What are the general disadvantages of having your own ‘DoH’/’DoT’ server?


One of DoH’s “problems” is that, if browsers activate it by default, large companies, such as Google or Cloudflare, would resolve the DNS requests of millions of clients.

Well, in view of this fact, one solution is to have your own DNS server compatible with ‘DoH’. But what would be the drawbacks? I mean, is it relatively easy to hack, for example?

On the other hand, if I’m not wrong (if I’m wrong, please correct me), the massive activation of ‘DoT’ should be driven by operating systems, and not by browsers, unlike DoH. In this case, DNS requests would be resolved as has traditionally been the case (by default, through ISP’s DNS servers), but the connection between the client and the recursive server would be encrypted thanks to TLS.

In view of this fact, I have a second question: Would it also be possible to create your own ‘DoT’ server? Could it be hacked easily? In general, what would be the disadvantages?

Answer

Building a DoH proxy server is pretty easy (https://www.hardill.me.uk/wordpress/2018/04/14/dns-over-https/ and https://github.com/hardillb/dns-over-https).

The problem with running one yourself is that for a normal home user it doesn’t get you anything (assuming you host it at home, say on a Raspberry Pi). This is because the traffic would only be encrypted between your browser and the Pi. The outbound traffic would then flow out over your network connection to whatever upstream DNS server you have configured it to use. This would be unencrypted and still open to tracking by your ISP.

You could work round this by configuring the DoH proxy to talk DoT to a known good DNS (not hosted by your ISP).

The other option (also implemented in the git repo I pointed to) is to proxy the other way, to have a normal “DNS server” running on your network that then proxies to DoH. This means that nothing on your network needs changing, it just points to the proxy which then forwards the request securely to a DoH server out on the internet. This means that your ISP can’t snoop on you, but the DoH server could.

Setting up a DoT server is also reasonably simple, just use something like stunnel to proxy for a DNS server that supports TCP as well as UDP. The harder part is getting a TLS cert with a SAN entry for the IP address (Let’s Encrypt won’t issue one iirc).

There was a really good site with more details that I can’t find just now (I’ll edit the post when I find it again).

As with everything, it really depends on what threat you are looking to mitigate.
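The second option above (a plain DNS listener on the LAN that forwards each query to a DoH resolver) as an added illustration, not code from the answer or from the linked dns-over-https repository; the upstream URL is a placeholder, and a `send` callable is injected so the forwarding logic can be exercised without network access. The ISP only sees HTTPS to the upstream, but, as the answer notes, the DoH operator still sees every query.

```python
import socket
import urllib.request

# Placeholder upstream (assumption, not from the answer): any RFC 8484 resolver
# that accepts POST with application/dns-message works here.
UPSTREAM_DOH_URL = "https://doh.example.invalid/dns-query"
DNS_MESSAGE = "application/dns-message"


def build_doh_request(wire_query: bytes) -> urllib.request.Request:
    """Wrap one wire-format DNS query in an RFC 8484 POST request."""
    return urllib.request.Request(
        UPSTREAM_DOH_URL, data=wire_query, method="POST",
        headers={"Content-Type": DNS_MESSAGE, "Accept": DNS_MESSAGE},
    )


def https_send(req: urllib.request.Request) -> bytes:
    """Do the HTTPS exchange; the upstream's certificate is validated by urllib's default opener."""
    with urllib.request.urlopen(req, timeout=5) as resp:
        if resp.headers.get("Content-Type", "").split(";")[0] != DNS_MESSAGE:
            raise ValueError("upstream did not return a DNS message")
        return resp.read()


def forward(query: bytes, send=https_send) -> bytes:
    """Forward a client's UDP query over DoH and return a reply the client can match."""
    if len(query) < 12:
        raise ValueError("truncated DNS header")
    client_id = query[:2]
    # RFC 8484 section 4.1: the DNS ID SHOULD be 0 in the DoH message, so it is
    # zeroed on the way out and the client's own ID is restored on the way back.
    answer = send(build_doh_request(b"\x00\x00" + query[2:]))
    if len(answer) < 12 or not answer[2] & 0x80:  # QR bit must be set on a reply
        raise ValueError("upstream response is not a DNS reply")
    return client_id + answer[2:]


def serve(bind=("0.0.0.0", 53), send=https_send) -> None:
    """Plain UDP/53 listener for the LAN; every query leaves the network as DoH."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind)
        while True:
            query, client = sock.recvfrom(4096)
            try:
                sock.sendto(forward(query, send), client)
            except (ValueError, OSError) as exc:
                print(f"dropping query from {client}: {exc}")


if __name__ == "__main__":
    serve()
```

Binding UDP/53 needs root or a capability on most systems; the loop is single-threaded, so one slow upstream request stalls the others.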

Attribution
Source: Link, Question Author: john smith, Answer Author: hardillb
