DNS over HTTPS (DoH): an introduction
Traditional DNS runs over UDP port 53 (TCP 53 is also allowed) in plaintext, so it does poorly on both security and user privacy: anyone on the path can read every query and rewrite the answers, which is exactly the "DNS pollution" discussed further down. Workarounds such as DNSCrypt have existed for a while.
DNS over HTTPS (RFC 8484) has now matured. Recent Firefox versions can enable it directly, and Chrome also ships it in stable (Settings -> Privacy and security -> Security -> Use secure DNS).
Firefox: General -> Network Settings -> Enable DNS over HTTPS, and pick Cloudflare as the provider. Note that Firefox's Cloudflare profile talks to mozilla.cloudflare-dns.com, which matters in the update below.
Chrome flag: chrome://flags/#dns-httpssvc
Testing with curl against Cloudflare's JSON API:
curl "https://1.0.0.1/dns-query?ct=application/dns-json&name=baidu.com&type=A" -v
*   Trying 1.0.0.1...
* TCP_NODELAY set
* Connected to 1.0.0.1 (1.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare-dns.com
*  start date: Jan 11 00:00:00 2021 GMT
*  expire date: Jan 18 23:59:59 2022 GMT
*  subjectAltName: host "1.0.0.1" matched cert's IP address!
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f8922810e00)
> GET /dns-query?ct=application/dns-json&name=baidu.com&type=A HTTP/2
> Host: 1.0.0.1
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Sun, 06 Jun 2021 02:13:50 GMT
< content-type: application/dns-json
< content-length: 243
< access-control-allow-origin: *
< cf-request-id: 0a80b223110000e7f1b8877000000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 65ae1fb1bb01e7f1-LAX
<
* Connection #0 to host 1.0.0.1 left intact
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"baidu.com","type":1}],"Answer":[{"name":"baidu.com","type":1,"TTL":65,"data":"39.156.69.79"},{"name":"baidu.com","type":1,"TTL":65,"data":"220.181.38.148"}]}
* Closing connection 0
Two things worth noticing in that output: the certificate was matched on its IP subjectAltName because curl sends no SNI for an IP-literal host, and "AD":false means the resolver did not assert DNSSEC validation for this answer.
Aliyun offers the same kind of service: http://dns.alidns.com/resolve?name=www.taobao.com.&type=1 (note the plain http:// here, so this particular request is not encrypted at all; the service also answers over https, which is what you would actually use).
Testing shows that AliDNS's DoH service hands back polluted answers too. Cloudflare and AliDNS for the same name:
curl "https://1.0.0.1/dns-query?ct=application/dns-json&name=www.google.com&type=A"
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"www.google.com","type":1}],"Answer":[{"name":"www.google.com","type":1,"TTL":39,"data":"172.217.14.100"}]}
curl "http://dns.alidns.com/resolve?name=www.google.com.&type=1"
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":{"name":"www.google.com.","type":1},"Answer":[{"name":"www.google.com.","TTL":15,"type":1,"data":"162.125.32.6"}]}
After enabling DoH, Yahoo Japan search works normally again. Apparently only DNS pollution was applied to it, with no SNI or IP blocking on top, perhaps because too few people search in Japanese.
Thoughts: DoH does solve the DNS pollution problem, but there are only a handful of usable public endpoints unless you host your own. Windows 10 appears to be getting DoH support (it is in Insider preview builds), but on systems that do not support it, such as Windows 7 or XP, it is of limited practical use; then again, most work today is done in the browser, so it comes down to installing a current browser.
If you really want the whole system on DoH while the OS does not support it, the only option is to write a local DNS server yourself: DoH upstream, plain UDP downstream to local clients. The use case is narrow, and I have no plans to develop one for now.
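The curl tests above use the JSON API; the standard wire form of DoH (RFC 8484, application/dns-message) carries an ordinary DNS packet instead, either base64url-encoded in a GET parameter or as a POST body. The following is an added example written for this page, not Cloudflare's, Alibaba's or the author's code: it builds such a query, encodes the GET URL, parses a response (including RFC 1035 name compression), and compares two resolvers' A records the way the www.google.com test above does. Building and parsing wire-format messages is also the core that the local DoH-upstream/UDP-downstream forwarder mentioned above would need. The sample response is constructed inline from the baidu.com answer shown earlier; the two www.google.com answers are copied from the page; function names are this example's own.

```python
# Added example for this page (not Cloudflare's or Alibaba's code): the RFC 8484
# binary DoH format behind the ?ct=application/dns-json queries above, plus the
# resolver comparison used to spot the polluted www.google.com answer.
from __future__ import annotations
import base64
import struct

DOH_ENDPOINT = "https://1.0.0.1/dns-query"   # Cloudflare endpoint used in the post
QTYPE_A = 1


def encode_name(name: str) -> bytes:
    """Domain name as DNS wire labels: <len><label>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """One-question query with RD=1.  ID is 0 as RFC 8484 section 4.1 suggests,
    so identical queries give identical URLs that HTTP caches can reuse."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN

def doh_get_url(endpoint: str, message: bytes) -> str:
    """GET form of RFC 8484: ?dns=<base64url with padding stripped>."""
    b64 = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"

def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a name, following RFC 1035 compression pointers.  Returns
    (name, offset just past the name as it appeared in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # 11xxxxxx: 14-bit pointer
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_response(msg: bytes) -> dict:
    """Header, question and answer sections, in the shape of the JSON API output."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "type": qtype})
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        is_a = rtype == QTYPE_A and rdlen == 4
        data = ".".join(str(b) for b in rdata) if is_a else rdata.hex()
        answers.append({"name": name, "type": rtype, "TTL": ttl, "data": data})
    return {"Status": flags & 0xF, "TC": bool(flags & 0x0200),
            "Question": questions, "Answer": answers}

def answers_disjoint(resp_a: dict, resp_b: dict) -> bool:
    """True when two resolvers share no A record.  A hint, not proof of
    tampering: CDN geo-DNS also hands different clients different addresses."""
    def a_set(resp: dict) -> set[str]:
        return {rr["data"] for rr in resp.get("Answer", []) if rr["type"] == QTYPE_A}
    return not (a_set(resp_a) & a_set(resp_b))

# Constructed sample: the baidu.com answer above, re-encoded in wire format.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 2, 0, 0)      # QR, RD, RA; 1 question, 2 answers
    + encode_name("baidu.com") + struct.pack("!HH", QTYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 65, 4) + bytes([39, 156, 69, 79])
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 65, 4) + bytes([220, 181, 38, 148])
)
# The two www.google.com answers quoted above, as each JSON API returned them.
CLOUDFLARE_GOOGLE = {"Answer": [{"name": "www.google.com", "type": 1, "TTL": 39, "data": "172.217.14.100"}]}
ALIDNS_GOOGLE = {"Answer": [{"name": "www.google.com.", "type": 1, "TTL": 15, "data": "162.125.32.6"}]}

if __name__ == "__main__":
    print(doh_get_url(DOH_ENDPOINT, build_query("baidu.com")))
    print(parse_response(SAMPLE_RESPONSE))
    print("answers disjoint:", answers_disjoint(CLOUDFLARE_GOOGLE, ALIDNS_GOOGLE))
```

The URL that doh_get_url produces can be fetched with curl -H "accept: application/dns-message" and the body fed to parse_response. A forwarder built on these pieces would keep the client's original message ID on the UDP side and rewrite it to 0 only for the upstream GET; a disjoint answer set between two trusted resolvers is a reason to look closer, not an automatic verdict.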
Update 2021-06-16 20:33: this method no longer works either. DoH is now being cut off with TCP RST, forcing a fallback to plain DNS.
[Packet capture: the TLS Client Hello carrying SNI mozilla.cloudflare-dns.com is answered with a TCP RST.]
And the IP address shown in that capture is simply wrong: it belongs nowhere, and traffic to it is dropped into a black hole.
For Yahoo Japan, since the blocking is not that aggressive, editing the hosts file is enough to keep using it for now; alternatively, change the provider URL above to https://1.0.0.1/dns-query. The RST is keyed on the SNI, and a URL with an IP literal sends no SNI at all (the earlier curl output shows the certificate matched on its IP subjectAltName instead), so the filter has nothing to match on until it starts keying on the destination IP itself.
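To make the SNI point concrete, here is an added example (not part of the original post and not a real middlebox) that builds a simplified TLS 1.2 ClientHello with or without a server_name extension and runs the same extraction an RST-injecting filter performs. The block list, function names and the single cipher suite are this example's own assumptions; the blocked name is the one seen in the capture above.

```python
# Added example (not from the post): a minimal TLS ClientHello builder and the
# SNI extraction an RST-injecting middlebox does on the first packet.  The
# block list and the ClientHello contents are illustrative assumptions.
from __future__ import annotations
import os
import struct

BLOCKED_SNI = {"mozilla.cloudflare-dns.com"}   # the name seen RST'd in the capture above


def client_hello(sni: str | None) -> bytes:
    """One TLS record carrying a ClientHello.  With sni=None the server_name
    extension is omitted, which is what curl does for https://1.0.0.1/..."""
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host        # type 0 = host_name
        server_name_list = struct.pack("!H", len(name_entry)) + name_entry
        extensions += struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    # ALPN is always present, so the parser must walk past an unrelated
    # extension and the extensions block is never empty.
    alpn_protos = b"\x02h2\x08http/1.1"
    alpn = struct.pack("!H", len(alpn_protos)) + alpn_protos
    extensions += struct.pack("!HH", 0x0010, len(alpn)) + alpn
    body = (
        b"\x03\x03" + os.urandom(32)                  # client_version, random
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", 2) + b"\xcc\xa9"          # one suite: ECDHE-ECDSA-CHACHA20-POLY1305
        + b"\x01\x00"                                 # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> str | None:
    """Return the host_name from the server_name extension, or None."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None                                   # not a ClientHello
    p = 4 + 2 + 32                                    # handshake header, version, random
    p += 1 + hs[p]                                    # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]      # cipher_suites
    p += 1 + hs[p]                                    # compression_methods
    if p + 2 > len(hs):
        return None                                   # no extensions block
    ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if ext_type == 0x0000:
            q = p + 2                                 # skip server_name_list length
            while q + 3 <= p + ext_len:
                name_type = hs[q]
                name_len = struct.unpack("!H", hs[q + 1:q + 3])[0]
                if name_type == 0:
                    return hs[q + 3:q + 3 + name_len].decode("ascii")
                q += 3 + name_len
        p += ext_len
    return None


def middlebox_verdict(record: bytes, blocked: set[str] = BLOCKED_SNI) -> str:
    """What an SNI filter does with this ClientHello: 'RST' or 'pass'."""
    return "RST" if extract_sni(record) in blocked else "pass"


if __name__ == "__main__":
    for name in ("mozilla.cloudflare-dns.com", "cloudflare-dns.com", None):
        print(name, "->", middlebox_verdict(client_hello(name)))
```

The IP-literal hello passes only because there is nothing to match; a filter that also keys on the destination address 1.0.0.1 or 1.1.1.1 closes that gap, and Encrypted Client Hello, once widely deployed, removes the plaintext SNI the filter depends on.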
Wow, so it's already up to episode 12. Surprising.