我正在尝试设置基于 Debian 12 的 HTTPS 上的 DNS。我希望同一 LAN 上的多台 PC 能够使用 DNS Over https
我的 Apache 非常简单:
Protocols h2 http/1.1
proxypass / http://127.0.2.1:53
proxypassReverse / http://127.0.2.1:53
SSLCertificateFile /etc/ssl/ssl2024/example_net.crt
SSLCertificateKeyFile /etc/ssl/ssl2024/foo_private.key
SSLCACertificateFile /etc/ssl/ssl2024/xxxValidationSecureServerCA.crt
SSLEngine on
和我的DNScrypt代理
cat /etc/dnscrypt-proxy/dnscrypt-proxy.toml
listen_addresses = []
server_names = ['google']
doh_servers = true
max_clients = 250 ipv4_servers = true dnscrypt_servers = true
#keepalive = 30 #ignore_system_dns = true
[doh_client_x509_auth]
creds = [ { server_name='example.com', client_cert='/etc/ssl/example_com.crt', clientkey='/etc/ssl/exampleprivate.key' } ]
#dnssec = true [query_log] file = '/var/log/dnscrypt-proxy/query.log'
[nx_log] file = '/var/log/dnscrypt-proxy/nx.log'
[sources]
[sources.'public-resolvers'] url = 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md' cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md' minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' refresh_delay = 72 prefix = ''
[static]
[static.'plan9dns-nj-doh']
stamp = 'sdns://AgcAAAAAAAAADTIwNy4yNDYuODcuOTYgmjo09yfeubylEAPZzpw5-PJ92cUkKQHCurGkTmNaAhkUa3Jvbm9zLnBsYW45LWRucy5jb20KL2Rucy1xdWVyeQ'
[static.'scaleway-ams']
stamp = 'sdns://AQcAAAAAAAAADTUxLjE1LjEyMi4yNTAg6Q3ZfapcbHgiHKLF7QFoli0Ty1Vsz3RXs1RUbxUrwZAcMi5kbnNjcnlwdC1jZXJ0LnNjYWxld2F5LWFtcw'
如果我进行测试并写入'curl -v --doh-urlhttps://example.com/dns-queryhttps://www.hotmail.com'
看起来还可以
SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
ALPN: server accepted h2
Server certificate:
subject: CN=example.com
start date: Dec 20 00:00:00 2023 GMT
expire date: Jan 15 23:59:59 2025 GMT
subjectAltName: host "example.com" matched cert's "example.com"
issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
SSL certificate verify ok.
using HTTP/2
[HTTP/2] [1] OPENED stream for https://example.com/dns-query
[HTTP/2] [1] [:method: POST]
[HTTP/2] [1] [:scheme: https]
[HTTP/2] [1] [:authority: example.com]
[HTTP/2] [1] [:path: /dns-query]
[HTTP/2] [1] [accept: /]
[HTTP/2] [1] [content-type: application/dns-message]
[HTTP/2] [1] [content-length: 27]
POST /dns-query HTTP/2 Host: example.com
Accept: / Content-Type: application/dns-message Content-Length: 27 ..... ( No error message )
挖@127.0.0.1 hotmail.com
dig @127.0.0.1 hotmail.com ;; 与 204.79.197.212#53 通信错误:连接被拒绝 ;; 与 204.79.197.212#53 通信错误:连接被拒绝 ;; 与 204.79.197.212#53 通信错误:连接被拒绝
挖掘 +https @127.0.0.1 hotmail.com
; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> +https @127.0.0.1 hotmail.com ; (1 server found)
;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47464
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: beb1bfe6ee58993a01000000658ac298da5e778ac1e11be6 (good)
;; QUESTION SECTION: ;hotmail.com. IN A
;; ANSWER SECTION: hotmail.com. 3600 IN A 204.79.197.212
;; Query time: 124 msec
;; SERVER: 127.0.0.1#443(127.0.0.1) (HTTPS)
;; WHEN: Tue Dec 26 13:10:00 CET 2023 ;; MSG SIZE rcvd: 84
从全球来看,这听起来还不错
Bind9.18“选项”是
tls local-tls {
key-file "/etc/bind/example.key";
cert-file "/etc/bind/ST_example_net.crt";
dhparam-file "/etc/bind/dhparam.pem";
};
http local {
# multiple paths can be specified
endpoints { "/dns-query"; };
};
options {
directory "/var/cache/bind";
//listen-on port 53 {any;};
//listen-on-v6 port 53 {any;};
allow-recursion {any;};
# default ports for HTTP and HTTPS
http-port 80;
https-port 443;
dnssec-validation auto;
};
但如果我使用 Internet Explorer,请选择我自己的 DoH:https://example.com/dns-query然后似乎无法处理错误消息,即使是著名的域名,查找此域名也可能存在安全风险....我需要使用 DOH
有什么想法吗?我还应该做哪些其他测试?谢谢你的帮助
我尝试了在互联网上找到的所有组合......都没有成功......问题是如何将 https 的帧发送到 dnscrypt-proxy?
我还应该做哪些其他测试?我应该朝哪个方向寻找?
事实上,我用 wireshark 看了一下。这似乎在“https”端被正确加密了。关键是服务器在 LAN 上,我需要在另一端加密。通过 DNSCrypt-proxy 转发到 Cloudflare 或 NextDNS 的任何请求似乎都没有加密,令人惊讶的是,我可以在端口 53 UDP 上看到该请求。但我没有在转发 IP 地址上使用 bind9 配置任何东西。我不知道端口 53 上的这些 UDP 来自哪里 :-( 从我的服务器到 google 或 nextDNS 感谢您的帮助
换句话说,我要寻找的是:来自我们的 LAN 的任何请求(通过 https 上的绑定..)都应该仅通过 DNS Over Https 发出到 WAN..'我应该在 Wireshark 上只看到 TCP、TLS 帧..不是吗?