@Shamar oops, that Unbound version is a minimum. I lost the + in a typo correction.
That's what I understood by reading the doc.
#PowerDNS's #DNSDist seems a superb project, just maybe a bit overwhelming for what it should do in this specific case. Yet it seems likely the only option, actually.
It's a bit of a shame no other #DoH #CGIs have been written in compiled languages so far... which is likely why few resolvers support such forwarding.
When I first read about DNS-over-HTTP, I saw it as a further centralization attempt by #Google & friends (which sadly includes @mozilla these days), since to get a working DoH service you need good sysadmin skills and a stable public IP: not something a kid with a cheap shared hosting can set up.
And a PHP implementation would be too slow.
#FossilSCM made me realize that a simple CGI in C could have good performance and be widely distributed, so I wrote one (still early alpha).
Now I can use it in most (non enterprise managed¹) browsers, but I'd like to try it system wide.
Anyway... thanks for your help guys!
@bortzmeyer @draeath @Shamar it depends. No stable #bind9 release can forward over DoT (yet). None of them can forward over #DoH even on the latest commit afaik.
@Shamar try playing with dnsdist. You would need to handle /etc/resolv.conf manually. Why not just DoT?
Because I wrote a fast, easy-to-deploy cgi-bin in C to do DoH, and saw that it is an incredibly good way to circumvent surveillance (that mainstream DoH providers feed) and censorship (that these days runs rampant in Italy, thanks to the #PiracyShield).
With a single binary that can be hosted practically anywhere, you can merge your DNS traffic with that of the hosting provider and have professional security around the service.
And being a small binary, it's very fast.
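A sketch of the request handling such a DoH CGI has to do, as an added Python example (not Shamar's C code and not from any project named in the thread): it accepts RFC 8484 GET and POST requests, validates the DNS message before relaying it over UDP to a local resolver, and only returns an answer whose ID matches the relayed query. The upstream address, the /dns-query path and the size cap are assumptions.

```python
import base64, socket, struct

UPSTREAM = ("127.0.0.1", 53)   # assumption: the local resolver the CGI relays to
MAX_MSG = 4096                 # largest DNS message accepted from an HTTP client
def build_query(name, qtype=1, qid=0):
    """Wire-format DNS query (QTYPE 1 = A); RFC 8484 clients use ID 0 so HTTP caches see identical URLs."""
    labels = b"".join(struct.pack("B", len(l)) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(msg, path="/dns-query"):
    """Client side of an RFC 8484 GET: base64url with the padding stripped."""
    return path + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()

def extract_query(method, query_string, content_type, body):
    """Pull the DNS message out of a DoH request (GET or POST); None if it is not valid DoH."""
    if method == "GET":
        params = dict(p.split("=", 1) for p in query_string.split("&") if "=" in p)
        try:  # 'dns' parameter is base64url without padding; decode strictly
            b64 = params["dns"].replace("-", "+").replace("_", "/")
            msg = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
        except (KeyError, ValueError):
            return None
    elif method == "POST" and content_type == "application/dns-message":
        msg = body
    else:
        return None
    # Reject anything shorter than a DNS header, oversized, or with the QR bit set (a response, not a query)
    if not 12 <= len(msg) <= MAX_MSG or msg[2] & 0x80:
        return None
    return msg

def forward_udp(msg, upstream=UPSTREAM, timeout=3.0):
    """Relay the message to the upstream resolver over UDP and return its answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, upstream)
        return s.recvfrom(65535)[0]

def handle(method, query_string, content_type, body, send=forward_udp):
    """CGI entry point: returns (HTTP status, Content-Type, body) for the web server to emit."""
    msg = extract_query(method, query_string, content_type, body)
    if msg is None:
        return 400, "text/plain", b"bad DoH request"
    try:
        answer = send(msg)
    except OSError:
        return 502, "text/plain", b"upstream resolver unreachable"
    # Accept only a response whose ID matches the query we relayed and whose QR bit is set
    if len(answer) < 12 or answer[:2] != msg[:2] or not answer[2] & 0x80:
        return 502, "text/plain", b"malformed upstream answer"
    return 200, "application/dns-message", answer
```

The `send` parameter lets the relay be exercised against a stand-in resolver without a network; in a real CGI the web server supplies the method, query string, Content-Type and body from its environment and stdin.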
@Shamar I'm used to #dnsmasq, but there are probably others. I use it to serve my local network's #DHCP+#DNS coordinated services, meaning if a new client tells the DHCP server its hostname, DNS will abide by it and the rest of the machines will be able to reach it by name.
As for the system wide config, it depends a lot on which tool you're using to configure your network interfaces. It's most probably #NetworkManager, so check its docs about setting a fixed DNS server.
@Shamar I set up an Unbound resolver forwarding to a public resolver. Example:
forward-zone:
    name: "."
    # FDN
    # forward-addr: 2001:910:800::12@853#ns0.fdn.fr
    # My resolver
    # forward-addr: 2001:41d0:302:2200::180@853#dot.bortzmeyer.fr
    # DNS.sb
    forward-addr: 2a11::@853#dot.sb
    forward-tls-upstream: yes
@Shamar run a local resolver, and have it do the DoH. Bind (9.17+), Knot (4.0+), and Unbound (11.12) all apparently support it. Configure this resolver via /etc/resolv.conf, NetworkManager, etc.
Unbound is pretty lightweight, I would look into that first.
If the Debian packages are too old, look at running it in a podman (or docker) container.