s-s / dnscloak

iOS GUI and wrapper for dnscrypt-proxy 2
Mozilla Public License 2.0
321 stars, 38 forks

How to use my own DoH server #15

Closed paddg closed 4 years ago

paddg commented 4 years ago

How can I setup my own DoH server instead of using one of the built in list?

timbru31 commented 4 years ago

Yes of course you can :)

```toml
[...]
server_names = ['myserver']

[static]
  [static.'myserver']
  stamp = '<stamp-value>'
```

paddg commented 4 years ago

Thank you, @timbru31. Can you please give me a more complete configuration example? I've no idea what a "stamp-value" is. Is "myserver" a URI? My DoH server URI is https://dns.t53.de/dns-query What should the configuration look like?

timbru31 commented 4 years ago

You can generate one here: https://dnscrypt.info/stamps/

It’s a compact format that includes all the necessary server information.

jedisct1 commented 4 years ago

A DNS Stamp is a string that encodes all the parameters required to connect to a DNS server or DNS relay.

If the server software you use doesn't print it, you can use the online DNS stamp tool to compute it.

In your case, it may be

sdns://AgUAAAAAAAAAACA-GhoPbFPz6XpJLVcIS1uYBwWe4FerFQWHb9g_2j24OApkbnMudDUzLmRlCi9kbnMtcXVlcnk

The certificate is signed by Let's Encrypt, so a parent certificate hash is 3e1a1a0f6c53f3e97a492d57084b5b9807059ee057ab1505876fd83fda3db838.
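
The stamp above is not an opaque token but a small binary structure, base64url-encoded behind the `sdns://` prefix. The following Python is an added example, not code from DNSCloak, dnscrypt-proxy or the dnscrypt.info stamp generator: it encodes and decodes DoH stamps following the layout in the DNS Stamps specification (protocol byte 0x02, 64-bit little-endian props, LP(addr), VLP(hashes), LP(hostname), LP(path), optional VLP(bootstrap IPs)) and renders the `[static]` fragment shown in timbru31's reply. The only values taken from this thread are the stamp and the certificate hash quoted above; `doh.example` and 192.0.2.1 in the usage are placeholders.

```python
import base64
import struct

# Property bits from the DNS Stamps specification (https://dnscrypt.info/stamps-specifications/).
PROP_DNSSEC = 1 << 0     # server validates DNSSEC
PROP_NO_LOGS = 1 << 1    # server claims not to keep logs
PROP_NO_FILTER = 1 << 2  # server claims not to block domains

DOH_PROTOCOL = 0x02  # first byte of a DoH stamp (0x01 is DNSCrypt, 0x00 plain DNS)

# Values quoted in the thread above: the stamp computed for dns.t53.de/dns-query
# and the Let's Encrypt intermediate hash it pins.
T53_STAMP = "sdns://AgUAAAAAAAAAACA-GhoPbFPz6XpJLVcIS1uYBwWe4FerFQWHb9g_2j24OApkbnMudDUzLmRlCi9kbnMtcXVlcnk"
T53_HASH = "3e1a1a0f6c53f3e97a492d57084b5b9807059ee057ab1505876fd83fda3db838"


def _lp(data):
    """LP(x): a one-byte length followed by the bytes."""
    if len(data) > 255:
        raise ValueError("LP field longer than 255 bytes")
    return bytes([len(data)]) + data


def _vlp(items):
    """VLP(x1..xn): each item is length-prefixed and the high bit of the length
    byte is set on every item except the last; an empty set is a single 0x00."""
    if not items:
        return b"\x00"
    out = bytearray()
    for i, item in enumerate(items):
        if len(item) > 0x7F:
            raise ValueError("VLP item longer than 127 bytes")
        out.append(len(item) | (0x80 if i < len(items) - 1 else 0))
        out += item
    return bytes(out)


def encode_doh_stamp(hostname, path, hashes_hex=(), props=0, addr="", bootstrap_ips=()):
    """Build an sdns:// DoH stamp: 0x02 | props (u64 LE) | LP(addr) | VLP(hashes)
    | LP(hostname) | LP(path) [| VLP(bootstrap_ips)]."""
    body = bytes([DOH_PROTOCOL]) + struct.pack("<Q", props)
    body += _lp(addr.encode())
    body += _vlp([bytes.fromhex(h) for h in hashes_hex])
    body += _lp(hostname.encode())
    body += _lp(path.encode())
    if bootstrap_ips:
        body += _vlp([ip.encode() for ip in bootstrap_ips])
    return "sdns://" + base64.urlsafe_b64encode(body).rstrip(b"=").decode()


def decode_doh_stamp(stamp):
    """Parse an sdns:// DoH stamp into a dict; raises ValueError on malformed input."""
    if not stamp.startswith("sdns://"):
        raise ValueError("stamp must start with sdns://")
    b64 = stamp[len("sdns://"):]
    body = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if len(body) < 9 or body[0] != DOH_PROTOCOL:
        raise ValueError("not a DoH (0x02) stamp")
    props = struct.unpack_from("<Q", body, 1)[0]
    pos = 9  # past the protocol byte and the 8-byte props field

    def lp():
        nonlocal pos
        if pos >= len(body):
            raise ValueError("truncated stamp")
        n = body[pos]
        val = body[pos + 1:pos + 1 + n]
        if len(val) != n:
            raise ValueError("truncated LP field")
        pos += 1 + n
        return val

    def vlp():
        nonlocal pos
        items = []
        while True:
            if pos >= len(body):
                raise ValueError("truncated VLP field")
            more, n = body[pos] & 0x80, body[pos] & 0x7F
            val = body[pos + 1:pos + 1 + n]
            if len(val) != n:
                raise ValueError("truncated VLP item")
            pos += 1 + n
            if n:
                items.append(val)
            if not more:
                return items

    addr = lp().decode()
    hashes = [h.hex() for h in vlp()]
    hostname = lp().decode()
    path = lp().decode()
    bootstrap_ips = [ip.decode() for ip in vlp()] if pos < len(body) else []
    return {"props": props, "addr": addr, "hashes": hashes,
            "hostname": hostname, "path": path, "bootstrap_ips": bootstrap_ips}


def static_server_config(name, stamp):
    """Render the dnscrypt-proxy.toml fragment that selects a custom server by stamp."""
    return (f"server_names = ['{name}']\n\n[static]\n"
            f"  [static.'{name}']\n  stamp = '{stamp}'\n")


if __name__ == "__main__":
    fields = decode_doh_stamp(T53_STAMP)
    print(fields)
    print(static_server_config("t53", encode_doh_stamp(
        fields["hostname"], fields["path"], fields["hashes"], fields["props"])))
```

Decoding the stamp quoted above yields hostname `dns.t53.de`, path `/dns-query`, an empty address field (so the client has to resolve the host name itself before the first DoH query), props 0x05 (bits 0 and 2: DNSSEC and no filtering) and the single 32-byte hash jedisct1 lists. The generator at dnscrypt.info/stamps does the same encoding in the browser; the value of doing it locally is that you can inspect what a stamp you were handed actually pins before pasting it into the config.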

jedisct1 commented 4 years ago

There is an entry for your server in the Lists of public DNSCrypt and DoH servers already: https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md#t53

Feel free to submit a pull request to that repository in order to change the stamp, the description or if you implement other protocols.

paddg commented 4 years ago

Thanks a lot guys! It works now with the list on GitHub. But I had to re-install the dnscloak app in order to see my server on the list. It seems it doesn't update the list automatically. I already love the logging possibilities! server with the lowest initial latency: t53 (rtt: 21ms) :-D Very cool tool, thanks! Any plans for Android? I had to borrow an Apple device for this test :-)

jedisct1 commented 4 years ago

DNSCloak is an interface for dnscrypt-proxy. Since the configuration can be manually edited, it can be configured to do even more than what is accessible in the UI. See the documentation: https://github.com/DNSCrypt/dnscrypt-proxy

For Android, there are applications such as Invizible and a Magisk module.

I'm not very familiar with Android, but that thread may help.

paddg commented 4 years ago

Thanks!

pinheadmz commented 4 years ago

@jedisct1 Could you explain what the significance is of the hash

3e1a1a0f6c53f3e97a492d57084b5b9807059ee057ab1505876fd83fda3db838 ?

I have a DoH server running at easyhandshake.com and I got it to work with DNSCloak using this hash and the stamp computer. My SSL cert is signed by Let's Encrypt, but when I look at the certificate chain in Chrome I don't see this hash in any of the certs (DST Root > Let's Encrypt > easyhandshake.com)

If I didn't find this issue, or was using a different certificate authority, how would I learn which hash to use in the stamp computer?

jedisct1 commented 4 years ago

@pinheadmz

TLS certificates are tied to host names.

But domains expire, get reassigned and switch hands all the time. If a domain originally used for a DoH service gets a new, possibly malicious owner, clients still configured to use the service will blindly keep trusting it.

If an additional root CA is installed (either by endpoint security software, by the company, by malware, or by users because they are tricked into doing so), MITM will never be detected either.

Ensuring that a known certificate is present in the chain prevents all these issues.

Some arcane openssl commands can print the certificate hashes, but the easiest way is probably to run dnscrypt-proxy -show-certs.

The rust-doh documentation includes some information about this: https://github.com/jedisct1/rust-doh#dns-stamp-and-certificate-hashes

As well as some operational recommendations: https://github.com/jedisct1/rust-doh#operational-recommendations

That being said, unless you are a big ISP or a CDN, you should rather use DNSCrypt than DoH.
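
Why the fingerprints Chrome shows do not match: a DNS stamp pins the SHA-256 of the DER-encoded tbsCertificate (the certificate body, without the outer signatureAlgorithm and signature wrapper) of one certificate in the chain, usually the issuing intermediate, whereas browser certificate viewers display the SHA-256 of the whole certificate. The Python below is an added example, not code from dnscrypt-proxy or rust-doh: it extracts tbsCertificate from DER with the standard library only, computes both digests so the difference is visible, and performs the client-side check of whether a chain contains a pinned hash. The certificates it runs on are constructed stand-ins built by `synthetic_certificate` (unsigned, not valid X.509, chosen so that the long-form DER lengths of real certificates are exercised); `pem_chain_to_der` also accepts a real PEM bundle, such as one saved from `openssl s_client -showcerts`.

```python
import base64
import hashlib
import re

_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_chain_to_der(pem_text):
    """Split a PEM bundle (leaf first, then intermediates, as a DoH server sends
    them) into DER-encoded certificates."""
    return [base64.b64decode("".join(m.split())) for m in _PEM_CERT.findall(pem_text)]


def der_header(buf, pos):
    """Read the tag and length of the DER TLV at pos; returns (tag, header_len, content_len).
    DER only allows definite lengths, so the indefinite form 0x80 is rejected."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized DER length")
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def tbs_certificate(cert_der):
    """Return the DER bytes of tbsCertificate: the first SEQUENCE inside the outer
    Certificate SEQUENCE, including its own tag and length bytes."""
    tag, hdr, length = der_header(cert_der, 0)
    if tag != 0x30 or hdr + length != len(cert_der):
        raise ValueError("not a DER Certificate")
    tag, hdr2, length2 = der_header(cert_der, hdr)
    if tag != 0x30 or hdr + hdr2 + length2 > len(cert_der):
        raise ValueError("malformed tbsCertificate")
    return cert_der[hdr:hdr + hdr2 + length2]


def stamp_hash(cert_der):
    """The value a DNS stamp pins: SHA-256 over the tbsCertificate DER."""
    return hashlib.sha256(tbs_certificate(cert_der)).hexdigest()


def browser_fingerprint(data):
    """What certificate viewers label 'SHA-256 fingerprint': a hash over the whole certificate."""
    return hashlib.sha256(data).hexdigest()


def chain_contains_pinned(chain_der, pinned_hex):
    """Client-side check: does any certificate in the chain carry the pinned tbsCertificate hash?"""
    return any(stamp_hash(c) == pinned_hex.lower() for c in chain_der)


# --- constructed test input (stand-ins, not real certificates) ---------------

def der_tlv(tag, content):
    """Minimal DER TLV encoder with short and long definite lengths."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def synthetic_certificate(serial, common_name):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature } layout
    with long-form lengths; unsigned and not a valid X.509 certificate."""
    sha256_rsa = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, common_name))))
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))              # [0] version v3
                  + der_tlv(0x02, bytes([serial]))                   # serialNumber
                  + sha256_rsa + name                                # signature, issuer
                  + der_tlv(0x30, der_tlv(0x17, b"200101000000Z") + der_tlv(0x17, b"300101000000Z"))
                  + name                                             # subject
                  + der_tlv(0x30, sha256_rsa + der_tlv(0x03, b"\x00" + bytes(270))))  # SPKI filler
    return der_tlv(0x30, tbs + sha256_rsa + der_tlv(0x03, b"\x00" + bytes(256)))


def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    chain = pem_chain_to_der(to_pem(synthetic_certificate(1, b"doh.example"))
                             + to_pem(synthetic_certificate(2, b"Example Issuing CA")))
    for c in chain:
        print("stamp hash  ", stamp_hash(c))
        print("browser hash", browser_fingerprint(c))
```

In practice the quickest route is the one jedisct1 gives, `dnscrypt-proxy -show-certs`; the functions above are useful when you already have a stamp and a chain on disk and want to confirm which certificate it pins, and they make clear why a root-CA or intermediate rotation (Let's Encrypt has changed intermediates more than once) silently invalidates an old stamp until the pinned hash is updated.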

pinheadmz commented 4 years ago

@jedisct1 Thanks for the answer! I am running my own DoH server (easyhandshake.com) to resolve names on the Handshake blockchain (handshake.org). We're on freenode at #handshake if you want to chat. DNSCloak is perfect for integrating iPhones to our extended root zone.

I understand how the cert authority works, I was just wondering how to find the hashes like in your example... Like I said, Chrome reports different hashes when I inspect the security on my domain. But the hash you have above works on my stamp and on my phone...