• 0 Posts
  • 10 Comments
Joined 5 months ago
Cake day: August 21st, 2025


  • Technitium is very powerful and could perfectly handle being a DNS forwarder + DHCP provider for your LAN, replacing both Pihole + cloudflared. Though it does many other things too, which can make the UI overwhelming for starters. But in my opinion if you’d like to fine-tune a lot of things like cache and custom DNS logic (via installable applets), this would be the software for you

    Edit: If you want something simpler to replace Pihole + cloudflared, AdGuard Home is pretty good too. It uses dnsproxy under the hood and has a nice UI

    For the upstream provider I guess Quad9 is popular enough to give you fairly good geolocated IPs, but also has some sense of privacy. The main thing is to always validate your answers with DNSSEC so as to detect and refuse any DNS tampering attempts







  • There are many ways to do this and you got the right gist, but my recommendation:

    • Set up a WireGuard tunnel connecting your VPS and homeserver
    • Set up a layer-4 TCP reverse proxy (Nginx’s stream module/Traefik TCP routers/Caddy-L4/HAProxy are all doable) on the VPS
    • Use that reverse proxy to route all TCP traffic back to the homeserver’s HTTPS service(s), via the wg tunnel

    Here’s a guide that helped me with such a setup: https://theorangeone.net/posts/wireguard-haproxy-gateway/

    WireGuard only needs one peer to open a silent UDP port, so use the VPS’ IP and no need to port-forward your homeserver. There are other more convenient solutions like Tailscale or Pangolin, but being WireGuard-based they all follow the same principle. Lastly this keeps your certs locally for TLS all the way through
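
The VPS side of the setup described in the comment above, as an added HAProxy example that is not part of the original comment or the linked guide. The tunnel addresses (10.0.0.1 for the VPS, 10.0.0.2 for the homeserver) and the hostnames are assumed placeholders.

```haproxy
# /etc/haproxy/haproxy.cfg on the VPS (added example, values are placeholders)
# Assumed WireGuard addressing: VPS = 10.0.0.1, homeserver = 10.0.0.2.
# Only the VPS exposes a WireGuard UDP port; the homeserver dials out to it.

global
    log /dev/log local0
    maxconn 2000

defaults
    mode tcp                  # layer 4 only: the TLS stream is never decrypted here
    log global
    option tcplog
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend https_in
    # No "ssl crt ..." on the bind line, so no certificate or private key
    # is stored on the VPS. TLS is terminated on the homeserver.
    bind :443

    # Hold the connection until the TLS ClientHello arrives so the SNI
    # (sent in clear text) can be read without decrypting anything.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Forward only the names that are actually hosted at home.
    # Names not listed here match no backend and are not forwarded.
    use_backend homeserver_https if { req.ssl_sni -i app.example.org }
    use_backend homeserver_https if { req.ssl_sni -i git.example.org }

backend homeserver_https
    # Reached through the WireGuard tunnel, never over the public internet.
    server home 10.0.0.2:443 check
```

Running `haproxy -c -f /etc/haproxy/haproxy.cfg` checks the file for syntax errors before a reload.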



  • Non-federated Matrix server with rooms bridged to Discord/WhatsApp/Slack/whatever, so everyone can join.

    Use standard webapps for other stuff like polls, surveys, events etc and send the URL to an announcement channel. Not sure of exact solutions but if one app can do it all and send email reminders for them, that’d be great. Same can be done for VoIP with Jitsi links, or even Z**m links.

    Back up the databases if you need the chat logs. All of this should be doable with a small VPS, but a mini PC cluster could be better