initial

doh_hottis_de_https.mobileconfig

@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+        <key>PayloadDisplayName</key>
+        <string>Hottis DNS-over-HTTPS</string>
+        <key>PayloadIdentifier</key>
+        <string>de.hottis.doh.https</string>
+        <key>PayloadUUID</key>
+        <string>34c7d729-3aee-459e-9563-dd4e5769c269</string>
+        <key>PayloadDescription</key>
+        <string>Hottis DNS-over-HTTPS</string>
+        <key>PayloadRemovalDisallowed</key>
+        <false/>
+        <key>PayloadVersion</key>
+        <integer>1</integer>
+        <key>PayloadType</key>
+        <string>Configuration</string>
+        <key>PayloadContent</key>
+        <array>
+            <dict>
+                <key>PayloadDisplayName</key>
+		        <string>Hottis DNS-over-HTTPS</string>
+                <key>PayloadType</key>
+                <string>com.apple.dnsSettings.managed</string>
+                <key>PayloadIdentifier</key>
+		        <string>com.apple.dnsSettings.managed.3dd84456-72bc-42a3-b9c3-64f8738b8a16</string>
+                <key>PayloadUUID</key>
+                <string>cda373f6-10f7-4344-8821-88add5d21907</string>
+                <key>PayloadVersion</key>
+                <integer>1</integer>
+                <key>ProhibitDisablement</key>
+                <false/>
+                <key>DNSSettings</key>
+                <dict>
+                    <key>DNSProtocol</key>
+                    <string>HTTPS</string>
+                    <key>ServerAddresses</key>
+                    <array>
+                    <string>130.162.53.245</string>
+                    </array>
+                    <key>ServerURL</key>
+		            <string>https://doh.hottis.de/dns-query</string>
+                </dict>
+                <key>OnDemandEnabled</key>
+                <integer>1</integer>
+                <key>OnDemandRules</key>
+                <array>
+                    <dict>
+                        <key>Action</key>
+                        <string>Disconnect</string>
+                        <key>InterfaceTypeMatch</key>
+                        <string>WiFi</string>
+                        <key>SSIDMatch</key>
+                        <array>
+                        <string>test</string>
+                        </array>
+                    </dict>
+                    <dict>
+                        <key>Action</key>
+                        <string>Connect</string>
+                        <key>InterfaceTypeMatch</key>
+                        <string>WiFi</string>
+                    </dict>
+                    <dict>
+                        <key>Action</key>
+                        <string>Connect</string>
+                        <key>InterfaceTypeMatch</key>
+                        <string>Cellular</string>
+                    </dict>
+                </array>
+            </dict>
+        </array>
+    </dict>
+</plist>
+

doh_hottis_de_tls.mobileconfig

@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+        <key>PayloadDisplayName</key>
+        <string>Hottis DNS-over-TLS</string>
+        <key>PayloadIdentifier</key>
+        <string>de.hottis.doh.tls</string>
+        <key>PayloadUUID</key>
+        <string>86665a45-0dbd-48e3-b0fa-3e703a42a758</string>
+        <key>PayloadDescription</key>
+        <string>Hottis DNS-over-TLS</string>
+        <key>PayloadRemovalDisallowed</key>
+        <false/>
+        <key>PayloadVersion</key>
+        <integer>1</integer>
+        <key>PayloadType</key>
+        <string>Configuration</string>
+        <key>PayloadContent</key>
+        <array>
+            <dict>
+                <key>PayloadDisplayName</key>
+                <string>Hottis DNS-over-TLS</string>
+                <key>PayloadType</key>
+                <string>com.apple.dnsSettings.managed</string>
+                <key>PayloadIdentifier</key>
+		        <string>com.apple.dnsSettings.managed.e1a386eb-0562-4b5b-8a4f-7989743c4cd8</string>
+                <key>PayloadUUID</key>
+                <string>800dfe36-754a-4803-8fe4-36d82f67bdb3</string>
+                <key>PayloadVersion</key>
+                <integer>1</integer>
+                <key>ProhibitDisablement</key>
+                <false/>
+                <key>DNSSettings</key>
+                <dict>
+                    <key>DNSProtocol</key>
+                    <string>TLS</string>
+                    <key>ServerAddresses</key>
+                    <array>
+                        <string>130.162.53.245</string>
+                    </array>
+                    <key>ServerName</key>
+                    <string>doh.hottis.de</string>
+                </dict>
+                <key>OnDemandEnabled</key>
+                <integer>1</integer>
+                <key>OnDemandRules</key>
+                <array>
+                    <dict>
+                        <key>Action</key>
+                        <string>Disconnect</string>
+                        <key>InterfaceTypeMatch</key>
+                        <string>WiFi</string>
+                        <key>SSIDMatch</key>
+                        <array>
+                        <string>test</string>
+                        </array>
+                    </dict>
+                    <dict>
+                        <key>Action</key>
+                        <string>Connect</string>
+                        <key>InterfaceTypeMatch</key>
+                        <string>WiFi</string>
+                    </dict>
+                    <dict>
+                        <key>Action</key>
+                        <string>Connect</string>
+                        <key>InterfaceTypeMatch</key>
+                        <string>Cellular</string>
+                    </dict>
+                </array>
+            </dict>
+        </array>
+    </dict>
+</plist>

readme.md

@@ -0,0 +1,13 @@
+* for Ubuntu (since Debian is not available in Oracle-Cloud):
+  * install libnghttp2-dev to build, libnghttp2-14 to run
+  * install libssl-dev to build, libssl1.1 to run
+  * install libevent-dev to build, libevent-2.1-7 to run
+  * install libexpat1-dev to build, libexpat1 to run
+* clone unbound or download and unpack the tarball
+* ``./configure --with-libnghttp2 --with-libevent --prefix /opt/unbound --sysconfdir /etc/unbound``
+* ``make && make install``
+* download the root.hints file with ``curl https://www.internic.net/domain/named.root > /etc/unbound/root.hints``
+* create the initial trust key: ``unbound-anchor -a /etc/unbound/root.key``
+* create the initial Let's Encrypt certificate using ``certbot certonly --standalone --preferred-challenges http -d <yourdomain>``, put key and certificate into ``/etc/unbound``
+* run the script ``renewcerts.sh`` once a month (e.g. from cron)
+

renewcerts.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+echo "Running certbot"
+/usr/bin/certbot renew --standalone
+
+echo "Copying cert and key to unbound"
+cp /etc/letsencrypt/live/doh.hottis.de/privkey.pem /etc/unbound/privkey.pem
+chown unbound:unbound /etc/unbound/privkey.pem
+cp /etc/letsencrypt/live/doh.hottis.de/fullchain.pem /etc/unbound/pubcert.pem
+chown unbound:unbound /etc/unbound/pubcert.pem
+
+echo "Restarting unbound"
+systemctl restart unbound
+
+

unbound.conf

@@ -0,0 +1,38 @@
+server:
+    chroot: /etc/unbound
+
+    do-ip4: yes
+    do-ip6: no
+
+    interface: 0.0.0.0@53
+    port: 53
+
+    # tls-upstream: yes
+    # tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+
+    # initially create using unbound-anchor -a /etc/unbound/root.key
+    auto-trust-anchor-file: /etc/unbound/root.key
+
+    # can be created using letsencrypt means, e.g. by a companion Apache httpd with mod_md or using certbot
+    tls-service-key: /etc/unbound/privkey.pem
+    tls-service-pem: /etc/unbound/pubcert.pem
+    interface: 0.0.0.0@853
+    tls-port: 853
+    interface: 0.0.0.0@443
+    https-port: 443
+
+    num-threads: 2
+
+    # curl https://www.internic.net/domain/named.root > /etc/unbound/root.hints
+    root-hints: /etc/unbound/root.hints
+
+    do-daemonize: no
+
+    verbosity: 1
+    logfile: "/etc/unbound/unbound.log"
+    log-time-ascii: yes
+    log-queries: yes
+    log-replies: yes
+
+    access-control: 0.0.0.0/0 allow
+

unbound.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=unbound
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+GuessMainPID=yes
+ExecStart=/opt/unbound/sbin/unbound
+ExecStop=kill -SIGINT $mainpid
+Restart=on-failure
+WorkingDirectory=/etc/unbound
+
+[Install]
+Alias=unbound
+WantedBy=multi-user.target
+