Comment by deknos
1 day ago
is it possible to route DoH over generic HTTPS service when i only inspect a certain route? so i could have a generic https-server, where at some route, DNS requests are answered, other stuff just gives me a normal website?
because then we could use DoH for hiding our DNS requests..
This is how it works already, the DoH endpoint is "/dns-query", both CloudFlare and Google route this endpoint to their resolver services, while the rest of the site (one.one.one.one or dns.google) is just a website.
Yes.
DoH requests go to /dns-query so you only need that path to proxy onto your DoH handler.
Some DoH clients will also allow you to specify a custom path, so you can also obfuscate the path by configuring client and server to use /foobar instead.
But, re-using an existing site does come at the cost of generating a bunch of extra log noise (fine if it's just you, not so fine if it isn't). If you don't have some kind of auth in place, you might also find that you suddenly come under a lot of load (when I ran a public DoH service, I eventually started getting a lot of traffic from users in an authoritarian country)