From 1f77f0e470e07c45b7abc2fdd4bacfdb5cd1fc60 Mon Sep 17 00:00:00 2001
From: Minoplhy
Date: Fri, 1 Jan 2021 19:11:38 +0700
Subject: [PATCH 01/12] Create haproxy.cfg
---
 configuration/haproxy.cfg | 87 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 configuration/haproxy.cfg
diff --git a/configuration/haproxy.cfg b/configuration/haproxy.cfg
new file mode 100644
index 0000000..2e70352
--- /dev/null
+++ b/configuration/haproxy.cfg
@@ -0,0 +1,87 @@ + +global + log /dev/log local0 + log /dev/log local1 notice + chroot /var/lib/haproxy + stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners + stats timeout 30s + user haproxy + group haproxy + daemon + + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.8.0&openssl=1.1.0i&hsts=yes&profile=modern + # If you are using different version (check with `openssl version` and `haproxy -v`, go get new ciphers&options) + # set default parameters to the intermediate configuration + ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + +# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam + ssl-dh-param-file /path/to/dhparam + +defaults +# enables tcplog so disabled +# log global + mode http +# option httplog + option dontlognull + timeout connect 5000 + timeout client 50000 + timeout server 50000 + errorfile 400 /etc/haproxy/errors/400.http + errorfile 403 /etc/haproxy/errors/403.http + errorfile 408 /etc/haproxy/errors/408.http + errorfile 500 /etc/haproxy/errors/500.http + errorfile 502 /etc/haproxy/errors/502.http + errorfile 503 /etc/haproxy/errors/503.http + errorfile 504 /etc/haproxy/errors/504.http + + +# TCP LB (443) +frontend 443-in + bind 104.244.78.187:443 tfo ssl strict-sni crt 
/etc/haproxy/certs/dot.domain.pem + bind [::]:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem + mode tcp + + # DoT + use_backend dns-dot if { ssl_fc_sni dot.domain.pem } + +# TCP LB (853) +frontend 853-in + bind 0.0.0.0:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem + bind [::]:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem + mode tcp + + # DoT + use_backend dns-dot if { ssl_fc_sni dot.domain } + +backend dns-dot + mode tcp + server dot 127.0.0.1:5353 check + +# TCP LB (443) +frontend 443-in-doh + bind 0.0.0.0:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.ludns.nakadlto.cz.pem + bind [::]:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.ludns.nakadlto.cz.pem + + mode http + + http-response set-header Strict-Transport-Security max-age=63072000 + http-response set-header X-Frontend lv1 + + use_backend check if { path /check } + + use_backend dns-doh if { hdr(host) -i doh.domain } + +# default_backend nginx + +backend dns-doh +mode http +server dns-doh 127.0.0.1:8053 check + +http-response set-header Strict-Transport-Security max-age=63072000 + +backend check + mode http + errorfile 503 /root/dns/check.http From 1d9db708dd07e2ec4aa18d893aaed300dac47092 Mon Sep 17 00:00:00 2001 From: Minoplhy Date: Fri, 1 Jan 2021 19:12:39 +0700 Subject: [PATCH 02/12] Update README.md --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index ff86671..4211562 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,7 @@ # DOT DOH with haproxy + +[Mozilla ssl-config](https://ssl-config.mozilla.org/) + ``` Query Dns-over-TLS From fd00dc985ab32f6aa5398dcd91e0c986c0d1a840 Mon Sep 17 00:00:00 2001 From: Minoplhy Date: Fri, 1 Jan 2021 19:14:50 +0700 Subject: [PATCH 03/12] Create kresd.conf --- configuration/kresd.conf | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 configuration/kresd.conf 
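Review bot: In frontend `443-in` the DoT routing ACL compares the SNI against a file name, `use_backend dns-dot if { ssl_fc_sni dot.domain.pem }`, whereas `853-in` uses `ssl_fc_sni dot.domain`; no client presents a `.pem` SNI, and with `mode tcp` and no default_backend every DoT connection on 443 is therefore dropped, so the line should read `use_backend dns-dot if { ssl_fc_sni dot.domain }`. Frontends `443-in` and `443-in-doh` also both bind `[::]:443` (and `104.244.78.187:443` overlaps `0.0.0.0:443`); depending on whether SO_REUSEPORT is in effect HAProxy either refuses to start or the kernel spreads incoming connections across the two listeners, so DoT and DoH cannot share port 443 as two independent frontends. The literal address `104.244.78.187` and the `doh.ludns.nakadlto.cz.pem` certificate name sit next to `dot.domain`/`doh.domain` placeholders and look like live deployment values; a placeholder keeps the published config from documenting the real endpoint.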
diff --git a/configuration/kresd.conf b/configuration/kresd.conf
new file mode 100644
index 0000000..341d390
--- /dev/null
+++ b/configuration/kresd.conf
@@ -0,0 +1,25 @@
+-- SPDX-License-Identifier: CC0-1.0
+-- vim:syntax=lua:set ts=4 sw=4:
+-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/
+
+verbose(true)
+-- Network interface configuration
+net.listen('127.0.0.1', 5353, { kind = 'dns' })
+net.listen('::1', 5353, { kind = 'dns', freebind = true })
+
+-- Load useful modules
+modules = {
+ 'hints > iterate', -- Load /etc/hosts and allow custom root hints
+ 'stats', -- Track internal statistics
+ 'predict', -- Prefetch expiring/frequent records
+}
+
+-- Cache size
+cache.size = 100 * MB
+
+-- policy help : https://knot-resolver.readthedocs.io/en/stable/modules-policy.html
+-- This is Just a Blocklist
+policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/list/energized-ultimate.rpz',true))
+policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/list/denylist.rpz',true))
+policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/allowlist.rpz',true))
+policy.add(policy.all(policy.QTRACE))
From ae791654fafe8c3191662dc3c81c9b665937310c Mon Sep 17 00:00:00 2001
From: Minoplhy
Date: Fri, 1 Jan 2021 19:15:41 +0700
Subject: [PATCH 04/12] Create allowlist.rpz
---
 filters/allowlist.rpz | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 filters/allowlist.rpz
diff --git a/filters/allowlist.rpz b/filters/allowlist.rpz
new file mode 100644
index 0000000..df0d30d
--- /dev/null
+++ b/filters/allowlist.rpz
@@ -0,0 +1,2 @@
+*.gvt1.com CNAME rpz-passthru.
+*.play.googleapis.com CNAME rpz-passthru.
From 91200d7c3283769a317fa30d3d5d0844befd2a25 Mon Sep 17 00:00:00 2001
From: Minoplhy
Date: Fri, 1 Jan 2021 19:16:17 +0700
Subject: [PATCH 05/12] Create denylist.rpz
---
 filters/denylist.rpz | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 filters/denylist.rpz
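Review bot: The `policy.PASS` allowlist is registered after the two `policy.DENY` RPZ rules; as far as I recall Knot Resolver evaluates `policy.add` rules in order and stops at the first terminating action, and the policy module's own PASS example places the exception before the blocking rule, so the `*.gvt1.com` and `*.play.googleapis.com` passthru entries are never reached for a name the deny lists already match. Moving `policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/allowlist.rpz',true))` above the DENY lines fixes the order; the later hunk that adds oisd.rpz (patch 10/12) keeps the same ordering and needs the same change. Separately, `verbose(true)` together with `policy.add(policy.all(policy.QTRACE))` traces every query this resolver handles, which on a public DoT/DoH endpoint writes every client's query names to the log; a comment such as `-- QTRACE on every query is a debugging setting: it logs all client query names` would flag it for removal in production.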
diff --git a/filters/denylist.rpz b/filters/denylist.rpz new file mode 100644 index 0000000..eff5c14 --- /dev/null +++ b/filters/denylist.rpz @@ -0,0 +1,19 @@ +in-os-config-appstore.vivoglobal.com CNAME . +asia-vcode-od.vivoglobal.com CNAME . +excfgfile-vivofs-asia.vivo.com.cn CNAME . +tencent.com CNAME . +tencent.cn CNAME . +footprints-pa.googleapis.com CNAME . +people-pa.googleapis.com CNAME . +lamssettings-pa.googleapis.com CNAME . +cdn.syndication.twimg.com CNAME . +fonts.gstatic.com CNAME . +fonts.googleapis.com CNAME . +platform.twitter.com CNAME . +asia-analyzer-appstore.vivoglobal.com CNAME . +platform.instagram.com CNAME . +alb.reddit.com CNAME . +s.reddit.com CNAME . +tiktok.com CNAME . +qq.com CNAME . +mail.ru CNAME . From 3470f36d09175951badf0d4e9d76305ddf01e311 Mon Sep 17 00:00:00 2001 From: Minoplhy Date: Fri, 1 Jan 2021 19:20:16 +0700 Subject: [PATCH 06/12] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 4211562..7d11c08 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,8 @@ [Mozilla ssl-config](https://ssl-config.mozilla.org/) +**!!! denylist.rpz and allowlist.rpz are made for my _private_ use and will _cause_ problem with _some_ domain !!!** + ``` Query Dns-over-TLS From a235621f09c1a4c392e32abbb1da49e48211a624 Mon Sep 17 00:00:00 2001 From: Minoplhy Date: Fri, 1 Jan 2021 19:24:38 +0700 Subject: [PATCH 07/12] Create doh-server.conf --- configuration/doh-server.conf | 36 +++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 configuration/doh-server.conf diff --git a/configuration/doh-server.conf b/configuration/doh-server.conf new file mode 100644 index 0000000..abfc004 --- /dev/null +++ b/configuration/doh-server.conf 
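Review bot: Entries such as `tencent.com CNAME .` and `qq.com CNAME .` are plain-name RPZ triggers; under standard RPZ semantics a plain owner name matches only that exact QNAME and subdomains need a separate `*.tencent.com CNAME .` record (the allowlist already uses the `*.` form), so most of these lines block less than the README's warning suggests — assuming kresd's RPZ loader follows the standard rules, which I have not verified for wildcard-versus-apex handling. A one-line header naming the intended scope, e.g. `; exact names only; add a *.name line to cover subdomains`, would keep the next edit from guessing.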
@@ -0,0 +1,36 @@ +# Original author : aaflalo.me https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-server/#Configuration +# HTTP listen port +listen = [ + "127.0.0.1:8053", + "[::1]:8053", +] + +# TLS certification file +# If left empty, plain-text HTTP will be used. +# You are recommended to leave empty and to use a server load balancer (e.g. +# Caddy, Nginx) and set up TLS there, because this program does not do OCSP +# Stapling, which is necessary for client bootstrapping in a network +# environment with completely no traditional DNS service. +cert = "" + +# TLS private key file +key = "" + +# HTTP path for resolve application +path = "/dns-query" + +# Upstream DNS resolver +# If multiple servers are specified, a random one will be chosen each time. +upstream = [ + "tcp:127.0.0.1:5353", + "udp:127.0.0.1:5353", +] + +# Upstream timeout +timeout = 60 + +# Number of tries if upstream DNS fails +tries = 10 + +# Enable logging +verbose = false From f21b598dc3af0038d423874792138ac9d9758579 Mon Sep 17 00:00:00 2001 From: Minoplhy Date: Fri, 1 Jan 2021 19:29:28 +0700 Subject: [PATCH 08/12] Update README.md --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 7d11c08..9acd5a4 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # DOT DOH with haproxy -[Mozilla ssl-config](https://ssl-config.mozilla.org/) +**[Mozilla ssl-config](https://ssl-config.mozilla.org/)** **!!! denylist.rpz and allowlist.rpz are made for my _private_ use and will _cause_ problem with _some_ domain !!!** @@ -23,3 +23,6 @@ Query |--------------------------------------------------------------> Dns Resolver (Knot-resolver dns local) ``` + +# Recommendation +1. [knot-resolver](https://knot-resolver.cz) **Recommend** using upstream repository on debian From d612efceec4eaa43b37d5a6e19b1a44bcb646b94 Mon Sep 17 00:00:00 2001 
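Review bot: `timeout = 60` together with `tries = 10` lets a single DoH request wait on an unresponsive upstream for up to ten minutes if tries are sequential (the file does not say how they are scheduled), long after any client has given up, while the only upstream is the local resolver on 127.0.0.1:5353 that answers or fails quickly. Values such as `timeout = 5` and `tries = 3` bound the worker time one slow request can tie up. The `listen` addresses are loopback only, which matches the HAProxy frontend that terminates TLS in front of this process and is worth stating in the `# HTTP listen port` comment, e.g. `# loopback only: TLS is terminated by haproxy (configuration/haproxy.cfg)`.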
From: Minoplhy
Date: Fri, 1 Jan 2021 19:42:07 +0700
Subject: [PATCH 09/12] check.http
---
 addition/check.http | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 addition/check.http
diff --git a/addition/check.http b/addition/check.http
new file mode 100644
index 0000000..7777c22
--- /dev/null
+++ b/addition/check.http
@@ -0,0 +1,5 @@
+HTTP/1.0 200 Found
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/plain
+Access-Control-Allow-Origin: https://domain.tld
From ab557532b8da502257a4395b9dccf4965d7c29fa Mon Sep 17 00:00:00 2001
From: Minoplhy
Date: Fri, 1 Jan 2021 19:54:33 +0700
Subject: [PATCH 10/12] Update kresd.conf
---
 configuration/kresd.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/configuration/kresd.conf b/configuration/kresd.conf
index 341d390..2e40630 100644
--- a/configuration/kresd.conf
+++ b/configuration/kresd.conf
@@ -21,5 +21,6 @@ cache.size = 100 * MB
 -- This is Just a Blocklist
 policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/list/energized-ultimate.rpz',true))
 policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/list/denylist.rpz',true))
+policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/list/oisd.rpz',true))
 policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/allowlist.rpz',true))
 policy.add(policy.all(policy.QTRACE))
From e3cc35af3ea8756fbbdbac6857c4df9f6ccc7e55 Mon Sep 17 00:00:00 2001
From: Minoplhy
Date: Fri, 1 Jan 2021 19:57:14 +0700
Subject: [PATCH 11/12] Create lists.txt
---
 filters/lists.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 filters/lists.txt
diff --git a/filters/lists.txt b/filters/lists.txt
new file mode 100644
index 0000000..427335e
--- /dev/null
+++ b/filters/lists.txt
@@ -0,0 +1,3 @@
+# List of third party filters besides my personal list
+https://block.energized.pro/ultimate/formats/rpz.txt
+https://rpz.oisd.nl/
From d78c9a2b817791af75d19b9e5fe7cc44d19dbdba Mon Sep 17 00:00:00 2001
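Review bot: `HTTP/1.0 200 Found` pairs status 200 with the reason phrase of a 302; it should be `HTTP/1.0 200 OK`. The file also ends on the `Access-Control-Allow-Origin` header with no empty line terminating the header block and no body despite `Content-Type: text/plain`; HAProxy serves `errorfile` content as a complete raw HTTP response (newer releases parse it and reject a malformed one), so a trailing blank line and a short body such as `OK` make it a well-formed reply. `https://domain.tld` is a placeholder that has to become the real DoH origin, or the header be dropped, before the file is deployed.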
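Review bot: The two URLs appear to be the sources of the `energized-ultimate.rpz` and `oisd.rpz` files referenced from kresd.conf, but nothing in the series shows how they are fetched into /etc/knot-resolver/list/ or checked; because kresd applies them as DENY policy with the third argument set (file watching, if I read the signature right), whatever a download returns becomes live blocking policy without review. A header such as `# fetched into /etc/knot-resolver/list/ and loaded as policy.DENY in kresd.conf; downloads are applied unverified, review diffs before deploying` records that dependency and its trust assumption.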
From: Minoplhy
Date: Fri, 1 Jan 2021 20:25:06 +0700
Subject: [PATCH 12/12] Create bright.md
---
 bright.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 bright.md
diff --git a/bright.md b/bright.md
new file mode 100644
index 0000000..b0679fd
--- /dev/null
+++ b/bright.md
@@ -0,0 +1,13 @@
+# bright!!
+***SERVER SIDE***
+1. haproxy.cfg
+ - haproxy
+2. kresd.conf
+ - knot-resolver
+3. doh-server.conf
+ - m13253/dns-over-https **doh-server**
+
+***ADDITIONAL***
+
+1. *.rpz
+ - response policy zone [Wikipedia](https://en.wikipedia.org/wiki/Response_policy_zone) [knot-resolver](https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#response-policy-zones)