Is it possible to forward dns requests to self-hosted DoH server?


I self-host my own DoH server behind a firewall that isn’t exposed.

Is it possible to add a DNS record that forwards requests for a sub-domain?

For example, I’d like to forward requests for to my self-hosted DNS server, but only DoH requests. I realize that I’d first have to open 443/tcp on the firewall, but I’m having trouble figuring out how to wire the rest.

Is cloudflared an option?

I used to open port 53/udp on my firewall but I suffered from DNS amplification attacks.

Thanks for any help.

If the origin were accessible through your firewall, you could proxy (orange-cloud) the DoH hostname and use a firewall rule like the following with a Block action to block non-DoH requests to the hostname.

( eq ""
    and not cf.edge.server_port eq 443
    and (
        (
            http.request.method eq "GET"
            and not http.request.uri.query contains "dns="
        ) or (
            http.request.method eq "POST"
            and (
                not any(
                    lower(http.request.headers.names[*])[*] contains "content-type"
                ) or not any(
                    http.request.headers["content-type"][*] eq "application/dns-message"
                )
            )
        )
    )
)

If you were to do something like that though, you’d probably want to restrict the ingress in your firewall to requests from Cloudflare only. Additionally, you may want to further restrict the requests allowed through Cloudflare to yourself.
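As an added example (my own code, not from the thread or from Cloudflare), here is a Python classifier that applies the same request-shape test the rule above encodes, usable in a self-hosted reverse proxy in front of the DoH server. The function names and the sample query are assumptions, and it goes one step beyond the rule by decoding the dns= parameter and sanity-checking the DNS header.

```python
import base64
import struct
from typing import Mapping, Optional

DOH_CONTENT_TYPE = "application/dns-message"  # RFC 8484 media type


def decode_dns_param(query: str) -> Optional[bytes]:
    """Return the base64url-decoded 'dns' query parameter, or None if absent or undecodable."""
    for part in query.split("&"):
        key, sep, value = part.partition("=")
        if key == "dns" and sep:
            try:
                # RFC 8484 uses unpadded base64url; restore the padding before decoding.
                return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
            except ValueError:
                return None
    return None


def looks_like_dns_query(msg: bytes) -> bool:
    """Sanity-check the 12-byte DNS header: QR bit clear (a query) and at least one question."""
    if len(msg) < 12:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return (flags & 0x8000) == 0 and qdcount >= 1


def is_doh_request(method: str, query: str, headers: Mapping[str, str], port: int = 443) -> bool:
    """True only for DoH-shaped requests: GET with a valid 'dns' parameter, or POST with the DoH content type."""
    if port != 443:
        return False
    if method == "GET":
        msg = decode_dns_param(query)
        return msg is not None and looks_like_dns_query(msg)
    if method == "POST":
        # Header names are case-insensitive; ignore any media-type parameters such as charset.
        lowered = {k.lower(): v for k, v in headers.items()}
        media_type = lowered.get("content-type", "").split(";")[0].strip().lower()
        return media_type == DOH_CONTENT_TYPE
    return False


# Constructed sample: a DNS query for example.com type A (id 0xabcd, RD set, one question).
SAMPLE_QUERY = struct.pack("!6H", 0xABCD, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
SAMPLE_DNS_PARAM = base64.urlsafe_b64encode(SAMPLE_QUERY).rstrip(b"=").decode()

if __name__ == "__main__":
    print(is_doh_request("GET", "dns=" + SAMPLE_DNS_PARAM, {}))  # True
    print(is_doh_request("POST", "", {"Content-Type": "application/json"}))  # False
```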

Not possible

Yes, I can write a rule for my proxy to route based on headers, but I don’t understand what sort of DNS entry I need to get this working.

Probably not possible but thought I’d ask.

