DNS over HTTPS - xxooxxooxx/xxooxxooxx.github.io GitHub Wiki
Install dnsdist
Using dnsdist for DoT and DoH
https://developers.google.com/speed/public-dns/docs/doh?hl=zh-cn
- Configure dnsdist (choose one of the two listeners below to match the NGINX setup you use)
-- DoH frontend that terminates TLS inside dnsdist, using the Let's Encrypt chain
-- and private key for example.com. It is bound to loopback only, so it is reached
-- through the NGINX stream passthrough below rather than directly from the network.
-- Pair this variant with the "NGINX Reverse Proxy" stream block (TLS passthrough).
-- NOTE(review): dnsdist must be able to read privkey.pem; /etc/letsencrypt/live is
-- normally root-only, so confirm the dnsdist service user can read it.
addDOHLocal("127.0.0.1:7777", "/etc/letsencrypt/live/example.com/fullchain.pem", "/etc/letsencrypt/live/example.com/privkey.pem", nil, { reusePort=true })
or, when NGINX terminates TLS itself and forwards plain HTTP with the client address in X-Forwarded-For (see the "NGINX Server" location below):
-- Plain-HTTP DoH frontend (no certificate): TLS is terminated by NGINX, which
-- proxies to this port and sets X-Forwarded-For (see the "NGINX Server" location).
-- trustForwardedForHeader=true makes dnsdist use that header's value as the
-- query's source address. This is only acceptable because the listener is on
-- 127.0.0.1 and the proxy overwrites the header; never enable it on a listener
-- that untrusted clients can reach directly, and keep in mind that any local
-- process able to connect to 7777 can present an arbitrary client address.
addDOHLocal("127.0.0.1:7777", nil, nil, nil, { reusePort=true, trustForwardedForHeader=true })
- NGINX Reverse Proxy
# Stream (L4) front door on :443: inspects the TLS SNI without decrypting and
# routes each connection either to the DoH frontend or to the ordinary HTTPS server.
stream {
# Regular HTTPS vhosts. Because the :443 server below sends PROXY protocol,
# this listener must accept it (`listen 127.0.0.1:443 proxy_protocol;` in the
# http block) or every connection will fail to parse - not shown here, confirm.
upstream web {
server 127.0.0.1:443;
}
# DoH frontend, reached through the 8111 hop below, which strips the PROXY header.
upstream doh {
server 127.0.0.1:8111;
}
# Route by SNI. SNI is client-controlled and sent in clear, but both targets are
# local, trusted listeners, so a forged SNI can only select the other local backend.
# Connections without SNI (e.g. IP-literal clients) fall through to "web".
map $ssl_preread_server_name $name {
# doh.example.com unix:/run/nginx-doh-stream.sock;
doh.example.com doh;
default web;
}
# Hop that consumes the PROXY protocol header and forwards the raw TLS stream to
# dnsdist's TLS-terminating DoH listener (the addDOHLocal variant with a certificate).
# The client address is lost here: proxy_pass without `proxy_protocol on` sends no
# PROXY header, so dnsdist sees 127.0.0.1 as the source of every query. To keep it,
# forward PROXY protocol on this hop and configure dnsdist to accept it from
# 127.0.0.1 - that configuration is not shown on this page.
server {
# listen unix:/run/nginx-doh-stream.sock proxy_protocol;
listen 127.0.0.1:8111 proxy_protocol;
proxy_pass 127.0.0.1:7777;
}
# Public listener. ssl_preread only parses the ClientHello; no TLS is terminated
# here. proxy_protocol on prepends the real client address for the next hop.
server {
listen 443 reuseport;
proxy_pass $name;
proxy_protocol on;
ssl_preread on;
# The `stream_routing` log_format must be defined elsewhere in the stream context.
access_log /var/log/nginx/stream_443.log stream_routing;
}
}
- NGINX Server
# HTTP-side DoH endpoint: NGINX terminates TLS and hands the request to the
# certificate-less dnsdist listener (the addDOHLocal variant with
# trustForwardedForHeader=true). Belongs inside the server block for doh.example.com.
location = /dns-query {
# Overwrite (never append to) the header dnsdist trusts, using the address taken
# from the PROXY protocol header. Using proxy_set_header with $proxy_protocol_addr
# rather than $proxy_add_x_forwarded_for matters: otherwise a client-supplied
# X-Forwarded-For would be accepted by dnsdist as the query's source address.
# $proxy_protocol_addr is only populated when this server's listen directive
# carries `proxy_protocol` (it is fed by the stream block) - confirm.
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
# Plain HTTP to the loopback dnsdist port; any process on this host can reach it.
proxy_pass http://127.0.0.1:7777;
# DoH (RFC 8484) uses only GET and POST; other methods get 404 before proxying
# (an `if` with `return` runs in the rewrite phase, ahead of proxy_pass).
if ($request_method !~ ^(GET|POST)$) {
return 404;
}
}
- Testing
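# Build a curl with DoH support (--doh-url, available since curl 7.62) and HTTP/2
# from source, because the distro package may lack them. --disable-shared builds a
# static binary; --with-ca-fallback makes it use the system CA bundle.
# NOTE(review): purging the distro curl can remove packages that depend on it;
# installing into /usr/local alongside it (the default prefix) is usually enough.
# NOTE(review): 7.73.0 is an old release; prefer the current one from the same page.
apt-get purge curl
apt-get install libnghttp2-dev
wget https://github.com/curl/curl/releases/download/curl-7_73_0/curl-7.73.0.tar.gz
# Supply-chain check: curl releases ship a detached PGP signature next to the
# tarball. Import the curl release-signing key first, and stop here if the
# verification fails instead of building an unverified tarball.
wget https://github.com/curl/curl/releases/download/curl-7_73_0/curl-7.73.0.tar.gz.asc
gpg --verify curl-7.73.0.tar.gz.asc curl-7.73.0.tar.gz || exit 1
# The original listing ran ./configure in the download directory; the tarball has
# to be unpacked and entered first.
tar xzf curl-7.73.0.tar.gz
cd curl-7.73.0
# --with-ca-fallback requires a TLS backend; check configure's summary reports
# SSL support and HTTP2 (nghttp2) before building.
./configure --disable-shared --with-ca-fallback
make && make install
# Reload the login shell so the newly installed /usr/local/bin/curl is picked up.
exec bash -l
# End-to-end DoH test: resolve www.google.com through the new endpoint.
curl -v --doh-url https://doh.example.com/dns-query https://www.google.com -o /dev/null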
or use the stand-alone DoH test client from:
https://github.com/curl/doh
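# Install cloudflared from Cloudflare's apt repository. The signing key is fetched
# over HTTPS; -f makes curl fail on an HTTP error instead of writing the error page
# into the keyring file, and -sS keeps the download quiet except for real errors.
keyring=/usr/share/keyrings/cloudflare-archive-keyring.gpg
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg -o "$keyring"
# signed-by restricts which key may sign this repository's index, instead of
# trusting the key for every repository (which dropping it into
# /etc/apt/trusted.gpg.d would do).
echo "deb [signed-by=$keyring] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/cloudflared.list
apt update && apt install cloudflared
# Directory for the config file written below.
mkdir -p /usr/local/etc/cloudflared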
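# Systemd unit for the local DoH-forwarding resolver. Unquoted heredoc is safe
# here because the unit text contains no $ to expand.
tee /etc/systemd/system/cloudflared-proxy-dns.service >/dev/null <<EOF
[Unit]
Description=DNS over HTTPS (DoH) proxy client
# Wants= alone does not order the unit; After= is needed so the proxy starts once
# the network is actually up. Before=nss-lookup.target lets units that need name
# resolution wait for this one.
Wants=network-online.target nss-lookup.target
After=network-online.target
Before=nss-lookup.target
[Service]
# Least privilege: a throwaway dynamic UID (per systemd.exec(5) this also implies
# NoNewPrivileges, ProtectSystem=strict, PrivateTmp and ProtectHome=read-only) and
# a capability set reduced to binding low ports. CAP_NET_BIND_SERVICE is only
# needed if proxy-dns-port is below 1024; it can be dropped for the 5553 used in
# config.yml.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DynamicUser=yes
# NOTE(review): confirm the binary path; the apt package may install it as
# /usr/bin/cloudflared rather than /usr/local/bin. The config must be readable by
# the dynamic user.
ExecStart=/usr/local/bin/cloudflared --config /usr/local/etc/cloudflared/config.yml
# Recover from upstream or network failures instead of leaving the host without DNS.
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
EOF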
# cloudflared configuration: a local DNS-over-HTTPS forwarder (tunnel disabled).
tee /usr/local/etc/cloudflared/config.yml >/dev/null <<EOF
# Run the DNS proxy and answer plain DNS on loopback only, so only this host can
# use it (point the stub resolver / resolv.conf at 127.0.0.1 port 5553).
proxy-dns: true
proxy-dns-address: 127.0.0.1
proxy-dns-port: 5553
# Plain-UDP resolvers used to look up the DoH upstream hostnames before any DoH
# session exists. These bootstrap lookups are unencrypted; an on-path attacker
# could steer them, and only the upstream's TLS certificate check limits that to
# denial of service - this file does not control whether that check is done.
proxy-dns-bootstrap:
- 8.8.8.8
- 8.8.4.4
- 9.9.9.9
- 1.1.1.1
# DoH upstreams. cloudflared spreads queries across these (the selection policy
# is not stated here), so each operator sees part of this host's DNS traffic;
# trim the list to operators whose privacy policy you accept. The third-party
# entries are the page author's choice - verify they still exist before use.
proxy-dns-upstream:
- https://1.1.1.1/dns-query
- https://doh.opendns.com/dns-query
- https://chewbacca.meganerd.nl/dns-query
- https://public.dns.iij.jp/dns-query
- https://dns.rubyfish.cn/dns-query
- https://doh.ibr.cs.tu-bs.de/dns-query
# Optional Cloudflare Tunnel settings, left disabled. If enabled under the systemd
# unit above (DynamicUser=yes), a credentials file under /root will most likely be
# unreadable by the dynamic user; keep it somewhere the service can read. Note the
# sample ingress would publish local SSH through the tunnel.
#tunnel: <UUID>
#credentials-file: /root/.cloudflared/<UUID>.json
#ingress:
# - hostname: example.com
# service: ssh://localhost:22
# - service: http_status:404
EOF
# Start the DoH forwarder now and at boot, restart it so the freshly written
# config.yml is the one in use, then show its state.
unit=cloudflared-proxy-dns
systemctl enable --now "$unit"
systemctl restart "$unit"
systemctl status "$unit"
# Sanity check that goes only through the local forwarder on 5553.
dig +short @127.0.0.1 -p5553 twitter.com A
https://blog.bgme.me/posts/how-to-create-an-anti-pollution-dns/
# Stateless filters for forged plain-UDP DNS answers (the "anti-pollution"
# technique from the linked post). They match on packet fingerprints only, with no
# knowledge of which queries were sent, so a legitimate resolver whose responses
# happen to fit a fingerprint is silently dropped too. They are intended for a host
# that resolves through the local DoH forwarder; -t raw PREROUTING drops the
# packets before conntrack sees them. The descriptions below were decoded by hand
# from the cBPF; re-check with a BPF disassembler before relying on them.
#
# IPv4: UDP from source port 53, unfragmented, total length <= 128, DNS header
# counts QD=1 AN=1 NS=0 AR=1, and the last 8 bytes of the packet equal
# 10 00 00 00 00 00 00 00 - an OPT record advertising a 4096-byte UDP size with
# TTL 0 and empty RDATA. Real resolvers can produce this shape as well.
iptables -t raw -A PREROUTING -m bpf --bytecode '38,48 0 0 0,84 0 0 240,21 34 0 96,48 0 0 0,84 0 0 240,21 0 31 64,48 0 0 9,21 0 29 17,40 0 0 6,69 27 0 8191,177 0 0 0,72 0 0 0,21 0 24 53,40 0 0 2,37 22 0 128,72 0 0 12,21 0 20 1,72 0 0 14,21 0 18 1,72 0 0 16,21 0 16 0,72 0 0 18,21 0 14 1,72 0 0 4,20 0 0 8,12 0 0 0,7 0 0 0,64 0 0 0,21 0 8 268435456,177 0 0 0,72 0 0 4,20 0 0 4,12 0 0 0,7 0 0 0,64 0 0 0,21 0 1 0,6 0 0 65535,6 0 0 0' -j DROP
# IPv4: UDP from source port 53, unfragmented, IP identification 0, IP flags and
# fragment offset 0 (no DF), TTL <= 40, DNS counts QD=1 AN=1 NS=0.
iptables -t raw -A PREROUTING -m bpf --bytecode '27,48 0 0 0,84 0 0 240,21 23 0 96,48 0 0 0,84 0 0 240,21 0 20 64,48 0 0 9,21 0 18 17,40 0 0 6,69 16 0 8191,177 0 0 0,72 0 0 0,21 0 13 53,40 0 0 4,21 0 11 0,40 0 0 6,21 0 9 0,48 0 0 8,37 7 0 40,72 0 0 12,21 0 5 1,72 0 0 14,21 0 3 1,72 0 0 16,21 0 1 0,6 0 0 65535,6 0 0 0' -j DROP
# IPv4 UDP (-p udp): source port 53, QD=1 AN=1 NS=0 AR=0, then checks on the DNS
# header flags and on a single-answer layout whose record starts with a compression
# pointer to the question name and type A (0xC00C0001). It reads the source port at
# fixed offset 20, so it assumes an IPv4 header without options. Only partially
# decoded here.
iptables -t raw -A PREROUTING -p udp -m bpf --bytecode '39,40 0 0 20,21 0 36 53,32 0 0 36,21 0 34 0,32 0 0 32,21 3 0 65537,21 0 31 65536,40 0 0 30,21 15 29 33152,40 0 0 30,84 0 0 65487,21 17 0 34176,40 0 0 24,7 0 0 0,64 0 0 4,21 5 0 3222011905,21 0 21 536936448,64 0 0 8,21 0 19 0,64 0 0 12,21 3 17 0,64 0 0 10,37 15 0 255,53 0 14 64,32 0 0 4,21 11 0 0,21 11 0 16384,84 0 0 65535,21 8 9 16384,40 0 0 6,21 0 7 0,40 0 0 24,7 0 0 0,64 0 0 6,21 0 3 65537,64 0 0 10,21 0 1 60,6 0 0 1,6 0 0 0' -j DROP
# IPv6 counterparts. All three expect UDP as the immediate next header at the fixed
# 40-byte offset, so packets carrying extension headers are never matched.
# IPv6: source port 53, payload length <= 128, QD=1 AN=1 NS=0 AR=1, and the same
# trailing OPT fingerprint (10 00 00 00 00 00 00 00) as the first IPv4 rule.
ip6tables -t raw -A PREROUTING -m bpf --bytecode '29,48 0 0 0,84 0 0 240,21 0 25 96,48 0 0 6,21 0 23 17,40 0 0 40,21 0 21 53,40 0 0 4,37 19 0 128,40 0 0 52,21 0 17 1,40 0 0 54,21 0 15 1,40 0 0 56,21 0 13 0,40 0 0 58,21 0 11 1,40 0 0 4,20 0 0 8,7 0 0 1,64 0 0 40,21 0 6 268435456,40 0 0 4,20 0 0 4,7 0 0 6,64 0 0 40,21 0 1 0,6 0 0 65535,6 0 0 0' -j DROP
# IPv6: source port 53, first header word exactly 0x60000000 (traffic class and
# flow label both 0), payload length <= 128, QD=1 AN=1 NS=0.
ip6tables -t raw -A PREROUTING -m bpf --bytecode '19,48 0 0 0,84 0 0 240,21 0 15 96,48 0 0 6,21 0 13 17,40 0 0 40,21 0 11 53,32 0 0 0,21 0 9 1610612736,40 0 0 4,37 7 0 128,40 0 0 52,21 0 5 1,40 0 0 54,21 0 3 1,40 0 0 56,21 0 1 0,6 0 0 65535,6 0 0 0' -j DROP
# IPv6 UDP (-p udp): source port 53, QD=1 AN=1 NS=0 AR=0, version 6 with traffic
# class 0, then the same single-answer layout checks as the third IPv4 rule.
# Only partially decoded here.
ip6tables -t raw -A PREROUTING -p udp -m bpf --bytecode '23,40 0 0 40,21 0 20 53,32 0 0 52,21 0 18 65537,32 0 0 56,21 0 16 0,40 0 0 0,84 0 0 65520,21 0 13 24576,40 0 0 44,7 0 0 0,64 0 0 24,21 5 0 3222011905,21 0 8 536936448,64 0 0 28,21 0 6 0,64 0 0 32,21 3 4 0,64 0 0 30,37 2 0 255,53 0 1 64,6 0 0 1,6 0 0 0' -j DROP