Using DNS over HTTPS on Linux

DNS over HTTPS (DoH) is a DNS transport that carries DNS queries and responses inside encrypted HTTPS connections, protecting their confidentiality and integrity on the way to the resolver. Traditional DNS queries are sent to the DNS server in plaintext over UDP or TCP, so anyone on the path can read or tamper with them. With DoH, each DNS message is embedded in an HTTPS request or response (RFC 8484), so the query and its answer are encrypted and authenticated between the client and the resolver it chose.

Some key properties and advantages of DNS over HTTPS:

  1. Privacy: DoH encrypts queries and responses with TLS, so an on-path observer (the ISP, the local network, a public hotspot) cannot easily read which names the client is looking up. The DoH resolver itself still sees every query, so the privacy gain is only as good as the resolver operator's logging policy.

  2. Protection against hijacking and tampering: the connection is authenticated by the resolver's TLS certificate, so an on-path attacker cannot inject or rewrite answers between the client and the resolver. DoH does not by itself prove that an answer is correct: a malicious or compromised resolver can still lie, and end-to-end validation of the data requires DNSSEC.

  3. Bypassing network filtering: some networks filter or hijack plaintext DNS queries (for example by injecting forged answers); with DoH those queries are no longer visible as DNS, so such filtering is circumvented. The network can still block DoH by blocking the resolver's IP addresses or its TLS SNI, so this is not a guarantee.

  4. Performance: DoH runs over HTTP/2 (RFC 8484 recommends HTTP/2 as the minimum), so many queries share one long-lived, multiplexed TLS connection and do not each pay a handshake. A single cold query is still slower than plaintext UDP because of the TCP and TLS handshakes; the gain comes from connection reuse.

  5. Unified handling: DoH queries look like ordinary HTTPS traffic, so DNS is carried through the same TLS endpoints, proxies and policies as other web traffic and cannot be singled out on port 53.

Although DoH offers these advantages, it is also controversial, mainly for the following reasons:

  1. Network management: DoH makes DNS traffic opaque to the network operator, so administrators can no longer monitor or filter DNS at the network level (for example for malware-domain blocking or split-horizon resolution), and applications that use their own DoH resolver bypass the organisation's resolver configuration entirely.

  2. Compliance: some organisations or jurisdictions require DNS traffic to be monitored or filtered; sending queries to an external DoH resolver may violate local laws, regulations or policy.

  3. Caching and latency: a client that talks directly to a remote DoH resolver bypasses the local and ISP caching resolvers, and every new connection costs a TCP and TLS handshake, so queries can be slower and the upstream resolver sees more load, especially on mobile or high-latency networks.

Overall, DNS over HTTPS offers a more secure and private way to resolve names, but its management and compliance trade-offs have to be weighed.
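To make concrete what "embedding a DNS query in HTTPS" means, here is an added example (not from the original page) that builds an RFC 8484 wire-format query by hand in POSIX shell, base64url-encodes it as the dns= parameter of a GET request, and sends it to https://1.1.1.1/dns-query with curl. The resolver URL, the example.com name and the assumption that the last record in the answer is an A record are mine; the header and name encoding follow RFC 1035 and RFC 8484.

```shell
#!/bin/sh
# Added example, not code from the original page: a DoH GET query built by hand.
# Shows exactly what cloudflared sends upstream inside TLS: a plain RFC 1035
# message, base64url-encoded into the URL.
set -eu

# dns_wire_query NAME: write a minimal DNS query (ID 0, RD set, one A question)
# for NAME in wire format to stdout.
dns_wire_query() {
    name=${1%.}   # tolerate a trailing dot
    # Header: ID=0, flags=0x0100 (RD), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
    # ID 0 is what RFC 8484 recommends for GET, so equal queries give equal URLs
    # and can be served from an HTTP cache.
    printf '\000\000\001\000\000\001\000\000\000\000\000\000'
    # QNAME: <length><label> for each label; a label is 1..63 bytes.
    ( IFS=.
      for label in $name; do
          [ "${#label}" -ge 1 ] && [ "${#label}" -le 63 ] || exit 1
          printf "\\$(printf '%03o' "${#label}")%s" "$label"
      done ) || return 1
    # root label, QTYPE=A (1), QCLASS=IN (1)
    printf '\000\000\001\000\001'
}

# doh_query_param NAME: the value of the dns= parameter: base64url without
# padding (RFC 8484 section 6).
doh_query_param() {
    dns_wire_query "$1" | base64 | tr -d '\n=' | tr '+/' '-_'
}

# doh_resolve_a NAME [URL]: send the query to a DoH resolver (assumed default:
# Cloudflare) and print the IPv4 address from the last answer record.
doh_resolve_a() {
    url=${2:-https://1.1.1.1/dns-query}
    curl -sS --fail -H 'accept: application/dns-message' \
        "$url?dns=$(doh_query_param "$1")" \
    | od -An -tu1 -v \
    | awk '{ for (i = 1; i <= NF; i++) b[n++] = $i }
           END {
             rcode = b[3] % 16          # low 4 bits of the flags word
             if (rcode != 0) { printf "rcode=%d\n", rcode; exit 1 }
             # Assumption: the last resource record is an A record, so its
             # 4-byte RDATA is the tail of the message.
             printf "%d.%d.%d.%d\n", b[n-4], b[n-3], b[n-2], b[n-1]
           }'
}

# Usage: ./doh.sh example.com
if [ "${1:-}" != "" ]; then
    doh_resolve_a "$1"
fi
```

The same URL can be pasted into a browser's address bar; nothing about it is special beyond the Accept header. That is also the whole privacy argument in one line: an on-path observer sees a TLS connection to 1.1.1.1:443 and nothing else, whereas the plaintext form of this message on UDP port 53 carries the name in the clear.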

Using DNS over HTTPS on Linux

Scenario: Debian on Aliyun, using Cloudflare's DNS over HTTPS.
If you have a Linux server inside China and do not want its name resolution to be poisoned, this method can be used.

Download the cloudflared binary from the official site

Download link (this was the distribution URL at the time of writing, February 2020; Cloudflare has since retired the equinox downloads and publishes cloudflared releases at https://github.com/cloudflare/cloudflared/releases and through its own package repository, so for a new install fetch the package from there, over TLS only, never from a third-party mirror):

wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb
dpkg -i cloudflared-stable-linux-amd64.deb
/usr/local/bin/cloudflared --version

Set up the local DNS over HTTPS environment

Running proxy-dns with no options starts a plain-DNS listener on localhost:53 that forwards every query to Cloudflare's DoH endpoints (1.1.1.1 and 1.0.0.1 by default); port 53 has to be free, so stop any local dnsmasq or similar first. The metrics endpoint it starts is bound to loopback only.

# /usr/local/bin/cloudflared proxy-dns

INFO[0000] Adding DNS upstream url="https://1.1.1.1/dns-query"
INFO[0000] Adding DNS upstream url="https://1.0.0.1/dns-query"
INFO[0000] Starting metrics server addr="127.0.0.1:49312"
INFO[0000] Starting DNS over HTTPS proxy server addr="dns://localhost:53"

Verify DNS

Open a second terminal and query the local proxy directly. In the answer, SERVER: 127.0.0.1#53 confirms it came from the proxy; the PAD option in the OPT pseudosection is EDNS(0) padding (RFC 7830), which Cloudflare adds to its DoH responses so that message sizes reveal less about the name being looked up. The first query is slow (825 ms) mainly because it includes the TLS handshake to the upstream; later queries reuse the connection.

dig bug.com @127.0.0.1

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> bug.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52367
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
; PAD: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ("........................................................................")
;; QUESTION SECTION:
;bug.com IN A

;; ANSWER SECTION:
bug.com 3600 IN A 198.74.11.40

;; Query time: 825 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 10 23:03:50 CST 2020
;; MSG SIZE rcvd: 135

Make the DoH proxy the default DNS configuration

In this cloudflared version, service install copies its configuration from /usr/local/etc/cloudflared to /etc/cloudflared (see its output below), so the config file has to be written into the directory created here, not directly into /etc/cloudflared:

mkdir -p /usr/local/etc/cloudflared

cat << EOF > /usr/local/etc/cloudflared/config.yml
proxy-dns: true
proxy-dns-upstream:
  - https://1.1.1.1/dns-query
  - https://1.0.0.1/dns-query
EOF

Install the DoH proxy as a service that starts at boot

cloudflared service install
Error:
INFO[0000] Failed to copy user configuration. Before running the service, ensure that /etc/cloudflared contains two files, cert.pem and config.yml error="open /usr/local/etc/cloudflared/cert.pem: no such file or directory"
Workaround:
cp /etc/cloudflared/cert.pem /usr/local/etc/cloudflared/

cert.pem is the origin certificate that cloudflared login downloads for Cloudflare Tunnel; proxy-dns never uses it, but this version's service install refuses to proceed unless it sits next to config.yml. If you have never run cloudflared login there is no cert.pem to copy; in that case write a systemd unit for cloudflared proxy-dns by hand instead of using service install.

Run it again

# cloudflared service install

INFO[0000] Copied /usr/local/etc/cloudflared/config.yml to /etc/cloudflared/config.yml
INFO[0000] Using Systemd
INFO[0000] systemctl: Created symlink from /etc/systemd/system/multi-user.target.wants/cloudflared.service to /etc/systemd/system/cloudflared.service.
INFO[0000] systemctl daemon-reload

Check and start the service (service install already enabled the unit, as the symlink message above shows, so the enable step is redundant but harmless)

systemctl enable cloudflared
systemctl start cloudflared
systemctl status cloudflared
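Instead of the cert.pem workaround, the proxy can be installed with a hand-written unit. The following is an added example, not cloudflared's own installer and not a file from the original page: it writes a config.yml that binds the listener to loopback only and a systemd unit that runs cloudflared proxy-dns under a dynamic unprivileged user holding only CAP_NET_BIND_SERVICE. The paths (/usr/local/bin/cloudflared from the page, /etc/cloudflared/config.yml) and the unit name cloudflared-dns.service are assumptions and can be overridden through the CLOUDFLARED and CONFIG variables.

```shell
#!/bin/sh
# Added example (not cloudflared's installer): install `cloudflared proxy-dns`
# as a hardened systemd service without `service install` or cert.pem.
set -eu

CLOUDFLARED=${CLOUDFLARED:-/usr/local/bin/cloudflared}   # assumed path
CONFIG=${CONFIG:-/etc/cloudflared/config.yml}           # assumed path

# write_config FILE: upstreams pinned to Cloudflare's DoH endpoints; the
# listener is bound to loopback so the host cannot become an open resolver.
write_config() {
    cat > "$1" <<'EOF'
proxy-dns: true
proxy-dns-address: 127.0.0.1
proxy-dns-port: 53
proxy-dns-upstream:
  - https://1.1.1.1/dns-query
  - https://1.0.0.1/dns-query
EOF
}

# write_unit FILE: the config is passed explicitly with --config, so no
# directory guessing happens and no cert.pem is ever read. The process runs as
# a throwaway user and keeps only the capability needed to bind port 53.
write_unit() {
    cat > "$1" <<EOF
[Unit]
Description=cloudflared DNS over HTTPS proxy
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=$CLOUDFLARED --config $CONFIG proxy-dns
Restart=on-failure
RestartSec=5
DynamicUser=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF
}

# install_service: write both files and enable the unit (needs root).
install_service() {
    mkdir -p "$(dirname "$CONFIG")"
    write_config "$CONFIG"
    write_unit /etc/systemd/system/cloudflared-dns.service
    systemctl daemon-reload
    systemctl enable --now cloudflared-dns.service
}

# Usage: sudo ./install-doh.sh install
if [ "${1:-}" = install ]; then
    install_service
fi
```

write_config and write_unit only write the file they are given, so both can be dry-run against a temporary directory and inspected before running the install step as root. Because the configuration path is explicit in ExecStart, the /usr/local/etc versus /etc confusion from service install does not arise.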

Finally, point /etc/resolv.conf at the proxy

Do not append the entry: glibc tries nameservers in file order and only falls back to the next one after a timeout, so an appended "nameserver 127.0.0.1" would sit behind the cloud provider's resolvers and almost never be used, and queries would keep leaving the host in plaintext. Make it the first (here, the only) entry; if cloudflared is down, resolution then fails instead of silently falling back to plaintext, which is the right behaviour for this use case:

echo "nameserver 127.0.0.1" > /etc/resolv.conf

On cloud images /etc/resolv.conf is often rewritten at boot by the DHCP client or cloud-init; to make the change persist, configure that tool instead of editing the file (with isc-dhcp-client, the line "supersede domain-name-servers 127.0.0.1;" in /etc/dhcp/dhclient.conf does it).

Final test: a plain dig with no server argument now uses the system resolver, and SERVER: 127.0.0.1#53 in the output shows the query went through the proxy.

[root@cloudflared]# dig nobug.com

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> nobug.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22326
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
; PAD: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ("......................................................................")
;; QUESTION SECTION:
;nobug.com IN A

;; ANSWER SECTION:
nobug.com 3600 IN A 162.241.176.252

;; Query time: 201 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 10 23:08:20 CST 2020
;; MSG SIZE rcvd: 137
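As an added check that is not part of the original page, the script below verifies the three things that actually matter once the service is up: that 127.0.0.1 is the first nameserver in /etc/resolv.conf, that a lookup through the system resolver is answered by 127.0.0.1#53, and that no plaintext port-53 packets leave the host on the outbound interface while a lookup runs. The listener address 127.0.0.1:53 is taken from the cloudflared log above; the interface name (passed as the first argument) and the example.com test name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: confirm the DoH proxy is really
# in use and that no plaintext DNS leaks. Usage: sudo ./check-doh.sh eth0
set -eu

# first_nameserver FILE: the first "nameserver" line of a resolv.conf. glibc
# queries nameservers in file order and only falls back to the next one on
# timeout, so if the proxy is not first it is effectively never used.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# resolv_uses_local_doh FILE: succeeds when 127.0.0.1 is the first nameserver.
resolv_uses_local_doh() {
    [ "$(first_nameserver "$1")" = "127.0.0.1" ]
}

# answered_by_local FILE: succeeds when a saved dig output shows the answer
# came from the local proxy rather than from a remote server.
answered_by_local() {
    grep -q '^;; SERVER: 127\.0\.0\.1#53' "$1"
}

# count_plaintext_dns IFACE [SECONDS]: capture port-53 packets on the outbound
# interface while a lookup runs through the system resolver and print how many
# were seen. Loopback traffic to the proxy never appears on IFACE, and DoH to
# the upstream uses port 443, so any non-zero count is a plaintext DNS leak.
count_plaintext_dns() {
    iface=$1; secs=${2:-5}
    pcap=$(mktemp)
    timeout "$secs" tcpdump -ni "$iface" -w "$pcap" 'port 53' 2>/dev/null &
    pid=$!
    sleep 1                                 # let tcpdump attach
    dig +short example.com. >/dev/null 2>&1 || true   # assumed test name
    wait "$pid" 2>/dev/null || true         # timeout ends the capture
    tcpdump -nr "$pcap" 2>/dev/null | wc -l | tr -d ' '
    rm -f "$pcap"
}

if [ "${1:-}" != "" ]; then
    if resolv_uses_local_doh /etc/resolv.conf; then
        echo "resolv.conf: 127.0.0.1 is the first nameserver"
    else
        echo "resolv.conf: first nameserver is $(first_nameserver /etc/resolv.conf); the proxy is NOT consulted first"
    fi
    out=$(mktemp)
    dig example.com. > "$out"
    answered_by_local "$out" && echo "dig: answered by 127.0.0.1#53"
    rm -f "$out"
    echo "plaintext DNS packets on $1 during a lookup: $(count_plaintext_dns "$1" 5)"
fi
```

The packet count is the only one of the three checks that catches a leak caused by something other than resolv.conf, for example a container runtime or a browser with its own resolver settings, so it is worth running after any change to the network configuration.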