Running a DoH server on a local network

[vukitoso]

Hello. Is it possible to run a DoH server on a local network?

I generated a self-signed certificate

openssl req -x509 -newkey rsa:2048 -keyout example.key -out example.crt -days 365 -nodes -subj "/CN=dnsproxy.local" -addext "subjectAltName=DNS:dnsproxy.local,IP:192.168.1.5"

Run:

./dnsproxy -l 192.168.1.5 --https-port=443 --tls-crt=key2/example.crt --tls-key=key2/example.key --insecure -u 1.1.1.1:53 -p 0

But the dns client says "certificate signed by unknown authority"

# q -v google.com @https://192.168.1.5
DEBU[0000] Name: google.com                             
DEBU[0000] RR types: [A AAAA NS MX TXT CNAME]           
DEBU[0000] Server(s): [https://192.168.1.5]             
WARN[0000] TLS secret logging enabled                   
DEBU[0000] Using server https://192.168.1.5:443/dns-query with transport http 
DEBU[0000] Using HTTP(s) transport: https://192.168.1.5:443/dns-query 
DEBU[0000] [http] sending GET request to https://192.168.1.5:443/dns-query?dns=OVMBAAABAAAAAAAABmdvb2dsZQNjb20AABAAAQ 
FATA[0000] requesting https://192.168.1.5:443/dns-query?dns=OVMBAAABAAAAAAAABmdvb2dsZQNjb20AABAAAQ: Get "https://192.168.1.5:443/dns-query?dns=OVMBAAABAAAAAAAABmdvb2dsZQNjb20AABAAAQ": tls: failed to verify certificate: x509: certificate signed by unknown authority 

I understand that it’s just not possible to launch a local DNS DoH server. 1) You need to create your own local certification authority, 2) issue a certificate from him 3) and add this certificate authority to the system or browser where you plan to use the DNS client.

Did I understand correctly, or are there other solutions?

[ameshkov]

Hi!

You just need to install the certificate that you generated to your client computer's list of trusted certificate authoritites.

Running dnsproxy with --insecure is not necessary.