This tutorial will be showing you how to set up your own DNS over HTTPS (DoH) resolver on Debian with DNSdist, so your DNS queries can be encrypted and protected from prying eyes.
What is DNS over HTTPS and Why It’s Important
DNS (Domain Name System) is responsible for translating domain names to IP addresses. It’s designed in 1987 with no security or privacy in mind. By default, DNS queries are not encrypted. They are sent in plain text on the wire and can be exploited by middle entities. For example, the Great Firewall (GFW) of China uses a technique called DNS cache poison to censor the Chinese Internet. (They also use other methods, which are beyond the scope of this article.)
GFW checks every DNS query sent to a DNS server outside of China. Since plain text DNS protocol is based on UDP, which is a connection-less protocol, GFW can spoof both the client IP and server IP. When GFW finds a domain name on its block list, it changes the DNS response. For instance, if a Chinese Internet user wants to visit google.com, GFW returns an IP address located in China instead of Google’s real IP address, to the user’s DNS resolver. Then the DNS resolver returns the bogus IP address to the user’s computer, so the user cannot visit google.com.
Read full tutorial here: https://www.linuxbabe.com/debian/set-up-dns-over-https-doh-resolver-debian-dnsdist