I’ve decided to give some information about the DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) services I’m running that are publicly listed on the dnscrypt provider list (aaflalo-me, aaflalo-me-gcp and aaflalo-me-nyc).

All the servers accept only TLS 1.2 and TLS 1.3; older protocol versions are refused.

As of June 2023, I no longer have the time to support those servers. Both of them are now offline. Please use NextDNS instead.

aaflalo-me-nyc [OFFLINE]

Url for DoH requests:

https://dns-nyc.aaflalo.me/dns-query

For DNS-over-TLS (DoT):

 dns-nyc.aaflalo.me:853

A brand-new server hosted at RamNode. I’m using their new cloud offering to host the instance in New York, USA, with a static IP.

It runs my own ad-blocking system built from scripts from the PiHole project, some Lua scripting and PowerDNS Recursor. It was receiving too many requests per day to keep using PiHole (dnsmasq) as the DNS server, so I had to re-engineer the stack.

For DNS-over-TLS, I’m using nginx in stream mode to terminate TLS and pass the traffic directly to the PowerDNS Recursor. This is useful if you’re using Android 9 (Pie), whose Private DNS setting speaks DoT natively: you don’t need to install another app to secure your DNS requests and benefit from the ad-blocking feature.

To provide the DoH part of the service, I’m using NGINX, Let’s Encrypt and doh-server, as explained in my tutorial on how to set up a DoH server.

For the DoT part, I’m also using NGINX in front of a plain DNS server, in this case PowerDNS Recursor. You can find how to configure it in my DoT tutorial.
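As an added example (not the author’s actual configuration, which lives in the linked tutorials), here is how the two pieces described above fit together in a single nginx.conf: the stream block terminates TLS on port 853 and hands the raw DNS-over-TCP stream to the recursor, and the http block proxies /dns-query to doh-server. The same layout applies to the aaflalo-me-gcp server below, with Unbound in place of PowerDNS Recursor. The hostname is the page’s; the certificate paths follow Let’s Encrypt’s default layout; the listener addresses 127.0.0.1:53 (PowerDNS Recursor, TCP) and 127.0.0.1:8053 (doh-server’s default) are assumptions.

```nginx
# Added example: one nginx.conf serving both DoT (stream) and DoH (http).
# Assumptions: PowerDNS Recursor answers on 127.0.0.1:53 over TCP,
# doh-server listens on 127.0.0.1:8053, certificates come from Let's Encrypt.
# The stream module must be compiled in or loaded first, e.g.:
# load_module modules/ngx_stream_module.so;

events { }

# DNS-over-TLS: nginx only removes the TLS layer. The inner stream is plain
# DNS-over-TCP (2-byte length prefix + message), which the recursor already
# understands, so it is forwarded byte-for-byte.
stream {
    upstream recursor {
        server 127.0.0.1:53;            # must accept TCP, not only UDP
    }

    server {
        listen 853 ssl;
        listen [::]:853 ssl;

        ssl_certificate     /etc/letsencrypt/live/dns-nyc.aaflalo.me/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/dns-nyc.aaflalo.me/privkey.pem;

        # Only TLS 1.2 and 1.3; anything older is refused at the handshake.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:dot:1m;   # resumption helps phones that reconnect often
        ssl_handshake_timeout 10s;

        access_log off;                 # the page promises no logging
        proxy_pass recursor;
        proxy_timeout 60s;              # idle DoT connections are closed after this
    }
}

# DNS-over-HTTPS: nginx is the HTTPS front; doh-server turns the
# application/dns-message body (or the ?dns= GET parameter) into plain DNS.
http {
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name dns-nyc.aaflalo.me;

        ssl_certificate     /etc/letsencrypt/live/dns-nyc.aaflalo.me/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/dns-nyc.aaflalo.me/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        access_log off;

        location /dns-query {
            proxy_pass http://127.0.0.1:8053/dns-query;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
        }

        # Nothing else is a DoH endpoint; don't serve a default page.
        location / {
            return 404;
        }
    }
}
```

Two checks worth doing after a reload: `kdig @dns-nyc.aaflalo.me +tls +tls-hostname=dns-nyc.aaflalo.me example.com` exercises the stream block end to end, and `curl -sI -H 'accept: application/dns-message' 'https://dns-nyc.aaflalo.me/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE'` should return 200 with `content-type: application/dns-message`. Both listeners present the same certificate, so the Let’s Encrypt renewal hook must reload nginx for the DoT side as well, and the certificate name must match the hostname users type into Android’s Private DNS field, which validates it strictly.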

This server also uses doh-proxy for most of the DoH traffic instead of doh-server: the split is 80% doh-proxy and 20% doh-server, because I wanted to see how performant Rust (the language doh-proxy is written in) is.

Also, it doesn’t log anything.

aaflalo-me [OFFLINE]

For historical purposes I keep the description of this server here, but it’s not available anymore (20 June 2020).

Url for DoH requests:

https://dns.aaflalo.me/dns-query

For DNS-over-TLS (DoT):

 dns.aaflalo.me:853

This is the main server. I created it using my own guide on how to set up PiHole and DoH. It runs a customized version of dnsmasq (named FTL) that is provided by the PiHole installer, currently with more than 500 000 blacklisted domains.

To provide the DoH part of the service, I’m using NGINX, Let’s Encrypt and doh-server, as explained in my tutorial on how to set up a DoH server.

For the DoT part, I’m also using NGINX in front of a plain DNS server, in this case PiHole. You can find how to configure it in my DoT tutorial.

The server doesn’t log anything; I have no idea who you are or what requests you make on it.

It’s a VPS hosted at RamNode in their Netherlands datacenter.

aaflalo-me-gcp [DEPRECATED]

Currently a redirect to aaflalo-me-nyc.

Url for DoH requests:

https://dns-gcp.aaflalo.me/dns-query

For DNS-over-TLS (DoT):

 dns-gcp.aaflalo.me:853

This server is a proxy in front of aaflalo-me; it runs Unbound, which keeps a local cache in which every response is held for at least 600 seconds. It’s connected directly to the aaflalo-me server over a WireGuard tunnel, so all traffic between the two is encrypted with minimal overhead. (It’s a great protocol for VPNs; I’ll write an article about it.)

For DNS-over-TLS, I’m using nginx in stream mode to terminate TLS and pass the traffic directly to the Unbound server. This is useful if you’re using Android 9 (Pie), whose Private DNS setting speaks DoT natively: you don’t need to install another app to secure your DNS requests and benefit from the ad-blocking feature.

This server doesn’t do any ad blocking itself; it only forwards the query to the first server and saves the result in its cache.

Same configuration as aaflalo-me for the DoH part, with NGINX, Let’s Encrypt and doh-server.

Also, it doesn’t log anything.

The server is hosted on Google Cloud Platform on a free-tier VM with a static IP in a US zone.

Whitelisting

If you have issues with some website, I don’t mind adding a new domain to the whitelist. You just need to contact me using the contact form and choose DNS as the reason. I usually respond quite fast.