Total Pageviews

Tuesday 3 December 2019

使用https-dns-by-honwen解决dns污染问题

在mac机器上。
wget https://github.com/honwen/https-dns/releases/download/v20180510/https-dns_darwin-amd64-ce07cfc.tar.gz

tar xvf https-dns_darwin-amd64-ce07cfc.tar.gz

./https-dns_darwin_amd64 -h

sudo ./https-dns_darwin_amd64 -l 127.0.0.1:53 --proxy socks5://127.0.0.1:1080 --udp --endpoint-uri https://dns.google.com/resolve?

使用例子:
运行全局代理程序mellow

sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1

运行ss-libev客户端

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:1080 --udp --endpoint-uri https://dns.google.com/resolve? 或:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:1080 --udp --endpoint-uri https://doh.dns.sb/dns-query  或:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:1080 --udp --endpoint-uri https://cloudflare-dns.com/dns-query (cloudflare的这个doh server不稳定)


运行ss-libev客户端也行,只要是运行某个本地的socks proxy client就行,比如v2ray:
v2ray -config bwg2-v2ray.json


sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.adguard.com/dns-query  or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.google.com/resolve?  或:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.dns.sb/dns-query  或:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.quad9.net/dns-query   or:


sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.dnsoverhttps.net/dns-query  or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.opendns.com/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.xfinity.com/dns-query   or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dohdot.coxlab.net/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.nextdns.io/  or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.crypto.sx/dns-query    or:


sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri  https://doh-jp.blahdns.com/dns-query  or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.dns-over-https.com/dns-query  or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.securedns.eu/dns-query  or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.containerpi.com/dns-query  or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh-2.seby.io/dns-query  or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.seby.io:8443/dns-query  or:


sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.li/dns-query  or:


sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.42l.fr/dns-query  or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.hostux.net/dns-query  or:


sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://ibksturm.synology.me/dns-query  or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://jcdns.fun/dns-query  or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://ibuki.cgnat.net/dns-query  or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.twnic.tw/dns-query  or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://example.doh.blockerdns.com/dns-query  or:



项目地址:
https://github.com/honwen/https-dns/
https://github.com/honwen/https-dns/releases/

其实,上面的命令:
sudo ./https-dns_darwin_amd64 -l 127.0.0.1:53 --proxy socks5://127.0.0.1:1080 --udp --endpoint-uri https://dns.google.com/resolve?可以改成这样:

sudo ./https-dns_darwin_amd64 -l 127.0.0.1:53 --udp --endpoint-uri https://mydomain.com/dns-query ,不过需先添加一行:my-vps-ip mydomain.com到/etc/hosts文件的底部。至于服务器端(doh server端)的搭建见此文:
https://briteming.blogspot.com/2019/06/high-performance-dns-over-https-client.html 里面的“我的补充说明”部分。

(https://dns.sb/doh/) 
https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers ,公共doh server列表
(https://developers.google.com/speed/public-dns/docs/doh)
-------------------------------------------------


Publicly available doh servers


Who runs itBase URLComment
AdGuardDefault: https://dns.adguard.com/dns-query
Family protection: https://dns-family.adguard.com/dns-query
Default provides ad blocking at DNS level, while Family protection adds adult site blocking.
Googlehttps://dns.google/dns-queryFull RFC 8484 support
Cloudflarehttps://cloudflare-dns.com/dns-query
also available via Tor onion service
Supports both -04 and -13 content-types
Quad9Recommended: https://dns.quad9.net/dns-query
Secured: https://dns9.quad9.net/dns-query
Unsecured: https://dns10.quad9.net/dns-query
Secured w/ECS Support: https://dns11.quad9.net/dns-query
Secured provides: Security blocklist, DNSSEC, no EDNS Client-Subnet
Unsecured provides: No security blocklist, no DNSSEC, no EDNS Client-Subnet
Recommend is currently identical to secure.
Cisco Umbrella/OpenDNShttps://doh.opendns.com/dns-queryExperimental, No DNSSEC
CleanBrowsinghttps://doh.cleanbrowsing.org/doh/family-filter/anycast DoH server with parental control (restricts access to adult content + enforces safe search)
Comcasthttps://doh.xfinity.com/dns-queryExperimental, DNSSEC
Coxhttps://dohdot.coxlab.net/dns-queryExperimental, No DNSSEC
nextdns.iohttps://dns.nextdns.io/
Create a config ID
The first cloud-based private DNS service that gives you full control over what is allowed and what is blocked on the Internet.
@chantrahttps://dns.dnsoverhttps.net/dns-query"toy server" which runs https://github.com/facebookexperimental/doh-proxy, 垃圾,放弃此项目
@jedisct1https://doh.crypto.sx/dns-querya server which runs another project called doh-proxy, written in Rust.
PowerDNShttps://doh.powerdns.orgBased on dnsdist-doh branch (未成功)
blahdns.comFinland: https://doh-fi.blahdns.com/dns-query
Japan: https://doh-jp.blahdns.com/dns-query
Germany: https://doh-de.blahdns.com/dns-query
Based on Go implementation, knot-resolver, Unbound with DNSSEC, No ECS, No logs, Adsblock
NekomimiRouter.comhttps://dns.dns-over-https.com/dns-queryRuns Go implementation. Does recursion itself with no upstream servers. Toy server may fail, please report if fails
SecureDNS.euhttps://doh.securedns.eu/dns-queryNo Logging & DNSSEC



ContainerPIUnfiltered by CloudFlare:
https://dns.containerpi.com/dns-query
Filtered by CleanBrowsing, blocks adult content:
https://dns.containerpi.com/doh/family-filter/
Filtered, blocks malicious domains only:
https://dns.containerpi.com/doh/secure-filter/
Based on m13253/DNS-over-HTTPS, no logging, EDNS Client Subnet enabled. Multiple nodes in China Mainland, Japan and Germany.
@publicarray dns.seby.iohttps://doh-2.seby.io/dns-query https://doh.seby.io:8443/dns-queryAustralian server that runs @m13253's Go implementation, Unbound with DNSSEC, No ECS and No logs
Commons Hosthttps://commons.host~20 PoPs worldwide, Node.js/playdoh over Knot Resolver.  (未成功)
(项目地址:https://github.com/commonshost/dohnut)
DnsWardenAdblocking DNS: https://doh.dnswarden.com/adblock
Uncensored DNS: https://doh.dnswarden.com/uncensored
Adult-filter DNS: https://doh.dnswarden.com/adult-filter
No query/IP logging with DNSSEC enabled.
Blocks ads and trackers in Adblocking DNS.
No filtering in Uncensored DNS.
Blocks adult content, ads, trackers and also enforces force safe search for search engines and youtube in Adult-filter DNS.  (未成功)
aaflalo.meServer US: https://dns-nyc.aaflalo.me/dns-query
Server EU: https://dns.aaflalo.me/dns-query
Runs on Star Brilliant's dns-over-https
Both servers check for DNSSEC and block advertising
Foundation for Applied Privacyhttps://doh.appliedprivacy.net/queryNo query/IP logging, no filtering, QNAME minimization, no EDNS client subnet, TLS 1.3, DNSSEC, RFC7706,  (未成功)RFC8198; https://appliedprivacy.net/services/dns/
captnemo.inhttps://doh.captnemo.in/dns-queryRuns dnss with local unbound resolver. running DNSCrypt with DNSSEC support as the upstream. Privacy Policy. More details at https://captnemo.in/doh/. No logging or filtering. Runs in Bangalore, India  (未成功)
Tiaraphttps://doh.tiar.app/dns-query
https://doh.tiarap.org/dns-query
Based in Singapore, No logging, block Ad/Ad-tracking/Malware, No ECS, DNSSEC    (未成功)
DNS.SBhttps://doh.dns.sb/dns-queryDNSSEC enabled
FAELIXhttps://rdns.faelix.net/No logging, based on dnsdist-doh RC querying our powerdns-recursor resolvers, multiple nodes in UK and CH, more info   (未成功)
doh.lihttps://doh.li/dns-queryRuns on dns-over-https, no logging, EDNS Client Subnet enabled, based in DigitalOcean London. DNSSEC and adblock not currently enabled.




Association 42lhttps://doh.42l.fr/dns-queryDNSSEC, not logging queries' content, uses doh-proxy and edgedns for caching. Queries proxied randomly through FFDN members' open DNS resolvers (French ISPs commiting for net neutrality).
Hostux.netUncensored DNS: https://dns.hostux.net/dns-query
Adblocking DNS: https://dns.hostux.net/ads
DNSSEC, no EDNS Client-Subnet, not logging queries' content, hosted in Luxembourg.
Andrews & Arnoldhttps://dns.aa.net.uk/dns-queryno logging (see DNS Disclaimer), (未成功)
@matthewgall - mydns.networkhttps://adblock.mydns.network/dns-query (adblock, using PiHole)no logging, DNSSEC enforcing, DDoS protected (using Spectrum by Cloudflare), anycast) , (未成功)
ibksturm.synology.mehttps://ibksturm.synology.me/dns-querydoh-server (nginx - dnsproxy - unbound), DNSSEC / Non-Logged / Uncensored, OpenNIC and Root DNS-Zone Copy Hosted in Switzerland by ibksturm, aka Andreas Ziegler.
jcdns.funhttps://jcdns.fun/dns-querysecure nginx, Non-Logged / Uncensored, hosted on Digital Ocean VPS by jamesacampbell AKA James Campbell.
@null31https://ibuki.cgnat.net/dns-queryBrazilian server that runs dnsdist.orgUnbound with DNSSEC doing recursion with no upstream servers, QNAME minimization, TLS 1.3, DoT, uncensored, no logging, no ECS, hosted on Google Cloud VPS by null31. Toy server, may fail.
TWNIChttps://dns.twnic.tw/dns-queryNo source IP logging. Operated by Quad101 project, according to this announcement
blockerDNShttps://example.doh.blockerdns.com/dns-queryDNS-based ad blocking service; One-man operation; ZERO IP and DNS query logging for DoH and DoT. Charges 99c per month for https DOH service

https://libredns.gr/提供的doh server:

https://doh.libredns.gr/dns-query并不稳定。

Supported in browsers and clients

NameVersionComments
Firefox62temporary docs
Bromite67.0.3396.88How to enable DoH
curl7.62.0See DOH-implementation
OkHttp3.11See Providers



Chrome66https://bugs.chromium.org/p/chromium/issues/detail?id=799753

DOH Tools

Frank Denis' https://github.com/jedisct1/rust-doh (server-side proxy) and dnscrypt-proxy (client proxy).
doh server程序rust-doh的搭建说明:
在linux vps上。首先安装rust环境,然后,
git clone https://github.com/jedisct1/rust-doh rust-doh-by-jedisct1
cd rust-doh-by-jedisct1
cargo build --release
(在当前目录下,会生成target/release目录;在target/release目录里面会生成可执行文件
doh-proxy。)
cd target/release
./doh-proxy -l 127.0.0.1:3001 --path /dns-query --server-address 8.8.8.8:53
不过此命令是运行在前台的,我们可以利用systemd把此命令运行为service:
nano /etc/systemd/system/rust-doh.service
cat rust-doh.service
[Unit]
After=network.target

[Service]
ExecStart=/root/rust-doh-by-jedisct1/target/release/doh-proxy -l 127.0.0.1:3001 --path /dns-query --server-address 8.8.8.8:53
Restart=always

[Install]
WantedBy=multi-user.target

然后,
systemctl start rust-doh
systemctl enable rust-doh

然后用nginx做反向代理,代理http://127.0.0.1:3001 ,nginx的server段内容如下:
server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  MY_SERVER_NAME;

    server_tokens off;

    ssl_protocols TLSv1.2 TLSv1.3;          # TLS 1.3 requires nginx >= 1.13.0
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;     # openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1;               # Requires nginx >= 1.1.0
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;                # Requires nginx >= 1.5.9
    ssl_stapling on;                        # Requires nginx >= 1.3.7
    ssl_stapling_verify on;                 # Requires nginx => 1.3.7 
    resolver 1.1.1.1 valid=300s;            # Replace with your local resolver
    resolver_timeout 5s;
    # HTTP Security Headers
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=63072000";
    ssl_certificate /path/to/your/server/certificates/fullchain.pem;
    ssl_certificate_key /path/to/your/server/certificates/privkey.pem;
    location /dns-query {
        proxy_pass       http://localhost:3001/dns-query;
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
然后在vps上,安装nginx1.14,按上面的Nginx段的内容,添加该段内容至你的nginx的配置文件内,然后重启nginx.
doh server程序rust-doh的搭建完成。至于doh client程序,可以使用
dnsproxy-by-AdguardTeam,命令为:
sudo dnsproxy --listen=127.0.0.1 --port=53 --upstream=https://mydomain.com/dns-query
因为我没有加"--bootstrap=208.67.222.222:5353"参数,所以需修改/etc/hosts文件,在其底部加上一行:
vps-ip mydomain.com
详见https://briteming.blogspot.com/2019/09/dnsproxy-by-adguardteamdns.html

Peter Lai's doh-js-client client-side implementation of DoH, can be used in nodejs backend.(https://github.com/sc0Vu/doh-js-client/issues/1 ,作者没有具体说其用法)
Travis Burtrum's jDnsProxy DNS proxy and cache, implementing DNS-over-TLSDNS-over-HTTPS, and Serve-Stale( 试过,遇错)
Frank Olbricht's RouteDNS, a flexible stub resolver, proxy, and router with support for DoH, DoT, and plain DNS written in Go.
https://github.com/folbricht/routedns/blob/master/cmd/routedns/example-config/simple-doh.toml
RouteDNS的用法:
在mac机器上安装go环境(go1.13),然后,
go get -u -v github.com/folbricht/routedns/cmd/routedns
(会生成可执行文件routedns)
routedns -h
nano simple-doh.toml
cat simple-doh.toml
# All queries are forwarded to DNS-over-HTTPS resolver. The goal is to
# provide encrypted DNS for the machine if 127.0.0.1 is configured in /etc/resolv.conf.

title = "RouteDNS configuration for providing DNS-over-HTTP locally"

[resolvers]

  [resolvers.brite-doh]
  address = "https://mydomain.com/dns-query{?dns}"
  protocol = "doh"

[listeners]

  [listeners.local-udp]
  address = "127.0.0.1:53"
  protocol = "udp"
  resolver = "brite-doh"

  [listeners.local-tcp]
  address = "127.0.0.1:53"
  protocol = "tcp"

  resolver = "brite-doh"

然后运行:

sudo routedns simple-doh.toml
这是客户端程序。至于服务器端doh server: https://mydomain.com/dns-query的搭建见此文https://briteming.blogspot.com/2019/06/high-performance-dns-over-https-client.html 里的“我的补充说明”部分。

Frank Denis' Encrypted DNS Server, written in Rust, can serve DNSCrypt and DoH traffic simultaneously. A Docker image including a recursive server is also available.
ElevenPaths EasyDoH, a simple addon for Firefox that allows to easily activate DNS over HTTPS and its working mode with just one click.


相关帖子:
https://briteming.blogspot.com/2019/06/high-performance-dns-over-https-client.html

https://github.com/nextdns/nextdns