Home Explore Blog Models CI



nixpkgs
nixos/modules/services/networking/doh-server.md
0d882b058ce2d257953e2698c6adb1643cd7f68711463b9b00000003000006a5
# DNS-over-HTTPS Server {#module-service-doh-server}

[DNS-over-HTTPS](https://github.com/m13253/dns-over-https) is a high performance DNS over HTTPS client & server. This module enables its server part (`doh-server`).

## Quick Start {#module-service-doh-server-quick-start}

Setup with Nginx + ACME (recommended):

```nix
{
  services.doh-server = {
    enable = true;
    settings = {
      upstream = [ "udp:1.1.1.1:53" ];
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."doh.example.com" = {
      enableACME = true;
      forceSSL = true;
      http2 = true;
      locations."/".return = 404;
      locations."/dns-query" = {
        proxyPass = "http://127.0.0.1:8053/dns-query";
        recommendedProxySettings = true;
      };
    };
    # and other virtual hosts ...
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "you@example.com";
  };

  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
}
```

`doh-server` can also work as a standalone HTTPS web server (with SSL cert and key specified), but this is not recommended as `doh-server` does not do OCSP Stabbing.

Setup a standalone instance with ACME:

```nix
let
  domain = "doh.example.com";
in
{
  security.acme.certs.${domain} = {
    dnsProvider = "cloudflare";
    credentialFiles."CF_DNS_API_TOKEN_FILE" = "/run/secrets/cf-api-token";
  };

  services.doh-server = {
    enable = true;
    settings = {
      listen = [ ":443" ];
      upstream = [ "udp:1.1.1.1:53" ];
    };
    useACMEHost = domain;
  };

  networking.firewall.allowedTCPPorts = [ 443 ];
}
```

See a full configuration in <https://github.com/m13253/dns-over-https/blob/master/doh-server/doh-server.conf>.
Chunks
766beb48 (1st chunk of `nixos/modules/services/networking/doh-server.md`)
Title: DNS-over-HTTPS Server Module Configuration
Summary
This document describes the `doh-server` module, which enables the server part of a high-performance DNS-over-HTTPS client and server. It provides quick start guides for setting up the `doh-server`. The recommended setup involves using Nginx with ACME for SSL certificate management, with configuration examples detailing how to integrate `doh-server` with Nginx, ACME, and firewall rules. An alternative standalone setup with ACME is also presented, though running `doh-server` as a standalone HTTPS server is not recommended due to its lack of OCSP Stabbing. A link to the full configuration file on GitHub is also provided.