A simple DNS over HTTPS test (running in Docker)


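DNS over HTTPS has become a standard, adding security to DNS resolution.

The test project runs with docker and docker-compose.

[Figure: reference diagram]

Environment preparation

  • dnscrypt-proxy (the DNS proxy)
Download the Linux release directly and install its dependencies
https://github.com/jedisct1/dnscrypt-proxy/releases
  • doh server
Built and installed from source, using a Docker multi-stage build
  • nginx
Uses openresty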

docker-compose

  • File
version: "3"
services:
  nginx:
    image: openresty/openresty:alpine
    ports:
    - "443:443"
    - "8080:80"
    volumes:
    - "./nginx/nginx.conf:/usr/local/openresty/nginx/conf/nginx.conf"
    - "./nginx/cert/apicaddy.com/cert1.pem:/usr/local/openresty/nginx/conf/cert1.pem"
    - "./nginx/cert/apicaddy.com/privkey1.pem:/usr/local/openresty/nginx/conf/privkey1.pem"

  dns-server:
    image: dalongrong/doh-server
    volumes:
    - "./dns-server/doh-server.conf:/app/doh-server.conf"
    build: 
      context: ./dns-server
      dockerfile: Dockerfile
  dns-proxy:
    image: dalongrong/dnscrypt-proxy
    build: 
      context: ./dns-proxy
      dockerfile: Dockerfile
  • nginx configuration
worker_processes auto;
events {
    worker_connections 65535;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    gzip on;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
    server {
        listen 80;
        server_name localhost;
        charset utf-8;
        location / {
           proxy_set_header Host $http_host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $remote_addr;
           client_body_buffer_size 10M;
           client_max_body_size 10G;
           proxy_buffers 1024 4k;
           proxy_pass http://dns-server:8053;
           real_ip_header X-Forwarded-For;
           real_ip_recursive on;
        }
        location /dns-query {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_redirect off;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_read_timeout 86400;
                proxy_pass http://dns-server:8053/dns-query ;
        }
    }
    server {
        listen 443 ssl http2;
        server_name app.apicaddy.com;
        ssl_certificate cert1.pem;
        ssl_certificate_key privkey1.pem;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        location / {
           proxy_set_header Host $http_host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $remote_addr;
           client_body_buffer_size 10M;
           client_max_body_size 10G;
           proxy_buffers 1024 4k;
           proxy_pass http://dns-server:8053;
           real_ip_header X-Forwarded-For;
           real_ip_recursive on;
        }
        location /dns-query {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_redirect off;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_read_timeout 86400;
                proxy_pass http://dns-server:8053/dns-query ;
        }
    }
}
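  • Modify the configuration files
IPv6 is not enabled in this setup, and most software binds to 127.0.0.1 by default, so the listen addresses have to be changed for the other containers to reach each service.
doh-server configuration changes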
listen = [
    "0.0.0.0:8053",
]
....
upstream = [
    # "1.1.1.1:53",
    # "1.0.0.1:53",
    # "8.8.8.8:53",
    # "8.8.4.4:53",
    "dns-proxy:53"
]
dnscrypt-proxy configuration:
listen_addresses = ['0.0.0.0:53']

Build & test

  • Build
docker-compose up -d

Notes

DNS over HTTPS is a very good thing: it is convenient in terms of both security and flexibility. Further uses still need careful study.

References

https://github.com/jedisct1/dnscrypt-proxy/releases
https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-server/
https://github.com/rongfengliang/dns-proxy-demo
https://github.com/m13253/dns-over-https
https://developers.google.com/speed/public-dns/docs/dns-over-https

