Created
November 3, 2025 22:49
Gist williamzujkowski/48bd7c6e1d18e0d12cfcad67ff4a644c
DoH Security Hardening - Firewall rules and certificate pinning for DNS-over-HTTPS
```python
#!/usr/bin/env python3
# DoH Certificate Pinning for Self-Hosted Servers
import ssl
import hashlib
import base64


class SecureDoHClient:
    def make_context(self) -> ssl.SSLContext:
        # Start from the default context so CA validation and hostname checks
        # stay on; the pin check is layered on top after the handshake.
        context = ssl.create_default_context()
        # ... (additional implementation details)
        return context
```
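The gist's client is only a stub, so here is an added, complete version of the same idea (example code, not the gist's own): a DoH client that keeps normal CA and hostname validation and adds a full-certificate pin on the leaf, then sends an RFC 8484 GET query. `DOH_HOST`, `DOH_PORT`, `PINS` and the `/dns-query` path are hypothetical assumptions for a self-hosted resolver; the pin values must be recorded out of band from the server's own certificate.

```python
#!/usr/bin/env python3
"""Added example (not the gist's code): DoH client with leaf-certificate pinning.

Hypothetical assumptions: the self-hosted resolver is DOH_HOST:DOH_PORT, serves
RFC 8484 on /dns-query, and PINS holds base64(SHA-256(DER leaf cert)) values
recorded out of band, e.g.
  openssl x509 -in server.crt -outform der | openssl dgst -sha256 -binary | base64
"""
import base64
import hashlib
import hmac
import socket
import ssl

DOH_HOST = "doh.example.internal"  # hypothetical self-hosted DoH server
DOH_PORT = 443
PINS = {"REPLACE_WITH_BASE64_SHA256_OF_DER_CERT="}  # placeholder, fill from your cert


def compute_pin(der_cert: bytes) -> str:
    """Full-certificate pin: base64 of the SHA-256 over the DER encoding."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def verify_pin(der_cert: bytes, pins) -> bool:
    """True if the leaf's pin is in the pinned set (constant-time compare per entry)."""
    pin = compute_pin(der_cert)
    return any(hmac.compare_digest(pin, candidate) for candidate in pins)


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """DNS wire-format query: ID 0 (RFC 8484 suggests it for cacheable GETs),
    RD set, one IN question."""
    header = b"\x00\x00" + b"\x01\x00" + b"\x00\x01" + b"\x00\x00\x00\x00\x00\x00"
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + qtype.to_bytes(2, "big") + b"\x00\x01"


def doh_get_path(name: str) -> str:
    """RFC 8484 GET target: /dns-query?dns=<base64url of the wire query, no padding>."""
    encoded = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=")
    return "/dns-query?dns=" + encoded.decode("ascii")


def doh_path_to_wire(path: str) -> bytes:
    """Server-side inverse of doh_get_path: restore padding, decode."""
    encoded = path.split("dns=", 1)[1]
    encoded += "=" * (-len(encoded) % 4)
    return base64.urlsafe_b64decode(encoded)


def response_rcode(message: bytes) -> int:
    """RCODE is the low nibble of the second flags byte of a DNS message."""
    return message[3] & 0x0F


class SecureDoHClient:
    def __init__(self, host: str = DOH_HOST, port: int = DOH_PORT, pins=PINS):
        self.host, self.port, self.pins = host, port, set(pins)

    def make_context(self) -> ssl.SSLContext:
        # Default context keeps CA validation and hostname verification on;
        # pinning is an extra check on top, not a replacement for them.
        context = ssl.create_default_context()
        context.minimum_version = ssl.TLSVersion.TLSv1_2
        context.set_alpn_protocols(["http/1.1"])
        return context

    def resolve_raw(self, name: str, timeout: float = 5.0) -> bytes:
        """Return the raw DNS response, or raise on pin mismatch / bad HTTP status."""
        context = self.make_context()
        with socket.create_connection((self.host, self.port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=self.host) as tls:
                leaf = tls.getpeercert(binary_form=True)
                if not verify_pin(leaf, self.pins):
                    # Fail closed: a valid CA chain with an unexpected leaf is the
                    # case pinning exists to catch (rogue CA, swapped certificate).
                    raise ssl.SSLCertVerificationError(
                        f"pin mismatch for {self.host}: leaf pin is {compute_pin(leaf)}"
                    )
                request = (
                    f"GET {doh_get_path(name)} HTTP/1.1\r\n"
                    f"Host: {self.host}\r\n"
                    "Accept: application/dns-message\r\n"
                    "Connection: close\r\n\r\n"
                )
                tls.sendall(request.encode("ascii"))
                chunks = []
                while chunk := tls.recv(4096):
                    chunks.append(chunk)
        head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
        status = head.split(b"\r\n", 1)[0]
        if not status.startswith(b"HTTP/1.1 200"):
            raise RuntimeError(f"DoH server returned {status.decode(errors='replace')}")
        return body


if __name__ == "__main__":
    answer = SecureDoHClient().resolve_raw("example.com")
    print("rcode", response_rcode(answer), "bytes", len(answer))
```

A full-certificate pin (hash of the whole DER certificate) is the simplest choice for a self-hosted server you control, but it breaks on every renewal; if the server's key is kept across renewals, pin the SubjectPublicKeyInfo instead and keep a backup pin for the next key so a rotation cannot lock clients out.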
```bash
#!/bin/bash
# DoH Security Hardening - Firewall Rules
# iptables OUTPUT rules that force all DNS through the cloudflared DoH proxy.
# Assumes cloudflared runs as the "cloudflared" user; -m owner only matches
# locally generated traffic, so this covers this host, not forwarded traffic.
set -euo pipefail
# Keep loopback open before the DROPs below, otherwise local clients can no
# longer reach the proxy listening on 127.0.0.1:53
iptables -A OUTPUT -o lo -j ACCEPT
# Block standard DNS (port 53) except from DoH proxy
iptables -A OUTPUT -p udp --dport 53 -m owner ! --uid-owner cloudflared -j DROP
iptables -A OUTPUT -p tcp --dport 53 -m owner ! --uid-owner cloudflared -j DROP
# Block DNS-over-TLS (port 853)
iptables -A OUTPUT -p tcp --dport 853 -j DROP
# Stop other processes from talking DoH directly to the listed resolvers on 443.
# Only these two addresses are covered: other DoH endpoints (and these providers'
# alternate addresses) stay reachable, and IPv6 needs matching ip6tables rules.
iptables -A OUTPUT -p tcp --dport 443 -d 1.1.1.1 -m owner ! --uid-owner cloudflared -j DROP
iptables -A OUTPUT -p tcp --dport 443 -d 8.8.8.8 -m owner ! --uid-owner cloudflared -j DROP
```
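Rules like these are easy to get subtly wrong, so here is an added check (example code, not part of the gist) that audits the text `iptables -S OUTPUT` prints for the lockdown the rules above intend: the loopback ACCEPT must come before the port-53 DROPs (iptables stops at the first match, so a later ACCEPT does nothing), DoT must be dropped, and every resolver address needs an owner-restricted port-443 DROP. Both rule listings in the block are constructed samples; on a real host `iptables -S` prints `--uid-owner` as a numeric uid, so pass the result of `id -u cloudflared` as `proxy_user` rather than the name.

```python
#!/usr/bin/env python3
"""Added example (not the gist's code): audit `iptables -S OUTPUT` for the DNS lockdown.

GOOD_RULES / BAD_RULES are constructed samples of the chain listing; they use the
user name for --uid-owner for readability, whereas a real listing shows the uid.
"""
import re
import subprocess

PROXY_USER = "cloudflared"          # pass the numeric uid on a live host
RESOLVERS = ["1.1.1.1", "8.8.8.8"]  # addresses the gist's rules restrict

# Constructed sample: hardened chain with the loopback exemption in place.
GOOD_RULES = """\
-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m owner ! --uid-owner cloudflared -j DROP
-A OUTPUT -p tcp -m tcp --dport 53 -m owner ! --uid-owner cloudflared -j DROP
-A OUTPUT -p tcp -m tcp --dport 853 -j DROP
-A OUTPUT -d 1.1.1.1/32 -p tcp -m tcp --dport 443 -m owner ! --uid-owner cloudflared -j DROP
-A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 443 -m owner ! --uid-owner cloudflared -j DROP
"""

# Constructed sample: no loopback ACCEPT and one resolver forgotten.
BAD_RULES = """\
-P OUTPUT ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m owner ! --uid-owner cloudflared -j DROP
-A OUTPUT -p tcp -m tcp --dport 53 -m owner ! --uid-owner cloudflared -j DROP
-A OUTPUT -p tcp -m tcp --dport 853 -j DROP
-A OUTPUT -d 1.1.1.1/32 -p tcp -m tcp --dport 443 -m owner ! --uid-owner cloudflared -j DROP
"""


def parse_rule(line: str) -> dict:
    """Pull the options the audit needs out of one `-A OUTPUT ...` line."""
    def opt(flag):
        m = re.search(rf"(?:^|\s){re.escape(flag)}\s+(\S+)", line)
        return m.group(1) if m else None
    owner = re.search(r"!\s+--uid-owner\s+(\S+)", line)
    dst = opt("-d")
    return {
        "proto": opt("-p"),
        "dport": opt("--dport"),
        "dst": dst.split("/")[0] if dst else None,
        "out": opt("-o"),
        "target": opt("-j"),
        "not_owner": owner.group(1) if owner else None,  # user excluded by "! --uid-owner"
    }


def audit_output_chain(text: str, proxy_user: str = PROXY_USER, resolvers=RESOLVERS) -> list:
    """Return findings; an empty list means the chain matches the intended lockdown."""
    rules = [parse_rule(l) for l in text.splitlines() if l.startswith("-A OUTPUT")]
    findings = []
    lo_accept_at = next(
        (i for i, r in enumerate(rules) if r["out"] == "lo" and r["target"] == "ACCEPT"), None
    )
    if lo_accept_at is None:
        findings.append("no loopback ACCEPT: local clients cannot reach the proxy on 127.0.0.1:53")
    for proto in ("udp", "tcp"):
        idx = next(
            (i for i, r in enumerate(rules)
             if r["proto"] == proto and r["dport"] == "53"
             and r["target"] == "DROP" and r["not_owner"] == proxy_user),
            None,
        )
        if idx is None:
            findings.append(f"missing {proto}/53 DROP for users other than {proxy_user}")
        elif lo_accept_at is not None and lo_accept_at > idx:
            findings.append(f"loopback ACCEPT comes after the {proto}/53 DROP (first match wins)")
    if not any(r["proto"] == "tcp" and r["dport"] == "853" and r["target"] == "DROP" for r in rules):
        findings.append("DNS-over-TLS (tcp/853) is not blocked")
    for ip in resolvers:
        if not any(r["dst"] == ip and r["dport"] == "443" and r["target"] == "DROP"
                   and r["not_owner"] == proxy_user for r in rules):
            findings.append(f"no owner-restricted tcp/443 DROP for resolver {ip}")
    return findings


def live_output_chain() -> str:
    """Read the real chain (needs root); only used when run as a script."""
    return subprocess.run(["iptables", "-S", "OUTPUT"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for finding in audit_output_chain(live_output_chain()) or ["OK: chain matches"]:
        print(finding)
```

Run it after loading the rules and again after a reboot: if the rules are loaded by a unit that starts after the proxy, the audit is also a cheap way to notice that the chain is empty.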