你的DNS Query不會被加密,直接以明文的方式傳輸,這樣ISP或者網路中的任何人都可以清楚的瞭解到你瀏覽了哪些網站。所以就來折騰一下Caddy DoH Server (Caddy + DoH server + overture)

雖然說Cloudflare等有提供免費的DoH DNS服務,但是查詢DNS的使用自己的ip/域名總是要好玩那麼一點。

同時在翻了一邊網上的資料以後,發現基本都是基於Nginx的,麻煩死了,Caddy他不好嗎?

Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it to target you with ads.

DoH的原理可以參見:https://blog.mrsheep.xyz/posts/dot-vs-doh/#dns-over-https

架構

圖是我畫的,不想做圖。。。

GoodNote真是好東西(剛更換貼膜見諒)

photo_2020-05-03_02-12-17.jpg

好吧你要是覺得我畫的丑,你可以看看Nginx版本的或者下面的圖(都是抄的)

Architecture

+--------------+                                +------------------------+
| Application  |                                |  Recursive DNS Server  |
+-------+------+                                +-----------+------------+
        |                                                   |
+-------+------+                                +-----------+------------+
| Client side  |                                |      doh-server        |
| cache (nscd) |                                +-----------+------------+
+-------+------+                                            |
        |         +--------------------------+  +-----------+------------+
+-------+------+  |    HTTP cache server /   |  |   HTTP service muxer   |
|  doh-client  +--+ Content Delivery Network +--+ (Apache, Nginx, Caddy) |
+--------------+  +--------------------------+  +------------------------+

服務端

Overture

Overture means an orchestral piece at the beginning of a classical music composition, just like DNS which is nearly the first step of surfing the Internet.

序曲是古典音樂創作開始時的管弦樂作品,就像DNS一樣,這幾乎是上網的第一步。

我用overture來向upstream轉發我的請求

下載overture

前往shawn1m/overture獲取最新編譯版本,以1.6.1版本amd64爲例:

wget https://github.com/shawn1m/overture/releases/download/v1.6.1/overture-linux-amd64.zip
mv overture-linux-amd64.zip /usr/local/bin/overture && unzip overture-linux-amd64.zip

配置

Overture本身是支持分流的,這裏只貼出我自己的配置文件,具體可以參見作者github readme或者我的另一篇文章

{
  "BindAddress": ":53",
  "DebugHTTPAddress": "127.0.0.1:5555",
  "PrimaryDNS": [
    {
      "Name": "DNSPod",
      "Address": "119.29.29.29:53",
      "Protocol": "udp",
      "SOCKS5Address": "",
      "Timeout": 6,
      "EDNSClientSubnet": {
        "Policy": "disable",
        "ExternalIP": "",
        "NoCookie": true
      }
    },
    {
      "Name": "AliDNS",
      "Address": "223.5.5.5:53",
      "Protocol": "udp",
      "SOCKS5Address": "",
      "Timeout": 6,
      "EDNSClientSubnet": {
        "Policy": "auto",
        "ExternalIP": "",
        "NoCookie": true
      }
    }
  ],
  "AlternativeDNS": [
    {
      "Name": "CloudFlareDNS DoT",
      "Address": "one.one.one.one:853",
      "Protocol": "tcp-tls",
      "SOCKS5Address": "",
      "Timeout": 6,
      "EDNSClientSubnet": {
        "Policy": "disable",
        "ExternalIP": "",
        "NoCookie": true
      }
    },
    {
      "Name": "CloudFlareDNS DoH",
      "Address": "https://cloudflare-dns.com/dns-query",
      "Protocol": "https",
      "SOCKS5Address": "",
      "Timeout": 6,
      "EDNSClientSubnet": {
        "Policy": "disable",
        "ExternalIP": "",
        "NoCookie": true
      }
    },
    {
      "Name": "GoogleDNS",
      "Address": "dns.google:853",
      "Protocol": "tcp-tls",
      "SOCKS5Address": "",
      "Timeout": 6,
      "EDNSClientSubnet": {
        "Policy": "disable",
        "ExternalIP": "",
        "NoCookie": true
      }
    },
    {
      "Name": "OpenDNS",
      "Address": "208.67.222.222:443",
      "Protocol": "tcp",
      "SOCKS5Address": "",
      "Timeout": 6,
      "EDNSClientSubnet": {
        "Policy": "auto",
        "ExternalIP": "",
        "NoCookie": true
      }
    }
  ],
  "OnlyPrimaryDNS": false,
  "IPv6UseAlternativeDNS": false,
  "AlternativeDNSConcurrent": false,
  "PoolIdleTimeout": 15,
  "PoolMaxCapacity": 15,
  "WhenPrimaryDNSAnswerNoneUse": "PrimaryDNS",
  "IPNetworkFile": {
    "Primary": "./china_ip_list.txt",
    "Alternative": ""
  },
  "DomainFile": {
    "Primary": "",
    "Alternative": "./gfwlist_domain.txt",
    "Matcher":  "regex-list"
  },
  "HostsFile": {
    "HostsFile": "./hosts_sample",
    "Finder": "full-map"
  },
  "MinimumTTL": 0,
  "DomainTTLFile" : "./domain_ttl_sample",
  "CacheSize" : 99,
  "RejectQType": [255]
}

完成之後可以dig一下測試

DoH-Server

安裝

因爲海綿寶寶找我有事情(其實就是懶),我直接用了Antoine Aflalo編譯好的2.0.1版本.

wget https://www.aaflalo.me/doh-server/doh-server_2.0.1_amd64.deb
dpkg -i doh-server_2.0.1_amd64.deb

當然我建議你自己編譯一下,你需要一個Go環境。Golang官方寫的Instruction

git clone https://github.com/m13253/dns-over-https
cd dns-over-https
make
make install

配置

配置文件位於/etc/dns-over-https/doh-server.conf

# HTTP listen port
# 監聽的端口,上面v4下面v6
listen = [
    "127.0.0.1:8053",
    "[::1]:8053",
]
# 這個部分可以忽略,等下用Caddy解決
# TLS certification file
# If left empty, plain-text HTTP will be used.
# You are recommended to leave empty and to use a server load balancer (e.g.
# Caddy, Nginx) and set up TLS there, because this program does not do OCSP
# Stapling, which is necessary for client bootstrapping in a network
# environment with completely no traditional DNS service.
cert = ""

# TLS private key file
key = ""

# HTTP path for resolve application
path = "/dns-query"

# 上游dns伺服器,我用overture
# Upstream DNS resolver
# If multiple servers are specified, a random one will be chosen each time.
upstream = [
    "127.0.0.1:53",
]

# Upstream timeout
timeout = 60

# Number of tries if upstream DNS fails
tries = 10

# Only use TCP for DNS query
tcp_only = false

# Enable logging
verbose = false

systemctl restart doh-server
systemctl status doh-server

Caddy

域名:443 {
   gzip
   tls 證書 金鑰
   proxy /dns-query localhost:8053 {
	transparent
   }

}

測試可用性

root@lax:~# curl "https://域名/dns-query?ct=application/dns-json&name=baidu.com&type=A"

{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"baidu.com.","type":1}],"Answer":[{"name":"baidu.com.","type":1,"TTL":527,"Expires":"Sat, 02 May 2020 18:50:25 UTC","data":"220.181.38.148"},{"name":"baidu.com.","type":1,"TTL":527,"Expires":"Sat, 02 May 2020 18:50:25 UTC","data":"39.156.69.79"}]}

參考

Github m13253/dns-over-https

Tutorial to setup your own DNS-over-HTTPS (DoH) server