2018On November 2nd update,One day after switching to DoT,All stubby built-in server running unusually slow,Until daily use is immune to give up ......。
2018On November 1st update,used 5 After days DoH,Since the server is currently offering this service only 1.1.1.1,I was here at this address operators blocked。
1 2 3 4 5 6 |
PING 1.1.1.1 (1.1.1.1): 56 data bytes Request timeout for icmp_seq 0 Request timeout for icmp_seq 1 ^C --- 1.1.1.1 ping statistics --- 3 packets transmitted, 0 packets received, 100.0% packet loss |
three years ago,I wrote an article "Avoid DNS leaks on OS X"Talk about how to protect your privacy,And to avoid DNS Give way,At that time the technology is mainly used dnscrypt- in fact, then I gave up this program,The reason is severely disturbed public server,Configure complex high latency。Now three years later,Let's look at the latest DoT and DoH,Actually DNS over TLS and DNS over HTTPS
Those DNS encryption scheme
In fact, we've already talked about,DNS is expressly transmission of all content,Beginning of the design there is no such thing as safety considerations,Even answer the,You ask A www.logcg.com Which IP address,A not had time to reply, B Responder say 127.0.0.1 ! then,You believed。
It is now a common means of gfw wall websites,DNS is the principle of pollution。In short,dnscrypt Appeared,But it uses a custom protocol,And configure key exchange is needed each other,This leads to a lot of trouble。now,There are two new DNS encryption (apparently also the anti-pollution),This time we will talk about,They in the end where different。
DNS over TLS
TLS encryption fact that we used the Internet encrypted HTTPS,Security has been good protection - if this thing fails,It is estimated that ruined the entire Internet。
DoT use 853 port,Uses TCP for transport - basically it can be understood as the encrypted version of the ordinary DNS。
nowadays,DoT has been quite mature clients,use brew install stubby To install,reuse sudo brew services start stubby You will be able to start the,stubby recommended to use the default configuration,It has integrated multiple trusted server DoT。I am here to test query speed of the slowest 1 Yes seconds ......,You still need a pre-DNS cache service,For example dnsmasq,Here I will act as the direct use of Surge。
Some future doubts
DoT looks wonderful,Almost everything is done to our fantasy encryption of DNS,But one thing still to be noted,In a country like China,Once popular DoT,However, then it can no longer be contaminated,But it could easily be banned - because it has a separate fixed port,Although people do not know what site you visit,But you can know with DoT ,You simply direct interference TCP packet is not on the list?
(of course,DoT may also take up special 443 Port wants)
DNS over HTTPS
In short,Confusion is king,Although this will make network management headache,But in areas of severe review,Still worth a try。While it is people's attitude was wholly unknown to the DoH controversial,But there are still many Internet organizations support it - directly HTTP/2 or HTTPS Protocol request,This time it is hard to put a special DNS traffic separation singled out the interference。
Especially for self-built DNS servers,You can even hide behind the site!
To use the DoH,use brew install cloudflare/cloudflare/cloudflared To install,Run command sudo cloudflared proxy-dns Start it comes to test,You can see that it uses two upstream server:
1 2 |
INFO[0000] Adding DNS upstream url="https://1.1.1.1/dns-query" INFO[0000] Adding DNS upstream url="https://1.0.0.1/dns-query" |
Service can be started after the attempt to query,The first test when I met a lot of obvious error:
1 2 3 |
ERRO[0051] failed to connect to an HTTPS backend "https://1.1.1.1/dns-query" error="failed to perform an HTTPS request: Post https://1.1.1.1/dns-query: net/http: request canceled (Client.Timeout exceeded while awaiting headers)" ERRO[0051] failed to connect to an HTTPS backend "https://1.1.1.1/dns-query" error="failed to perform an HTTPS request: Post https://1.1.1.1/dns-query: net/http: request canceled (Client.Timeout exceeded while awaiting headers)" ERRO[0090] failed to connect to an HTTPS backend "https://1.1.1.1/dns-query" error="failed to perform an HTTPS request: Post https://1.1.1.1/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)" |
But the result was a return to normal,The first query time to stabilize within 300ms,Service comes with its own cache function,The second query like the nature is 0ms。
After a successful test,You need to be configured to cloudflared,So that it can automatically start as a service:
1 2 3 4 5 6 7 |
mkdir -p /usr/local/etc/cloudflared cat << EOF > /usr/local/etc/cloudflared/config.yml proxy-dns: true proxy-dns-upstream: - https://1.1.1.1/dns-query - https://1.0.0.1/dns-query EOF |
you can see,exist /usr/local/etc/cloudflared/config.YML File We gave both the default upstream server,You can also add more here。
In short,After creating the configuration file,Let us execute the command to install the service into the system:
1 2 3 4 |
sudo cloudflared service install INFO[0000] Applied configuration from /usr/local/etc/cloudflared/config.yml INFO[0000] Installing Argo Tunnel as an user launch agent INFO[0000] Outputs are logged in /tmp/com.cloudflare.cloudflared.out.log and /tmp/com.cloudflare.cloudflared.err.log |
Now,You can press ctrl + c temporarily stopped using the service just tested,Then use the command to start system services: sudo launchctl start with.cloudflare.cloudflared
System Configuration
Now,Whether or DoH DoT,We have already started (note,Both at the same time you can only start a,Because the dns will be occupied by local 53 Port) you only need to configure the system to resolve dns 127.0.0.1 .。
Additional content
If you're like me using the Surge,Then you may find that after turning on the Enhance Mode loop appears to be a DNS problem,Lead to an empty result set ...... it seems to be the DNS service and Surge answer in each other。Here we configure Surge does not use a custom DNS,Switching to the system settings DNS:
in conclusion
For now,DoT to use relatively stable in China,But a little slow,Use DoH faster speed but serious interference - this may also be a public server and DoH is not a lot about (after all, it is easy to give you kill the IP),In short,Both methods are self-built server excellent choice,Simple、Shortcut,Very easy。
Rush wording,I am now in use argo tunnel ,That is the cloudflared,Own DNS cache,In a timely manner without the use of pre-DNS cache can be well run,Over time I will come to re-edit the article along with the effect of experience。(Hopefully not as frequently accessed 1.1.1.1 The banned off)
References:
- https://github.com/getdnsapi/stubby
- https://developers.cloudflare.com/argo-tunnel/reference/service/
Original article written by LogStudio:R0uter's Blog » DoT DoH addition DNSCrypt,You can also learn more about the DNS encryption scheme
Reproduced Please keep the source and description link:https://www.logcg.com/archives/3127.html
Can the dots built by bloggers be used directly by filling in the domain name in the private DNS of the Android phone? My self-built Adguard_Home,dot port 853,Phone says can't connect。
Can you try telnet to the corresponding port?,It is very likely that the port is interfered with。 Or is the Android default port doesn't match this? The actual need is doh, 443?
DNSCrypt、Can DoH and DoT be used independently?
DNSCrypt must be used with DoH and DoT,Thank you
something like dns,No problem with chained requests,You can also set one layer,But that does n’t make much sense,All three are dns encryption solutions,You only need to use one of them,Three sets are used together,Also ok,It ’s just encryption redundancy.,Same request,Three requests,Encrypt three times,Are you slow。
Many bloggers article dry ah
I am here to test 4 1 is blocked,1.0.0.1 Use it looks like you can also use
Yes indeed,1.0.0.1 Barely usable。
Really high efficiency 🤣,Surge has it cached DNS
Based on my experience to use,There is a DNS cache。
Why not the browser or the system it 🤔️,ps I can not receive your e-mail reply message
System or browser has a DNS cache,Only a relatively short time on the cache fills。
You will be able to use a domestic mail message is received correctly。(probably
My letter service is actually foxmail aka qq