DNS-over-HTTPS is the new normal. Google, Cloudflare, and Quad9 are happy to handle your DNS queries — for free. But free in tech means you're the product. Your browsing habits, your metadata, your digital footprint — all up for grabs. Running your own DoH server isn't paranoia. It's the only rational response to a system designed to watch you.
The Surveillance Default
Every time you visit a website, your device asks a DNS resolver where to find it. That query — unencrypted by default — is visible to your ISP, your government, and anyone sniffing your network. DoH fixes the encryption part. But if you're using Cloudflare's 1.1.1.1, you're still handing your query log to a company whose business model depends on data. Cloudflare claims they don't log — but claims aren't contracts. Trust is for suckers.
“If you're not paying for the product, you are the product.” — Andrew Lewis
This isn't about hiding from the NSA. It's about taking back control of a basic internet function. DoH is a protocol — a way to encrypt DNS queries inside HTTPS traffic. It stops your ISP from seeing what sites you visit. But if you use a public DoH resolver, you've just shifted that trust from your ISP to a third party. That's not privacy. That's outsourcing surveillance.
Building Your Own: Easier Than You Think
Running your own DoH server sounds like sysadmin arcana. It's not. The tools have matured. You can set up a DoH resolver on a $5 VPS in under an hour. Here's the stack: Unbound as the recursive resolver, Nginx as the reverse proxy, and a Let's Encrypt certificate for TLS. No magic, just config files.
Start with Unbound. It's lean, fast, and supports DNS-over-TLS natively. Point it to root servers, enable validation, and you're resolving queries without any middleman. Then slap Nginx in front to handle HTTPS termination. Use certbot for the certificate. The whole setup fits in a few hundred lines of configuration.
The real win: you own the logs. You decide retention. You decide who gets access. Nobody else sees the queries unless you want them to. That's the difference between privacy and theater.
Why This Matters Now
ISPs are fighting DoH. They want to sell your browsing data. Governments want backdoors. The EU is debating ePrivacy rules that could mandate DNS logging. The US has no federal privacy law. Your DNS queries are a goldmine — and everyone wants a cut.
Running your own DoH server isn't just about privacy. It's about resilience. Public resolvers go down. They get blocked. They get pressured to censor. Your own server answers only to you.
“Self-hosting is the ultimate act of digital defiance.”
The technical barrier is lower than ever. Use a Raspberry Pi at home with Pi-hole for ad blocking and Unbound upstream. Or spin up a $3.50/month VPS from a no-log provider. Point your devices at it. Done.
The Catch: You Need to Maintain It
Self-hosting isn't set-and-forget. You'll need to update software, handle certificate renewals, and monitor for abuse. If your server gets compromised, it becomes a weapon for DNS amplification attacks. You're responsible. That's the trade-off: control for effort.
But the payoff is real. No more wondering if your resolver is logging. No more worrying about subpoenas. No more ads based on your DNS queries. Your browsing habits stay yours.
Start small. Use a test domain. Configure one device. See how it feels. Then expand. The internet wasn't supposed to be a collection of walled gardens. It was supposed to be a network of autonomous nodes. Running your own DNS server is a step back toward that vision.
Don't trust. Verify. And run your own damn server.



