take action. I also resolved many doubts by consulting public online materials. Finally, with the help of Alibaba Cloud's ECS (image source is really fast, recommended), I successfully completed the practice of building a DoH server.

Next, follow me to see how the construction was completed~

01 Resource preparation: ECS+domain name

1. Cloud server

For this practice, it is recommended to use a cloud server loaded with Ubuntu images. You can use the t5 instance for free for one month in Alibaba Cloud's trial center.

If you are a college student or teacher, you can use the college plan and receive it for free for 2.5 months.

2. Domain name preparation

It is recommended to purchase a domain name using Alibaba Cloud World Wide Web. The advantage is that you can obtain a free SSL certificate.

02 Convenient construction scheme

If you just want to facilitate configuration, you can refer to the following steps:

1. Install Docker:

apt-get install

2. Start docker:

service docker start

3. Download, create and initialize the dnscrypt-server container:

① The domain placeholder is replaced by your domain name and the address placeholder by the ECS public IP address. Multiple comma-separated IPs and ports can be specified, such as -E ',[2001:0db8::412f]:443'.

② -v /etc/dnscrypt-server:/opt/encrypted-dns/etc/keys: /opt/encrypted-dns/etc/keys is the path inside the container, and it maps to /etc/dnscrypt-server/keys.

Start service command: docker start dnscrypt-server

4. Download, create and initialize the DoH server container:

5. Verify container status:

docker ps -a

6. Enable automatic start:

docker update --restart=unless-stopped dnscrypt-server

docker update --restart=unless-stopped doh-server

7. For Web client and SSL certificates, refer to nginx below.

8. Check the configuration - After all services are started, we have the DoH service. Please refer to the final summary section.

03 Advanced Building Tutorial

There are several ways to build it, so here are three solutions and ideas.

i. Nginx+doh-server+dnscrypt (used in this article)

ii. Nginx+doh-server+Bind (alternative)

iii. Nginx+doh-server+CoreDNS (cloud native solution)

1. Install the software-properties-common package:

This is a preliminary operation. I am using the Ubuntu 20.04 64-bit system officially provided by Alibaba Cloud, which lacks the add-apt-repository command. I need to run the following commands on the system terminal to install the software-properties-common package:

sudo apt update

sudo apt -y install software-properties-common dirmngr apt-transport-https lsb-release ca-certificates


You can add a PPA repository using the following command:

sudo add-apt-repository ppa:

After adding the PPA repository, update the package list and install the new package from the repository:

sudo apt update

sudo apt install

2. Install Dnscrypt-Proxy

a) Installation and Verification

Dnscrypt-Proxy is a DNS proxy server program with many modern functions, which supports DNSCrypt v2 (identity authentication), DNS-over-HTTPS (RFC 8484, DNS Queries over HTTPS (DoH)), and other functions.

Because Dnscrypt-Proxy is developed using Golang, it does not support installation on CentOS 5 and earlier Linux distributions. Dnscrypt-Proxy needs to occupy port 53, so check whether port 53 is already in use before installing it. The command is:

ss -lp 'sport = :domain'

We can use volunteer contributed PPAs to quickly install and maintain the latest version of the program:

sudo add-apt-repository ppa:shevchuk/dnscrypt-proxy

sudo apt install dnscrypt-proxy

After installation, the Dnscrypt-Proxy service will automatically start on the server.

The program will be installed in the /etc/dnscrypt-proxy folder. The listening address for dnscrypt-proxy is usually (V: 2.1.0~ppa6): We can use the dig command to check it.

In the configuration file /etc/dnscrypt-proxy/dnscrypt-proxy.toml, the server_names field requires you to set one or more servers that you like. If the first request fails, it will automatically request the second server. For example: server_names = ['alidns-doh']. We will not make any changes here. Depending on the availability zone where the server is located, we may modify the parameters here.

b) Modify system DNS configuration

Remove system DNS configuration command:

apt-get remove resolvconf

To set up a backup for the system DNS configuration file:

cp /etc/resolv.conf /etc/resolv.conf.backup

Modify the original DNS configuration file:

vim /etc/resolv.conf

Modify to nameserver options edns0

Finally, restart the dnscrypt-proxy service:

sudo systemctl restart dnscrypt-proxy

Note: The default socket library address used by the Systemd service of the system is

3. Install DNS-over-HTTPS

This is an open source DoH server program developed in Golang, which accepts HTTP requests and performs DNS queries. We can quickly install the DNS-over-HTTPS server program using the deb installation package:

If Debian is used, the command is:

sudo dpkg -i doh-server_2.0.1_amd64.deb

In Ubuntu, the command is:

sudo apt install ./doh-server_2.0.1_amd64.deb

sudo apt install /root/doh-server_2.0.1_amd64.deb

Note: Replace the file path above with the actual location of the package.

Tips: If you get a dependency error during the installation of the deb package, you can use the following command to fix the dependency problem:

sudo apt install -f

The configuration file for the installed DoH server program is located at /etc/dns-over-https/doh-server.conf. To set reverse resolution, we modify its upstream field (upstream DNS resolution) to the listening address of the dnscrypt-proxy mentioned above; the dnscrypt-proxy listening field can be modified in the /etc/dnscrypt-proxy/dnscrypt-proxy.toml file. This way, the DoH program will use dnscrypt-proxy to perform DNS requests.

Edit command:

vim /etc/dns-over-https/doh-server.conf

The modifications are shown in the following figure:

Restart the service to apply the changes:

sudo systemctl restart doh-server
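In this layout Nginx is the only component clients need to reach, so the resolver on port 53 and the doh-server backend should listen on loopback only. The following Python check is an added example, not part of the original article: it parses the output of ss -H -lntu and reports backend ports bound to a non-loopback address. The sample output is constructed, and port 8053 for doh-server is an assumption to be replaced with the value in your doh-server.conf.

```python
import ipaddress

# Constructed `ss -H -lntu` output for illustration (not taken from a real host).
SAMPLE_SS = """\
udp   UNCONN 0      0          127.0.0.1:53        0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:53        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
udp   UNCONN 0      0               [::]:53           [::]:*
tcp   LISTEN 0      4096       127.0.0.1:8053      0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
"""

def split_local(field: str) -> tuple[str, int]:
    """Split ss's 'Local Address:Port' column into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.split("%", 1)[0].strip("[]")  # drop %iface scope and IPv6 brackets
    return addr, int(port)

def exposed_listeners(ss_output: str, internal_ports: set[int]) -> list[tuple[str, str, int]]:
    """Listeners on backend-only ports that are bound to a non-loopback address."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue
        addr, port = split_local(cols[4])
        if port not in internal_ports:
            continue
        # '*', 0.0.0.0 and :: are wildcards; anything outside loopback is reachable off-host.
        if addr == "*" or not ipaddress.ip_address(addr).is_loopback:
            findings.append((cols[0], addr, port))
    return findings

def audit() -> list[tuple[str, str, int]]:
    # 53 = resolver; 8053 is an assumed doh-server port, adjust to your doh-server.conf.
    return exposed_listeners(SAMPLE_SS, {53, 8053})
```

On a live host, pass the real command output to exposed_listeners instead of SAMPLE_SS; an empty list means neither backend port is bound beyond loopback.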

4. Install Nginx

Nginx is a high-performance reverse proxy server program. It accepts HTTPS DNS requests from clients, terminates TLS, and forwards the DoH requests to the DoH server program. It is the entry point for clients, and we will also configure an SSL certificate for it so that clients can authenticate the HTTPS endpoint.

I am using the version provided by "Ondřej Surý". Search for this keyword in Baidu, and then enter the webpage to download the corresponding installation package. The following are the installation commands:

sudo add-apt-repository ppa:ondrej/nginx

sudo apt install nginx-full

Nginx is installed in the /etc/nginx directory. We need to edit the configuration file.

vim /etc/nginx/sites-available/dns-over-https

The server_name field requires your own domain name, which is required to provide DoH services. The upstream dns-backend block is the address to which Nginx forwards requests; here it is the listening address of our DoH server. The following is an example configuration:

We can configure nginx to check SSL certificates:

The configuration is shown in the following figure, where the resolver variable is the listening address of DNScrypt.

5. Request an SSL certificate

Method 1: Manual installation

If you purchase an AliCloud domain name, we can choose to install it manually. The advantage is that the validity period can be as long as one year, while the disadvantage is that it is relatively troublesome.

Enter Console - Digital Certificate Management Service

After purchasing a DV single domain name certificate package, you can click Create Certificate, fill in the application, and verify it.

After the purchase is successful, we can download the certificate and deploy it to the server. Upload the certificate to the server directory through FTP or other methods, and modify the nginx configuration file to apply the changes. An example configuration is as follows:

Use the nginx -t command to test whether the configuration is correct.

Reload nginx to apply the configuration:

sudo systemctl reload nginx

Method 2: Install using plug-ins

Certbot is a free open source SSL certificate application tool for automatically deploying free Let's Encrypt certificates on manually managed websites to enable HTTPS. Using Certbot to configure certificates on nginx servers is a great choice. The advantage is that it is relatively convenient, while the disadvantage is that the validity period is short.

To install certbot using the PPA:

The screenshot after success is as follows:

Apply for a certificate for your domain name (remember to replace the domain name), and accept the agreement when prompted to proceed:

sudo certbot --nginx -d

Next, we will select 2 to forward HTTP traffic to HTTPS. If we select 1, it means no forwarding. (As shown in the following figure)

The plug-in's configuration file can be opened with vim /etc/letsencrypt/options-ssl-nginx.conf

Reload nginx to apply the configuration:

sudo systemctl reload nginx

Since the certificate issued by Let's Encrypt is valid for only 90 days, we can use the certbot renew command to update the certificate.

04 DoH Usage Summary

RFC 8484 specifies the use of the /dns-query path as the default query path. On the client side, browsers such as Firefox and Google Chrome already support DoH, and the configuration path in Google Chrome is: Settings - Security and Privacy Settings - Advanced - Use Secure DNS:

Of course, due to policy reasons, the DoH servers we have built in China cannot provide services to the public network without operational records, so the significance of this practice lies in the fun of learning and hands-on practice.

In addition, because DNS services must be fast and accurate, personally built servers are not the optimal choice; if you have a need, you can try Alibaba Cloud's public DoH service.
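To verify the finished endpoint without a browser, a client can build the RFC 8484 GET request itself and decode the binary answer. The Python code below is an added example, not part of the original article: it builds the wire-format query and the /dns-query URL, and parses A records from a response. The host doh.example.com is a placeholder for your own domain, and the sample response is constructed.

```python
import base64
import ipaddress
import struct

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query with ID 0, which RFC 8484 advises for HTTP cacheability."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def doh_get_url(host: str, name: str, qtype: int = 1) -> str:
    """GET form of the request: ?dns=<base64url of the query, padding stripped>."""
    b64 = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=")
    return f"https://{host}/dns-query?dns={b64.decode()}"

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # a 2-byte pointer terminates the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_records(msg: bytes) -> list[str]:
    """IPv4 addresses in the answer section of an application/dns-message body."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return addrs

# Constructed response (not captured traffic): one A record for www.example.com.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + build_query("www.example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
```

Request the URL from doh_get_url with the header Accept: application/dns-message and pass the response body to parse_a_records; a ValueError means the server answered with an error code or did not return a DNS response.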
