DNS Over HTTPS Docs (#676)

Author: mageddo

docs/content/2-features/doh/_index.en.md

@@ -0,0 +1,35 @@
+---
+title: DNS Over HTTPS
+---
+
+DPS supports [DNS over HTTPS][2].
+When using DPS, the main benefit is that you can configure the DNS server directly in the browser, so you don’t need to change the system’s default DNS to access hostnames in your browser.
+
+### Enabling
+Set `server.doh.port` for a free port, then doH will be enabled. See the [configs reference][1] for details.
+
+```bash
+$ docker run --rm -p 8443:8443 -e DPS_SERVER__DOH__PORT=8443 defreitas/dns-proxy-server:5.8.2-snapshot
+```
+
+```bash
+$ curl -k https://localhost:8443/health
+ok
+```
+
+### Using DoH on the Browser
+* Startup DPS with DoH enabled
+* Import DPS auto assigned certificate authority
+* Configure DPS as the Browser DoH 
+* Disable [RFC-1918][3] restrictions on the Browser
+* You are done!
+
+Configuring browsers
+
+{{%children style="li"  %}}
+
+
+[1]: {{%relref "3-configuration/_index.md" %}}#doh-server
+[2]: https://en.wikipedia.org/wiki/DNS_over_HTTPS
+[3]: https://datatracker.ietf.org/doc/html/rfc1918
+[4]: https://raw.githubusercontent.com/mageddo/dns-proxy-server/607af35d2fc985a8ad9b6cb4b7953f6e87335d97/doh/ca.crt

docs/content/2-features/doh/chrome-setup/_index.en.md

@@ -0,0 +1,80 @@
+---
+title: Configure DPS DoH on Chrome (Not confirmed)
+---
+
+### Import DPS auto assigned certificate authority
+
+Chrome relies on the **operating system trust store**, so the DPS CA must be imported at the OS level.
+
+**Linux (Ubuntu / Debian-based):**
+
+* Copy the [CA file][4] to the system certificates directory
+
+  ```bash
+  sudo cp ca.crt /usr/local/share/ca-certificates/dps-ca.crt
+  ```
+* Update the system trust store
+
+  ```bash
+  sudo update-ca-certificates
+  ```
+* Restart Google Chrome
+
+**macOS:**
+
+* Open **Keychain Access**
+* Select **System** keychain
+* Drag and drop `ca.crt` into the certificates list
+* Double-click the imported certificate
+* Expand **Trust**
+* Set **When using this certificate** to **Always Trust**
+* Close the window and authenticate
+* Restart Google Chrome
+
+**Windows:**
+
+* Double-click `ca.crt`
+* Click **Install Certificate**
+* Choose **Local Machine**
+* Select **Place all certificates in the following store**
+* Choose **Trusted Root Certification Authorities**
+* Finish the wizard
+* Restart Google Chrome
+
+---
+
+### Configure DPS as the Browser DoH
+
+* Access `chrome://settings/security`
+* Scroll down to `Advanced`
+* Find `Use secure DNS`
+* Enable the `Use secure DNS` toggle
+* Select `With Custom`
+* Put `https://localhost:8443/dns-query` in the provider input
+* The secure DNS section must indicate that a **custom provider is in use**
+
+---
+
+### Disable RFC-1918 restrictions on the Browser
+
+We need to disable RFC-1918 restrictions on the browser to make it able to accept private IPs for hostnames resolved via DoH.
+The [RFC-1918][3] defines what are private and public IPs, and browsers restrict their use in DoH responses because this is
+not considered a typical production use case.
+
+Chrome blocks private IP resolution via DoH by default as a security measure.
+
+* Access `chrome://flags`
+* Search for `Insecure Private Network Requests`
+* Set **Block insecure private network requests** to **Disabled**
+* Restart Google Chrome
+
+## Additional Considerations
+In my tests, some real domains like `.dev` won't work depending on the combination
+of private ip + default port (80, 443), the browser will not accept to solve, so evict them, **.com** seems to work
+normally;
+
+You can track which names are being solved by accessing `chrome://net-internals/#dns`
+
+[2]: https://en.wikipedia.org/wiki/DNS_over_HTTPS
+[3]: https://datatracker.ietf.org/doc/html/rfc1918
+[4]: https://raw.githubusercontent.com/mageddo/dns-proxy-server/607af35d2fc985a8ad9b6cb4b7953f6e87335d97/doh/ca.crt

docs/content/2-features/doh/firefox-setup/_index.en.md

@@ -0,0 +1,40 @@
+---
+title: Configure DPS DoH on Firefox
+---
+
+## Step by Step for Firefox
+
+### Import DPS auto assigned certificate authority
+* Access `about:preferences#privacy`
+* Scroll Down to `Certificates`
+* Click on `View Certificates`
+* Go to `Authorities` Tab
+* Click on `Import...`, import [ca.crt][4] file, click on checkboxes to trust and confirm.
+
+### Configure DPS as the Browser DoH
+* Access `about:preferences#privacy`
+* Scroll down to `DNS over HTTPS`
+* Tick `Increased Protection` radio button
+* Choose `Custom` on `Custom Provider` Combo Box
+* Put `https://localhost:8443/dns-query` on the input which appear below
+* `Status: Active  Provider: localhost` must appear below `DNS over HTTPS` title
+
+### Disable RFC-1918 restrictions on the Browser
+We need to disable RFC-1918 on the browser to make browser able to accept private IPs for hostnames solved on DoH server.
+The [RFC-1918][3] defines what are private, public IPs, when and where they should be used. For this reason, Browsers
+won't accept to resolve private IPs from hostnames solved using DoH because it probably is not a production usecase,
+the environment which DoH was thought to be used.
+
+* Access `about:config`
+* Find `network.trr.allow-rfc1918` and change it to **true**
+
+## Additional Considerations
+In my tests, some real domains like `.dev` won't work depending on the combination
+of private ip + default port (80, 443), the browser will not accept to solve, so evict them, **.com** seems to work
+normally;
+
+You can track which names are being solved by accessing `about:networking#dns`
+
+[2]: https://en.wikipedia.org/wiki/DNS_over_HTTPS
+[3]: https://datatracker.ietf.org/doc/html/rfc1918
+[4]: https://raw.githubusercontent.com/mageddo/dns-proxy-server/607af35d2fc985a8ad9b6cb4b7953f6e87335d97/doh/ca.crt

docs/content/2-features/solver-docker/_index.en.md

@@ -6,4 +6,3 @@ weight: 2
 ## Features
 
 {{%children style="li"  %}}
-