What's up guys, today I'm going to show you how to host your own encrypted recursive DNS server on a remote VPS. You could probably follow this guide to host one locally as well, which would actually be a little bit faster, especially once you've built up a cache of DNS records on your own server.

Now, the reason you would want to do this, without getting too verbose about how DNS works, is privacy. DNS queries contain the name of the site you visited and a timestamp of when you visited it. Historically all of this was sent in the clear, so anybody listening on the wire, like the alphabet boys, could see all that information too. These days the popular DNS servers run by Google, Cloudflare and others do support encrypted DNS over TLS or DNS over HTTPS, which is what we're going to set up as well. But since we're hosting our own DNS server, we can be absolutely 100% sure that the records of what sites we visit and when, which get cached on our DNS server, are not going to be sold to anybody who wants to buy them. So this is about as private as you can get in the DNS world, and like I said, if it's hosted locally it can end up being a whole lot faster.

One thing I do have to mention is that this setup does not yet support Encrypted Client Hello, but it should in the near future, because Encrypted Client Hello is going to be making its way into OpenSSL soonish. There's a pull request that has been open for it, and I guess this person here, sftcd, is going to be doing some refactoring and splitting the pull request into three different pull requests.
So maybe that's going to make it take a little bit longer, but it's going to be added in the near future, and that will then add Encrypted Client Hello support to hopefully most of the internet, or at least to most people who are running the latest version of OpenSSL, because I'm pretty sure this is the most popular SSL library on the internet. Now, if you're a more advanced user and you don't want to wait for this pull request to get merged into OpenSSL, you could probably get Encrypted Client Hello working if you configure whatever DNS software you're using to use the BoringSSL library instead, because as far as I know that's the most popular SSL library that currently supports Encrypted Client Hello, and as you can see it's maintained by the Chromium project. But like I said, I'm just going to wait for it to get merged into OpenSSL and start using Encrypted Client Hello from there.

So I'm going to be using a Vultr VPS. I also have an affiliate link in the description of this video and in the pinned comment that gives me some credits with Vultr if you sign up with it; I believe it gives you some credits as well. Vultr is actually a pretty good cloud provider. They have a lot of applications you can easily deploy, and I actually use them for my base.win WooCommerce store. They aren't so great for email though, because I guess a lot of people have used them for spam in the past, so getting them to open up the ports for email can be a little bit difficult. Personally I just run my email server on Linode. But thanks in advance to those of you who use that affiliate link.

So I'm just going to fast-forward through the boring stuff of setting up this Debian box, and I'll see you guys in a little bit.

OK, so now I have an updated Debian box with my new user, kenny.
I've generated SSH keys and locked SSH down to only allow login with those keys and only allow kenny to log in, or at least I've disabled root logins. I've also gone ahead and set up the reverse DNS in Vultr for my dns.base.win hostname, and I've done the forward DNS in Porkbun, which is what I'm currently using as my registrar for base.win since Google Domains is dead. And I've already generated a Let's Encrypt certificate; I had one from when I was testing, and I didn't see any reason to generate a new one, especially because with Let's Encrypt you're only able to generate, I think it's like 12 or so, certificates for the same domain within a certain period of time. So I think it's really just best practice to back up those certificates for a domain if you're testing, and then deploy the same certificates to your actual production server.

So anyway, let's go ahead and get started with the rest of the setup, and I'll make this a little bit bigger so that you guys can see. BIND 9 is what I'm going to be using for my DNS software. There are a number of free and open source DNS servers out there that you can use; this is one of them, and probably one of the more popular ones as well. So go ahead and install that. Now we need to enable BIND 9's domain name server daemon, which is called named. Then we need to allow BIND 9 through the firewall, and we also need to allow HTTP and HTTPS through the firewall as well. At this point we just need to configure the named configuration file, and actually I think I have to do this as root: /etc/bind/named.conf.options. It looks like it already has a bit of configuration generated. We've got dnssec-validation on, but there are a few more things that need to be added. All right, so we'll add `recursion yes;`.
Then `allow-recursion { any; };` and `listen-on { any; };`, and let's see, I think I'm going to skip v6. dnssec-validation is at the bottom, and we actually have listen-on-v6 configured anyway. All right, cool, so we'll write and quit, and let's check the configuration file to make sure it's good: `named-checkconf /etc/bind/named.conf.options`. OK, no output is good; that means there are no issues with the configuration file. Then restart named.

Now we can test our DNS configuration with a dig command. This is not encrypted yet; this is just very basic, old-school, in-the-clear, plaintext DNS that I'm doing right now. As you can see it's just regular unencrypted DNS, but now we're going to set up the encrypted version.

A couple of other configurations: obviously generate your Let's Encrypt certificates if you haven't done that already, or restore them if you had backed-up ones like I did. You also need to make some changes to AppArmor; we're going to create a file under /etc/apparmor.d/local (got too many forward slashes there). In here we're just going to paste this, which is going to allow named to access our Let's Encrypt folder, and then we reload AppArmor. I still think I need to change the file permissions on the Let's Encrypt files, so let me do that real quick. Oh, my internet is slow today. OK: give the bind user access to /etc/letsencrypt/live/dns.base.win/privkey.pem, and `sudo chmod` the Let's Encrypt live privkey.

So now we should be able to make our changes to BIND's configuration, or named's configuration rather. At the top of the file we want to add a `tls` block with `key-file` and `cert-file` pointing at the Let's Encrypt privkey.pem and fullchain.pem (you need the full path to them), then an `http local` block with `endpoints { "/dns-query"; };`.
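Here is the complete named.conf.options this setup amounts to, written out as an added example rather than a file from the video. The `tls`/`http` block name `local`, the hostname dns.base.win and the Let's Encrypt paths follow the video; the `directory` line is Debian's default; and binding plaintext port 53 to loopback only is my hardening of the video's `listen-on { any; }`, for the reason given in the comments.

```conf
# /etc/bind/named.conf.options  (BIND 9.18+ on Debian; Debian's named.conf includes this file)

# TLS material for DoH (and DoT, if you uncomment the port 853 lines below).
# named runs as the "bind" user, so privkey.pem must be readable by it
# (that is what the AppArmor and chmod steps in the video are for).
# The block name "local" is arbitrary.
tls local {
    key-file  "/etc/letsencrypt/live/dns.base.win/privkey.pem";
    cert-file "/etc/letsencrypt/live/dns.base.win/fullchain.pem";
};

# RFC 8484 DoH endpoint: clients request https://dns.base.win/dns-query
http local {
    endpoints { "/dns-query"; };
};

options {
    directory "/var/cache/bind";

    recursion yes;
    # The video uses allow-recursion { any; } together with plaintext port 53 open
    # to the world, which makes the VPS an open resolver usable for UDP amplification
    # attacks. Here port 53 is bound to loopback only, so recursion is reachable
    # from outside only over DoH (TCP/TLS, which cannot be source-spoofed).
    # If you can enumerate your client networks, list them here instead of "any".
    allow-recursion { any; };

    # Plain DNS only for testing on the box itself (dig @127.0.0.1 ...).
    listen-on    port 53  { 127.0.0.1; };
    listen-on-v6 port 53  { ::1; };

    # DNS over HTTPS on 443, using the tls and http blocks above.
    listen-on    port 443 tls local http local { any; };
    listen-on-v6 port 443 tls local http local { any; };

    # Optional: DNS over TLS on 853 for clients that only speak DoT.
    # listen-on    port 853 tls local { any; };
    # listen-on-v6 port 853 tls local { any; };

    dnssec-validation auto;
};
```

Two caveats that go with this file. First, the AppArmor override the video pastes into /etc/apparmor.d/local/usr.sbin.named needs read access to both /etc/letsencrypt/live/ and /etc/letsencrypt/archive/, because the files under live/ are symlinks into archive/ and AppArmor mediates the resolved path; the key file in archive/ must additionally be readable by the bind user (for example group bind, mode 640). Second, what this server hides is the resolver-side log: the lookups named itself makes to the root, TLD and authoritative servers are still plain DNS, so whoever can see the VPS's outbound traffic still sees which names it resolves.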
OK, and then in the options we're going to do `listen-on port 53`, and I've got to remember to change that for v6 as well; actually, why don't I just do it right now: `listen-on-v6 port 53`. And I need to put `port` in there, `port 53`, good. Same thing down here, but HTTP on port 80 and HTTPS on port 443. I'm going to copy these two lines because they're kind of long: `listen-on port 443 tls local http local { any; };`, and then the same thing for v6.

OK, so we're going to save that, and again check the configuration file to make sure it's OK: `named-checkconf /etc/bind/named.conf.options`. Let me see, "check comp" needs to be named-checkconf. OK, that's working, and now we reload named; we don't need to restart the whole thing this time, just reload the file. And we're getting a TLS error, so let me try to figure out what's wrong here.

All right, so I finally got my configuration working after trying a bunch of different things and thinking that I didn't have Let's Encrypt installed properly. Turns out I simply did not run this extra chmod command, so that's the reason I didn't have access to the TLS key. That's just how things go in Linux, OK, file permissions cause a lot of problems. So I should now be able to `dig +https @dns.base.win gnu.org A`, and as you can see we got the response with HTTPS enabled. Great, so we've got a working DNS server doing DNS over HTTPS, and the configuration file has DNS over HTTPS set up.

Now we're going to go ahead and configure this on our system. There are several ways to do this. The best way, if you wanted every single device on your network to use this DNS server, would be to configure it on your router and then tell all your devices to just use the router's config, but I'm probably not going to do that until I can set up a local DNS server, which will be a lot faster, with Encrypted
Client Hello. So right now I'm just going to set this up on my system, do a dig command, and then also set it up in my browser to show you multiple tests that this is indeed working. So we'll go into /etc/resolv.conf if you're on a Linux system, and all we have to do is comment out the default settings and change the nameserver to dns.base.win, or whatever the name of your DNS server is. Now if I do the dig command here, `dig +https @dns.base.win gnu.org A`... hmm, OK, what did I do wrong in my resolv.conf? Let's see, `nameserver dns.base.win`, hmm. Try it with just the IPs: all right, there we go, so it is working on my system now.

Then let's go over to the browser. In Firefox you need to go into Settings, Privacy & Security, and when you've got the default protection it can be a little bit confusing, because Default Protection doesn't let you change your DNS server, so just choose one of the other options and then you get this drop-down menu for Custom. I've got my dns.base.win already in here from when I was testing. So let's first do a DNS leak test to verify that we are only using this DNS server. And this is my real public IP, guys, so please don't DDoS me; as you saw, my internet is not great here in rural land, and you'll probably end up taking out my whole ISP if you DDoS me. All right, so this is going to do the extended test, which I think does like five or six query rounds, and it's going to try to see if it can somehow use a different DNS server, but that's going to be impossible because I've configured Firefox to only use dns.base.win. Of course you can do this configuration in Chromium-based browsers too; it's probably a little more straightforward to configure your own custom DNS in a Chromium-based browser because it doesn't have that
weird setting that Firefox has, where you have to change your Default Protection to Increased or Max Protection or something else in order to get that other setting. So here you see the IP of my server, hostname dns.base.win, ISP says Vultr just because that's where the box is located. So, boom, confirmation that we don't have any DNS leaks.

Now we're going to use Cloudflare's secure DNS check. This is going to check a bunch of different things, including Encrypted Client Hello, which is not enabled, so that test is going to fail, but all the rest should pass: DNSSEC and encrypted DNS, which should show up as DoH. And so you can see, well, it says it's not sure about secure DNS, because they're only really sure if you use 1.1.1.1, but we've got DNSSEC working and TLS 1.3 working, nobody snooping on the wire can see the certificate of the website you made a TLS connection to, and no encrypted SNI, not yet, womp womp, but very soon, very, very soon.

But that is it for this video, guys. Please like it and share it to hack the algorithm, and check out my merch on base.win, where you save an additional 10% automatically at checkout, store-wide, as long as you pay in Monero (XMR). Have a great rest of your day.
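As an added example (not a script from the video), here is a small POSIX shell script that checks a server like the one built above from the command line, without a browser. Its `doh_query_param` function builds the RFC 8484 GET parameter by hand, so you can see what a DoH request actually carries: an ordinary RFC 1035 DNS query in wire format, base64url-encoded without padding. The server name dns.base.win and the query name gnu.org follow the video; the `DOH_SERVER` variable and the function names are my own.

```shell
#!/bin/sh
# doh-check.sh: exercise a BIND DoH resolver from outside and show what a DoH
# GET request carries. Needs curl, dig and coreutils base64.
# Usage: DOH_SERVER=dns.base.win sh doh-check.sh

# Encode a DNS query for $1 (type A, class IN, ID 0, RD set) as the base64url,
# unpadded "dns=" parameter of an RFC 8484 GET. Labels must be <= 63 bytes.
doh_query_param() {
    name=$1
    {
        # Header: ID 0x0000, flags 0x0100 (recursion desired), QDCOUNT 1, rest 0
        printf '\000\000\001\000\000\001\000\000\000\000\000\000'
        # QNAME: each label as a length byte followed by the label's bytes
        oldifs=$IFS; IFS=.; set -f
        for label in $name; do
            printf "\\$(printf '%03o' "${#label}")%s" "$label"
        done
        set +f; IFS=$oldifs
        printf '\000'              # root label terminates QNAME
        printf '\000\001\000\001'  # QTYPE A, QCLASS IN
    } | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Full GET URL for the /dns-query endpoint from named.conf.options
doh_get_url() {
    printf 'https://%s/dns-query?dns=%s\n' "$1" "$(doh_query_param "$2")"
}

if [ -n "${DOH_SERVER:-}" ]; then
    # 1. Raw RFC 8484 GET: a working endpoint answers 200 with application/dns-message
    curl -sS -o /dev/null -w 'DoH GET: HTTP %{http_code} %{content_type}\n' \
        -H 'Accept: application/dns-message' "$(doh_get_url "$DOH_SERVER" gnu.org)"
    # 2. dig over HTTPS with DNSSEC: "ad" in the flags means named validated the answer
    dig +https +dnssec @"$DOH_SERVER" gnu.org A | grep -E '^;; flags:|^;; SERVER:'
    # 3. Plaintext port 53 from here: NOERROR with an ANSWER section means the box
    #    is an open resolver; REFUSED or a timeout means port 53 is not exposed
    dig +time=3 +tries=1 @"$DOH_SERVER" gnu.org A | grep -E 'status:|^;; ANSWER' \
        || echo "port 53: no answer (not exposed, or blocked)"
fi
```

Two things this makes visible. `dig +https @server` uses DoH only because you asked it to; a `nameserver` line in /etc/resolv.conf takes an IP address (which is why the hostname did not work in the video) and the glibc stub resolver behind it speaks only plaintext DNS on port 53, so a system pointed at the VPS that way is using the resolver unencrypted, not over HTTPS. And check 3 is worth running from a network outside your own: if it returns answers, anyone on the internet can use the box, including for amplification.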