My system is Ubuntu 18.04 64-bit.
Then,
Then follow this article https://briteming.blogspot.com/2018/10/acmeshletsencryptssl.html to generate the certificate for your domain yourdomain.com. Before generating the certificate, point your domain at your server's IP.
cd /usr/local/etc/unbound
cp /root/.acme.sh/yourdomain.com/fullchain.cer ./
cp /root/.acme.sh/yourdomain.com/yourdomain.com.key ./
nano unbound-by-me.conf
cat unbound-by-me.conf
(During this you will be told that the user unbound does not exist; run the command useradd unbound to fix it.)
Protecting the TLS hostname
Saw "Encrypted Server Name Indication for TLS 1.3", a draft put together by people from Fastly, Cloudflare and Apple that wants to protect the hostname, which a TLS connection sends in cleartext at the very start. It appears to publish a public key through DNS, and the user then uses that public key to protect the hostname part...
The DNS part can in turn be protected with DNS over TLS or DNS over HTTPS, so the ISP has no information left from which to see the hostname, lowering the exposed information further...
-------------------
mv /usr/include/openssl /usr/include/openssl.bak
mv /usr/lib64/openssl/ /usr/lib64/openssl.bak
wget https://www.openssl.org/source/openssl-1.1.1a.tar.gz
tar xvf openssl-1.1.1a.tar.gz
cd openssl-1.1.1a
ls /root/openssl-1.1.1a/.openssl/
bin include lib
wget https://nlnetlabs.nl/downloads/unbound/unbound-1.9.6.tar.gz
tar xvf unbound-1.9.6.tar.gz
cd unbound-1.9.6
./configure --enable-subnet --with-libevent --with-ssl=/root/openssl-1.1.1a/.openssl/
make
make install
(then unbound is compiled successfully)
ln -s /root/openssl-1.1.1a/.openssl/bin/openssl /usr/local/bin/openssl
Then run:
Came across Stubby in "How to Protect Your DNS Privacy on Ubuntu 18.04 with DNS over TLS".
Stubby can be installed directly on Ubuntu 18.04, but on Ubuntu 16.04 it has to be installed from a PPA; I installed it from "DNS Utils : James Newell". After installation, change the upstream_recursive_servers setting in the /etc/stubby/stubby.yml file to:
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
and DNS over TLS on port 853 is in use. Stubby listens on port 53 of 127.0.0.1 and ::1 by default, so pointing /etc/resolv.conf or the NetworkManager settings at 127.0.0.1 is all that is needed.
Configured this way it does not seem able to block a MITM attack (forged SSL certificate); Stubby apparently can only pin with tls_pubkey_pinset, but I really don't like that method (because Cloudflare might switch to a different SSL certificate). I'll look later at whether there is authentication that can use the Root CA infrastructure and adjust then...)
Client program 7: dnsproxy-by-adguardteam
First install the go1.13 environment on the mac, then,
cd $GOPATH
go get -u -v github.com/AdguardTeam/dnsproxy
Then,
mkdir mydomain.com-certs
cd mydomain.com-certs
Download the files /etc/letsencrypt/live/mydomain.com/fullchain.pem and /etc/letsencrypt/live/mydomain.com/privkey.pem from the VPS into the current directory.
------------------
Client program 8: tinydnsproxy
First install the rust environment on the mac. (If you installed rust before, run rustup update to update the rust environment.)
Then,
git clone https://github.com/sewh/tinydnsproxy tinydnsproxy-by-sewh
cd tinydnsproxy-by-sewh
sudo cargo build --release
(This creates the subdirectory target/release/ in the current directory, and the executable tinydnsproxy inside target/release/.)
cd target/release/
wget https://github.com/sewh/tinydnsproxy/raw/master/config/example.toml -O config.toml
nano config.toml
Change the value of port on line 9 to 53.
Change the value of ip_address on line 61 to your-vps-ip.
Change the value of hostname on line 63 to yourdomain.com.
Comment out lines 65 through 68.
Then run:
-------
Client program 9: dns-proxy
On the mac. First fork the project https://github.com/jonathanbeber/dns-proxy to
https://github.com/your-username/dns-proxy
Then open https://github.com/your-username/dns-proxy/blob/master/config/config.go
and edit line 9, replacing 1.1.1.1 with the domain you bound.
cd $GOPATH
go get -u -v github.com/your-username/dns-proxy
sudo dns-proxy
Project page: https://github.com/jonathanbeber/dns-proxy
--------
Client program 10: dns-to-dns-tls (this program is unstable; not recommended)
First install the go1.13 environment on the mac, then,
cd $GOPATH
go get -u -v github.com/Onlinehead/dns-to-dns-tls
cd ~
wget https://github.com/Onlinehead/dns-to-dns-tls/raw/master/config.yaml -O dns-to-dns-tls-config.yaml
nano dns-to-dns-tls-config.yaml
cat dns-to-dns-tls-config.yaml
------
Client program 11: blocky
See https://briteming.blogspot.com/2020/03/blockydotdohdns.html for details.
Encrypted-DNS
Introduction
Encrypted-DNS operates as a DNS server that forwards DNS queries over UDP, TCP, TLS or HTTPS, protecting your device from DNS cache poisoning and censorship. It can also cache DNS records to speed up later queries, block specific clients, and ignore particular domain names.
Features
- Encrypted DNS upstream servers (DNS-over-HTTPS, DNS-over-TLS)
- Improve accuracy with EDNS-Client-Subnet
- Authenticate DNS response with DNSSEC
- Transparent redirection of specific domains to specific resolvers
- Send queries through HTTP proxies
- Cache DNS response with default or customized TTL to reduce latency
- Force Safe search on search engines such as Google, Bing, DuckDuckGo
- Firewall rules: Rate limiting, client blacklist, and disable AAAA or ANY lookups
Installation
- Install Python 3.6+
- Install the encrypted-dns package via pip
$ python3 -m pip install encrypted-dns
- Generate and edit the config file
$ sudo encrypted-dns
$ vim ~/.config/encrypted_dns/config.json
- Run the Encrypted-DNS server
$ sudo encrypted-dns
- Test a DNS lookup
Linux or MacOS:
$ dig @127.0.0.1 www.google.com
Windows:
$ nslookup www.google.com 127.0.0.1
- Change your DNS address to 127.0.0.1
Configuration
Encrypted-DNS will generate a JSON file ~/.config/encrypted_dns/config.json
Inbounds
Encrypted-DNS will listen on these addresses and ports to receive DNS lookups.
The format of each inbound is protocol://address:port.
Currently, Encrypted-DNS only supports inbounds with the udp and tcp protocols.
If protocol is not provided, Encrypted-DNS will listen on this inbound address through the udp protocol.
If port is not provided, Encrypted-DNS will use the default port of each protocol (53 for udp and tcp).
'inbounds': [
'0.0.0.0',
'0.0.0.0:5301',
'tcp://0.0.0.0:5302'
]
Outbounds
Encrypted-DNS will forward the DNS queries to the upstream DNS servers.
The outbounds value is a JSON array of DNS groups.
Here is an example of a DNS group:
'outbounds': [
{
'tag': 'unencrypted',
'dns': ['1.0.0.1', 'tcp://8.8.4.4'],
'concurrent': False,
'domains': ['time.windows.com', 'sub:youtube.com', 'include:netflix.com']
},
{
'tag': 'encrypted',
'dns': ['https://cloudflare-dns.com', 'tls://dns.google'],
'proxies': {
'http': 'http://127.0.0.1:1088',
'https': 'http://127.0.0.1:1088'
},
'concurrent': False,
'domains': ['all']
}
]
tag is the name of the DNS group.
dns is an array of DNS upstreams:
- The format of each upstream is protocol://address:port
- Encrypted-DNS supports these protocols: udp, tcp, tls, https
- If protocol is not provided, Encrypted-DNS will connect to the upstream through the udp protocol.
- If port is not provided, Encrypted-DNS will use the default port of each protocol (53 for udp and tcp, 853 for tls, 443 for https).
concurrent:
- If concurrent is True, Encrypted-DNS will forward queries to all servers in this group concurrently and send the first response to the client.
- If concurrent is False, Encrypted-DNS will forward queries to a random server in this group.
domains: Encrypted-DNS will only forward queries to this group if the domain is included in domains. For example:
- www.google.com: exact domain
- sub:youtube.com: subdomains of youtube.com, such as m.youtube.com, www.youtube.com
- include:netflix.com: domains that include netflix.com, such as www.netflix.com, netflix.com.example.com, whatisnetflix.command
- all: all domains
Bootstrap DNS Group
Encrypted-DNS will send DNS queries to the servers in the bootstrap DNS group to retrieve the IP addresses of the DNS-over-HTTPS or DNS-over-TLS servers.
If the group is not specified, Encrypted-DNS will use 1.0.0.1 to resolve the IP addresses.
'outbounds': [
{
'tag': 'bootstrap',
'dns': ['1.0.0.1', '8.8.4.4']
},
...
]
DNS Cache
Cache DNS responses to reduce latency for further queries.
If override_ttl is -1, Encrypted-DNS will use the default TTL of each record.
'dns_cache': {
'enable': True,
'override_ttl': 3600
}
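As an added example (not the Encrypted-DNS project's own code), the cache semantics just described, written out as a small TTL cache: override_ttl of -1 keeps each record's own TTL, any other value replaces it, and enable=False turns caching off. The lookup helper goes one step beyond the README and also serves an expired entry when the upstream is unreachable (the serve-stale behaviour the DNSCrypt proxy section later on this page describes). All names, the documentation-range addresses and the stand-in upstreams are constructed for the example.

```python
import time


class DnsCache:
    """TTL cache with 'enable' / 'override_ttl' semantics (names assumed):
    override_ttl == -1 keeps each record's own TTL, any other value replaces it."""

    def __init__(self, enable=True, override_ttl=-1):
        self.enable = enable
        self.override_ttl = override_ttl
        self._store = {}  # (qname, qtype) -> (answer, expires_at)

    @staticmethod
    def _key(qname, qtype):
        # DNS names are case-insensitive; drop the trailing dot of an FQDN.
        return (qname.lower().rstrip("."), qtype.upper())

    def put(self, qname, qtype, answer, record_ttl, now=None):
        if not self.enable:
            return
        now = time.monotonic() if now is None else now
        ttl = record_ttl if self.override_ttl == -1 else self.override_ttl
        self._store[self._key(qname, qtype)] = (answer, now + ttl)

    def get(self, qname, qtype, now=None, allow_stale=False):
        """Return the cached answer while it is fresh, or when stale answers are allowed."""
        if not self.enable:
            return None
        now = time.monotonic() if now is None else now
        entry = self._store.get(self._key(qname, qtype))
        if entry is None:
            return None
        answer, expires_at = entry
        if now < expires_at or allow_stale:
            return answer
        return None


def lookup(cache, qname, qtype, upstream, now=None):
    """Resolve through the cache. Returns (answer, source) with source one of
    'cache', 'upstream' or 'stale'. upstream(qname, qtype) returns (answer, ttl)
    and raises TimeoutError/OSError when it cannot be reached."""
    answer = cache.get(qname, qtype, now=now)
    if answer is not None:
        return answer, "cache"
    try:
        answer, ttl = upstream(qname, qtype)
    except (TimeoutError, OSError):
        # Serve-stale: an expired record beats no answer at all.
        stale = cache.get(qname, qtype, now=now, allow_stale=True)
        if stale is not None:
            return stale, "stale"
        raise
    cache.put(qname, qtype, answer, ttl, now=now)
    return answer, "upstream"


def make_upstream(answer, ttl, log):
    """Constructed stand-in for a working upstream; records every call in log."""
    def upstream(qname, qtype):
        log.append((qname, qtype))
        return (answer, ttl)
    return upstream


def failing_upstream(qname, qtype):
    """Constructed stand-in for an unreachable upstream."""
    raise TimeoutError("upstream unreachable")


if __name__ == "__main__":
    cache, calls = DnsCache(), []
    up = make_upstream(["192.0.2.10"], 300, calls)   # constructed documentation address
    for t in (0, 100, 300):
        print(t, lookup(cache, "example.com", "A", up, now=t))
    print(700, lookup(cache, "example.com", "A", failing_upstream, now=700))
    print("upstream calls:", len(calls))
```

The cache key normalises case and the trailing dot, so EXAMPLE.COM. and example.com share one entry; without that, an attacker-controlled client could fill the cache with case variants of the same name.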
Firewall
refuse_ANY will ignore all queries of the ANY type, since it is often used in DNS reflection attacks.
AAAA_disabled will ignore all queries of the AAAA type.
rate_limit will limit the number of queries Encrypted-DNS processes every minute.
client_blacklist will ignore all queries sent by the listed clients.
'firewall': {
'refuse_ANY': True,
'AAAA_disabled': False,
'rate_limit': 30,
'client_blacklist': [
'128.97.0.0',
'128.97.0.1'
]
}
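An added example (not the Encrypted-DNS project's code) of the four firewall controls above, run over a few constructed queries: the blacklist and type checks are evaluated first so that dropped traffic never consumes the per-minute budget, and the rate limit is a sliding one-minute window over accepted queries. Class and function names are assumed; the blacklisted address is the one from the README's example.

```python
import time
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Firewall:
    """Mirror of the README's firewall settings (field names follow the config keys)."""
    refuse_ANY: bool = True
    AAAA_disabled: bool = False
    rate_limit: int = 30                      # accepted queries per minute; 0 disables
    client_blacklist: set = field(default_factory=set)
    _accepted: deque = field(default_factory=deque, repr=False)  # timestamps of accepted queries

    def check(self, client_ip, qtype, now=None):
        """Return None when the query may proceed, otherwise the name of the
        rule that dropped it."""
        now = time.monotonic() if now is None else now
        if client_ip in self.client_blacklist:
            return "client_blacklist"
        if self.refuse_ANY and qtype == "ANY":
            return "refuse_ANY"
        if self.AAAA_disabled and qtype == "AAAA":
            return "AAAA_disabled"
        if self.rate_limit > 0:
            # Sliding one-minute window: forget accepted queries older than 60 s.
            while self._accepted and now - self._accepted[0] >= 60:
                self._accepted.popleft()
            if len(self._accepted) >= self.rate_limit:
                return "rate_limit"
            self._accepted.append(now)
        return None


# Constructed sample traffic: (client, qtype), arriving one per second.
SAMPLE_QUERIES = [
    ("10.0.0.5", "A"),
    ("128.97.0.0", "A"),      # blacklisted client
    ("10.0.0.5", "ANY"),      # reflection-style query type
    ("10.0.0.5", "AAAA"),
    ("10.0.0.5", "A"),
    ("10.0.0.5", "A"),
    ("10.0.0.5", "A"),
]


def apply_firewall(fw, queries, t0=0.0, interval=1.0):
    """Run each query through fw at t0, t0+interval, ... and return the verdicts."""
    return [fw.check(ip, qtype, now=t0 + i * interval)
            for i, (ip, qtype) in enumerate(queries)]


if __name__ == "__main__":
    fw = Firewall(rate_limit=3, client_blacklist={"128.97.0.0"})
    for (ip, qtype), verdict in zip(SAMPLE_QUERIES, apply_firewall(fw, SAMPLE_QUERIES)):
        print(f"{ip:12} {qtype:5} -> {verdict or 'allow'}")
```

With rate_limit=3 the fourth accepted query inside the same minute is dropped, and the budget frees up again only once the oldest accepted timestamp falls out of the 60 s window.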
Rules
force_safe_search will enable Safe search on search engines: Google, Bing, Yahoo, DuckDuckGo, and Youtube.
hosts will specify an A record or CNAME record for domain names.
Rules to match domains in hosts:
- www.google.com: exact domain
- sub:youtube.com: subdomains of youtube.com, such as m.youtube.com, www.youtube.com
- include:netflix.com: domains that include netflix.com, such as www.netflix.com, netflix.com.example.com, whatisnetflix.command
- all: all domains
'rules': {
'force_safe_search': False,
'hosts': {
'localhost': '127.0.0.1',
'sub:cloudflare-dns.com': '1.0.0.1',
'dns.google': '8.8.4.4'
}
},
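The same four rule forms (exact, sub:, include:, all) are used both by the domains list of an outbound group and by the hosts keys above. As an added example that is not the project's own code, here is one matcher serving both: select_outbound picks the first group in list order whose domains rule matches (so a catch-all group should come last, as in the README's example), while resolve_hosts prefers the most specific matching hosts rule. Two details are assumptions rather than documented behaviour: sub: is read as proper subdomains only (youtube.com itself does not match sub:youtube.com), and the exact > sub > include > all precedence for hosts is this example's choice. The sample OUTBOUNDS and HOSTS mirror the README's configuration.

```python
def _norm(name):
    """DNS names are case-insensitive; strip the trailing dot of an FQDN."""
    return name.lower().rstrip(".")


def rule_matches(rule, qname):
    """Does one rule (from a 'domains' list or a 'hosts' key) match qname?
    Assumption: 'sub:' matches proper subdomains only, never the apex itself."""
    qname = _norm(qname)
    if rule == "all":
        return True
    if rule.startswith("sub:"):
        return qname.endswith("." + _norm(rule[len("sub:"):]))
    if rule.startswith("include:"):
        return _norm(rule[len("include:"):]) in qname
    return qname == _norm(rule)


def _kind(rule):
    if rule == "all":
        return "all"
    if rule.startswith("sub:"):
        return "sub"
    if rule.startswith("include:"):
        return "include"
    return "exact"


_SPECIFICITY = {"exact": 0, "sub": 1, "include": 2, "all": 3}


def select_outbound(outbounds, qname):
    """Tag of the first group, in list order, with a matching 'domains' rule.
    Groups without a 'domains' list (e.g. bootstrap) are never selected."""
    for group in outbounds:
        if any(rule_matches(r, qname) for r in group.get("domains", [])):
            return group["tag"]
    return None


def resolve_hosts(hosts, qname):
    """Static answer for qname from a 'hosts' mapping, most specific rule first
    (assumed order: exact, sub:, include:, all); None when nothing matches."""
    matches = [(k, v) for k, v in hosts.items() if rule_matches(k, qname)]
    if not matches:
        return None
    matches.sort(key=lambda kv: _SPECIFICITY[_kind(kv[0])])
    return matches[0][1]


# Constructed samples mirroring the README's configuration.
OUTBOUNDS = [
    {"tag": "bootstrap", "dns": ["1.0.0.1", "8.8.4.4"]},
    {"tag": "unencrypted", "dns": ["1.0.0.1", "tcp://8.8.4.4"],
     "domains": ["time.windows.com", "sub:youtube.com", "include:netflix.com"]},
    {"tag": "encrypted", "dns": ["https://cloudflare-dns.com", "tls://dns.google"],
     "domains": ["all"]},
]
HOSTS = {
    "localhost": "127.0.0.1",
    "sub:cloudflare-dns.com": "1.0.0.1",
    "dns.google": "8.8.4.4",
}

if __name__ == "__main__":
    for name in ("m.youtube.com", "youtube.com", "whatisnetflix.command", "example.org"):
        print(f"{name:24} -> {select_outbound(OUTBOUNDS, name)}")
    for name in ("localhost", "www.cloudflare-dns.com", "cloudflare-dns.com", "dns.google"):
        print(f"{name:24} -> {resolve_hosts(HOSTS, name)}")
```

Note how loose include: is: include:netflix.com routes whatisnetflix.command to the unencrypted group as well, which is exactly what the README's own example lists, so a substring rule should be chosen with that over-match in mind.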
EDNS Client Subnet
EDNS Client Subnet is a DNS extension that allows Encrypted-DNS to specify the network subnet for the host on which behalf it is making a DNS query.
This is generally intended to help speed up the delivery of data from CDN, by allowing better use of DNS-based load balancing to select a service address serving the content expected to be hosted at that domain name, when the client computer is in a different network location from the recursive resolver.
To disable this feature, set ecs_ip_address to null.
'ecs_ip_address': '128.97.0.0'
from https://github.com/xiaoyang-liu-cs/encrypted-dns
https://github.com/xiaoyang-liu-cs/encrypted-dns/releases
-------
Ideas about Unbound DNS server
I have used the combination of Unbound and dnscrypt-proxy on my PC for a period of time. I was using dnsmasq with dnscrypt-proxy, but dnsmasq seemed unstable (even though it was deployed on my computer and used by just me!). Replacing dnsmasq with unbound seems to be a good solution.
Configuration
Here (Chinese Simplified) is a great example by phoenixlzx.
Fallback servers
Unbound does load-balancing across the listed forward-addrs, instead of trying the servers one by one and skipping to the next only when the previous one fails. In my case I want it to ask my dnscrypt-proxy server first and use the other servers only as fallback, so this obviously does me no good.
In the end I moved the fallback configuration into /etc/resolv.conf. Not so exciting, but it also works.
Forwarding rules
dnscrypt-proxy applies the first matching rule it comes across. Unbound is more rational and will match the most specific one.
DNS over TLS (DoT) support of Unbound
Unbound supports DNS over TLS (but not DNS over HTTPS) when forwarding DNS queries. By adding forward-tls-upstream: yes (or forward-ssl-upstream: yes) you can ask the server to send DoT requests to the servers you specify. Then we don't need dnscrypt-proxy to make secured DNS queries.
See this article for detailed configurations.
My config file (working on a Manjaro Linux):
server:
    verbosity: 1
    do-daemonize: no
    use-syslog: yes
    username: unbound
    directory: "/etc/unbound"
    root-hints: "root.hints" # Get it here: https://www.internic.net/domain/named.root
    trust-anchor-file: trusted-key.key # Run `sudo unbound-anchor` for this file
    module-config: "iterator" # "validator iterator" if you want DNSSEC
    interface: 127.0.0.54
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt # Differs per distribution
    access-control: 127.0.0.1/8 allow
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
-----------------------------
An easy to install, high-performance, zero maintenance proxy to run an encrypted DNS server.
Protocols
The proxy supports the following protocols:
- DNSCrypt v2
- Anonymized DNSCrypt
- DNS-over-HTTP (DoH) forwarding
All of these can be served simultaneously, on the same port (usually port 443). The proxy automatically detects what protocol is being used by each client.
Installation
Option 1: precompiled binary for Linux
Precompiled tarballs and Debian packages for Linux/x86_64 can be downloaded here.
Nothing else has to be installed. The server doesn't require any external dependencies.
In the Debian package, the example configuration file can be found in /usr/share/doc/encrypted-dns/.
Option 2: compilation from source code
The proxy requires rust >= 1.0.39 or rust-nightly.
Rust can be installed with:
curl -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain nightly
source $HOME/.cargo/env
Once rust is installed, the proxy can be compiled and installed as follows:
cargo install encrypted-dns
strip ~/.cargo/bin/encrypted-dns
The executable file will be copied to ~/.cargo/bin/encrypted-dns by default.
Option 3: Docker
dnscrypt-server-docker is the most popular way to deploy an encrypted DNS server.
This Docker image includes a caching DNS resolver, the encrypted DNS proxy, and scripts to automatically configure everything.
Setup
The proxy requires a recursive DNS resolver, such as Knot, PowerDNS or Unbound.
That resolver can run locally and only respond to 127.0.0.1. External resolvers such as Quad9 or Cloudflare DNS can also be used, but this may be less reliable due to rate limits.
In order to support DoH in addition to DNSCrypt, a DoH proxy must be running as well. rust-doh is the recommended DoH proxy server. DoH support is optional, as it is currently far more complicated to set up than DNSCrypt due to certificate management.
Make a copy of the example-encrypted-dns.toml configuration file named encrypted-dns.toml.
Then, review the encrypted-dns.toml file. This is where all the parameters can be configured, including the IP addresses to listen on.
You should probably at least change the listen_addresses and provider_name settings.
Start the proxy. It will automatically create a new provider key pair if there isn't any.
The DNS stamps are printed. They can be used directly with dnscrypt-proxy
.
There is nothing else to do. Certificates are automatically generated and rotated.
Migrating from dnscrypt-wrapper
If you are currently running an encrypted DNS server using dnscrypt-wrapper, moving to the new proxy is simple:
- Double check that the provider name in encrypted-dns.toml matches the one you previously configured. If you forgot it, it can be recovered from its DNS stamp.
- Run encrypted-dns --import-from-dnscrypt-wrapper secret.key, with secret.key being the file with the dnscrypt-wrapper provider secret key.
Done. Your server is now running the new proxy.
Built-in DNS cache
The proxy includes a key cache, as well as a DNS cache to significantly reduce the load on upstream servers.
In addition, if a server is slow or unresponsive, expired cached queries will be returned, ensuring that popular domain names always keep being served.
State file
The proxy creates and updates a file named encrypted-dns.state by default. That file contains the provider secret key, as well as certificates and encryption keys.
Do not delete the file, unless you want to change parameters (such as the provider name), and keep it secret, or the keys will be lost.
Putting it in a directory that is only readable by the super-user is not a bad idea.
Filtering
Domains can be filtered directly by the proxy; see the [filtering] section of the configuration file.
Access control
Access control can be enabled in the [access_control] section and configured with the query_meta configuration value of dnscrypt-proxy.
Prometheus metrics
Prometheus metrics can optionally be enabled in order to monitor performance, cache efficiency, and more.
Anonymized DNSCrypt
Enabling Anonymized DNSCrypt allows the server to be used as an encrypted DNS relay.
from https://github.com/DNSCrypt/encrypted-dns-server
------
Encrypted DNS Party
Configuration files to easily set your Apple device to use encrypted DNS by your chosen provider systemwide.
NextDNS' Profile Generator
Install Instructions from Install on iOS and iPadOS
- Use the Safari web browser to open the .mobileconfig and receive the install prompt.
Install on macOS
- Open the downloaded .mobileconfig file.
- Open System Preferences.
- Go to Profiles.
- Click Install.
Install on tvOS
- Open the Settings app.
- Go to General → Privacy.
- Hover over "Share Apple TV Analytics" without pressing.
- Press Play on the remote.
- Select Add Profile.
- Make the downloaded .mobileconfig file publicly accessible and enter its URL. You can use TinyURL.
- Install the profile following the onscreen instructions.
Validate
You can use these online tools for validating your DNS resolver:
Note
If you're not comfortable installing from the website, you can also install straight from GitLab.com by navigating to a profile (in Safari) within /mobileconfig and selecting "Open raw." For example, this is 42l's DoH profile from the repo:
Site based on the john-doe template.
from https://github.com/aniksarakash/encrypted-dns
----------
These are encrypted DNS over HTTPS (and some DNS over TLS) configuration profiles for Apple devices I created for convenience. Requires iOS 14, iPadOS 14, tvOS 14, or macOS Big Sur.
Source code and more info are available here. You can also use dns.notjakob.com or the DNSecure app to create your own profiles.
Subscribe to updates I make via RSS. And if any profile appears broken and needs updating, please let me know. Thanks! ~nitrohorse
- 42l (privacy policy)
- aaflalo.me (privacy policy)
- AdGuard (privacy policy)
- AhaDNS (privacy policy)
- Alekberg (privacy policy)
- BlahDNS (privacy policy)
- CDN
- Finland
- Germany
- Japan
- Singapore
- Switzerland
- Blokada (privacy policy)
- CIRA Canadian Shield (privacy policy)
- CleanBrowsing (privacy policy)
- Cloudflare (privacy policy)
- ControlD (privacy policy)
- Block Malware
- Block Malware + Ads
- Block Malware + Ads + Social
- CZ.NIC (privacy policy)
- Digitalcourage (privacy policy) [DNS over TLS only]
- Digital Society (privacy policy)
- dismail.de (privacy policy) [DNS over TLS only]
- DNS for Family (privacy policy) [signed]
- dnsforge.de (privacy policy) [signed]
- dns.seby.io (privacy policy)
- Emerald Onion (privacy policy)
- Faelix Privacy DNS (privacy policy)
- Foundation for Applied Privacy (privacy policy)
- Free Radio Munich (privacy policy)
- Hostux (privacy policy)
- LavaDNS (privacy policy)
- lelux.fi (privacy policy)
- LibreDNS (privacy policy)
- Adblock [DNS over HTTPS only]
- Unfiltered
- Moulticast (privacy policy) [IPv6 only]
- Mullvad (privacy policy)
- Adblock
- Unfiltered
- NextDNS (privacy policy)
- Njalla (privacy policy)
- OpenDNS (privacy policy)
- Quad9 (privacy policy)
- Secured
- Secured with ECS support
- Quad101 (privacy policy)
- RethinkDNS (Unfiltered) (privacy policy)
- Snopyta (privacy policy)
- SWITCH (privacy policy)
- Tiarap DNS (privacy policy) [signed]
- Uncensored DNS (privacy policy)
- Anycast
- Unicast
- Denmark
- Usable Privacy (privacy policy)
from https://encrypted-dns.party/
--------
Configuration profiles for 'DNS over HTTPS' and 'DNS over TLS' for iOS 14 and MacOS Big Sur.
encrypted-dns-configs
Configuration profiles for DNS over HTTPS and DNS over TLS.
Check out the article for more info: paulmillr.com/posts/encrypted-dns/
Providers
"Censorship=yes" means the profile will not send true information about the hostname=IP relation for some hosts.
| Name | Country | Censorship | Notes | Install button |
| --- | --- | --- | --- | --- |
| AdGuard | 🇷🇺 | Yes | 🔴 Operated by AdGuard in Russia | HTTPS |
| AdGuard Family | 🇷🇺 | Yes | Filters malware & adult content | HTTPS |
| AdGuard No Filter | 🇷🇺 | No | 🟢 Filters Unfiltered | HTTPS, TLS |
| Alekberg | 🇳🇱 | No | Independent hoster in Netherlands | HTTPS |
| BlahDNS CDN Filtered | 🇺🇸 | Yes | Independent | HTTPS |
| BlahDNS CDN Unfiltered | 🇺🇸 | No | Independent | HTTPS |
| BlahDNS Finland Adsblock | 🇫🇮 | Yes | Independent | HTTPS |
| BlahDNS Germany Adsblock | 🇩🇪 | Yes | Independent | HTTPS |
| BlahDNS Japan Adsblock | 🇯🇵 | Yes | Independent | HTTPS |
| BlahDNS Singapore Adsblock | 🇸🇬 | Yes | Independent | HTTPS |
| BlahDNS Swiss Adsblock | 🇨🇭 | Yes | Independent | TLS |
| Canadian Shield Private | 🇨🇦 | No | Operated by the Canadian Internet Registration Authority (CIRA) | HTTPS, TLS |
| Canadian Shield Protected | 🇨🇦 | Yes | Filters malware | HTTPS, TLS |
| Canadian Shield Family | 🇨🇦 | Yes | Filters malware & adult content | HTTPS, TLS |
| Cloudflare | 🇺🇸 | No | Operated by Cloudflare 1.1.1.1 | HTTPS, TLS |
| Cloudflare Malware | 🇺🇸 | Yes | Filters malware | HTTPS |
| Cloudflare Family | 🇺🇸 | Yes | Filters malware & adult content | HTTPS |
| DNSPod | 🇨🇳 | Yes | Operated in mainland China | HTTPS, TLS |
| Google | 🇺🇸 | No | Operated by Google | HTTPS, TLS |
| OpenDNS | 🇺🇸 | No | Operated by OpenDNS | HTTPS |
| OpenDNS Family | 🇺🇸 | Yes | Filters malware & adult content | HTTPS |
| Quad9 | 🇨🇭 | Yes | Operated by CleanerDNS, Inc. Filters malware | HTTPS, TLS |
| Quad9 With ECS | 🇨🇭 | Yes | Operated by CleanerDNS, Inc. Filters malware | HTTPS, TLS |
| Tiar.app | 🇸🇬 🇺🇸 | Yes | "Privacy-first DNS provider" from SG, hosted on Digital Ocean. Filters malware | HTTPS, TLS |
Installation
To make the settings work across all apps in iOS 14 & MacOS Big Sur, you'll need to install a configuration profile. This profile tells the operating system to use DoH / DoT. Note: it's not enough to simply set server IPs in System Preferences; you need to install a profile.
To install, simply open the file on GitHub, and then click/tap on the install button. The profile should download. On macOS, double-click the downloaded file to open it in settings, and approve the installation. On iOS, go to System Settings => General => Profile, select the downloaded profile and tap the "Install" button.
Signed Profiles
In the signed folder, we have signed versions of the profiles in this repository. These profiles have been signed by @Candygoblen123 so that when you install the profiles, they will have a verified check box on the installation screen. It also ensures that these profiles have not been tampered with. However, since they were signed by a third party, they may lag behind their unsigned counterparts a little.
To verify resolver IPs and hostnames, compare mobileconfig files to their documentation URLs. Internal workings of the profiles are described on developer.apple.com. In order to verify signed mobileconfigs, you will need to download them to your computer and open them in a text editor, because signing profiles makes GitHub think that they are binary files.
Known issues
We can't fix the issues, only Apple can:
- Little Snitch / Lulu disable Encrypted DNS
- Some traffic, e.g. Terminal / App Store, is exempt from EDNS
- Chrome is exempt from EDNS
- VPNs disable EDNS
from https://github.com/paulmillr/encrypted-dns