Traditional DNS runs over UDP port 53 (TCP 53 is also used) in cleartext, so it does poorly on both security and user privacy, although some remedies exist, such as DNSCrypt.
DNS over HTTPS (DoH) has now matured: current versions of Firefox can enable it directly, and Chrome ships it as well under the name "Secure DNS".
Firefox: General > Network Settings > Enable DNS over HTTPS, and choose Cloudflare as the provider.
Chrome: the flag at chrome://flags/#dns-httpssvc controls queries for HTTPSSVC records over the configured DoH server; the DoH switch itself is "Use secure DNS" under Settings > Privacy and security > Security.
Test it with curl:
curl "https://1.0.0.1/dns-query?ct=application/dns-json&name=baidu.com&type=A" -v
*   Trying 1.0.0.1...
* TCP_NODELAY set
* Connected to 1.0.0.1 (1.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
    CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare-dns.com
*  start date: Jan 11 00:00:00 2021 GMT
*  expire date: Jan 18 23:59:59 2022 GMT
*  subjectAltName: host "1.0.0.1" matched cert's IP address!
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f8922810e00)
> GET /dns-query?ct=application/dns-json&name=baidu.com&type=A HTTP/2
> Host: 1.0.0.1
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Sun, 06 Jun 2021 02:13:50 GMT
< content-type: application/dns-json
< content-length: 243
< access-control-allow-origin: *
< cf-request-id: 0a80b223110000e7f1b8877000000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 65ae1fb1bb01e7f1-LAX
<
* Connection #0 to host 1.0.0.1 left intact
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"baidu.com","type":1}],"Answer":[{"name":"baidu.com","type":1,"TTL":65,"data":"39.156.69.79"},{"name":"baidu.com","type":1,"TTL":65,"data":"220.181.38.148"}]}
* Closing connection 0
Aliyun also offers this kind of service: http://dns.alidns.com/resolve?name=www.taobao.com.&type=1 (note the plain http:// scheme; the same endpoint is also served over https://, and only that form is actually DoH).
Testing shows that Aliyun's resolver also returns polluted answers. Since the query below went over plain HTTP, this test alone cannot tell whether the bogus record came from the resolver itself or was injected on the path; either way, the answer for www.google.com is wrong.
curl "https://1.0.0.1/dns-query?ct=application/dns-json&name=www.google.com&type=A"
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"www.google.com","type":1}],"Answer":[{"name":"www.google.com","type":1,"TTL":39,"data":"172.217.14.100"}]}

curl "http://dns.alidns.com/resolve?name=www.google.com.&type=1"
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":{"name":"www.google.com.","type":1},"Answer":[{"name":"www.google.com.","TTL":15,"type":1,"data":"162.125.32.6"}]}
After enabling DoH, Yahoo Japan search works again. Probably only DNS pollution is applied to it, without any SNI or IP blocking on top, perhaps because too few people search in Japanese.
Thoughts: DoH does solve DNS pollution, but there are only a handful of fixed usable endpoints unless you host your own. Windows 10 seems to have DoH support planned, but on systems without it, such as Windows 7 or XP, it is of limited practical use. Most work today can be done in a browser anyway, so it comes down to installing a current browser.
If the whole system must use DoH on an OS that does not support it, the only option is a local DNS server with DoH upstream and plain UDP downstream (which is exactly what tools such as dnscrypt-proxy and cloudflared proxy-dns already do). Of little use in practice; no plans to build one here.
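The local stub just described, written out as an added example (this is not the author's code, who states no plans to build one, nor the code of any of the tools named above): a UDP listener that forwards each wire-format query upstream with an RFC 8484 POST and hands the wire-format answer back, restoring the client's transaction ID, answering SERVFAIL when the upstream fails, and setting TC when the answer will not fit in a plain UDP datagram. The listen address 127.0.0.1:5353 and the upstream URL https://1.0.0.1/dns-query are assumptions; for a whole-system setup you would bind port 53 and point the OS resolver at 127.0.0.1.

```python
"""Local DNS stub: plain UDP on the client side, DoH (RFC 8484) upstream.
Added example, not the page's own code. Listen address and upstream URL are assumptions."""
import socket
import struct
import threading
import urllib.request

# Assumption: IP-literal upstream, so the TLS ClientHello carries no SNI. Certificate
# validation still works because the server certificate carries an IP SAN for 1.0.0.1.
DOH_URL = "https://1.0.0.1/dns-query"
LISTEN = ("127.0.0.1", 5353)   # assumption: unprivileged port for testing; use 53 for the whole system
MAX_UDP = 512                  # classic UDP payload limit when the client sends no EDNS0 OPT


def encode_name(name):
    """Encode 'www.example.com' as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, ident=0x1234):
    """Wire-format query: 12-byte header with RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def question_end(msg):
    """Offset just past the question section (labels, QTYPE, QCLASS)."""
    i = 12
    while i < len(msg):
        length = msg[i]
        if length == 0:
            return i + 5            # terminating zero byte + QTYPE + QCLASS
        if length & 0xC0:           # compression pointer: not valid in a query's question
            raise ValueError("compressed name in question")
        i += 1 + length
    raise ValueError("truncated question")


def doh_query(wire_query, url=DOH_URL, timeout=5.0):
    """RFC 8484 POST: send a wire-format query, receive a wire-format response."""
    req = urllib.request.Request(url, data=wire_query, method="POST", headers={
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise ValueError("unexpected content type %r" % ctype)
        return resp.read()


def servfail(wire_query):
    """Response with RCODE=2 (SERVFAIL), echoing the client's ID and question."""
    ident, flags = struct.unpack("!HH", wire_query[:4])
    flags = 0x8000 | (flags & 0x0100) | 0x0002       # QR=1, keep RD, RCODE=SERVFAIL
    question = wire_query[12:question_end(wire_query)]
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0) + question


def forward(wire_query, upstream=doh_query, max_udp=MAX_UDP):
    """Resolve one client query via `upstream`; returns None for queries that should be dropped."""
    if len(wire_query) < 12 or struct.unpack("!H", wire_query[4:6])[0] != 1:
        return None                                   # malformed, or not a single-question query
    try:
        question_end(wire_query)
    except ValueError:
        return None
    client_id = wire_query[:2]
    try:
        # RFC 8484 section 4.1: send ID 0 so identical queries are cacheable at the HTTP layer
        answer = upstream(b"\x00\x00" + wire_query[2:])
        if len(answer) < 12:
            raise ValueError("short response")
    except Exception:
        return servfail(wire_query)
    answer = client_id + answer[2:]                   # restore the client's transaction ID
    if len(answer) > max_udp:
        # Too big for plain UDP: return header + question with TC=1 so the client retries over TCP.
        flags = struct.unpack("!H", answer[2:4])[0] | 0x0200
        answer = client_id + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + answer[12:question_end(answer)]
    return answer


def serve(listen=LISTEN, upstream=doh_query):
    """Blocking UDP loop; each query is resolved on its own thread."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        data, peer = sock.recvfrom(4096)

        def handle(data=data, peer=peer):
            reply = forward(data, upstream)
            if reply is not None:
                sock.sendto(reply, peer)

        threading.Thread(target=handle, daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it and test with `dig @127.0.0.1 -p 5353 baidu.com`. The upstream is deliberately a plain function, so the same forwarder can be pointed at any RFC 8484 server, and a client that never sees a reply (rather than a SERVFAIL) is the tell that the upstream connection itself is being reset.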
Update 2021-06-16 20:33: this method no longer works either. DoH is being blocked with TCP RST, forcing a fallback to ordinary DNS.
[Capture: TLS Client Hello with SNI mozilla.cloudflare-dns.com, answered by a TCP RST]
And the IP shown in the capture above is simply wrong; it points nowhere and has been dropped into a black hole.
For Yahoo Japan, since the blocking is not that heavy, editing the hosts file works for the time being, or the resolver URL above can be changed to https://1.0.0.1/dns-query. An IP-literal URL means the TLS Client Hello carries no SNI for the filter to match, and the certificate still validates because Cloudflare's certificate includes the IP in its subjectAltName (as the curl output above shows); the destination 1.0.0.1:443 itself remains easy to identify, though.
Wow, so it is already up to episode 12. 驚く