DoH and DoT: a very good fit for the SASE model!!!

List of public DNS servers

Some public DNS providers already offer free DNS over TLS servers; see the table below.

Providers offering DNS over TLS

| Provider | IP addresses | Blocking | Features |
|---|---|---|---|
| Cloudflare | 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001 | | DNS over TLS on port 853,[11] DNSSEC validation |
| Google Public DNS | 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844 | | DNS over TLS on port 853 |
| Quad9 | 9.9.9.9, 149.112.112.112, 2620:fe::fe, 2620:fe::9 | Malicious domains | DNS over TLS on port 853,[12] DNSSEC validation |
| CleanBrowsing | 185.228.168.168, 185.228.168.169, 2a0d:2a00:1::, 2a0d:2a00:2:: | Adult content | DNS over TLS on port 853,[13] DNSSEC validation |
| CleanBrowsing | 185.228.168.9, 185.228.169.9, 2a0d:2a00:1::2, 2a0d:2a00:2::2 | Malicious domains | DNS over TLS on port 853, DNSSEC validation |
| Quadrant Information Security | 12.159.2.159, 2001:1890:140c::159 | | DNS over TLS on port 853, DNSSEC validation |
| Alibaba DNS | 223.5.5.5, 223.6.6.6, 2400:3200::1, 2400:3200:baba::1 | Great Firewall | DNS over TLS on port 853, DNSSEC validation |

Public DNS

DNS over HTTPS is already supported by some public DNS services.[9][10] They are listed below:

| Provider | URL | Protocol | Blocking | Reference |
|---|---|---|---|---|
| AdGuard | https://dns-unfiltered.adguard.com/dns-query | | N/A | DoH endpoint[11] |
| | https://dns.adguard.com/dns-query | | Ads | |
| | https://dns-family.adguard.com/dns-query | | Ads and adult content | |
| Alibaba DNS[12] | https://dns.alidns.com/dns-query | N/A | Great Firewall | DoH endpoint |
| | https://223.5.5.5/dns-query | | | |
| | https://223.6.6.6/dns-query | | | |
| | https://[2400:3200::1]/dns-query | | | |
| | https://[2400:3200:baba::1]/dns-query | | | |
| Cloudflare | https://cloudflare-dns.com/dns-query[13] | IETF draft | | DoH endpoint[15] |
| | https://1.1.1.1/dns-query | | | |
| | https://1.0.0.1/dns-query | | | |
| | https://[2606:4700:4700::1111]/dns-query | | | |
| | https://[2606:4700:4700::1001]/dns-query | | | |
| | https://[2606:4700:4700::64]/dns-query | | | |
| | https://[2606:4700:4700::6464]/dns-query | | | |
| | https://security.cloudflare-dns.com/dns-query | | Malware | |
| | https://family.cloudflare-dns.com/dns-query[14] | | Malware and adult content | |
| DNSPod DNS[16] | https://doh.pub/dns-query | N/A | | DoH endpoint |
| | https://dns.pub/dns-query | | | |
| | https://dot.pub/dns-query | | | |
| Google Public DNS | https://dns.google/dns-query | Google Labs | | DoH endpoint[18] |
| | https://dns.google/resolve[2] | | | |
| | https://dns64.dns.google/dns-query | | | |
| | https://dns64.dns.google/resolve?name=ipv4only.arpa&type=AAAA[17] | | | |
| OpenDNS[19] | https://doh.opendns.com | | N/A | DoH endpoint |
| | https://doh.familyshield.opendns.com | | Adult content | |
| Quad9 DNS[20] | https://dns.quad9.net/dns-query | N/A | Malware | DoH endpoint |
| | https://dns11.quad9.net/dns-query | | Malware, ECS | |
| | https://dns10.quad9.net/dns-query | | | |
| Taiwan Network Information Center (TWNIC) Quad 101[21] | https://dns.twnic.tw/dns-query[22] | N/A | | DoH endpoint[23] |

DNS over HTTPS and DNS over TLS | Secure DNS

DNS queries are sent in plaintext, which means anyone can read them. DNS over HTTPS and DNS over TLS both encrypt DNS queries and responses to keep users' browsing secure and private. However, each approach has its drawbacks.

Why does DNS need an extra layer of security?

DNS is the phonebook of the Internet; DNS resolvers translate human-readable domain names into machine-readable IP addresses. By default, DNS queries and responses are sent in plaintext (via UDP), which means they can be read by networks, ISPs, or anybody able to monitor transmissions. Even if a website uses HTTPS, the DNS query required to navigate to that website is exposed.

This lack of privacy has a huge impact on security and, in some cases, human rights; if DNS queries are not private, then it becomes easier for governments to censor the Internet and for attackers to stalk users' online behavior.

Attacker views unsecured DNS traffic

Think of a normal, unencrypted DNS query as being like a postcard sent through the mail: anyone handling the mail may happen to catch a glimpse of the text written on the back side, so it is not wise to mail a postcard that contains sensitive or private information.

DNS over TLS and DNS over HTTPS are two standards developed for encrypting plaintext DNS traffic in order to prevent malicious parties, advertisers, ISPs, and others from being able to interpret the data. Continuing the analogy, these standards aim to put an envelope around all postcards going through the mail, so that anyone can send a postcard without worrying that someone is snooping on what they are up to.

DNS queries secured over TLS or HTTPS, attacker blocked

What is DNS over TLS?

DNS over TLS, or DoT, is a standard for encrypting DNS queries to keep them secure and private. DoT uses the same security protocol, TLS, that HTTPS websites use to encrypt and authenticate communications. (TLS is also known as "SSL.") DoT adds TLS encryption on top of the user datagram protocol (UDP), which is used for DNS queries. Additionally, it ensures that DNS requests and responses are not tampered with or forged via on-path attacks.

What is DNS over HTTPS?

DNS over HTTPS, or DoH, is an alternative to DoT. With DoH, DNS queries and responses are encrypted, but they are sent via the HTTP or HTTP/2 protocols instead of directly over UDP. Like DoT, DoH ensures that attackers can't forge or alter DNS traffic. DoH traffic looks like other HTTPS traffic – e.g. normal user-driven interactions with websites and web apps – from a network administrator's perspective.

In February 2020, the Mozilla Firefox browser began enabling DoH for U.S. users by default. DNS queries from the Firefox browser are encrypted by DoH and go to either Cloudflare or NextDNS. Several other browsers also support DoH, although it is not turned on by default.

Wait, doesn't HTTPS also use TLS for encryption? What is the difference between DNS over HTTPS and DNS over TLS?

Each standard was developed separately and has its own RFC* documentation, but the most important difference between DoT and DoH is what port they use. DoT only uses port 853, while DoH uses port 443, which is the port that all other HTTPS traffic uses as well.

Because DoT has a dedicated port, anyone with network visibility can see DoT traffic coming and going, even though the requests and responses themselves are encrypted. In contrast, with DoH, DNS queries and responses are camouflaged within other HTTPS traffic, since it all comes and goes from the same port.

*RFC stands for "Request for Comments", and an RFC is a collective attempt by developers, networking experts, and thought leaders to standardize an Internet technology or protocol.
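Added here as a worked example (my code, not from the original article or from any provider listed above): the same DNS wire-format query prepared for both transports, with `dot_frame` applying the two-byte length prefix that DoT inherits from DNS over TCP (RFC 7858 runs TLS over TCP port 853, because TLS needs a stream transport), `doh_get_url` producing the RFC 8484 GET form for a `/dns-query` endpoint from the table earlier on this page, and `parse_answers` reading the answer records back and treating a non-zero RCODE as "no answers". Only `dot_query` touches the network; the `example.com` name, transaction id and resolver choice in the usage note are assumptions for illustration.

```python
import base64
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS wire-format query (RFC 1035): header with RD set, QNAME labels, QTYPE, QCLASS IN."""
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def dot_frame(msg):
    """DoT reuses DNS-over-TCP framing: a two-byte big-endian length prefix (RFC 7858)."""
    return struct.pack(">H", len(msg)) + msg

def doh_get_url(endpoint, msg):
    """DoH GET form (RFC 8484): the same wire-format message, base64url with padding stripped, in ?dns=."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")

def _skip_name(data, pos):
    """Offset just past a (possibly compressed) domain name that starts at pos."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length

def parse_answers(resp):
    """Return (TYPE, TTL, RDATA) for each answer RR; [] when the response carries a non-zero RCODE."""
    flags, qdcount, ancount = struct.unpack(">HHH", resp[2:8])
    if flags & 0x000F:
        return []
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4    # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        answers.append((rtype, ttl, resp[pos + 10:pos + 10 + rdlen]))
        pos += 10 + rdlen
    return answers

def dot_query(server, sni, msg, timeout=5):
    """One round trip to a DoT resolver: TLS over TCP port 853, certificate and SNI verified (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, 853), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=sni) as tls:
            tls.sendall(dot_frame(msg))
            stream = tls.makefile("rb")    # read(n) blocks until n bytes or EOF
            length = struct.unpack(">H", stream.read(2))[0]
            return stream.read(length)
```

With network access, `parse_answers(dot_query("9.9.9.9", "dns.quad9.net", build_query("example.com")))` resolves through the Quad9 DoT server from the table, while `doh_get_url("https://cloudflare-dns.com/dns-query", build_query("example.com"))` gives the URL an HTTPS client would fetch with an `Accept: application/dns-message` header.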

What is a port?

In networking, a port is a virtual location on a computer that is open to connections from other computers. Every networked computer has a standard number of ports, and each port is reserved for a specific type of communication.

This can be compared to berths for ships in a harbor: each berth is numbered, and different kinds of ships are expected to go to a specific berth to unload cargo or passengers. Networking works the same way: certain types of communication are expected to go to specific network ports. The difference is that network ports are virtual; they are places for digital connections rather than physical ones.

Which is better, DoT or DoH?

This is up for debate. From a network security standpoint, DoT is arguably better. It gives network administrators the ability to monitor and block DNS queries, which is important for identifying and stopping malicious traffic. DoH queries, meanwhile, are hidden in regular HTTPS traffic, meaning they cannot easily be blocked without blocking all other HTTPS traffic as well.

From a privacy standpoint, however, DoH is arguably preferable. With DoH, DNS queries are hidden within the larger stream of HTTPS traffic. This reduces network administrators' visibility but increases users' privacy.

1.1.1.1 is Cloudflare's free DNS resolver, and it supports both DoT and DoH.
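Added as a defender's illustration of the visibility point made above (my code, not from the original article): a small classifier over constructed flow records that labels DoT by its dedicated port 853 alone, but can label DoH only by matching the TLS SNI or the destination address against the resolver names and addresses listed in the tables earlier on this page. It assumes flow records with src, dst, dport and plain (unencrypted) SNI fields, and it only finds resolvers that are on the list.

```python
import ipaddress

# Resolver hostnames and address literals taken from the tables above: DoH endpoints answer on 443,
# DoT resolvers on 853. DoH URLs that use an IP literal (https://1.1.1.1/dns-query) carry no
# hostname in the TLS SNI, so a name list alone misses them; the destination address is matched too.
DOH_HOSTNAMES = {
    "cloudflare-dns.com", "security.cloudflare-dns.com", "family.cloudflare-dns.com",
    "dns.google", "dns64.dns.google", "dns.quad9.net", "dns10.quad9.net", "dns11.quad9.net",
    "doh.opendns.com", "doh.familyshield.opendns.com", "dns.adguard.com",
    "dns-unfiltered.adguard.com", "dns-family.adguard.com", "doh.pub", "dns.pub", "dot.pub",
    "dns.alidns.com", "dns.twnic.tw",
}
DOH_ADDRESSES = {ipaddress.ip_address(a) for a in (
    "1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001",
    "2606:4700:4700::64", "2606:4700:4700::6464",
    "223.5.5.5", "223.6.6.6", "2400:3200::1", "2400:3200:baba::1",
)}

def classify(flow):
    """Label one flow record {src, dst, dport, sni} as 'dot', 'doh', or None."""
    if flow["dport"] == 853:
        return "dot"                         # dedicated port: visible without any list
    if flow["dport"] == 443:
        # Only plain SNI is visible; with Encrypted ClientHello the address match is all that is left.
        if flow.get("sni") in DOH_HOSTNAMES or ipaddress.ip_address(flow["dst"]) in DOH_ADDRESSES:
            return "doh"
    return None                              # ordinary HTTPS, plaintext DNS, anything else

def summarize(flows):
    """Count encrypted-DNS flows per kind and list (src, kind, dst, sni) for each hit."""
    counts = {"dot": 0, "doh": 0}
    hits = []
    for flow in flows:
        kind = classify(flow)
        if kind:
            counts[kind] += 1
            hits.append((flow["src"], kind, flow["dst"], flow.get("sni")))
    return counts, hits

# Constructed sample flows (not real traffic): src, dst, dport, and the TLS SNI if any.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "9.9.9.9", "dport": 853, "sni": "dns.quad9.net"},
    {"src": "10.0.0.5", "dst": "104.16.248.249", "dport": 443, "sni": "cloudflare-dns.com"},
    {"src": "10.0.0.7", "dst": "1.1.1.1", "dport": 443, "sni": None},
    {"src": "10.0.0.7", "dst": "93.184.216.34", "dport": 443, "sni": "www.example.com"},
    {"src": "10.0.0.9", "dst": "8.8.8.8", "dport": 53, "sni": None},
]

if __name__ == "__main__":
    counts, hits = summarize(SAMPLE_FLOWS)
    print(counts)
    for hit in hits:
        print(*hit)
```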

What is the difference between DNS over TLS/HTTPS and DNSSEC?

DNSSEC is a set of security extensions for verifying the identity of DNS root servers and authoritative nameservers in communications with DNS resolvers. It is designed to prevent DNS cache poisoning, among other attacks. It does not encrypt communications. DNS over TLS or HTTPS, on the other hand, does encrypt DNS queries. 1.1.1.1 supports DNSSEC as well.

To learn more about 1.1.1.1, see What is 1.1.1.1?

posted @ 2021-11-05 15:45 bonelee