A quick DNS over HTTPS test (running in docker)

DNS over HTTPS has become a standard; it adds a layer of security to our DNS resolution.

The test project is run with docker && docker-compose.

A reference diagram

Environment setup

  • dnscrypt-proxy (the DNS proxy)
Downloaded the Linux release directly and installed its dependencies
https://github.com/jedisct1/dnscrypt-proxy/releases
  • doh server
Built and installed from source, using a docker multi-stage build
  • nginx
Using openresty

docker-compose

  • File
version: "3"
services:
  nginx:
    image: openresty/openresty:alpine
    ports:
    - "443:443"
    - "8080:80"
    volumes:
    - "./nginx/nginx.conf:/usr/local/openresty/nginx/conf/nginx.conf"
    - "./nginx/cert/apicaddy.com/cert1.pem:/usr/local/openresty/nginx/conf/cert1.pem"
    - "./nginx/cert/apicaddy.com/privkey1.pem:/usr/local/openresty/nginx/conf/privkey1.pem"

  dns-server:
    image: dalongrong/doh-server
    volumes:
    - "./dns-server/doh-server.conf:/app/doh-server.conf"
    build: 
      context: ./dns-server
      dockerfile: Dockerfile
  dns-proxy:
    image: dalongrong/dnscrypt-proxy
    build: 
      context: ./dns-proxy
      dockerfile: Dockerfile
  • nginx configuration
worker_processes auto;
events {
    worker_connections 65535;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    gzip on;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
    server {
        listen 80;
        server_name localhost;
        charset utf-8;
        location / {
           proxy_set_header Host $http_host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $remote_addr;
           client_body_buffer_size 10M;
           client_max_body_size 10G;
           proxy_buffers 1024 4k;
           proxy_pass http://dns-server:8053;
           real_ip_header X-Forwarded-For;
           real_ip_recursive on;
        }
        location /dns-query {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_redirect off;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_read_timeout 86400;
                proxy_pass http://dns-server:8053/dns-query ;
        }
    }
    server {
        listen 443 ssl http2;
        server_name app.apicaddy.com;
        ssl_certificate cert1.pem;
        ssl_certificate_key privkey1.pem;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        location / {
           proxy_set_header Host $http_host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $remote_addr;
           client_body_buffer_size 10M;
           client_max_body_size 10G;
           proxy_buffers 1024 4k;
           proxy_pass http://dns-server:8053;
           real_ip_header X-Forwarded-For;
           real_ip_recursive on;
        }
        location /dns-query {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_redirect off;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_read_timeout 86400;
                proxy_pass http://dns-server:8053/dns-query ;
        }
    }
}
  • Configuration changes
Because IPv6 was not enabled at runtime, and most of this software binds its port to 127.0.0.1 by default, both services are changed to listen on 0.0.0.0 so the other containers can reach them.
doh-server configuration change
listen = [
    "0.0.0.0:8053",
]
...
upstream = [
    # "1.1.1.1:53",
    # "1.0.0.1:53",
    # "8.8.8.8:53",
    # "8.8.4.4:53",
    "dns-proxy:53"
]
dnscrypt-proxy configuration:
listen_addresses = ['0.0.0.0:53']

Build & test

  • Build
docker-compose up -d
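A client-side check for the /dns-query endpoint configured above, added here as an example that is not part of the original post: it builds an RFC 8484 GET request, refuses a reply that does not carry the application/dns-message media type, and parses the answer section. DOH_URL is assumed from the nginx server_name, and SAMPLE_RESPONSE is a constructed reply used to exercise the parser offline.

```python
import base64
import struct
import urllib.request

DOH_URL = "https://app.apicaddy.com/dns-query"  # assumed: the page's nginx server_name + /dns-query
# Constructed sample response: one A record for example.com, TTL 3600, owner name via pointer.
SAMPLE_RESPONSE = (b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22")

def build_query(name, qtype=1):  # wire-format query; ID 0 and RD set, as RFC 8484 suggests for GET
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def doh_get_url(base_url, wire):  # RFC 8484 GET form: ?dns=<base64url(wire)> with '=' padding removed
    return base_url + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode()

def _read_name(msg, off):  # decode a possibly compressed name -> (name, offset past it)
    parts = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier name
            tail, _ = _read_name(msg, ((length & 0x3F) << 8) | msg[off + 1])
            return ".".join(parts + [tail]), off + 2
        off += 1
        if length == 0:
            return ".".join(parts), off
        parts.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_answers(msg):  # -> (rcode, [(name, type, ttl, rdata)]) from a wire-format response
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, answers = 12, []
    for _ in range(qd):  # skip the echoed question section
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        value = ".".join(map(str, rdata)) if rtype == 1 else rdata.hex()  # A record as dotted quad
        answers.append((name, rtype, ttl, value))
    return flags & 0x000F, answers

def resolve(name, url=DOH_URL):  # GET against the DoH endpoint; reject non-DNS responses
    req = urllib.request.Request(doh_get_url(url, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        if resp.headers.get("Content-Type") != "application/dns-message":
            raise ValueError("not a DoH response: %r" % resp.headers.get("Content-Type"))
        return parse_answers(resp.read())
```

Running `resolve("example.com")` against the stack goes through nginx, doh-server and dnscrypt-proxy in turn, so a non-zero rcode or a wrong Content-Type points at the hop that is misconfigured.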

Notes

DNS over HTTPS is a very useful thing: in terms of both security and flexibility it is quite convenient. Further uses of it still need careful study.

References

https://github.com/jedisct1/dnscrypt-proxy/releases
https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-server/
https://github.com/rongfengliang/dns-proxy-demo
https://github.com/m13253/dns-over-https
https://developers.google.com/speed/public-dns/docs/dns-over-https

Original post: https://www.cnblogs.com/rongfengliang/p/9844337.html