Dark Steveneq 646b892680
push sheeet
2025-10-09 14:15:47 +02:00


DNS-over-HTTPS Server

DNS-over-HTTPS is a high-performance DNS over HTTPS client and server. This module enables its server part (doh-server).

Quick Start

Set up with Nginx + ACME (recommended):

```nix
{
  services.doh-server = {
    enable = true;
    settings = {
      upstream = [ "udp:1.1.1.1:53" ];
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."doh.example.com" = {
      enableACME = true;
      forceSSL = true;
      http2 = true;
      locations."/".return = 404;
      locations."/dns-query" = {
        proxyPass = "http://127.0.0.1:8053/dns-query";
        recommendedProxySettings = true;
      };
    };
    # and other virtual hosts ...
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "you@example.com";
  };

  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
}
```

doh-server can also work as a standalone HTTPS web server (with an SSL certificate and key specified), but this is not recommended because doh-server does not do OCSP stapling.

Set up a standalone instance with ACME:

```nix
let
  domain = "doh.example.com";
in
{
  security.acme.certs.${domain} = {
    dnsProvider = "cloudflare";
    credentialFiles."CF_DNS_API_TOKEN_FILE" = "/run/secrets/cf-api-token";
  };

  services.doh-server = {
    enable = true;
    settings = {
      listen = [ ":443" ];
      upstream = [ "udp:1.1.1.1:53" ];
    };
    useACMEHost = domain;
  };

  networking.firewall.allowedTCPPorts = [ 443 ];
}
```
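With either setup deployed, the `/dns-query` endpoint should answer RFC 8484 wire-format queries. The following is an added example, not code from this module or the doh-server project, that builds such a query, encodes it in the GET `dns` parameter, and parses the answer; it assumes the `doh.example.com` hostname from the configurations above, and `SAMPLE_RESPONSE` is a constructed message so the parser can be exercised without network access.

```python
import base64
import struct
import urllib.request

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query: ID 0 (RFC 8484 recommends it for cacheability), RD set, class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(base: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url without '=' padding in the 'dns' parameter."""
    return base + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def _skip_name(msg: bytes, off: int) -> int:
    # Advance past a possibly compressed name; a 0xC0.. pointer is 2 bytes and ends the name.
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_response(resp: bytes) -> dict:
    """Return id, RCODE and the A-record addresses of a wire-format DNS response."""
    qid, flags, qd, an = struct.unpack_from("!HHHH", resp, 0)
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", resp, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + rdlen]))
        off += rdlen
    return {"id": qid, "rcode": flags & 0x0F, "answers": addrs}

def health_check(name: str = "example.com", url: str = "https://doh.example.com/dns-query") -> dict:
    """Live check against the nginx /dns-query location (needs network; not exercised offline)."""
    req = urllib.request.Request(doh_get_url(url, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as r:
        return parse_response(r.read())

SAMPLE_RESPONSE = (  # constructed sample answer for example.com/A, not a live capture
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # id 0, QR|RD|RA, 1 question, 1 answer
    b"\x07example\x03com\x00\x00\x01\x00\x01"  # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"  # A IN TTL 3600 -> 93.184.216.34
)
```

Running `health_check()` against the deployed host confirms that nginx forwards the wire-format request to doh-server and that a non-empty answer with RCODE 0 comes back.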

See a full example configuration at https://github.com/m13253/dns-over-https/blob/master/doh-server/doh-server.conf.