Merge pull request #1 from minoplhy/beta-expos

build !

README.md

@@ -1,4 +1,9 @@
 # DOT DOH with haproxy
+
+**[Mozilla ssl-config](https://ssl-config.mozilla.org/)**
+
+**!!! denylist.rpz and allowlist.rpz are made for my _private_ use and will _cause_ problem with _some_ domain !!!**
+
 ```
 Query
            Dns-over-TLS
@@ -18,3 +23,6 @@ Query
                       |--------------------------------------------------------------> Dns Resolver (Knot-resolver dns local)
                       
 ```
+
+# Recommendation
+1. [knot-resolver](https://knot-resolver.cz) **Recommend** using upstream repository on debian

addition/check.http

@@ -0,0 +1,5 @@
+HTTP/1.0 200 Found
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/plain
+Access-Control-Allow-Origin: https://domain.tld

bright.md

@@ -0,0 +1,13 @@
+# bright!!
+***SERVER SIDE***
+1. haproxy.cfg
+     - haproxy
+2. kresd.conf
+     - knot-resolver
+3. doh-server.conf
+     - m13253/dns-over-https **doh-server**
+
+***ADDITIONAL***
+
+1. *.rpz
+     - response policy zone [Wikipedia](https://en.wikipedia.org/wiki/Response_policy_zone) [knot-resolver](https://knot-resolver.readthedocs.io/en/stable/modules-policy.html#response-policy-zones)

configuration/doh-server.conf

@@ -0,0 +1,36 @@
+# Original author : aaflalo.me https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-server/#Configuration
+# HTTP listen port
+listen = [
+    "127.0.0.1:8053",
+    "[::1]:8053",
+]
+
+# TLS certification file
+# If left empty, plain-text HTTP will be used.
+# You are recommended to leave empty and to use a server load balancer (e.g.
+# Caddy, Nginx) and set up TLS there, because this program does not do OCSP
+# Stapling, which is necessary for client bootstrapping in a network
+# environment with completely no traditional DNS service.
+cert = ""
+
+# TLS private key file
+key = ""
+
+# HTTP path for resolve application
+path = "/dns-query"
+
+# Upstream DNS resolver
+# If multiple servers are specified, a random one will be chosen each time.
+upstream = [
+    "tcp:127.0.0.1:5353",
+    "udp:127.0.0.1:5353",
+]
+
+# Upstream timeout
+timeout = 60
+
+# Number of tries if upstream DNS fails
+tries = 10
+
+# Enable logging
+verbose = false

configuration/haproxy.cfg

@@ -0,0 +1,87 @@
+
+global
+        log /dev/log    local0
+        log /dev/log    local1 notice
+        chroot /var/lib/haproxy
+        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+        stats timeout 30s
+        user haproxy
+        group haproxy
+        daemon
+
+        # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.8.0&openssl=1.1.0i&hsts=yes&profile=modern
+        # If you are using different version (check with `openssl version` and `haproxy -v`, go get new ciphers&options)
+        # set default parameters to the intermediate configuration
+        ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+        ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+        ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+        ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+        ssl-dh-param-file /path/to/dhparam
+
+defaults
+#       enables tcplog so disabled
+#       log     global
+        mode    http
+#       option  httplog
+        option  dontlognull
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+        errorfile 400 /etc/haproxy/errors/400.http
+        errorfile 403 /etc/haproxy/errors/403.http
+        errorfile 408 /etc/haproxy/errors/408.http
+        errorfile 500 /etc/haproxy/errors/500.http
+        errorfile 502 /etc/haproxy/errors/502.http
+        errorfile 503 /etc/haproxy/errors/503.http
+        errorfile 504 /etc/haproxy/errors/504.http
+
+
+# TCP LB (443)
+frontend 443-in
+          bind 104.244.78.187:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
+          bind [::]:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
+          mode tcp
+
+        # DoT
+        use_backend dns-dot if { ssl_fc_sni dot.domain.pem }
+
+# TCP LB (853)
+frontend 853-in
+	bind 0.0.0.0:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
+	bind [::]:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
+	mode tcp
+
+	# DoT
+	use_backend dns-dot if { ssl_fc_sni dot.domain }
+
+backend dns-dot
+	mode tcp
+	server dot 127.0.0.1:5353 check
+
+# TCP LB (443)
+frontend 443-in-doh
+	bind 0.0.0.0:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.ludns.nakadlto.cz.pem
+        bind [::]:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.ludns.nakadlto.cz.pem
+
+        mode http
+
+        http-response set-header Strict-Transport-Security max-age=63072000
+	http-response set-header X-Frontend lv1
+
+	use_backend check if { path /check }
+
+	use_backend dns-doh if { hdr(host) -i doh.domain }
+
+#	default_backend nginx
+
+backend dns-doh
+mode http
+server dns-doh 127.0.0.1:8053 check
+
+http-response set-header Strict-Transport-Security max-age=63072000
+
+backend check
+        mode http
+        errorfile 503 /root/dns/check.http

configuration/kresd.conf

@@ -0,0 +1,26 @@
+-- SPDX-License-Identifier: CC0-1.0
+-- vim:syntax=lua:set ts=4 sw=4:
+-- Refer to manual: https://knot-resolver.readthedocs.org/en/stable/
+
+verbose(true)
+-- Network interface configuration
+net.listen('127.0.0.1', 5353, { kind = 'dns' })
+net.listen('::1', 5353, { kind = 'dns', freebind = true })
+
+-- Load useful modules
+modules = {
+	'hints > iterate',  -- Load /etc/hosts and allow custom root hints
+	'stats',            -- Track internal statistics
+	'predict',          -- Prefetch expiring/frequent records
+}
+
+-- Cache size
+cache.size = 100 * MB
+
+-- policy help : https://knot-resolver.readthedocs.io/en/stable/modules-policy.html
+-- This is Just a Blocklist
+policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/list/energized-ultimate.rpz',true))
+policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/list/denylist.rpz',true))
+policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/list/oisd.rpz',true))
+policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/allowlist.rpz',true))
+policy.add(policy.all(policy.QTRACE))

filters/allowlist.rpz

@@ -0,0 +1,2 @@
+*.gvt1.com CNAME rpz-passthru.
+*.play.googleapis.com CNAME rpz-passthru.

filters/denylist.rpz

@@ -0,0 +1,19 @@
+in-os-config-appstore.vivoglobal.com CNAME .
+asia-vcode-od.vivoglobal.com CNAME .
+excfgfile-vivofs-asia.vivo.com.cn CNAME .
+tencent.com CNAME .
+tencent.cn CNAME .
+footprints-pa.googleapis.com CNAME .
+people-pa.googleapis.com CNAME .
+lamssettings-pa.googleapis.com CNAME .
+cdn.syndication.twimg.com CNAME .
+fonts.gstatic.com CNAME .
+fonts.googleapis.com CNAME .
+platform.twitter.com CNAME .
+asia-analyzer-appstore.vivoglobal.com CNAME .
+platform.instagram.com CNAME .
+alb.reddit.com CNAME .
+s.reddit.com CNAME .
+tiktok.com CNAME .
+qq.com CNAME .
+mail.ru CNAME .

filters/lists.txt

@@ -0,0 +1,3 @@
+# List of third party filters besides my personal list
+https://block.energized.pro/ultimate/formats/rpz.txt
+https://rpz.oisd.nl/