人生在世，看得透，又看得远者prevail everywhere.

gg.gg/13nbnz gg.gg/13p5tj gg.gg/13p9s5 gg.gg/13tljl gg.gg/13xudz gg.gg/13xy3p gg.gg/143tqc linux.die.net linux.it.net.cn ostechnix.com unix.com gg.gg/19yv96 man.linuxde.net gg.gg/148erg bit.ly/2vsM34J bit.ly/2EzoUDo bit.ly/2wCsZSI bit.ly/2v6jGJi bit.ly/2tW6eYT bit.ly/2u2MMtm bit.ly/2X6vadl bit.ly/2viLpHU bit.ly/2fzzbEU linuxprobe.com linuxtechi.com ttlsa.com systutorials.com ghacks.net linuxopsys.com reurl.cc/8W1x3X reurl.cc/NpzMWe reurl.cc/WrgYdx reurl.cc/Yv4Yvo reurl.cc/Lmy90K reurl.cc/Rr5aeG

Tuesday 3 December 2019

使用https-dns-by-honwen解决dns污染问题

在mac机器上。
wget https://github.com/honwen/https-dns/releases/download/v20180510/https-dns_darwin-amd64-ce07cfc.tar.gz

tar xvf https-dns_darwin-amd64-ce07cfc.tar.gz

./https-dns_darwin_amd64 -h

sudo ./https-dns_darwin_amd64 -l 127.0.0.1:53 --proxy socks5://127.0.0.1:1080 --udp --endpoint-uri https://dns.google.com/resolve?

使用例子：
运行全局代理程序mellow

sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1

运行ss-libev客户端

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:1080 --udp --endpoint-uri https://dns.google.com/resolve? 或：

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:1080 --udp --endpoint-uri https://doh.dns.sb/dns-query 或：

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:1080 --udp --endpoint-uri https://cloudflare-dns.com/dns-query (cloudflare的这个doh server不稳定）

不运行ss-libev客户端也行，只要是运行某个本地的socks proxy client就行，比如v2ray:
v2ray -config bwg2-v2ray.json

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.adguard.com/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.google.com/resolve? 或：

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.dns.sb/dns-query 或：

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.quad9.net/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.dnsoverhttps.net/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.opendns.com/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.xfinity.com/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dohdot.coxlab.net/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.nextdns.io/ or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.crypto.sx/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh-jp.blahdns.com/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.dns-over-https.com/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.securedns.eu/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.containerpi.com/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh-2.seby.io/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.seby.io:8443/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.li/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.42l.fr/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.hostux.net/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://ibksturm.synology.me/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://jcdns.fun/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://ibuki.cgnat.net/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.twnic.tw/dns-query or:

sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://example.doh.blockerdns.com/dns-query or:

项目地址：
https://github.com/honwen/https-dns/
https://github.com/honwen/https-dns/releases/

其实，上面的命令：
sudo ./https-dns_darwin_amd64 -l 127.0.0.1:53 --proxy socks5://127.0.0.1:1080 --udp --endpoint-uri https://dns.google.com/resolve?可以改成这样：

sudo ./https-dns_darwin_amd64 -l 127.0.0.1:53 --udp --endpoint-uri https://mydomain.com/dns-query ,不过需先添加一行：my-vps-ip mydomain.com到/etc/hosts文件的底部。至于服务器端（doh server端）的搭建见此文：
https://briteming.blogspot.com/2019/06/high-performance-dns-over-https-client.html 里面的“我的补充说明”部分。

（https://dns.sb/doh/）
（https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers ，公共doh server列表）
(https://developers.google.com/speed/public-dns/docs/doh)
-------------------------------------------------

Publicly available doh servers

https://dns.oszx.co/

Who runs it	Base URL	Comment
AdGuard	Default: https://dns.adguard.com/dns-query Family protection: https://dns-family.adguard.com/dns-query	Default provides ad blocking at DNS level, while Family protection adds adult site blocking.
Google	https://dns.google/dns-query	Full RFC 8484 support
Cloudflare	https://cloudflare-dns.com/dns-query also available via Tor onion service	Supports both -04 and -13 content-types
Quad9	Recommended: https://dns.quad9.net/dns-query Secured: https://dns9.quad9.net/dns-query Unsecured: https://dns10.quad9.net/dns-query Secured w/ECS Support: https://dns11.quad9.net/dns-query	Secured provides: Security blocklist, DNSSEC, no EDNS Client-Subnet Unsecured provides: No security blocklist, no DNSSEC, no EDNS Client-Subnet Recommend is currently identical to secure.
Cisco Umbrella/OpenDNS	https://doh.opendns.com/dns-query	Experimental, No DNSSEC
CleanBrowsing	https://doh.cleanbrowsing.org/doh/family-filter/	anycast DoH server with parental control (restricts access to adult content + enforces safe search)
Comcast	https://doh.xfinity.com/dns-query	Experimental, DNSSEC
Cox	https://dohdot.coxlab.net/dns-query	Experimental, No DNSSEC
nextdns.io	https://dns.nextdns.io/ Create a config ID	The first cloud-based private DNS service that gives you full control over what is allowed and what is blocked on the Internet.
@chantra	https://dns.dnsoverhttps.net/dns-query	"toy server" which runs https://github.com/facebookexperimental/doh-proxy, 垃圾，放弃此项目
@jedisct1	https://doh.crypto.sx/dns-query	a server which runs another project called doh-proxy, written in Rust.
PowerDNS	https://doh.powerdns.org	Based on dnsdist-doh branch (未成功）
blahdns.com	Finland: https://doh-fi.blahdns.com/dns-query Japan: https://doh-jp.blahdns.com/dns-query Germany: https://doh-de.blahdns.com/dns-query	Based on Go implementation, knot-resolver, Unbound with DNSSEC, No ECS, No logs, Adsblock
NekomimiRouter.com	https://dns.dns-over-https.com/dns-query	Runs Go implementation. Does recursion itself with no upstream servers. Toy server may fail, please report if fails
SecureDNS.eu	https://doh.securedns.eu/dns-query	No Logging & DNSSEC

ContainerPI	Unfiltered by CloudFlare: https://dns.containerpi.com/dns-query Filtered by CleanBrowsing, blocks adult content: https://dns.containerpi.com/doh/family-filter/ Filtered, blocks malicious domains only: https://dns.containerpi.com/doh/secure-filter/	Based on m13253/DNS-over-HTTPS, no logging, EDNS Client Subnet enabled. Multiple nodes in China Mainland, Japan and Germany.
@publicarray dns.seby.io	https://doh-2.seby.io/dns-query https://doh.seby.io:8443/dns-query	Australian server that runs @m13253's Go implementation, Unbound with DNSSEC, No ECS and No logs
Commons Host	https://commons.host	~20 PoPs worldwide, Node.js/playdoh over Knot Resolver. (未成功） (项目地址：https://github.com/commonshost/dohnut）
DnsWarden	Adblocking DNS: https://doh.dnswarden.com/adblock Uncensored DNS: https://doh.dnswarden.com/uncensored Adult-filter DNS: https://doh.dnswarden.com/adult-filter	No query/IP logging with DNSSEC enabled. Blocks ads and trackers in Adblocking DNS. No filtering in Uncensored DNS. Blocks adult content, ads, trackers and also enforces force safe search for search engines and youtube in Adult-filter DNS. (未成功）
aaflalo.me	Server US: https://dns-nyc.aaflalo.me/dns-query Server EU: https://dns.aaflalo.me/dns-query	Runs on Star Brilliant's dns-over-https Both servers check for DNSSEC and block advertising
Foundation for Applied Privacy	https://doh.appliedprivacy.net/query	No query/IP logging, no filtering, QNAME minimization, no EDNS client subnet, TLS 1.3, DNSSEC, RFC7706, (未成功）RFC8198; https://appliedprivacy.net/services/dns/
captnemo.in	https://doh.captnemo.in/dns-query	Runs dnss with local unbound resolver. running DNSCrypt with DNSSEC support as the upstream. Privacy Policy. More details at https://captnemo.in/doh/. No logging or filtering. Runs in Bangalore, India (未成功）
Tiarap	https://doh.tiar.app/dns-query https://doh.tiarap.org/dns-query	Based in Singapore, No logging, block Ad/Ad-tracking/Malware, No ECS, DNSSEC (未成功）
DNS.SB	https://doh.dns.sb/dns-query	DNSSEC enabled
FAELIX	https://rdns.faelix.net/	No logging, based on dnsdist-doh RC querying our powerdns-recursor resolvers, multiple nodes in UK and CH, more info (未成功）
doh.li	https://doh.li/dns-query	Runs on dns-over-https, no logging, EDNS Client Subnet enabled, based in DigitalOcean London. DNSSEC and adblock not currently enabled.


Association 42l	https://doh.42l.fr/dns-query	DNSSEC, not logging queries' content, uses doh-proxy and edgedns for caching. Queries proxied randomly through FFDN members' open DNS resolvers (French ISPs commiting for net neutrality).
Hostux.net	Uncensored DNS: https://dns.hostux.net/dns-query Adblocking DNS: https://dns.hostux.net/ads	DNSSEC, no EDNS Client-Subnet, not logging queries' content, hosted in Luxembourg.
Andrews & Arnold	https://dns.aa.net.uk/dns-query	no logging (see DNS Disclaimer)， (未成功）
@matthewgall - mydns.network	https://adblock.mydns.network/dns-query (adblock, using PiHole)	no logging, DNSSEC enforcing, DDoS protected (using Spectrum by Cloudflare), anycast) ， (未成功）
ibksturm.synology.me	https://ibksturm.synology.me/dns-query	doh-server (nginx - dnsproxy - unbound), DNSSEC / Non-Logged / Uncensored, OpenNIC and Root DNS-Zone Copy Hosted in Switzerland by ibksturm, aka Andreas Ziegler.
jcdns.fun	https://jcdns.fun/dns-query	secure nginx, Non-Logged / Uncensored, hosted on Digital Ocean VPS by jamesacampbell AKA James Campbell.
@null31	https://ibuki.cgnat.net/dns-query	Brazilian server that runs dnsdist.org, Unbound with DNSSEC doing recursion with no upstream servers, QNAME minimization, TLS 1.3, DoT, uncensored, no logging, no ECS, hosted on Google Cloud VPS by null31. Toy server, may fail.
TWNIC	https://dns.twnic.tw/dns-query	No source IP logging. Operated by Quad101 project, according to this announcement
blockerDNS	https://example.doh.blockerdns.com/dns-query	DNS-based ad blocking service; One-man operation; ZERO IP and DNS query logging for DoH and DoT. Charges 99c per month for https DOH service

https://libredns.gr/提供的doh server:

https://doh.libredns.gr/dns-query并不稳定。

Supported in browsers and clients

Name	Version	Comments
Firefox	62	temporary docs
Bromite	67.0.3396.88	How to enable DoH
curl	7.62.0	See DOH-implementation
OkHttp	3.11	See Providers

Chrome	66	https://bugs.chromium.org/p/chromium/issues/detail?id=799753

DOH Tools

Frank Denis' https://github.com/jedisct1/rust-doh (server-side proxy) and dnscrypt-proxy (client proxy).

doh server程序rust-doh的搭建说明：

在linux vps上。首先安装rust环境，然后，

git clone https://github.com/jedisct1/rust-doh rust-doh-by-jedisct1

cd rust-doh-by-jedisct1

cargo build --release

(在当前目录下，会生成target/release目录；在target/release目录里面会生成可执行文件

doh-proxy。）

cd target/release

./doh-proxy -l 127.0.0.1:3001 --path /dns-query --server-address 8.8.8.8:53

不过此命令是运行在前台的，我们可以利用systemd把此命令运行为service:

nano /etc/systemd/system/rust-doh.service

cat rust-doh.service

[Unit]

After=network.target

[Service]

ExecStart=/root/rust-doh-by-jedisct1/target/release/doh-proxy -l 127.0.0.1:3001 --path /dns-query --server-address 8.8.8.8:53

Restart=always

[Install]

WantedBy=multi-user.target

然后，

systemctl start rust-doh

systemctl enable rust-doh

然后用nginx做反向代理，代理http://127.0.0.1:3001 ,nginx的server段内容如下：

server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    server_name  MY_SERVER_NAME;

    server_tokens off;

    ssl_protocols TLSv1.2 TLSv1.3;          # TLS 1.3 requires nginx >= 1.13.0
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem;     # openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1;               # Requires nginx >= 1.1.0
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;                # Requires nginx >= 1.5.9
    ssl_stapling on;                        # Requires nginx >= 1.3.7
    ssl_stapling_verify on;                 # Requires nginx => 1.3.7 
    resolver 1.1.1.1 valid=300s;            # Replace with your local resolver
    resolver_timeout 5s;
    # HTTP Security Headers
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=63072000";
    ssl_certificate /path/to/your/server/certificates/fullchain.pem;
    ssl_certificate_key /path/to/your/server/certificates/privkey.pem;
    location /dns-query {
        proxy_pass       http://localhost:3001/dns-query;
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

然后在vps上，安装nginx1.14,按上面的Nginx段的内容，添加该段内容至你的nginx的配置文件内，然后重启nginx.
doh server程序rust-doh的搭建完成。至于doh client程序，可以使用dnsproxy-by-AdguardTeam，命令为：
sudo dnsproxy --listen=127.0.0.1 --port=53 --upstream=https://mydomain.com/dns-query
因为我没有加"--bootstrap=208.67.222.222:5353"参数，所以需修改/etc/hosts文件，在其底部加上一行：
vps-ip mydomain.com
详见https://briteming.blogspot.com/2019/09/dnsproxy-by-adguardteamdns.html

Peter Lai's doh-js-client client-side implementation of DoH, can be used in nodejs backend.(https://github.com/sc0Vu/doh-js-client/issues/1 ,作者没有具体说其用法）

Travis Burtrum's jDnsProxy DNS proxy and cache, implementing DNS-over-TLS, DNS-over-HTTPS, and Serve-Stale( 试过，遇错）

Frank Olbricht's RouteDNS, a flexible stub resolver, proxy, and router with support for DoH, DoT, and plain DNS written in Go.
https://github.com/folbricht/routedns/blob/master/cmd/routedns/example-config/simple-doh.toml

RouteDNS的用法：

在mac机器上安装go环境（go1.13),然后，

go get -u -v github.com/folbricht/routedns/cmd/routedns
（会生成可执行文件routedns）
routedns -h
nano simple-doh.toml

cat simple-doh.toml

# All queries are forwarded to DNS-over-HTTPS resolver. The goal is to

# provide encrypted DNS for the machine if 127.0.0.1 is configured in /etc/resolv.conf.

title = "RouteDNS configuration for providing DNS-over-HTTP locally"

[resolvers]

[resolvers.brite-doh]

address = "https://mydomain.com/dns-query{?dns}"

protocol = "doh"

[listeners]

[listeners.local-udp]

address = "127.0.0.1:53"

protocol = "udp"

resolver = "brite-doh"

[listeners.local-tcp]

address = "127.0.0.1:53"

protocol = "tcp"

resolver = "brite-doh"

然后运行：

sudo routedns simple-doh.toml
这是客户端程序。至于服务器端doh server: https://mydomain.com/dns-query的搭建见此文https://briteming.blogspot.com/2019/06/high-performance-dns-over-https-client.html 里的“我的补充说明”部分。

Frank Denis' Encrypted DNS Server, written in Rust, can serve DNSCrypt and DoH traffic simultaneously. A Docker image including a recursive server is also available.

ElevenPaths EasyDoH, a simple addon for Firefox that allows to easily activate DNS over HTTPS and its working mode with just one click.

from https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers

Total Pageviews