From a519b5a9c491fa5ae1f9f62745796bb5292e478a Mon Sep 17 00:00:00 2001 From: gdm85 Date: Sat, 3 Sep 2022 10:54:06 +0200 Subject: [PATCH] docs: explain how to use DNS-over-TLS with nginx/STunnel --- Readme.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/Readme.md b/Readme.md index 23f466b..1e8613e 100644 --- a/Readme.md +++ b/Readme.md @@ -269,6 +269,24 @@ services: > IPV6 Support for Docker Compose based configuration TBA +### Example configuration: DNS-over-TLS + +There is no native [DNS-over-TLS](https://en.wikipedia.org/wiki/DNS_over_TLS) support but you can easily add it via nginx: +``` +stream { + server { + listen *:853 ssl; + proxy_pass ipofyourdnsresolver:port #127.0.0.1:53 + } + + ssl_certificate /etc/letsencrypt/live/site.yourdomain/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/site.yourdomain/privkey.pem; +} +``` + +The DoT service can also be provided by running a [STunnel](https://www.stunnel.org/) instance to wrap dnsmasq (or any other resolver of your choice, listening on a TCP port); +this approach does not need a stand-alone daemon to provide the DoT service. + ## DNSSEC DNS-over-HTTPS is compatible with DNSSEC, and requests DNSSEC signatures by
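Review bot: the `proxy_pass` line in the added nginx example is missing its terminating semicolon, so `proxy_pass ipofyourdnsresolver:port #127.0.0.1:53` is a configuration error as written (the `#` starts a comment and the directive is never closed, so `nginx -t` rejects the file); please change it to `proxy_pass ipofyourdnsresolver:port; # e.g. 127.0.0.1:53`. Two documentation points for the same section: the `stream { ... }` block and `listen ... ssl` depend on nginx being built with the stream and stream_ssl modules, which is worth stating before "you can easily add it via nginx", and the upstream resolver must accept TCP on that port since DoT is TCP-only. Finally, the sentence "this approach does not need a stand-alone daemon" is confusing because stunnel is itself a separate daemon; consider rewording to say it avoids running a full nginx instance, and use the project's spelling "stunnel" rather than "STunnel".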