An introduction to DNS over HTTPS (DoH)

Traditional DNS runs over UDP port 53 (TCP is also allowed) in plaintext, so it does poorly on both security and user privacy: anyone on the path can read the queries and forge the answers. Some alternatives such as DNSCrypt have existed for a while, but never saw broad adoption.

DNS over HTTPS (DoH) has now matured: recent versions of Firefox can enable it directly, and current Chrome ships it as well (under "Secure DNS" in its settings).

In Firefox: General → Network Settings → Enable DNS over HTTPS, and choose Cloudflare as the provider.

Test it with curl against Cloudflare's JSON API. The -v output matters: it shows the TLS handshake and the certificate check passing, which is exactly what a plain UDP/53 lookup lacks.

curl "https://1.0.0.1/dns-query?ct=application/dns-json&name=baidu.com&type=A" -v
*   Trying 1.0.0.1...
* TCP_NODELAY set
* Connected to 1.0.0.1 (1.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare-dns.com
*  start date: Jan 11 00:00:00 2021 GMT
*  expire date: Jan 18 23:59:59 2022 GMT
*  subjectAltName: host "1.0.0.1" matched cert's IP address!
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f8922810e00)
> GET /dns-query?ct=application/dns-json&name=baidu.com&type=A HTTP/2
> Host: 1.0.0.1
> User-Agent: curl/7.64.1
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200 
< date: Sun, 06 Jun 2021 02:13:50 GMT
< content-type: application/dns-json
< content-length: 243
< access-control-allow-origin: *
< cf-request-id: 0a80b223110000e7f1b8877000000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 65ae1fb1bb01e7f1-LAX
< 
* Connection #0 to host 1.0.0.1 left intact
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"baidu.com","type":1}],"Answer":[{"name":"baidu.com","type":1,"TTL":65,"data":"39.156.69.79"},{"name":"baidu.com","type":1,"TTL":65,"data":"220.181.38.148"}]}* Closing connection 0

aliyun also offers this kind of service: http://dns.alidns.com/resolve?name=www.taobao.com.&type=1 Note that, as written, that URL is plain http://, so the request is not DoH at all: it is the same JSON resolver API, but sent unencrypted and unauthenticated, with no more protection against an on-path reader or spoofer than UDP/53. Use https:// on the same path for an actual DoH test.

In testing, aliyun's DoH service also shows the DNS pollution problem. Compare the answers the two resolvers give for www.google.com:

curl "https://1.0.0.1/dns-query?ct=application/dns-json&name=www.google.com&type=A"
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"www.google.com","type":1}],"Answer":[{"name":"www.google.com","type":1,"TTL":39,"data":"172.217.14.100"}]}

curl "http://dns.alidns.com/resolve?name=www.google.com.&type=1"
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":{"name":"www.google.com.","type":1},"Answer":[{"name":"www.google.com.","TTL":15,"type":1,"data":"162.125.32.6"}]}
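The two JSON responses above differ in both the answer and the shape of the document (Cloudflare returns "Question" as a list, alidns as a single object). As an added example, not code from the original post, here is a small Python checker that parses the DoH JSON format, normalises names, refuses to treat a non-zero RCODE as "no records", and reports when two resolvers disagree on the A records for a name. It uses the responses captured on this page as embedded sample data so it runs offline; the resolver labels are just names chosen here.

```python
import json
from typing import Dict, List

A_RECORD = 1

# DoH JSON responses captured on this page (Cloudflare 1.0.0.1 and dns.alidns.com),
# embedded as sample data so the checker runs offline.
CLOUDFLARE_GOOGLE = ('{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,'
                     '"Question":[{"name":"www.google.com","type":1}],'
                     '"Answer":[{"name":"www.google.com","type":1,"TTL":39,"data":"172.217.14.100"}]}')
ALIDNS_GOOGLE = ('{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,'
                 '"Question":{"name":"www.google.com.","type":1},'
                 '"Answer":[{"name":"www.google.com.","TTL":15,"type":1,"data":"162.125.32.6"}]}')
CLOUDFLARE_BAIDU = ('{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,'
                    '"Question":[{"name":"baidu.com","type":1}],'
                    '"Answer":[{"name":"baidu.com","type":1,"TTL":65,"data":"39.156.69.79"},'
                    '{"name":"baidu.com","type":1,"TTL":65,"data":"220.181.38.148"}]}')


def normalise_name(name: str) -> str:
    """DNS names are case-insensitive and "www.google.com." equals "www.google.com"."""
    return name.rstrip(".").lower()


def parse_doh_json(body: str) -> Dict[str, object]:
    """Parse a DoH JSON response (Google/Cloudflare style) into a normalised record.

    Tolerates both shapes seen on this page: "Question" as a list (Cloudflare)
    and as a single object (alidns). Raises on a non-zero RCODE so a SERVFAIL or
    NXDOMAIN is never mistaken for "no A records".
    """
    doc = json.loads(body)
    status = int(doc.get("Status", -1))
    if status != 0:
        raise ValueError("resolver returned RCODE %d" % status)
    question = doc.get("Question") or []
    if isinstance(question, dict):
        question = [question]
    a_records = sorted(
        rr["data"] for rr in (doc.get("Answer") or [])
        if rr.get("type") == A_RECORD
    )
    return {
        "qname": normalise_name(question[0]["name"]) if question else None,
        "truncated": bool(doc.get("TC")),
        "dnssec_validated": bool(doc.get("AD")),  # AD=false above: neither answer is DNSSEC-validated
        "a_records": a_records,
    }


def resolver_answers(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each resolver label to the sorted A records it returned."""
    return {label: parse_doh_json(body)["a_records"] for label, body in responses.items()}


def answers_agree(responses: Dict[str, str]) -> bool:
    """True when every resolver returned the same A-record set.

    Disagreement is only a signal: CDN-backed names legitimately differ by vantage
    point, so confirm with a second lookup and a TLS connection to the returned
    address before calling it pollution.
    """
    return len({tuple(addrs) for addrs in resolver_answers(responses).values()}) <= 1


if __name__ == "__main__":
    sample = {"cloudflare": CLOUDFLARE_GOOGLE, "alidns": ALIDNS_GOOGLE}
    for label, addrs in resolver_answers(sample).items():
        print("%-10s %s" % (label, ", ".join(addrs)))
    print("agree:", answers_agree(sample))
```

To use it against live resolvers, fetch each JSON body over https:// (with an Accept: application/dns-json header, or the ct= query parameter used above) and pass the bodies in as the sample dictionary; the parsing and comparison logic stays the same.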


Thoughts: DoH closes off on-path DNS pollution, but only to the extent that the resolver at the far end is trustworthy (the alidns result above shows that an encrypted channel to a resolver that itself hands back a bad answer gains nothing), and the usable public endpoints are a fixed handful unless you run your own. Windows 10 reportedly has plans to support DoH, but on systems that do not support it, such as Windows 7 or XP, it is of limited practical use. Most work today happens in a browser anyway, so installing a current browser covers most of it.

If the whole system must use DoH and the OS does not support it, the only option is a local DNS server that speaks DoH upstream and plain UDP downstream. Existing tools already do exactly this (cloudflared's proxy-dns mode and dnscrypt-proxy, for example), so the need is small; no development planned.
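For reference, this is the shape of such a forwarder, as an added example written for this post rather than code from the original or from any of the tools named above: a Python stub resolver that accepts classic wire-format queries over UDP, forwards them to Cloudflare's RFC 8484 endpoint (POST to https://1.1.1.1/dns-query with application/dns-message; the IP form avoids a bootstrap lookup of the resolver's own name) and hands the answer back with the client's transaction ID restored. The upstream HTTPS call is injectable, and make_response is a stand-in upstream so the offline demo at the bottom runs without network; the function names, the listen address and the constants are this example's own.

```python
import socket
import struct
import urllib.request
from typing import Callable, List, Tuple

# Upstream RFC 8484 endpoint; the IP form avoids a bootstrap DNS lookup for the resolver's name.
UPSTREAM_URL = "https://1.1.1.1/dns-query"

def encode_name(name: str) -> bytes:
    """Encode "www.example.com" as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Standard query, RD=1, one question, class IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)

def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels: List[str] = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if ptr >= offset:                          # only backward pointers: no loops
                raise ValueError("forward compression pointer")
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + ([tail] if tail else [])), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_a_records(msg: bytes) -> List[str]:
    """IPv4 addresses from the answer section of a successful wire-format response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or flags & 0x000F:           # must be a response with RCODE 0
        raise ValueError("not a successful response: flags=0x%04x" % flags)
    off = 12
    for _ in range(qd):                                # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def make_response(query: bytes, addrs: List[str], ttl: int = 60) -> bytes:
    """Offline stand-in for the upstream: answer a one-question query with the given A records."""
    _, qend = decode_name(query, 12)
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(addrs), 0, 0)   # QR, RD, RA, NOERROR
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a) for a in addrs)
    return header + query[12:qend + 4] + rrs

def https_post(url: str, body: bytes) -> bytes:
    """Real upstream: POST the wire-format message; urllib verifies the server certificate."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/dns-message",
                                          "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()

def forward_to_doh(query: bytes, post: Callable[[str, bytes], bytes] = https_post) -> bytes:
    """Forward one query upstream and return the reply with the client's transaction ID restored."""
    upstream = b"\x00\x00" + query[2:]                 # RFC 8484 4.1: ID 0 upstream for HTTP cacheability
    reply = post(UPSTREAM_URL, upstream)
    if len(reply) < 12 or reply[:2] != b"\x00\x00":
        raise ValueError("upstream reply ID mismatch")
    return query[:2] + reply[2:]

def serve_udp(listen: Tuple[str, int] = ("127.0.0.1", 5353), post=https_post) -> None:
    """Downstream side: classic UDP. Point /etc/resolv.conf or the OS DNS setting at this address."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        query, client = sock.recvfrom(4096)
        try:
            sock.sendto(forward_to_doh(query, post), client)
        except Exception as exc:                       # drop bad or failed queries, keep serving
            print("dropped query from %s: %s" % (client, exc))

if __name__ == "__main__":
    # Offline demo with a fake upstream returning the address Cloudflare gave on this page.
    fake = lambda url, body: make_response(body, ["172.217.14.100"])
    print(parse_a_records(forward_to_doh(build_query("www.google.com", txid=0x1234), fake)))
    # Real use: serve_udp() (port 53 needs root; 5353 does not).
```

The ID rewrite is the one non-obvious step: RFC 8484 recommends a zero DNS ID upstream so identical queries are cacheable by HTTP caches, so the forwarder must save the client's ID and put it back, and it checks that the upstream echoed the zero ID before trusting the reply. What is deliberately missing for production use: TCP fallback for truncated (TC=1) responses, a connection pool instead of one HTTPS request per query, and rate limiting on the UDP side.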

