  # Backend resolver pool for the TLS front end; "dns-servers" is the name
  # that proxy_pass refers to.
  upstream dns-servers {
      # 64k shared-memory zone named "dns" for this group.
      zone dns 64k;

      # Single backend on loopback port 53. Queries on this hop are no longer
      # TLS-protected, so the resolver is expected to stay on this host.
      server 127.0.0.1:53;
  }
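  # DNS-over-TLS listener: terminates TLS on port 853 and relays the decrypted
  # stream to the dns-servers upstream. proxy_pass without a scheme and
  # ssl_handshake_timeout are stream-module forms, so this block presumably
  # lives inside stream { } rather than http { } - confirm against the full
  # configuration.
  server {
      # Bound on every IPv4 address. Nothing in this block restricts who may
      # connect; unless a public resolver is intended, add allow/deny or
      # limit_conn rules here, or filter 853/tcp at the firewall.
      listen *:853 ssl; # managed by Certbot

      proxy_pass dns-servers;
      ssl_certificate /etc/letsencrypt/live/doh.example.com/fullchain.pem; # managed by Certbot
      ssl_certificate_key /etc/letsencrypt/live/doh.example.com/privkey.pem; # managed by Certbot

      # Session tickets are disabled; ssl_session_cache below provides the
      # server-side cache used for resumption, with a 4h session lifetime.
      ssl_session_timeout 4h;
      ssl_session_tickets off;

      ssl_protocols TLSv1.2 TLSv1.3;
      # AEAD suites only (AES-GCM, ChaCha20-Poly1305), all with ECDHE key
      # exchange. The CBC-mode suites ECDHE-{ECDSA,RSA}-AES256-SHA384 and
      # ECDHE-{ECDSA,RSA}-AES128-SHA256 are deliberately left out: they add
      # padding-oracle exposure and are not expected to be needed by
      # TLS 1.2-capable DoT clients - verify against your client population.
      # This list governs TLS 1.2; with OpenSSL, TLS 1.3 suites are selected
      # separately.
      ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

      # Drop clients that do not finish the TLS handshake within 10s.
      ssl_handshake_timeout 10s;
      # 10 MB shared session cache named "DoT".
      ssl_session_cache shared:DoT:10m;
  }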