Running a DoH server on a local network
vukitoso opened this issue · comments
Hello.
Is it possible to run a DoH server on a local network?
I generated a self-signed certificate:
```
openssl req -x509 -newkey rsa:2048 -keyout example.key -out example.crt -days 365 -nodes -subj "/CN=dnsproxy.local" -addext "subjectAltName=DNS:dnsproxy.local,IP:192.168.1.5"
```
Run:
```
./dnsproxy -l 192.168.1.5 --https-port=443 --tls-crt=key2/example.crt --tls-key=key2/example.key --insecure -u 1.1.1.1:53 -p 0
```
But the DNS client says "certificate signed by unknown authority":
```
# q -v google.com @https://192.168.1.5
DEBU[0000] Name: google.com
DEBU[0000] RR types: [A AAAA NS MX TXT CNAME]
DEBU[0000] Server(s): [https://192.168.1.5]
WARN[0000] TLS secret logging enabled
DEBU[0000] Using server https://192.168.1.5:443/dns-query with transport http
DEBU[0000] Using HTTP(s) transport: https://192.168.1.5:443/dns-query
DEBU[0000] [http] sending GET request to https://192.168.1.5:443/dns-query?dns=OVMBAAABAAAAAAAABmdvb2dsZQNjb20AABAAAQ
FATA[0000] requesting https://192.168.1.5:443/dns-query?dns=OVMBAAABAAAAAAAABmdvb2dsZQNjb20AABAAAQ: Get "https://192.168.1.5:443/dns-query?dns=OVMBAAABAAAAAAAABmdvb2dsZQNjb20AABAAAQ": tls: failed to verify certificate: x509: certificate signed by unknown authority
```
I understand that it’s just not possible to launch a local DNS DoH server without:
- creating your own local certification authority,
- issuing a certificate from it,
- and adding this certificate authority to the system or browser where you plan to use the DNS client.
Did I understand correctly, or are there other solutions?
Hi!
You just need to install the certificate that you generated into your client computer's list of trusted certificate authorities.
Running dnsproxy with --insecure is not necessary.