DNS over HTTPS .. 问题... 并没有真正“隐藏”

tag-icon tag-icon domain-name-system https
DNS over HTTPS .. 问题... 并没有真正“隐藏”

我正在尝试设置基于 Debian 12 的 HTTPS 上的 DNS。我希望同一 LAN 上的多台 PC 能够使用 DNS Over https

我的 Apache 非常简单:

Protocols h2 http/1.1 
proxypass / http://127.0.2.1:53 
proxypassReverse / http://127.0.2.1:53 
SSLCertificateFile /etc/ssl/ssl2024/example_net.crt 
SSLCertificateKeyFile /etc/ssl/ssl2024/foo_private.key 
SSLCACertificateFile /etc/ssl/ssl2024/xxxValidationSecureServerCA.crt 
SSLEngine on

和我的DNScrypt代理

cat /etc/dnscrypt-proxy/dnscrypt-proxy.toml

listen_addresses = [] 
server_names = ['google'] 
doh_servers = true 
max_clients = 250 ipv4_servers = true dnscrypt_servers = true
#keepalive = 30 #ignore_system_dns = true
[doh_client_x509_auth]
    creds = [ { server_name='example.com', client_cert='/etc/ssl/example_com.crt', clientkey='/etc/ssl/exampleprivate.key' } ]
#dnssec = true [query_log] file = '/var/log/dnscrypt-proxy/query.log'
[nx_log] file = '/var/log/dnscrypt-proxy/nx.log'
[sources] 
    [sources.'public-resolvers'] url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md' cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md' minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' refresh_delay = 72 prefix = ''

[static]

    [static.'plan9dns-nj-doh']
    stamp = 'sdns://AgcAAAAAAAAADTIwNy4yNDYuODcuOTYgmjo09yfeubylEAPZzpw5-PJ92cUkKQHCurGkTmNaAhkUa3Jvbm9zLnBsYW45LWRucy5jb20KL2Rucy1xdWVyeQ'

    [static.'scaleway-ams']
    stamp = 'sdns://AQcAAAAAAAAADTUxLjE1LjEyMi4yNTAg6Q3ZfapcbHgiHKLF7QFoli0Ty1Vsz3RXs1RUbxUrwZAcMi5kbnNjcnlwdC1jZXJ0LnNjYWxld2F5LWFtcw'

如果我进行测试并写入'curl -v --doh-urlhttps://example.com/dns-queryhttps://www.hotmail.com'

看起来还可以

SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384   
ALPN: server accepted h2
Server certificate:
subject: CN=example.com
start date: Dec 20 00:00:00 2023 GMT
expire date: Jan 15 23:59:59 2025 GMT
subjectAltName: host "example.com" matched cert's "example.com"
issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
SSL certificate verify ok.
using HTTP/2
[HTTP/2] [1] OPENED stream for https://example.com/dns-query
[HTTP/2] [1] [:method: POST]
[HTTP/2] [1] [:scheme: https]
[HTTP/2] [1] [:authority: example.com]
[HTTP/2] [1] [:path: /dns-query]
[HTTP/2] [1] [accept: /]
[HTTP/2] [1] [content-type: application/dns-message]
[HTTP/2] [1] [content-length: 27]
POST /dns-query HTTP/2 Host: example.com 
Accept: / Content-Type: application/dns-message Content-Length: 27 ..... ( No error message )

挖@127.0.0.1 hotmail.com

dig @127.0.0.1 hotmail.com ;; 与 204.79.197.212#53 通信错误:连接被拒绝 ;; 与 204.79.197.212#53 通信错误:连接被拒绝 ;; 与 204.79.197.212#53 通信错误:连接被拒绝

挖掘 +https @127.0.0.1 hotmail.com

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> +https @127.0.0.1 hotmail.com ; (1 server found) 
;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47464 
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: beb1bfe6ee58993a01000000658ac298da5e778ac1e11be6 (good) 
;; QUESTION SECTION: ;hotmail.com.          IN  A
;; ANSWER SECTION: hotmail.com.     3600    IN  A   204.79.197.212
;; Query time: 124 msec 
;; SERVER: 127.0.0.1#443(127.0.0.1) (HTTPS) 
;; WHEN: Tue Dec 26 13:10:00 CET 2023 ;; MSG SIZE  rcvd: 84

从全球来看,这听起来还不错

Bind9.18“选项”是

    tls local-tls {
        key-file "/etc/bind/example.key";
        cert-file "/etc/bind/ST_example_net.crt";
        dhparam-file "/etc/bind/dhparam.pem";
};
http local {
    # multiple paths can be specified
    endpoints { "/dns-query";  };
};
options {
    directory "/var/cache/bind";
//listen-on port 53 {any;};
//listen-on-v6 port 53 {any;};
    allow-recursion {any;};
    # default ports for HTTP and HTTPS
    http-port 80;
    https-port 443;
    dnssec-validation auto;

};

但如果我使用 Internet Explorer,请选择我自己的 DoH:https://example.com/dns-query然后似乎无法处理错误消息,即使是著名的域名,查找此域名也可能存在安全风险....我需要使用 DOH

有什么想法吗?我还应该做哪些其他测试?谢谢你的帮助

我尝试了在互联网上找到的所有组合......都没有成功......问题是如何将 https 的帧发送到 dnscrypt-proxy?

我还应该做哪些其他测试?我应该朝哪个方向寻找?

事实上,我用 wireshark 看了一下。这似乎在“https”端被正确加密了。关键是服务器在 LAN 上,我需要在另一端加密。通过 DNSCrypt-proxy 转发到 Cloudflare 或 NextDNS 的任何请求似乎都没有加密,令人惊讶的是,我可以在端口 53 UDP 上看到该请求。但我没有在转发 IP 地址上使用 bind9 配置任何东西。我不知道端口 53 上的这些 UDP 来自哪里 :-( 从我的服务器到 google 或 nextDNS 感谢您的帮助

换句话说,我要寻找的是:来自我们的 LAN 的任何请求(通过 https 上的绑定..)都应该仅通过 DNS Over Https 发出到 WAN..'我应该在 Wireshark 上只看到 TCP、TLS 帧..不是吗?

相关内容