diff --git a/README.md b/README.md
index ff86671..9acd5a4 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,9 @@
 # DOT DOH with haproxy
+
+**[Mozilla ssl-config](https://ssl-config.mozilla.org/)**
+
+**!!! denylist.rpz and allowlist.rpz are made for my _private_ use and will _cause_ problem with _some_ domain !!!**
+
 ```
 Query Dns-over-TLS
@@ -18,3 +23,6 @@ Query |--------------------------------------------------------------> Dns Resolver (Knot-resolver dns local)
 ```
+
+# Recommendation
+1. [knot-resolver](https://knot-resolver.cz) **Recommend** using upstream repository on debian
diff --git a/addition/check.http b/addition/check.http
new file mode 100644
index 0000000..7777c22
--- /dev/null
+++ b/addition/check.http
@@ -0,0 +1,5 @@
+HTTP/1.0 200 Found
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/plain
+Access-Control-Allow-Origin: https://domain.tld
diff --git a/bright.md b/bright.md
new file mode 100644
index 0000000..b0679fd
--- /dev/null
+++ b/bright.md
@@ -0,0 +1,13 @@
+# bright!!
+***SERVER SIDE***
+1. haproxy.cfg
+ - haproxy
+2. kresd.conf
+ - knot-resolver
+3. doh-server.conf
+ - m13253/dns-over-https **doh-server**
+
+***ADDITIONAL***
+
+1. *.rpz
+ - response policy zone [Wikipedia](https://en.wikipedia.org/wiki/Response_policy_zone) [knot-resolver](https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#response-policy-zones)
diff --git a/configuration/doh-server.conf b/configuration/doh-server.conf
new file mode 100644
index 0000000..abfc004
--- /dev/null
+++ b/configuration/doh-server.conf
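Review bot: The status line `HTTP/1.0 200 Found` pairs status code 200 with the reason phrase of a 302; it should read `HTTP/1.0 200 OK`. The file also ends right after `Access-Control-Allow-Origin` with no empty line terminating the header block, so it is not a complete HTTP response — haproxy serves errorfiles verbatim, and releases that validate them at startup will reject or warn on this (check against the deployed version); append a blank line, and optionally a one-line body since `Content-Type: text/plain` announces one. `Access-Control-Allow-Origin: https://domain.tld` is a placeholder that must become the real DoH origin, or be dropped if no browser page ever calls `/check`.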
@@ -0,0 +1,36 @@
+# Original author : aaflalo.me https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-server/#Configuration
+# HTTP listen port
+listen = [
+ "127.0.0.1:8053",
+ "[::1]:8053",
+]
+
+# TLS certification file
+# If left empty, plain-text HTTP will be used.
+# You are recommended to leave empty and to use a server load balancer (e.g.
+# Caddy, Nginx) and set up TLS there, because this program does not do OCSP
+# Stapling, which is necessary for client bootstrapping in a network
+# environment with completely no traditional DNS service.
+cert = ""
+
+# TLS private key file
+key = ""
+
+# HTTP path for resolve application
+path = "/dns-query"
+
+# Upstream DNS resolver
+# If multiple servers are specified, a random one will be chosen each time.
+upstream = [
+ "tcp:127.0.0.1:5353",
+ "udp:127.0.0.1:5353",
+]
+
+# Upstream timeout
+timeout = 60
+
+# Number of tries if upstream DNS fails
+tries = 10
+
+# Enable logging
+verbose = false
diff --git a/configuration/haproxy.cfg b/configuration/haproxy.cfg
new file mode 100644
index 0000000..2e70352
--- /dev/null
+++ b/configuration/haproxy.cfg
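Review bot: `timeout = 60` combined with `tries = 10` lets a request to a dead upstream linger far longer than the proxy in front of it will wait — haproxy.cfg sets `timeout server 50000` (50 s) — so doh-server keeps retrying on behalf of clients haproxy has already disconnected; if the timeout applies per try, as the "Upstream timeout" comment suggests, the worst case is ten minutes. Values like `timeout = 10` and `tries = 3` keep the end-to-end budget inside the proxy's. The loopback-only `listen` together with empty `cert`/`key` is only safe because TLS terminates in haproxy; say so in the header so nobody later widens the bind, e.g. `# Plain HTTP on loopback only: TLS is terminated by haproxy (frontend 443-in-doh)`.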
@@ -0,0 +1,87 @@
+
+global
+ log /dev/log local0
+ log /dev/log local1 notice
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.8.0&openssl=1.1.0i&hsts=yes&profile=modern
+ # If you are using different version (check with `openssl version` and `haproxy -v`, go get new ciphers&options)
+ # set default parameters to the intermediate configuration
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+ ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+ ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+ ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ ssl-dh-param-file /path/to/dhparam
+
+defaults
+# enables tcplog so disabled
+# log global
+ mode http
+# option httplog
+ option dontlognull
+ timeout connect 5000
+ timeout client 50000
+ timeout server 50000
+ errorfile 400 /etc/haproxy/errors/400.http
+ errorfile 403 /etc/haproxy/errors/403.http
+ errorfile 408 /etc/haproxy/errors/408.http
+ errorfile 500 /etc/haproxy/errors/500.http
+ errorfile 502 /etc/haproxy/errors/502.http
+ errorfile 503 /etc/haproxy/errors/503.http
+ errorfile 504 /etc/haproxy/errors/504.http
+
+
+# TCP LB (443)
+frontend 443-in
+ bind 104.244.78.187:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
+ bind [::]:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
+ mode tcp
+
+ # DoT
+ use_backend dns-dot if { ssl_fc_sni dot.domain.pem }
+
+# TCP LB (853)
+frontend 853-in
+ bind 0.0.0.0:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
+ bind [::]:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
+ mode tcp
+
+ # DoT
+ use_backend dns-dot if { ssl_fc_sni dot.domain }
+
+backend dns-dot
+ mode tcp
+ server dot 127.0.0.1:5353 check
+
+# TCP LB (443)
+frontend 443-in-doh
+ bind 0.0.0.0:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.ludns.nakadlto.cz.pem
+ bind [::]:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.ludns.nakadlto.cz.pem
+
+ mode http
+
+ http-response set-header Strict-Transport-Security max-age=63072000
+ http-response set-header X-Frontend lv1
+
+ use_backend check if { path /check }
+
+ use_backend dns-doh if { hdr(host) -i doh.domain }
+
+# default_backend nginx
+
+backend dns-doh
+mode http
+server dns-doh 127.0.0.1:8053 check
+
+http-response set-header Strict-Transport-Security max-age=63072000
+
+backend check
+ mode http
+ errorfile 503 /root/dns/check.http
diff --git a/configuration/kresd.conf b/configuration/kresd.conf
new file mode 100644
index 0000000..2e40630
--- /dev/null
+++ b/configuration/kresd.conf
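Review bot: In frontend `443-in` the rule `use_backend dns-dot if { ssl_fc_sni dot.domain.pem }` compares the client's SNI against the certificate file name rather than the host name; no client presents that SNI, so nothing on this listener ever reaches `dns-dot` and, with no default_backend, the connection is simply closed. It should mirror the 853 frontend: `use_backend dns-dot if { ssl_fc_sni dot.domain }`. Separately, `443-in` (tcp mode, `104.244.78.187:443` and `[::]:443`) and `443-in-doh` (http mode, `0.0.0.0:443` and `[::]:443`) both listen on port 443 of overlapping addresses; depending on the build this either fails to bind or, with reuseport, leaves it to the kernel which frontend accepts a given connection, so DoH clients can land on the tcp frontend and be dropped — keep one listener per address:port, or route DoT and DoH from a single tcp-mode frontend on `ssl_fc_alpn`/`ssl_fc_sni`. Under `backend dns-doh` the unindented `mode http`, `server` and `http-response` lines parse as part of that backend but read as if global; indent them like the other sections, and note the HSTS header there duplicates the one already set in `443-in-doh`.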
@@ -0,0 +1,26 @@
+-- SPDX-License-Identifier: CC0-1.0
+-- vim:syntax=lua:set ts=4 sw=4:
+-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/
+
+verbose(true)
+-- Network interface configuration
+net.listen('127.0.0.1', 5353, { kind = 'dns' })
+net.listen('::1', 5353, { kind = 'dns', freebind = true })
+
+-- Load useful modules
+modules = {
+ 'hints > iterate', -- Load /etc/hosts and allow custom root hints
+ 'stats', -- Track internal statistics
+ 'predict', -- Prefetch expiring/frequent records
+}
+
+-- Cache size
+cache.size = 100 * MB
+
+-- policy help : https://knot-resolver.readthedocs.io/en/stable/modules-policy.html
+-- This is Just a Blocklist
+policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/list/energized-ultimate.rpz',true))
+policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/list/denylist.rpz',true))
+policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/list/oisd.rpz',true))
+policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/allowlist.rpz',true))
+policy.add(policy.all(policy.QTRACE))
diff --git a/filters/allowlist.rpz b/filters/allowlist.rpz
new file mode 100644
index 0000000..df0d30d
--- /dev/null
+++ b/filters/allowlist.rpz
@@ -0,0 +1,2 @@
+*.gvt1.com CNAME rpz-passthru.
+*.play.googleapis.com CNAME rpz-passthru.
diff --git a/filters/denylist.rpz b/filters/denylist.rpz
new file mode 100644
index 0000000..eff5c14
--- /dev/null
+++ b/filters/denylist.rpz
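Review bot: `policy.add(policy.all(policy.QTRACE))` enables per-query tracing for every query, on top of `verbose(true)`; on a resolver that fronts DoT/DoH for other clients this writes each client's full query stream to the log, which contradicts the logging deliberately commented out on the haproxy side and grows the log quickly. Remove the QTRACE rule (or keep it behind a debugging toggle) and use `verbose(false)` for production. The `policy.PASS` rule for `allowlist.rpz` is added after the three `policy.DENY` rules; as I read the linked policy docs, rules are evaluated in insertion order and the first one that yields an action wins, so the allowlist can never override a deny-list entry as written — move the `policy.rpz(policy.PASS, ...)` line above the DENY lines and verify against the docs for the installed version.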
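Review bot: `*.gvt1.com CNAME rpz-passthru.` matches names below gvt1.com but, by RPZ wildcard semantics, not the apex `gvt1.com` itself; if a deny list carries the apex it stays blocked, so add a plain `gvt1.com CNAME rpz-passthru.` line alongside the wildcard (and likewise for play.googleapis.com). A one-line `;` comment at the top stating that `rpz-passthru.` means "exempt from the deny lists" would help whoever inherits the file.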
@@ -0,0 +1,19 @@
+in-os-config-appstore.vivoglobal.com CNAME .
+asia-vcode-od.vivoglobal.com CNAME .
+excfgfile-vivofs-asia.vivo.com.cn CNAME .
+tencent.com CNAME .
+tencent.cn CNAME .
+footprints-pa.googleapis.com CNAME .
+people-pa.googleapis.com CNAME .
+lamssettings-pa.googleapis.com CNAME .
+cdn.syndication.twimg.com CNAME .
+fonts.gstatic.com CNAME .
+fonts.googleapis.com CNAME .
+platform.twitter.com CNAME .
+asia-analyzer-appstore.vivoglobal.com CNAME .
+platform.instagram.com CNAME .
+alb.reddit.com CNAME .
+s.reddit.com CNAME .
+tiktok.com CNAME .
+qq.com CNAME .
+mail.ru CNAME .
diff --git a/filters/lists.txt b/filters/lists.txt
new file mode 100644
index 0000000..427335e
--- /dev/null
+++ b/filters/lists.txt
@@ -0,0 +1,3 @@
+# List of third party filters besides my personal list
+https://block.energized.pro/ultimate/formats/rpz.txt
+https://rpz.oisd.nl/
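Review bot: Entries such as `tencent.com CNAME .`, `qq.com CNAME .` and `mail.ru CNAME .` are exact QNAME triggers; in RPZ an exact name does not cover its subdomains, so `www.tencent.com` still resolves unless kresd's rpz loader widens names to suffix matches (verify before relying on it) — pair each apex with a wildcard line such as `*.tencent.com CNAME .`, as allowlist.rpz already does for gvt1.com. A short `;` comment at the top saying what this list targets and that `CNAME .` means NXDOMAIN would make the file self-explanatory, which matters given the README's warning that it breaks some domains.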