surtur 51cb74c853
add DoH support
* add instructions on how to use the resolvers
* additionally, configure better caching on CoreDNS
* tweak the main domain used
* reorganise the README a bit
2023-10-05 14:53:36 +02:00

1.9 KiB


this repo contains the configuration files for CoreDNS set up as a DNS over TLS (DoT) and DNS over HTTPS (DoH) forwarding resolver that relies on a locally running dnscrypt-proxy instance for resolution of any and all queries.

CoreDNS is configured to run under an unprivileged user (see coredns.service), which doesn't by default have access to /etc/letsencrypt. the TLS certs therefore need to be supplied to CoreDNS using another way - see the copycerts_coredns.{path,service,timer} units.

how to use this - tl;dr


DoH @

DoH alt port @

how to use this - the long version

the base domain here is


simply configure the base domain directly as the standard port (:853/tcp) is used.


append /dns-query to the base domain and optionally prefix it with https://, i.e. configure or as the DoH server (in e.g. Firefox).

it is worth noting that the DoH server natively listens on :4053, not :443. however, it's additionally proxied by nginx (that hogs all :443/[::]:443 on the host) so that it can be found on the standard HTTPS port and blends in better.

i.e. while both configurations can be used equally as well, one uses a non-standard port but does not depend on nginx running, and the other does use the standard DoH port but could become unavailable in the event of nginx crashing for some reason. in summary, pick your set of potential drawbacks.


  • automated deployment (preferably using ansible + drone)


WTFPLv2, see LICENSE for details