
Tuesday, 7 January 2020

Using unbound to build a DNS over TLS server, to get around DNS poisoning

Log in to your Linux VPS.
Mine runs Ubuntu 18.04 64-bit.

apt-get install libexpat1 libexpat1-dev -y

Then,

wget https://nlnetlabs.nl/downloads/unbound/unbound-1.9.6.tar.gz
tar xvf unbound-1.9.6.tar.gz
cd unbound-1.9.6
./configure --enable-subnet --with-libevent --with-ssl
make && make install
unbound is now compiled.

Then follow this post https://briteming.blogspot.com/2018/10/acmeshletsencryptssl.html to generate a certificate for your domain yourdomain.com. Before generating the certificate, point your domain at your server's IP.

cd /usr/local/etc/unbound
cp /root/.acme.sh/yourdomain.com/fullchain.cer ./
cp /root/.acme.sh/yourdomain.com/yourdomain.com.key ./
nano unbound-by-me.conf
cat unbound-by-me.conf
server:
        directory: "/usr/local/etc/unbound"
        username: unbound
        chroot: "/usr/local/etc/unbound"
        interface: 0.0.0.0@853
        # 0.0.0.0/0 makes this a public resolver; restrict it to your own client addresses if that is not intended
        access-control: 0.0.0.0/0 allow
        tls-service-key: "yourdomain.com.key"
        tls-service-pem: "fullchain.cer"
        tls-port: 853
        incoming-num-tcp: 1000
        udp-upstream-without-downstream: yes
        qname-minimisation: yes
forward-zone:
        name: "."
        forward-tls-upstream: yes
        # without tls-cert-bundle and an auth name (e.g. 8.8.8.8@853#dns.google) the upstream TLS session is encrypted but the upstream certificate is not verified
        forward-addr: 8.8.8.8@853

Then run:
unbound -c unbound-by-me.conf
(This command runs in the background. If you reboot the server, remember to run it again.
It may complain that the user unbound does not exist; run useradd unbound to fix that.)
The server side is done.

On the client machine (a Mac).
First install a Go environment, then,
cd $GOPATH
go get -u -v github.com/mikispag/dns-over-tls-forwarder

sudo dns-over-tls-forwarder -a 127.0.0.1:53 -s yourdomain.com:853@your-vps-ip
Do not close this terminal.

Usage example:
sudo wg-quick down wg0
sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1
sudo wg-quick up wg0
sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1
sudo dns-over-tls-forwarder -a 127.0.0.1:53 -s yourdomain.com:853@your-vps-ip

Project URL:
https://nlnetlabs.nl/downloads/unbound/unbound-1.9.6.tar.gz


Protecting the TLS hostname

Saw "Encrypted Server Name Indication for TLS 1.3", a draft put forward jointly by people from Fastly, Cloudflare and Apple, which wants to protect the hostname that a TLS connection sends in cleartext at the start. It looks like a public key is published via DNS, and the user then uses that public key to protect the hostname part...

The DNS part can then be protected with DNS over TLS or DNS over HTTPS, so the ISP has no information from which to see the hostname, reducing the exposed information further...

-------------------

mv /usr/bin/openssl /usr/bin/openssl.bak
mv /usr/include/openssl /usr/include/openssl.bak
mv /usr/lib64/openssl/ /usr/lib64/openssl.bak
then,
wget https://www.openssl.org/source/openssl-1.1.1a.tar.gz
tar xvf openssl-1.1.1a.tar.gz
cd openssl-1.1.1a
ls /root/openssl-1.1.1a/.openssl/
bin include lib
cd ~
wget https://nlnetlabs.nl/downloads/unbound/unbound-1.9.6.tar.gz
tar xvf unbound-1.9.6.tar.gz
cd unbound-1.9.6
./configure --enable-subnet --with-libevent --with-ssl=/root/openssl-1.1.1a/.openssl/
make
make install
(then unbound is compiled successfully)
rm -rf /usr/local/bin/openssl
ln -s /root/openssl-1.1.1a/.openssl/bin/openssl /usr/local/bin/openssl
----

Some public DoT servers:
----

Client program 2: Encrypted-DNS

On the client machine (a Mac).
First install Python 3: brew install python3
Then,
sudo pip3 install encrypted-dns

The first run of the command encrypted-dns
creates the directory ~/.config/encrypted_dns/ and, inside it, the config file config.json.
nano ~/.config/encrypted_dns/config.json
Change the upstream_dns section to:
"upstream_dns": [
    {
        "protocol": "tls",
        "address": "yourdomain.com",
        "ip": "your-vps-ip",
        "port": 853,
        "weight": 100
    }
],

Change the bootstrap_dns_address section to:
"bootstrap_dns_address": {
    "address": "208.67.222.222",
    "port": 5353
},

Save the changes.
Then run:
sudo encrypted-dns

------

Client program 3: dnsovertlsproxy

On the client machine (a Mac).
wget https://github.com/leighmcculloch/dnsovertlsproxy/releases/download/v0.0.5/dnsovertlsproxy_0.0.5_macos_x64.tar.gz
mkdir dnsovertlsproxy_0.0.5_macos_x64
mv dnsovertlsproxy_0.0.5_macos_x64.tar.gz dnsovertlsproxy_0.0.5_macos_x64
cd dnsovertlsproxy_0.0.5_macos_x64
tar xvf dnsovertlsproxy_0.0.5_macos_x64.tar.gz
cd dnsovertlsproxy_0.0.5_macos_x64
sudo ./dnsovertlsproxy  -listen :53  -server yourdomain.com:853

--------

Client program 4: dns-over-tls-by-hellobhaskar

On the client machine (a Mac).
First install a Go environment, then,
git clone https://github.com/hellobhaskar/dns-over-tls dns-over-tls-by-hellobhaskar
cd dns-over-tls-by-hellobhaskar
nano srv.go
On line 16, change 1.1.1.1 to your VPS IP,
and on line 30, change cloudflare-dns.com to your domain.

Then run:
go build
This produces the executable dns-over-tls in the current directory.
sudo ./dns-over-tls

---------

Client program 5: dns-proxy-python-by-ftzimmer

On the client machine (a Mac).
First install a Python 3 environment, then,
git clone https://github.com/ftzimmer/dns-proxy-python dns-proxy-python-by-ftzimmer
cd dns-proxy-python-by-ftzimmer
nano dns-proxy.py
On line 14, change 1.1.1.1 to your VPS IP,
and on line 28, change cloudflare-dns.com to your domain.
Then run:
sudo python3 dns-proxy.py


Client program 6: stubby

On the client machine (a Mac), run:
brew install stubby
This installs the executable stubby at /usr/local/bin/stubby and the config directory /usr/local/etc/stubby/.
cd /usr/local/etc/stubby/
nano stubby-from-bwg.yml
cat stubby-from-bwg.yml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 256
edns_client_subnet_private : 0
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1
  - 0::1
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: your-vps-ip
    tls_auth_name: "yourdomain.com"
    tls_pubkey_pinset:
    - digest: "sha256"
      value: <pin-string>

The "<pin-string>" above is the string produced by running:
echo | openssl s_client -connect 'your-vps-ip:853' 2> /dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
Do not replace your-vps-ip:853 here with yourdomain.com:853, or you may run into an error. (If you do use yourdomain.com:853, you also need to add -in fullchain.pem before -noout. That is one more parameter, -in fullchain.pem, so why go to the trouble.)
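The same pin value computed without the openssl pipeline, as an added example that is not part of the original post: a stdlib-only Python 3 script that extracts the DER SubjectPublicKeyInfo from a certificate (the RFC 5280 field order, with a small DER walker) and base64-encodes its SHA-256, either from the fullchain.cer you already hold or from the certificate the DoT port serves. your-vps-ip is a placeholder.

```python
import base64
import hashlib
import socket
import ssl

def _tlv(der, off):
    """Parse one DER tag-length-value at `off`; return (tag, value_start, value_end)."""
    tag, length, hdr = der[off], der[off + 1], 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(der[off + 2:off + 2 + n], "big")
        hdr += n
    return tag, off + hdr, off + hdr + length

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 field order)."""
    _, tbs_off, _ = _tlv(cert_der, 0)             # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, off, tbs_end = _tlv(cert_der, tbs_off)     # TBSCertificate ::= SEQUENCE { ... }
    tag, _, nxt = _tlv(cert_der, off)
    if tag == 0xA0:                               # optional [0] EXPLICIT version
        off = nxt
    for _ in range(5):                            # serialNumber, signature, issuer, validity, subject
        _, _, off = _tlv(cert_der, off)
    tag, _, end = _tlv(cert_der, off)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("malformed certificate: SubjectPublicKeyInfo not where expected")
    return cert_der[off:end]

def spki_pin(cert_der):
    """base64(sha256(SPKI)): the `value` that goes next to digest: "sha256" in stubby's pinset."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode("ascii")

def pin_from_pem(pem_text):
    """Pin from a PEM file such as the fullchain.cer copied to the server; the first block is the leaf."""
    body = pem_text.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    return spki_pin(base64.b64decode("".join(body.split())))

def fetch_pin(vps_ip, port=853):
    """Pin the certificate the DoT port actually serves. Verification is off on purpose, mirroring
    `openssl s_client -connect ip:853`, so only trust the result over a path you trust, or compare
    it with pin_from_pem() on the certificate file you hold."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((vps_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw) as tls:
            return spki_pin(tls.getpeercert(binary_form=True))

if __name__ == "__main__":
    print(fetch_pin("your-vps-ip"))                # placeholder address
```

Because the pin covers only the public key, it survives a certificate renewal that reuses the key (acme.sh does so by default) and changes only when the key itself is rotated.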

Then,
sudo stubby -C stubby-from-bwg.yml

Project URLs:
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby
https://github.com/getdnsapi/getdns

Note: stubby's config file is very particular about formatting; see:
https://github.com/NLnetLabs/unbound/files/4040506/stubby-from-bwg.yml.gz

(Running DNS over TLS on Ubuntu with Stubby

I came across Stubby in "How to Protect Your DNS Privacy on Ubuntu 18.04 with DNS over TLS".

Stubby can be installed directly on Ubuntu 18.04, but on Ubuntu 16.04 it has to be installed through a PPA; I used "DNS Utils : James Newell". After installing, change the upstream_recursive_servers setting in /etc/stubby/stubby.yml to:

upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"

and it will use DNS over TLS on port 853. Stubby listens on port 53 of 127.0.0.1 and ::1 by default, so just point /etc/resolv.conf or the NetworkManager configuration at 127.0.0.1.

Set up this way it does not look able to stop a MITM attack (a forged SSL certificate); Stubby seems able to lock this down only with tls_pubkey_pinset, but I really do not like that approach (since Cloudflare may switch to a different SSL certificate). I will see later whether there is some authentication that can use the Root CA structure, and adjust then...)

-------------------

Client program 7: dnsproxy-by-adguardteam

First install Go 1.13 on the Mac, then,
cd $GOPATH
go get -u -v github.com/AdguardTeam/dnsproxy


Then,
mkdir  mydomain.com-certs
cd mydomain.com-certs

Download /etc/letsencrypt/live/mydomain.com/fullchain.pem and /etc/letsencrypt/live/mydomain.com/privkey.pem from the VPS into the current directory.


sudo dnsproxy --listen=0.0.0.0 --port=53 --upstream=tls://mydomain.com:853 --tls-crt=fullchain.pem --tls-key=privkey.pem

Project URL: https://github.com/AdguardTeam/dnsproxy

(Related post: https://briteming.blogspot.com/2019/09/dnsproxy-by-adguardteamdns.html)
------------------

Client program 8: tinydnsproxy

First install a Rust environment on the Mac. (If you installed Rust before, run rustup update to update it.)
Then,
git clone https://github.com/sewh/tinydnsproxy tinydnsproxy-by-sewh
cd tinydnsproxy-by-sewh
sudo cargo build --release

(This creates the subdirectory target/release/ in the current directory, and the executable tinydnsproxy inside it.)
cd target/release/
wget https://github.com/sewh/tinydnsproxy/raw/master/config/example.toml -O config.toml
nano config.toml
On line 9, change the value of port to 53.
On line 61, change the value of ip_address to your-vps-ip.
On line 63, change the value of hostname to yourdomain.com.
Comment out lines 65 through 68.

Then run:

sudo ./tinydnsproxy config.toml

Project URL:
https://github.com/sewh/tinydnsproxy/issues/1
-------

Client program 9: dns-proxy

On the Mac. First fork this project https://github.com/jonathanbeber/dns-proxy to
https://github.com/your-username/dns-proxy
then open https://github.com/your-username/dns-proxy/blob/master/config/config.go
and on line 9 change 1.1.1.1 to the domain you bound to your server.

cd $GOPATH
go get -u  -v github.com/your-username/dns-proxy

sudo dns-proxy

Project URL: https://github.com/jonathanbeber/dns-proxy
--------

Client program 10: dns-to-dns-tls (this program is unstable and not recommended)

First install Go 1.13 on the Mac, then,
cd $GOPATH
go get -u -v github.com/Onlinehead/dns-to-dns-tls

cd ~
wget https://github.com/Onlinehead/dns-to-dns-tls/raw/master/config.yaml -O dns-to-dns-tls-config.yaml
nano dns-to-dns-tls-config.yaml
cat dns-to-dns-tls-config.yaml
server:
  host: 0.0.0.0 # Interface to listen
  port: 53 # Port to listen
  tcp: true # Enable TCP serving
  udp: true # Enable UDP serving
requestTimeout: 1s
responseTimeout: 1s
#useHTTPS: true # Use DNS-over-HTTPS instead of DNS-over-TLS
#upstreams: # DNS-over-HTTPS upstreams
#  - https://1.0.0.1/dns-query
upstreams: # DNS-over-TLS upstreams
  - yourdomain.com:853
#  - 1.1.1.1:853
#  - 1.0.0.1:853

Then,
sudo dns-to-dns-tls -config ~/dns-to-dns-tls-config.yaml

Also, as the config file dns-to-dns-tls-config.yaml shows, this program can be used as a DoH client as well:
cp dns-to-dns-tls-config.yaml dns-to-dns-tls-config-2.yaml
nano dns-to-dns-tls-config-2.yaml
cat dns-to-dns-tls-config-2.yaml
server:
  host: 0.0.0.0 # Interface to listen
  port: 53 # Port to listen
  tcp: true # Enable TCP serving
  udp: true # Enable UDP serving
requestTimeout: 1s
responseTimeout: 1s
useHTTPS: true # Use DNS-over-HTTPS instead of DNS-over-TLS
upstreams: # DNS-over-HTTPS upstreams
  - https://some-domain.com/dns-query
#  - https://1.0.0.1/dns-query
#upstreams: # DNS-over-TLS upstreams
#  - 1.1.1.1:853
#  - 1.0.0.1:853

Then,
sudo dns-to-dns-tls -config ~/dns-to-dns-tls-config-2.yaml

------

Client program 12: encrypted-dns-by-xiaoyang-liu-cs

Encrypted-DNS


Introduction

Encrypted-DNS operates as a DNS server that forwards DNS queries over UDP, TCP, TLS or HTTPS, thus protecting your device from DNS cache poisoning and censorship. It can also cache DNS records to speed up subsequent queries, block specific clients, and ignore particular domain names.

Features

  • Encrypted DNS upstream servers (DNS-over-HTTPS, DNS-over-TLS)
  • Improve accuracy with EDNS-Client-Subnet
  • Authenticate DNS response with DNSSEC
  • Transparent redirection of specific domains to specific resolvers
  • Send queries through HTTP proxies
  • Cache DNS response with default or customized TTL to reduce latency
  • Force Safe search on search engines such as Google, Bing, DuckDuckGo
  • Firewall rules: Rate limiting, client blacklist, and disable AAAA or ANY lookups

Installation

  • Install Python 3.6+
  • Install encrypted-dns package via pip
$ python3 -m pip install encrypted-dns
  • Generate and edit config file
$ sudo encrypted-dns
$ vim ~/.config/encrypted_dns/config.json
  • Run Encrypted-DNS Server
$ sudo encrypted-dns
  • Test DNS Lookup
Linux or macOS:
$ dig @127.0.0.1 www.google.com
Windows:
$ nslookup www.google.com 127.0.0.1
  • Change DNS Address to 127.0.0.1

Configuration

Encrypted-DNS will generate a JSON file ~/.config/encrypted_dns/config.json

Inbounds

Encrypted-DNS will listen on the address and ports to receive DNS lookups.

The format of each inbound is protocol://address:port.

Currently, Encrypted-DNS only supports inbounds with udp and tcp protocols.

If protocol is not provided, Encrypted-DNS will listen to this inbound address through the udp protocol.

If port is not provided, Encrypted-DNS will use the default port of each protocol. (53 for udp and tcp)

"inbounds": [
    "0.0.0.0",
    "0.0.0.0:5301",
    "tcp://0.0.0.0:5302"
]

Outbounds

Encrypted-DNS will forward the DNS queries to the upstream DNS servers.

The Outbounds is a JSON array of DNS groups.

Here is an example of a DNS group:

"outbounds": [
    {
        "tag": "unencrypted",
        "dns": ["1.0.0.1", "tcp://8.8.4.4"],
        "concurrent": false,
        "domains": ["time.windows.com", "sub:youtube.com", "include:netflix.com"]
    },
    {
        "tag": "encrypted",
        "dns": ["https://cloudflare-dns.com", "tls://dns.google"],
        "proxies": {
            "http": "http://127.0.0.1:1088",
            "https": "http://127.0.0.1:1088"
        },
        "concurrent": false,
        "domains": ["all"]
    }
]

tag is the name of the DNS group.

dns is an array of DNS upstreams:

  • The format of each upstream is protocol://address:port
  • Encrypted-DNS supports these protocols: udp, tcp, tls, https
  • If protocol is not provided, Encrypted-DNS will connect to the upstream through the udp protocol.
  • If port is not provided, Encrypted-DNS will use the default port of each protocol (53 for udp and tcp, 853 for tls, 443 for https).

concurrent

  • If concurrent is True, Encrypted-DNS will forward queries to all servers in this group concurrently and send the first response to the client
  • If concurrent is False, Encrypted-DNS will forward queries to a random server in this group.

Encrypted-DNS will forward queries to this group only if the domain is included in domains. For example:

  • www.google.com: exact domain
  • sub:youtube.com: subdomains of youtube.com, such as m.youtube.com, www.youtube.com
  • include:netflix.com: domains that include netflix.com, such as www.netflix.com, netflix.com.example.com, whatisnetflix.command
  • all: all domains

Bootstrap DNS Group

Encrypted-DNS will send DNS queries to the server in the bootstrap DNS group to retrieve the IP addresses of DNS-over-HTTPS or DNS-over-TLS server.

If the group is not specified, Encrypted-DNS will use 1.0.0.1 to resolve the IP addresses.

"outbounds": [
    {
        "tag": "bootstrap",
        "dns": ["1.0.0.1", "8.8.4.4"]
    },
    ...
]

DNS Cache

Cache DNS responses to reduce latency for further queries.

If override_ttl is -1, Encrypted-DNS will use default TTL for each record.

"dns_cache": {
    "enable": true,
    "override_ttl": 3600
}

Firewall

  • refuse_ANY will ignore all queries with ANY type, since it is often used in DNS reflection attacks.
  • AAAA_disabled will ignore all queries with AAAA type.
  • rate_limit will limit the number of queries Encrypted-DNS will process every minute.
  • client_blacklist will ignore all queries sent by specific clients.
"firewall": {
    "refuse_ANY": true,
    "AAAA_disabled": false,
    "rate_limit": 30,
    "client_blacklist": [
        "128.97.0.0",
        "128.97.0.1"
    ]
}

Rules

  • force_safe_search will enable Safe search on search engines: Google, Bing, Yahoo, DuckDuckGo, and Youtube.
  • hosts will specify A record or CNAME record for domain names.

Rules to match a domain in hosts:

  • www.google.com: exact domain
  • sub:youtube.com: subdomains of youtube.com, such as m.youtube.com, www.youtube.com
  • include:netflix.com: domains that include netflix.com, such as www.netflix.com, netflix.com.example.com, whatisnetflix.command
  • all: all domains
"rules": {
    "force_safe_search": false,
    "hosts": {
        "localhost": "127.0.0.1",
        "sub:cloudflare-dns.com": "1.0.0.1",
        "dns.google": "8.8.4.4"
    }
},
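The domain-matching rules quoted above for outbound groups and for hosts, re-implemented as an added example that is not part of the Encrypted-DNS project, so the routing a given config produces can be audited offline. Two details the README leaves open are assumptions here: "sub:" also matches the apex name itself, and the first matching group or hosts entry wins.

```python
def rule_matches(rule, domain):
    """True if `domain` matches one rule in the README's syntax: exact, sub:, include:, all."""
    d = domain.lower().rstrip(".")
    if rule == "all":
        return True
    if rule.startswith("sub:"):
        apex = rule[4:].lower()
        return d == apex or d.endswith("." + apex)   # assumption: the apex itself counts too
    if rule.startswith("include:"):
        return rule[8:].lower() in d                  # plain substring, as the README describes
    return d == rule.lower()

def select_outbound(outbounds, domain):
    """Tag of the first group whose `domains` list matches; None if no group does (assumed order)."""
    for group in outbounds:
        if any(rule_matches(r, domain) for r in group.get("domains", [])):
            return group["tag"]
    return None

def lookup_hosts(hosts, domain):
    """Static answer from rules.hosts, first matching entry wins; None if nothing matches."""
    for rule, target in hosts.items():
        if rule_matches(rule, domain):
            return target
    return None

# Constructed sample config mirroring the README's own example, groups in the order listed there.
OUTBOUNDS = [
    {"tag": "unencrypted", "dns": ["1.0.0.1", "tcp://8.8.4.4"],
     "domains": ["time.windows.com", "sub:youtube.com", "include:netflix.com"]},
    {"tag": "encrypted", "dns": ["https://cloudflare-dns.com", "tls://dns.google"],
     "domains": ["all"]},
]
HOSTS = {"localhost": "127.0.0.1", "sub:cloudflare-dns.com": "1.0.0.1", "dns.google": "8.8.4.4"}

def routing_table(domains):
    """Which group each name would take; handy for seeing what an include: rule really captures."""
    return {name: select_outbound(OUTBOUNDS, name) for name in domains}

if __name__ == "__main__":
    sample = ["www.google.com", "m.youtube.com", "netflix.com.example.com", "whatisnetflix.command"]
    for name, tag in routing_table(sample).items():
        print(f"{name:28} -> {tag}")
```

Note what the substring rule does: netflix.com.example.com and whatisnetflix.command, names under domains nobody at Netflix controls, are sent to the unencrypted group, so include: rules deserve a careful look before they sit in front of an encrypted catch-all.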

EDNS Client Subnet

EDNS Client Subnet is a DNS extension that allows Encrypted-DNS to specify the network subnet for the host on which behalf it is making a DNS query.

This is generally intended to help speed up the delivery of data from CDN, by allowing better use of DNS-based load balancing to select a service address serving the content expected to be hosted at that domain name, when the client computer is in a different network location from the recursive resolver.

To disable this feature, set ecs_ip_address to null.

"ecs_ip_address": "128.97.0.0"
from https://github.com/xiaoyang-liu-cs/encrypted-dns
https://github.com/xiaoyang-liu-cs/encrypted-dns/releases
-------

Ideas about Unbound DNS server

I have used the combination of Unbound and dnscrypt-proxy on my PC for a period of time. I was using dnsmasq with dnscrypt-proxy, but dnsmasq seemed unstable (even though it was deployed on my computer and used by just me!). Replacing dnsmasq with Unbound seems to be a good solution.

Configuration

Here (Chinese Simplified) is a great example by phoenixlzx.

Fallback servers

Unbound will do load-balancing on the listed forward-addrs, instead of requesting the servers one by one and skipping to the next server only if the previous one fails. In my case, I want it to request my dnscrypt-proxy server first and use the other servers as fallback. It is obviously not doing me good.

Finally I moved the fallback configuration and wrote it in /etc/resolv.conf. Not so exciting, but it also works.

Forwarding rules

dnscrypt-proxy applies the first matching rule it comes across. Unbound is more rational and will match the most accurate one.

DNS over TLS (DoT) support of Unbound

Unbound supports DNS over TLS (but not DNS over HTTPS) at forwarding DNS queries. By adding forward-tls-upstream: yes (or forward-ssl-upstream: yes) you can ask the server to send DoH request to servers you specify. Then we don’t need dnscrypt-proxy to make secured DNS queries.

See this article for detailed configurations.

My config file (working on a Manjaro Linux):

server:
  verbosity: 1
  do-daemonize: no
  use-syslog: yes
  username: unbound
  directory: "/etc/unbound"
  root-hints: "root.hints" # Get it here: https://www.internic.net/domain/named.root
  trust-anchor-file: trusted-key.key # Run `sudo unbound-anchor` for this file
  module-config: "iterator"  # "validator iterator" if you want DNSSEC
  interface: 127.0.0.54
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt # Differs per distribution
  access-control: 127.0.0.1/8 allow

forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 8.8.8.8@853#dns.google
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
-----------------------------

An easy to install, high-performance, zero maintenance proxy to run an encrypted DNS server.

Protocols

The proxy supports the following protocols:

All of these can be served simultaneously, on the same port (usually port 443). The proxy automatically detects what protocol is being used by each client.

Installation

Option 1: precompiled binary for Linux

Precompiled tarballs and Debian packages for Linux/x86_64 can be downloaded here.

Nothing else has to be installed. The server doesn't require any external dependencies.

In the Debian package, the example configuration file can be found in /usr/share/doc/encrypted-dns/.

Option 2: compilation from source code

The proxy requires rust >= 1.0.39 or rust-nightly.

Rust can be installed with:

curl -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain nightly
source $HOME/.cargo/env

Once rust is installed, the proxy can be compiled and installed as follows:

cargo install encrypted-dns
strip ~/.cargo/bin/encrypted-dns

The executable file will be copied to ~/.cargo/bin/encrypted-dns by default.

Option 3: Docker

dnscrypt-server-docker is the most popular way to deploy an encrypted DNS server.

This Docker image includes a caching DNS resolver, the encrypted DNS proxy, and scripts to automatically configure everything.

Setup

The proxy requires a recursive DNS resolver, such as Knot, PowerDNS or Unbound.

That resolver can run locally and only respond to 127.0.0.1. External resolvers such as Quad9 or Cloudflare DNS can also be used, but this may be less reliable due to rate limits.

In order to support DoH in addition to DNSCrypt, a DoH proxy must be running as well. rust-doh is the recommended DoH proxy server. DoH support is optional, as it is currently far more complicated to set up than DNSCrypt due to certificate management.

Make a copy of the example-encrypted-dns.toml configuration file named encrypted-dns.toml.

Then, review the encrypted-dns.toml file. This is where all the parameters can be configured, including the IP addresses to listen to.

You should probably at least change the listen_addresses and provider_name settings.

Start the proxy. It will automatically create a new provider key pair if there isn't any.

The DNS stamps are printed. They can be used directly with dnscrypt-proxy.

There is nothing else to do. Certificates are automatically generated and rotated.

Migrating from dnscrypt-wrapper

If you are currently running an encrypted DNS server using dnscrypt-wrapper, moving to the new proxy is simple:

  • Double check that the provider name in encrypted-dns.toml matches the one you previously configured. If you forgot it, it can be recovered from its DNS stamp.
  • Run encrypted-dns --import-from-dnscrypt-wrapper secret.key, with secret.key being the file with the dnscrypt-wrapper provider secret key.

Done. Your server is now running the new proxy.

Built-in DNS cache

The proxy includes a key cache, as well as a DNS cache to significantly reduce the load on upstream servers.

In addition, if a server is slow or unresponsive, expired cached queries will be returned, ensuring that popular domain names always keep being served.

State file

The proxy creates and updates a file named encrypted-dns.state by default. That file contains the provider secret key, as well as certificates and encryption keys.

Do not delete the file, unless you want to change parameters (such as the provider name), and keep it secret, or the keys will be lost.

Putting it in a directory that is only readable by the super-user is not a bad idea.

Filtering

Domains can be filtered directly by the proxy, see the [filtering] section of the configuration file.

Access control

Access control can be enabled in the [access_control] section and configured with the query_meta configuration value of dnscrypt-proxy.

Prometheus metrics

Prometheus metrics can optionally be enabled in order to monitor performance, cache efficiency, and more.

Anonymized DNSCrypt

Enabling Anonymized DNSCrypt allows the server to be used as an encrypted DNS relay.


from  https://github.com/DNSCrypt/encrypted-dns-server

------


Encrypted DNS Party


https://encrypted-dns.party

Configuration files to easily set your Apple device to use encrypted DNS by your chosen provider systemwide.

Install Instructions from NextDNS' Profile Generator

Install on iOS and iPadOS

  1. Use the Safari web browser to open the .mobileconfig and receive the install prompt.

Install on macOS

  1. Open the downloaded .mobileconfig file.
  2. Open System Preferences.
  3. Go to Profiles.
  4. Click Install.

Install on tvOS

  1. Open the Settings app.
  2. Go to General → Privacy.
  3. Hover over "Share Apple TV Analytics" without pressing.
  4. Press Play on the remote.
  5. Select Add Profile.
  6. Make the downloaded .mobileconfig file accessible publicly and enter its URL. You can use TinyURL.
  7. Install the profile following the onscreen instructions.

Validate

You can use these online tools for validating your DNS resolver:

Note

If you're not comfortable installing from the website, you can also install straight from GitLab.com by navigating to a profile (in Safari) within /mobileconfig and selecting "Open raw." For example, this is 42l's DoH profile from the repo:

Site based on the john-doe template.

from https://github.com/aniksarakash/encrypted-dns

----------

These are encrypted DNS over HTTPS (and some DNS over TLS) configuration profiles for Apple devices I created for convenience. Requires iOS 14, iPadOS 14, tvOS 14, or macOS Big Sur.

Source code and more info are available here. You can also use dns.notjakob.com or the DNSecure app to create your own profiles.

Subscribe to updates I make via RSS. And if any profile appears broken and needs updating, please let me know. Thanks! ~nitrohorse

Configuration profiles for 'DNS over HTTPS' and 'DNS over TLS' for iOS 14 and MacOS Big Sur.

encrypted-dns-configs

Configuration profiles for DNS over HTTPS and DNS over TLS.

Check out the article for more info: paulmillr.com/posts/encrypted-dns/

Providers

"Censorship=yes" means the profile will not send true information about hostname=IP relation for some hosts.

| Name | Country | Censorship | Notes | Install |
| AdGuard | 🇷🇺 | Yes 🔴 | Operated by AdGuard in Russia | HTTPS |
| AdGuard Family | 🇷🇺 | Yes | Filters malware & adult content | HTTPS |
| AdGuard No Filter | 🇷🇺 | No 🟢 | Filters Unfiltered | HTTPS, TLS |
| Alekberg | 🇳🇱 | No | Independent hoster in Netherlands | HTTPS |
| BlahDNS CDN Filtered | 🇺🇸 | Yes | Independent | HTTPS |
| BlahDNS CDN Unfiltered | 🇺🇸 | No | Independent | HTTPS |
| BlahDNS Finland Adsblock | 🇫🇮 | Yes | Independent | HTTPS |
| BlahDNS Germany Adsblock | 🇩🇪 | Yes | Independent | HTTPS |
| BlahDNS Japan Adsblock | 🇯🇵 | Yes | Independent | HTTPS |
| BlahDNS Singapore Adsblock | 🇸🇬 | Yes | Independent | HTTPS |
| BlahDNS Swiss Adsblock | 🇨🇭 | Yes | Independent | TLS |
| Canadian Shield Private | 🇨🇦 | No | Operated by the Canadian Internet Registration Authority (CIRA) | HTTPS, TLS |
| Canadian Shield Protected | 🇨🇦 | Yes | Filters malware | HTTPS, TLS |
| Canadian Shield Family | 🇨🇦 | Yes | Filters malware & adult content | HTTPS, TLS |
| Cloudflare | 🇺🇸 | No | Operated by Cloudflare 1.1.1.1 | HTTPS, TLS |
| Cloudflare Malware | 🇺🇸 | Yes | Filters malware | HTTPS |
| Cloudflare Family | 🇺🇸 | Yes | Filters malware & adult content | HTTPS |
| DNSPod | 🇨🇳 | Yes | Operated in mainland China | HTTPS, TLS |
| Google | 🇺🇸 | No | Operated by Google | HTTPS, TLS |
| OpenDNS | 🇺🇸 | No | Operated by OpenDNS | HTTPS |
| OpenDNS Family | 🇺🇸 | Yes | Filters malware & adult content | HTTPS |
| Quad9 | 🇨🇭 | Yes | Operated by CleanerDNS, Inc. Filters malware | HTTPS, TLS |
| Quad9 With ECS | 🇨🇭 | Yes | Operated by CleanerDNS, Inc. Filters malware | HTTPS, TLS |
| Tiar.app | 🇸🇬 🇺🇸 | Yes | "Privacy-first DNS provider" from SG, hosted on Digital Ocean. Filters malware | HTTPS, TLS |

Installation

To make the settings work across all apps in iOS 14 and macOS Big Sur, you need to install a configuration profile. This profile tells the operating system to use DoH / DoT. Note: it is not enough to simply set server IPs in System Preferences; you need to install a profile.

To install, simply open the file on GitHub, then click/tap the install button. The profile should download. On macOS, double-click the downloaded file to open it in settings, and approve the installation. On iOS, go to System Settings => General => Profile, select the downloaded profile and tap the "Install" button.

Signed Profiles

In the signed folder, we have signed versions of the profiles in this repository. These profiles have been signed by @Candygoblen123 so that when you install the profiles, they will have a verified check box on the installation screen. It also ensures that these profiles have not been tampered with. However, since they were signed by a third party, they may lag behind their unsigned counterparts a little.

To verify resolver IPs and hostnames, compare mobileconfig files to their documentation URLs. Internal workings of the profiles are described on developer.apple.com. In order to verify signed mobileconfigs, you will need to download them to your computer and open them in a text editor, because signing profiles makes GitHub think that they are binary files.

Known issues

We can't fix the issues, only Apple can:


from  https://github.com/paulmillr/encrypted-dns