21 comments

[ 3.4 ms ] story [ 56.8 ms ] thread
>Create a fly account

...nope!

There's no good way to host your apps without creating an account somewhere!

You can totally use the Docker image in the article without doing that though. And maybe we should figure out how to make "login with your Hacker News" work.

You can also do this on the same network which runs 1.1.1.1. Cloudflare (where I work) allows you to deploy your own serverless functions for free [1] on the same machines which serve DNS traffic, and the Workers can query https://cloudflare-dns.com without a problem.

1- https://workers.cloudflare.com/

At the risk of hair splitting, but I'm not sure I'd call custom JavaScript in front a shared backend DoH origin "private". It seems like you may as well just use 1.1.1.1 to do DoH if you're content with CloudFlare.
...in fact, the default DoH provider in Firefox is CloudFlare.
What would be my motivation doing so? Not sure what is the advantage of running my DNS over HTTPS.

>> DNS over HTTPS (or DoH) is a protocol that makes browsing more private. Browsers typically resolve domain names with an unencrypted protocol, allowing nosy neighbors and internet providers to snoop on some internet activity. DoH creates an enecrypted connection between browsers and the DNS resolver to make it difficult to even see what domains a user is loading.

This is simply not true (typo aside). My resolver runs locally in my apartment or in our office. "nosy neighbors and internet providers" are not a threat to us but surveillance companies are, who coincidentally pushing for DoH. And DoH is a protocol that makes browsing easier to be controlled by your browser vendor. These guys just forget that not all DNS traffic is originated from web browsers. Google (Chrome) already ignores resolv.conf and trying to force its way to 8.8.8.8. Basically fighting for the last bit of information they can get about you. Thanks, but no thanks.

Does your local resolver not have to query an upstream provider? Is that recursive query private?
You can configure it two ways:

- full recursive (meaning you are going to query the root servers and all the other servers until you get your answer)

- custom upstream provider who is not a surveillance company

The first is as secure as the protocol to use to query. You can use DoT to make it more secure.

"DNS over TLS (DoT) is a security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks."

The second case is a bit better when DoT is not available for all the nameservers, using Cloudflare's DNS service as an upstream gives you what you want (it also supports DoT AFAIK).

As far as I am concerned DoT is the way to go and the best would be if all DNS servers support that all the way to the root servers and I could run my home service with ad filtering on while other people could just use Cloudflare or whoever they want and not leaking out what they are querying for companies in between. DoH is pointless in my opinion if you have DoT.

I am not a network guy so please bear with me. I use a large hosts file on Windows filtering out massive amount of crap. I don't think it's possible to keep using it while running DNS over HTTPS? (I directly connect my PC to the modem provided by ISP).
That depends. If you're using Firefox and setting it to use dns-over-https it seems to ignore your /etc/hosts file. If you're installing DNS over HTTPS on an internet gateway, and just doing normal DNS lookups internal to your network the /etc/hosts file will work just fine.
There should be PHP sscipts; DoH servers. Install it to your https web site. Use it as a proxy to another DoH server. But before you forward the query to the other end check the domain against your black list.

Or you can use ads blocking DoH server https://blahdns.com

You could run something like PiHole locally, it has the ability to forward to DNSCrypt or similar.
The article is more about "how to use Fly", which is cool and looks useful, but not really for me.

Thanks for the doh-proxy tip off though, might be worth chucking that on the box that runs my DNS :)

doh-proxy is pretty neat and tiny. The flyio/doh-proxy docker image is pretty much ready to go if you want to use it somewhere else. It's just a little harder to get the "global" bit.
(comment deleted)
I wrote a DoH implementation https://github.com/fanf2/doh101 based on OpenResty which is running in production on Cambridge University’s central DNS resolvers. Not many people are using DoH, though! DNS-over-TLS is much more popular, because Android will try to use it by default. If you run a recursive DNS server, enable DoT!
OpenResty seems like a great way to do that.
It was my first OpenResty app, and it worked better than I expected. My only qualm is that the OpenResty packages are not updated very frequently, which makes me worried about security support.