by ArcHound 16 days ago
Thank you for the kind words.

DoH is a critical enabler of ECH, and getting it right isn't easy - especially dodging all of the free services provided by the giants.


In my unbound.conf it looks like this:

    # DoH endpoint served by this config: https://dohint.mydomain.tld/dns-query
    # lan interface (address elided; bound on 443 so it is treated as a DoH listener)
    interface: [x.x.x.x]@443
    # wifi interface
    interface: [x.x.x.x]@443
    # any interface bound to this port number speaks DNS-over-HTTPS
    https-port: 443
    # buffers for queued HTTP/2 requests and responses
    http-query-buffer-size: 16m
    http-response-buffer-size: 16m
    # max concurrent HTTP/2 streams per client connection
    http-max-streams: 420
    # TLS key/cert shared with the DoT listener
    tls-service-key: "/etc/unbound/keys.d/unbound_server.key"
    tls-service-pem: "/etc/unbound/keys.d/unbound_server.pem"
Then in browsers / devices I set a custom DoH endpoint of https://dohint.mydomain.tld/dns-query, and it uses the same key/cert I used in the past for DNS over TLS (DoT), which is still listening on TCP port 853.
Have you tried putting this behind a reverse proxy? This gives us a lot of features like rate-limiting, and it should work well since it is HTTPS after all.
I thought about putting a few instances behind HAProxy for public use. Not sure many people would use it.
I put Unbound directly on the web to play with for now, having some quirks with HAProxy. It has an hourly cron job that pre-caches the Cloudflare Top 20000 or so .com .net .org .is domains and some domains I use.

https://doh.nochan.net/dns-query