| blob | 2ac1630aa29dbc257271515169a446b3686863c6 |
1 # DNS-over-HTTPS Server {#module-service-doh-server}
3 [DNS-over-HTTPS](https://github.com/m13253/dns-over-https) is a high performance DNS over HTTPS client & server. This module enables its server part (`doh-server`).
5 ## Quick Start {#module-service-doh-server-quick-start}
7 Setup with Nginx + ACME (recommended):
9 ```nix
10 {
11 services.doh-server = {
12 enable = true;
13 settings = {
14 upstream = [ "udp:1.1.1.1:53" ];
15 };
16 };
18 services.nginx = {
19 enable = true;
20 virtualHosts."doh.example.com" = {
21 enableACME = true;
22 forceSSL = true;
23 http2 = true;
24 locations."/".return = 404;
25 locations."/dns-query" = {
26 proxyPass = "http://127.0.0.1:8053/dns-query";
27 recommendedProxySettings = true;
28 };
29 };
30 # and other virtual hosts ...
31 };
33 security.acme = {
34 acceptTerms = true;
35 defaults.email = "you@example.com";
36 };
38 networking.firewall.allowedTCPPorts = [ 80 443 ];
39 }
40 ```
42 `doh-server` can also work as a standalone HTTPS web server (with SSL cert and key specified), but this is not recommended as `doh-server` does not do OCSP Stabbing.
44 Setup a standalone instance with ACME:
46 ```nix
47 let
48 domain = "doh.example.com";
49 in
50 {
51 security.acme.certs.${domain} = {
52 dnsProvider = "cloudflare";
53 credentialFiles."CF_DNS_API_TOKEN_FILE" = "/run/secrets/cf-api-token";
54 };
56 services.doh-server = {
57 enable = true;
58 settings = {
59 listen = [ ":443" ];
60 upstream = [ "udp:1.1.1.1:53" ];
61 };
62 useACMEHost = domain;
63 };
65 networking.firewall.allowedTCPPorts = [ 443 ];
66 }
67 ```
69 See a full configuration in https://github.com/m13253/dns-over-https/blob/master/doh-server/doh-server.conf.