I’ve decided to give some information about the DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) services I’m running that are publicly available on the dnscrypt provider list. (aaflalo-me; aaflalo-me-gcp; aaflalo-me-nyc).

All the servers support only TLS 1.2 and TLS 1.3.

aaflalo-me

Url for DoH requests:

https://dns.aaflalo.me/dns-query

For DNS-over-TLS (DoT):

 dns.aaflalo.me:853

This is the main server. I built it following my own guide on how to set up Pi-hole and DoH. It runs a customized version of dnsmasq (named FTL) that is provided by the Pi-hole installer. It currently has more than 500 000 blacklisted domains.

To provide the DoH part of the service, I'm using NGINX, Let's Encrypt and doh-server, as explained in my tutorial on how to set up a DoH server.

For the DoT part, I'm also using NGINX in front of a simple DNS server, in this case Pi-hole. You can find how to configure it in my DoT tutorial.

The server doesn't log anything: I have no idea who you are or what requests you make on it.

It’s a VPS server hosted at RamNode in their Netherlands datacenter.

aaflalo-me-nyc

Url for DoH requests:

https://dns-nyc.aaflalo.me/dns-query

For DNS-over-TLS (DoT):

 dns-nyc.aaflalo.me:853

A brand-new server hosted on RamNode. I'm using their new cloud offering to host the instance in New York, USA, with a static IP.

It runs its own Pi-hole backed by an Unbound server to process the DNS requests. Unbound does the heavy lifting of validating DNSSEC and querying each DNS server in the resolution chain.

For DNS-over-TLS, I'm using NGINX in stream mode to terminate TLS and forward the traffic directly to the Unbound server. This is useful if you're on Android 9 (Pie): you don't need to install another app to secure your DNS requests, and you still benefit from the ad-blocking feature.

Same configuration as aaflalo-me for the DoH part, with NGINX, Let's Encrypt and doh-server.

This server also uses doh-proxy for most of the DoH traffic instead of doh-server. The split is 80% to doh-proxy and 20% to doh-server, because I wanted to see how performant Rust (the language doh-proxy is written in) is.
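To make the DoT and DoH plumbing above concrete, here is an NGINX configuration of the shape described in the post. This is an added example, not the author's actual configuration: the hostname, certificate paths and the backend ports (Unbound on loopback port 53, doh-server on 8053, doh-proxy on 3000) are assumptions, and the `weight=` values reproduce the 80/20 split the post mentions.

```nginx
# Added example (not the author's own config). Hostnames, certificate paths
# and backend ports are assumptions; adjust them to your own deployment.

# --- DNS-over-TLS: TLS is terminated here, plain DNS-over-TCP goes to Unbound ---
# The stream{} block must sit at the top level of nginx.conf, not inside http{}.
stream {
    server {
        listen 853 ssl;
        listen [::]:853 ssl;

        # Let's Encrypt paths (assumed); the live/ directory is named after the hostname.
        ssl_certificate     /etc/letsencrypt/live/dns.example.invalid/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/dns.example.invalid/privkey.pem;

        # Only TLS 1.2 and 1.3 are accepted, as the post states for all servers.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        # Unbound listens on the loopback interface only; it never sees TLS.
        proxy_pass    127.0.0.1:53;
        proxy_timeout 20s;
    }
}

# --- DNS-over-HTTPS: /dns-query is proxied to the two local DoH daemons ---
http {
    # 80% of requests go to doh-proxy (assumed default listen 127.0.0.1:3000),
    # 20% to doh-server (assumed default listen 127.0.0.1:8053).
    upstream doh_backends {
        server 127.0.0.1:3000 weight=4;   # doh-proxy (Rust)
        server 127.0.0.1:8053 weight=1;   # doh-server (Go)
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name dns.example.invalid;   # placeholder for the real hostname

        ssl_certificate     /etc/letsencrypt/live/dns.example.invalid/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/dns.example.invalid/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        location /dns-query {
            # The request URI is passed through unchanged; both daemons serve /dns-query.
            proxy_pass         http://doh_backends;
            proxy_http_version 1.1;
            proxy_set_header   Host $http_host;

            # No per-query logging, matching the "doesn't log anything" policy.
            access_log off;
        }

        # Nothing else is served on this host.
        location / { return 404; }
    }
}
```

The `access_log off;` on the DoH location is what keeps the resolver's promise of not logging queries: with the default access log enabled, every `?dns=` query string or POST would otherwise be written to disk with the client address. Note also that the stream server hands Unbound plain DNS over TCP, so Unbound must be configured to listen on 127.0.0.1 port 53 with TCP enabled.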

Also, it doesn’t log anything.

[DEPRECATED] aaflalo-me-gcp

Currently, a redirection to aaflalo-me-nyc.

Url for DoH requests:

https://dns-gcp.aaflalo.me/dns-query

For DNS-over-TLS (DoT):

 dns-gcp.aaflalo.me:853

This server is a proxy for aaflalo-me; it runs Unbound, which keeps a local cache of at least 600 seconds for each response. It's connected directly to the aaflalo-me server over a WireGuard tunnel, where all traffic is encrypted with minimal overhead. (It's a great protocol for VPNs; I'll write an article about it.)

For DNS-over-TLS, I'm using NGINX in stream mode to terminate TLS and forward the traffic directly to the Unbound server. This is useful if you're on Android 9 (Pie): you don't need to install another app to secure your DNS requests, and you still benefit from the ad-blocking feature.

This server doesn't do any ad blocking itself; it only forwards the query to the main server and saves the result in its cache.

Same configuration as aaflalo-me for the DoH part, with NGINX, Let's Encrypt and doh-server.

Also, it doesn’t log anything.

The server is hosted on Google Cloud Platform on a free-tier VM with a static IP in a US zone.

Whitelisting

If you have issues with a website, I don't mind adding new domains to the whitelist. Just contact me through the contact form and choose DNS as the reason. I usually respond quite quickly.