On a Mac:
wget https://github.com/honwen/https-dns/releases/download/v20180510/https-dns_darwin-amd64-ce07cfc.tar.gz
tar xvf https-dns_darwin-amd64-ce07cfc.tar.gz
./https-dns_darwin_amd64 -h
sudo ./https-dns_darwin_amd64 -l 127.0.0.1:53 --proxy socks5://127.0.0.1:1080 --udp --endpoint-uri https://dns.google.com/resolve?
Usage example:
Run the global proxy program mellow.
sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1
Run the ss-libev client.
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:1080 --udp --endpoint-uri https://dns.google.com/resolve? or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:1080 --udp --endpoint-uri https://doh.dns.sb/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:1080 --udp --endpoint-uri https://cloudflare-dns.com/dns-query (this Cloudflare DoH server is unstable)
Running the ss-libev client is not required; any local SOCKS proxy client will do, for example v2ray:
v2ray -config bwg2-v2ray.json
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.google.com/resolve? or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.dns.sb/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.quad9.net/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.opendns.com/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.xfinity.com/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dohdot.coxlab.net/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.nextdns.io/ or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.crypto.sx/dns-query
Project pages:
https://github.com/honwen/https-dns/
https://github.com/honwen/https-dns/releases/
In fact, the command above,
sudo ./https-dns_darwin_amd64 -l 127.0.0.1:53 --proxy socks5://127.0.0.1:1080 --udp --endpoint-uri https://dns.google.com/resolve?
can be changed to:
sudo ./https-dns_darwin_amd64 -l 127.0.0.1:53 --udp --endpoint-uri https://mydomain.com/dns-query
but first a line "my-vps-ip mydomain.com" has to be added at the bottom of /etc/hosts (once the system resolver points at 127.0.0.1, the client cannot look up its own DoH server's hostname any other way). For setting up the server side (the DoH server), see the "my supplementary notes" section of this post:
https://briteming.blogspot.com/2019/06/high-performance-dns-over-https-client.html
(https://dns.sb/doh/)
(https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers , list of public DoH servers)
(https://developers.google.com/speed/public-dns/docs/doh)
The same client also works with other public endpoints; the command is unchanged apart from --endpoint-uri:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.adguard.com/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.dnsoverhttps.net/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh-jp.blahdns.com/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.dns-over-https.com/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.securedns.eu/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.containerpi.com/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh-2.seby.io/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.seby.io:8443/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.li/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://doh.42l.fr/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.hostux.net/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://ibksturm.synology.me/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://jcdns.fun/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://ibuki.cgnat.net/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://dns.twnic.tw/dns-query or:
sudo ./https-dns_darwin_amd64 -l :53 --proxy socks5://127.0.0.1:2080 --udp --endpoint-uri https://example.doh.blockerdns.com/dns-query
-------------------------------------------------
Publicly available DoH servers
Who runs it | Base URL | Comment |
---|---|---|
AdGuard | Default: https://dns.adguard.com/dns-query Family protection: https://dns-family.adguard.com/dns-query | Default provides ad blocking at DNS level, while Family protection adds adult site blocking. |
Google | https://dns.google/dns-query | Full RFC 8484 support |
Cloudflare | https://cloudflare-dns.com/dns-query also available via Tor onion service | Supports both -04 and -13 content-types |
Quad9 | Recommended: https://dns.quad9.net/dns-query Secured: https://dns9.quad9.net/dns-query Unsecured: https://dns10.quad9.net/dns-query Secured w/ECS Support: https://dns11.quad9.net/dns-query | Secured provides: Security blocklist, DNSSEC, no EDNS Client-Subnet. Unsecured provides: No security blocklist, no DNSSEC, no EDNS Client-Subnet. Recommended is currently identical to Secured. |
Cisco Umbrella/OpenDNS | https://doh.opendns.com/dns-query | Experimental, No DNSSEC |
CleanBrowsing | https://doh.cleanbrowsing.org/doh/family-filter/ | anycast DoH server with parental control (restricts access to adult content + enforces safe search) |
Comcast | https://doh.xfinity.com/dns-query | Experimental, DNSSEC |
Cox | https://dohdot.coxlab.net/dns-query | Experimental, No DNSSEC |
nextdns.io | https://dns.nextdns.io/ Create a config ID | The first cloud-based private DNS service that gives you full control over what is allowed and what is blocked on the Internet. |
@chantra | https://dns.dnsoverhttps.net/dns-query | "toy server" which runs https://github.com/facebookexperimental/doh-proxy (rubbish; gave up on this project) |
@jedisct1 | https://doh.crypto.sx/dns-query | a server which runs another project called doh-proxy, written in Rust. |
PowerDNS | https://doh.powerdns.org | Based on dnsdist-doh branch (did not work for me) |
blahdns.com | Finland: https://doh-fi.blahdns.com/dns-query Japan: https://doh-jp.blahdns.com/dns-query Germany: https://doh-de.blahdns.com/dns-query | Based on Go implementation, knot-resolver, Unbound with DNSSEC, No ECS, No logs, Adsblock |
NekomimiRouter.com | https://dns.dns-over-https.com/dns-query | Runs Go implementation. Does recursion itself with no upstream servers. Toy server may fail, please report if fails |
SecureDNS.eu | https://doh.securedns.eu/dns-query | No Logging & DNSSEC |
ContainerPI | Unfiltered by CloudFlare: https://dns.containerpi.com/dns-query Filtered by CleanBrowsing, blocks adult content: https://dns.containerpi.com/doh/family-filter/ Filtered, blocks malicious domains only: https://dns.containerpi.com/doh/secure-filter/ | Based on m13253/DNS-over-HTTPS, no logging, EDNS Client Subnet enabled. Multiple nodes in China Mainland, Japan and Germany. |
@publicarray dns.seby.io | https://doh-2.seby.io/dns-query https://doh.seby.io:8443/dns-query | Australian server that runs @m13253's Go implementation, Unbound with DNSSEC, No ECS and No logs |
Commons Host | https://commons.host | ~20 PoPs worldwide, Node.js/playdoh over Knot Resolver. (did not work for me) (project page: https://github.com/commonshost/dohnut) |
DnsWarden | Adblocking DNS: https://doh.dnswarden.com/adblock Uncensored DNS: https://doh.dnswarden.com/uncensored Adult-filter DNS: https://doh.dnswarden.com/adult-filter | No query/IP logging with DNSSEC enabled. Blocks ads and trackers in Adblocking DNS. No filtering in Uncensored DNS. Blocks adult content, ads, trackers and also enforces safe search for search engines and YouTube in Adult-filter DNS. (did not work for me) |
aaflalo.me | Server US: https://dns-nyc.aaflalo.me/dns-query Server EU: https://dns.aaflalo.me/dns-query | Runs on Star Brilliant's dns-over-https. Both servers check for DNSSEC and block advertising |
Foundation for Applied Privacy | https://doh.appliedprivacy.net/query | No query/IP logging, no filtering, QNAME minimization, no EDNS client subnet, TLS 1.3, DNSSEC, RFC7706, RFC8198; https://appliedprivacy.net/services/dns/ (did not work for me) |
captnemo.in | https://doh.captnemo.in/dns-query | Runs dnss with local unbound resolver, running DNSCrypt with DNSSEC support as the upstream. Privacy Policy. More details at https://captnemo.in/doh/. No logging or filtering. Runs in Bangalore, India (did not work for me) |
Tiarap | https://doh.tiar.app/dns-query https://doh.tiarap.org/dns-query | Based in Singapore, No logging, block Ad/Ad-tracking/Malware, No ECS, DNSSEC (did not work for me) |
DNS.SB | https://doh.dns.sb/dns-query | DNSSEC enabled |
FAELIX | https://rdns.faelix.net/ | No logging, based on dnsdist-doh RC querying our powerdns-recursor resolvers, multiple nodes in UK and CH, more info (did not work for me) |
doh.li | https://doh.li/dns-query | Runs on dns-over-https, no logging, EDNS Client Subnet enabled, based in DigitalOcean London. DNSSEC and adblock not currently enabled. |
Association 42l | https://doh.42l.fr/dns-query | DNSSEC, not logging queries' content, uses doh-proxy and edgedns for caching. Queries proxied randomly through FFDN members' open DNS resolvers (French ISPs committed to net neutrality). |
Hostux.net | Uncensored DNS: https://dns.hostux.net/dns-query Adblocking DNS: https://dns.hostux.net/ads | DNSSEC, no EDNS Client-Subnet, not logging queries' content, hosted in Luxembourg. |
Andrews & Arnold | https://dns.aa.net.uk/dns-query | no logging (see DNS Disclaimer) (did not work for me) |
@matthewgall - mydns.network | https://adblock.mydns.network/dns-query (adblock, using PiHole) | no logging, DNSSEC enforcing, DDoS protected (using Spectrum by Cloudflare), anycast (did not work for me) |
ibksturm.synology.me | https://ibksturm.synology.me/dns-query | doh-server (nginx - dnsproxy - unbound), DNSSEC / Non-Logged / Uncensored, OpenNIC and Root DNS-Zone Copy. Hosted in Switzerland by ibksturm, aka Andreas Ziegler. |
jcdns.fun | https://jcdns.fun/dns-query | secure nginx, Non-Logged / Uncensored, hosted on Digital Ocean VPS by jamesacampbell AKA James Campbell. |
@null31 | https://ibuki.cgnat.net/dns-query | Brazilian server that runs dnsdist.org, Unbound with DNSSEC doing recursion with no upstream servers, QNAME minimization, TLS 1.3, DoT, uncensored, no logging, no ECS, hosted on Google Cloud VPS by null31. Toy server, may fail. |
TWNIC | https://dns.twnic.tw/dns-query | No source IP logging. Operated by Quad101 project, according to this announcement |
blockerDNS | https://example.doh.blockerdns.com/dns-query | DNS-based ad blocking service; One-man operation; ZERO IP and DNS query logging for DoH and DoT. Charges 99c per month for https DOH service |
The DoH server provided by https://libredns.gr/, https://doh.libredns.gr/dns-query, is not stable.
Supported in browsers and clients
Name | Version | Comments |
---|---|---|
Firefox | 62 | temporary docs |
Bromite | 67.0.3396.88 | How to enable DoH |
curl | 7.62.0 | See DOH-implementation |
OkHttp | 3.11 | See Providers |
Chrome | 66 | https://bugs.chromium.org/p/chromium/issues/detail?id=799753 |
DOH Tools
Frank Denis' https://github.com/jedisct1/rust-doh (server-side proxy) and dnscrypt-proxy (client proxy).
How to set up the DoH server program rust-doh:
On a Linux VPS. First install the Rust toolchain, then:
git clone https://github.com/jedisct1/rust-doh rust-doh-by-jedisct1
cd rust-doh-by-jedisct1
cargo build --release
(This creates the target/release directory under the current directory; inside target/release the executable doh-proxy is generated.)
cd target/release
./doh-proxy -l 127.0.0.1:3001 --path /dns-query --server-address 8.8.8.8:53
This command runs in the foreground, though; we can use systemd to run it as a service:
nano /etc/systemd/system/rust-doh.service
cat rust-doh.service
[Unit]
After=network.target
[Service]
ExecStart=/root/rust-doh-by-jedisct1/target/release/doh-proxy -l 127.0.0.1:3001 --path /dns-query --server-address 8.8.8.8:53
Restart=always
[Install]
WantedBy=multi-user.target
Then:
systemctl start rust-doh
systemctl enable rust-doh
Then use nginx as a reverse proxy in front of http://127.0.0.1:3001 ; the nginx server block is as follows:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name MY_SERVER_NAME;
    server_tokens off;

    ssl_protocols TLSv1.2 TLSv1.3; # TLS 1.3 requires nginx >= 1.13.0
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    resolver 1.1.1.1 valid=300s; # Replace with your local resolver
    resolver_timeout 5s;

    # HTTP Security Headers
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=63072000";

    ssl_certificate /path/to/your/server/certificates/fullchain.pem;
    ssl_certificate_key /path/to/your/server/certificates/privkey.pem;

    location /dns-query {
        proxy_pass http://localhost:3001/dns-query;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
Then, on the VPS, install nginx 1.14, add the server block above to your nginx configuration, and restart nginx.
That completes the setup of the DoH server program rust-doh. For the DoH client program you can use dnsproxy by AdguardTeam; the command is:
sudo dnsproxy --listen=127.0.0.1 --port=53 --upstream=https://mydomain.com/dns-query
Because I did not add the "--bootstrap=208.67.222.222:5353" parameter, /etc/hosts has to be edited by adding a line at the bottom:
vps-ip mydomain.com
See https://briteming.blogspot.com/2019/09/dnsproxy-by-adguardteamdns.html for details.
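Two different protocols appear in the endpoint lists earlier in this post: https://dns.google.com/resolve? is Google's JSON API (the name goes in the query string and JSON comes back), whereas every /dns-query endpoint speaks RFC 8484, in which the DNS message itself travels in wire format, base64url-encoded in a dns= parameter for GET or as the body of a POST with Content-Type application/dns-message. The script below is an added example, not code from the https-dns, rust-doh, dnsproxy or RouteDNS projects; it uses only the Python standard library. It builds an RFC 8484 GET request, parses the wire-format answer, and checks the response headers that the nginx block above is expected to set, so it can be pointed at the freshly deployed https://mydomain.com/dns-query (the post's placeholder) or at any /dns-query endpoint from the table. The byte strings it compares against are constructed, not captured from a real server.

```python
"""Minimal RFC 8484 (DNS-over-HTTPS) client plus an endpoint sanity check.

Added example: not code from https-dns, rust-doh, dnsproxy or RouteDNS.
https://mydomain.com/dns-query is the placeholder used in the post.
"""
import base64
import struct
import sys
import urllib.request


def build_query(name, qtype=1, txid=0):
    """Build a wire-format DNS query (RFC 1035) for `name`; qtype 1 = A.

    RFC 8484 recommends transaction ID 0 so identical queries give identical
    bytes (HTTP caching); the HTTP request/response pairing replaces the ID.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(endpoint, query):
    """RFC 8484 GET form: base64url without '=' padding in the dns= parameter.
    This is what the {?dns} template in a RouteDNS resolver address expands to."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 4.1.4
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_records(msg):
    """Return IPv4 addresses from the answer section; raise on error RCODEs."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    addrs = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return addrs


def audit_headers(headers):
    """Flag what a correctly fronted DoH endpoint (e.g. the nginx block in this
    post) should set; returns a list of findings, empty when all is well."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if h.get("content-type", "").split(";")[0].strip() != "application/dns-message":
        findings.append("Content-Type is not application/dns-message")
    if "strict-transport-security" not in h:
        findings.append("no Strict-Transport-Security header")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    return findings


def resolve(endpoint, name):
    """Query `name` (A) over DoH; return (addresses, audit findings). Uses the network."""
    req = urllib.request.Request(doh_get_url(endpoint, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
        findings = audit_headers(dict(resp.headers))
    return parse_a_records(body), findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://mydomain.com/dns-query"
    addrs, findings = resolve(target, "example.com")
    print("answers:", addrs)
    print("findings:", findings or "none")
```

Run it as `python3 doh_check.py https://mydomain.com/dns-query`. A non-empty findings list does not mean the resolver is broken, only that the front end is not sending the headers from the nginx block; the Content-Type check is the one clients depend on, since RFC 8484 responses are identified by application/dns-message. Pointing the script at a /resolve? endpoint fails by design: that API does not accept the dns= parameter.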
Peter Lai's doh-js-client, a client-side implementation of DoH that can be used in a Node.js backend (https://github.com/sc0Vu/doh-js-client/issues/1 ; the author does not describe its usage in detail).
Travis Burtrum's jDnsProxy, a DNS proxy and cache implementing DNS-over-TLS, DNS-over-HTTPS and Serve-Stale (tried it, ran into errors).
Frank Olbricht's RouteDNS, a flexible stub resolver, proxy, and router with support for DoH, DoT, and plain DNS, written in Go.
https://github.com/folbricht/routedns/blob/master/cmd/routedns/example-config/simple-doh.toml
How to use RouteDNS:
On a Mac, install the Go toolchain (go1.13), then:
go get -u -v github.com/folbricht/routedns/cmd/routedns (this produces the executable routedns)
routedns -h
nano simple-doh.toml
cat simple-doh.toml
# All queries are forwarded to DNS-over-HTTPS resolver. The goal is to
# provide encrypted DNS for the machine if 127.0.0.1 is configured in /etc/resolv.conf.
title = "RouteDNS configuration for providing DNS-over-HTTP locally"
[resolvers]
[resolvers.brite-doh]
address = "https://mydomain.com/dns-query{?dns}"
protocol = "doh"
[listeners]
[listeners.local-udp]
address = "127.0.0.1:53"
protocol = "udp"
resolver = "brite-doh"
[listeners.local-tcp]
address = "127.0.0.1:53"
protocol = "tcp"
resolver = "brite-doh"
Then run:
sudo routedns simple-doh.toml
This is the client program. For setting up the server side, the DoH server at https://mydomain.com/dns-query, see the "my supplementary notes" section of https://briteming.blogspot.com/2019/06/high-performance-dns-over-https-client.html .
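All three clients in this post (https-dns, dnsproxy and the RouteDNS listener above) do the same job: accept plain DNS on 127.0.0.1:53 and relay each message to the DoH resolver. The following added example, which is not code from any of those projects and uses only the Python standard library, shows that loop, and also shows what dnsproxy's --bootstrap option achieves and why the post otherwise edits /etc/hosts: the TCP connection goes to the server's IP address, while TLS SNI and certificate validation still use the hostname, so the forwarder never has to resolve its own upstream's name through a resolver that is already pointed at itself. mydomain.com is the post's placeholder; 203.0.113.10 is a constructed documentation address standing in for "my-vps-ip".

```python
"""Minimal UDP-to-DoH forwarder: the shape of what https-dns, dnsproxy and
RouteDNS do when they listen on 127.0.0.1:53 and forward to a DoH resolver.

Added example, not code from any of those projects. mydomain.com is the
placeholder from the post; 203.0.113.10 is a constructed address.
"""
import http.client
import socket
import socketserver
import ssl

DOH_HOST = "mydomain.com"       # placeholder hostname used throughout the post
DOH_PATH = "/dns-query"
BOOTSTRAP_IP = "203.0.113.10"   # constructed; plays the role of the "my-vps-ip" /etc/hosts entry


def doh_post(query, connect_ip=BOOTSTRAP_IP, host=DOH_HOST, path=DOH_PATH):
    """Send one wire-format query with RFC 8484 POST and return the response bytes.

    The TCP connection goes to `connect_ip`, but SNI and certificate validation
    use `host`. That is the bootstrap trick: the forwarder never needs to resolve
    its own DoH server's name, so no /etc/hosts entry is required.
    """
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)
    # Pre-connected socket: http.client only dials itself when conn.sock is None.
    conn.sock = ctx.wrap_socket(
        socket.create_connection((connect_ip, 443), timeout=10), server_hostname=host
    )
    try:
        conn.request("POST", path, body=query, headers={
            "Content-Type": "application/dns-message",
            "Accept": "application/dns-message",
        })
        resp = conn.getresponse()
        body = resp.read()
        if resp.status != 200:
            raise RuntimeError(f"DoH endpoint returned HTTP {resp.status}")
        ctype = resp.getheader("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise RuntimeError(f"unexpected Content-Type {ctype!r}")
        return body
    finally:
        conn.close()


def servfail(query):
    """Build a SERVFAIL reply that echoes the client's ID, question and additional section."""
    if len(query) < 12:
        raise ValueError("truncated DNS header")
    flags = b"\x81\x82"  # QR=1, RD=1, RA=1, RCODE=2 (SERVFAIL)
    return query[:2] + flags + query[4:6] + b"\x00\x00\x00\x00" + query[10:12] + query[12:]


def handle_query(query, send=doh_post):
    """Forward one query; on any upstream failure answer SERVFAIL instead of
    dropping the packet, so the stub resolver fails fast instead of timing out."""
    if len(query) < 12:
        return None  # not a DNS message: ignore it
    try:
        answer = send(query)
    except Exception:
        return servfail(query)
    # A reply whose transaction ID does not match the query is never handed to the client.
    if len(answer) < 12 or answer[:2] != query[:2]:
        return servfail(query)
    return answer


class DohForwarder(socketserver.BaseRequestHandler):
    def handle(self):
        query, sock = self.request  # for UDP servers, request is (data, socket)
        answer = handle_query(query)
        if answer is not None:
            sock.sendto(answer, self.client_address)


if __name__ == "__main__":
    # Port 53 needs root (the post uses sudo); bind loopback only, never all interfaces.
    with socketserver.ThreadingUDPServer(("127.0.0.1", 53), DohForwarder) as srv:
        srv.serve_forever()
```

The forwarder deliberately binds 127.0.0.1 rather than every interface: the `-l :53` form used in several of the https-dns commands above listens on all addresses, which on a laptop turns it into a resolver reachable by everyone sharing the same Wi-Fi. Matching the transaction ID before relaying an answer is the same check a stub resolver performs; a production forwarder would additionally rewrite the ID to 0 on the way out (as RFC 8484 recommends for cacheability) and restore it on the way back.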
Frank Denis' Encrypted DNS Server, written in Rust, can serve DNSCrypt and DoH traffic simultaneously. A Docker image including a recursive server is also available.
ElevenPaths EasyDoH, a simple addon for Firefox that allows to easily activate DNS over HTTPS and its working mode with just one click.
Related posts:
https://briteming.blogspot.com/2019/06/high-performance-dns-over-https-client.html
https://github.com/nextdns/nextdns