To deploy the server locally, first acquire a TLS certificate using mkcert as follows:
$ mkcert -key-file key.pem -cert-file cert.pem 127.0.0.1 localhost
Then build and run the server as follows:
$ make all
$ CERT=cert.pem KEY=key.pem PORT=4567 ./odoh-server
By default, the proxy listens on /proxy
and the target listens on /dns-query
.
You may then run the corresponding client as follows:
$ ./odoh-client odoh --proxy localhost:4567 --target odoh.cloudflare-dns.com --domain cloudflare.com
;; opcode: QUERY, status: NOERROR, id: 14306
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;cloudflare.com. IN AAAA
;; ANSWER SECTION:
cloudflare.com. 271 IN AAAA 2606:4700::6810:84e5
cloudflare.com. 271 IN AAAA 2606:4700::6810:85e5
This section describes deployment instructions for odoh-server-go.
This server can also be manually deployed on any bare metal machine, or in cloud providers such as GCP. Instructions for both follow.
Deployment on bare metal servers, such as Equinix, can be done following
the instructions below. These steps assume that git
and go
are both installed on the metal.
- Configure a certificate on the metal using certbot. Once complete, the output should be something like the following, assuming the server domain name is "example.com":
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.com/privkey.pem
You must configure certbot to renew this certificate periodically. The simplest way to do this is via a cron job:
$ 00 00 1 * 1 certbot renew
- Configure two environment variables to reference these files:
$ export CERT=/etc/letsencrypt/live/example.com/fullchain.pem
$ export KEY=/etc/letsencrypt/live/example.com/privkey.pem
- Clone and build the server:
$ git clone git@github.com:cloudflare/odoh-server-go.git
$ cd odoh-server-go
$ go build ./...
- Run the server:
$ PORT=443 ./odoh-server &
This will run the server until completion. You must configure the server to restart should it terminate prematurely.
To deploy, run:
$ gcloud app deploy proxy.yaml
...
$ gcloud app deploy target.yaml
...
To check on its status, run:
$ gcloud app browse
To stream logs when deployed, run
$ gcloud app logs tail -s default
You need to deploy a reverse proxy with a valid TLS server certificate for clients to be able to authenticate the target or proxy.
The simplest option for this is using Caddy. Caddy will automatically provision a TLS certificate using ACME from Let's Encrypt.
For instance:
caddy reverse-proxy --from https://odoh.example.net:443 --to 127.0.0.1:8080
Alternatively, use a Caddyfile similar to:
odoh.example.net
reverse_proxy localhost:8080
and run caddy start
.