From fc6042cefd4e827f0854d6aa11e3ac6382e5b61b Mon Sep 17 00:00:00 2001 From: Minoplhy Date: Mon, 11 Jan 2021 19:58:55 +0700 Subject: [PATCH 1/5] Create encrypted-dns.toml --- configuration/encrypted-dns.toml | 256 +++++++++++++++++++++++++++++++ 1 file changed, 256 insertions(+) create mode 100644 configuration/encrypted-dns.toml
diff --git a/configuration/encrypted-dns.toml b/configuration/encrypted-dns.toml
new file mode 100644
index 0000000..c670d3c
--- /dev/null
+++ b/configuration/encrypted-dns.toml
@@ -0,0 +1,256 @@
+####################################################
+# #
+# Encrypted DNS Server configuration #
+# #
+####################################################
+
+
+
+##################################
+# Global settings #
+##################################
+
+
+## IP addresses and ports to listen to, as well as their external IP
+## If there is no NAT involved, `local` and `external` can be the same.
+## As many addresses as needed can be configured here, IPv4 and/or IPv6.
+## You should at least change the `external` IP address.
+
+### Example with both IPv4 and IPv6 addresses:
+# listen_addrs = [
+# { local = "0.0.0.0:443", external = "198.51.100.1:443" },
+# { local = "[::]:443", external = "[2001:db8::1]:443" }
+# ]
+
+listen_addrs = [
+ { local = "0.0.0.0:8443", external = "**YourIP**:8443" },
+ { local = "[::]:8443", external = "[**YourIP**]:8443" }
+]
+
+
+## Upstream DNS server and port
+
+upstream_addr = "127.0.0.1:5353"
+
+
+## File name to save the state to
+
+state_file = "encrypted-dns.state"
+
+
+## UDP timeout in seconds
+
+udp_timeout = 10
+
+
+## TCP timeout in seconds
+
+tcp_timeout = 10
+
+
+## Maximum active UDP sockets
+
+udp_max_active_connections = 1000
+
+
+## Maximum active TCP connections
+
+tcp_max_active_connections = 100
+
+
+## Optional IP address to connect to upstream servers from.
+## Leave commented/undefined to automatically select it.
+
+# external_addr = "0.0.0.0"
+
+
+## Built-in DNS cache capacity
+
+cache_capacity = 100000
+
+
+## DNS cache: minimum TTL
+
+cache_ttl_min = 3600
+
+
+## DNS cache: max TTL
+
+cache_ttl_max = 86400
+
+
+## DNS cache: error TTL
+
+cache_ttl_error = 600
+
+
+## DNS cache: to avoid bursts of traffic for popular queries when an
+## RRSET expires, hold a TTL received from an upstream server for
+## `client_ttl_holdon` seconds before decreasing it in client responses.
+
+client_ttl_holdon = 60
+
+
+## Run as a background process
+
+daemonize = false
+
+
+## Log file
+
+# log_file = "/tmp/encrypted-dns.log"
+
+
+## PID file
+
+pid_file = "/tmp/encrypted-dns.pid"
+
+
+## User name to drop privileges to, when started as root.
+
+user = "DNSCrypt"
+
+
+## Group name to drop privileges to, when started as root.
+
+group = "DNSCrypt"
+
+
+## Path to chroot() to, when started as root.
+## The path to the state file is relative to the chroot base.
+
+# chroot = "/var/empty"
+
+
+## Queries sent to that name will return the client IP address.
+## This can be very useful for debugging, or to check that relaying works.
+
+my_ip = "my.ip"
+
+
+####################################
+# DNSCrypt settings #
+####################################
+
+[dnscrypt]
+
+## Provider name (with or without the `2.dnscrypt-cert.` prefix)
+
+provider_name = "**Your Preferred Name**"
+
+
+## Does the server support DNSSEC?
+
+dnssec = true
+
+
+## Does the server always returns correct answers (no filtering, including ad blocking)?
+
+no_filters = false
+
+
+## Set to `true` if the server doesn't keep any information that can be used to identify users
+
+no_logs = true
+
+
+## Key cache capacity, per certificate
+
+key_cache_capacity = 10000
+
+
+
+###############################
+# TLS settings #
+###############################
+
+[tls]
+
+## Where to proxy TLS connections to (e.g. DoH server)
+
+# upstream_addr = "127.0.0.1:4343"
+
+
+
+#######################################
+# Server-side filtering #
+#######################################
+
+[filtering]
+
+## List of domains to block, one per line
+
+# domain_blacklist = "/etc/domain_blacklist.txt"
+
+
+## List of undelegated TLDs
+## This is the list of nonexistent TLDs that queries are frequently observed for,
+## but will never resolve to anything. The server will immediately return a
+## synthesized NXDOMAIN response instead of hitting root servers.
+
+# undelegated_list = "/etc/undelegated.txt"
+
+
+## Ignore A and AAAA queries for unqualified host names.
+
+# ignore_unqualified_hostnames = true
+
+
+
+#########################
+# Metrics #
+#########################
+
+# [metrics]
+
+# type = "prometheus"
+# listen_addr = "0.0.0.0:9100"
+# path = "/metrics"
+
+
+
+################################
+# Anonymized DNS #
+################################
+
+[anonymized_dns]
+
+# Enable relaying support for Anonymized DNS
+
+enabled = false
+
+
+# Allowed upstream ports
+# This is a list of commonly used ports for encrypted DNS services
+
+allowed_ports = [ 443, 553, 853, 1443, 2053, 4343, 4434, 4443, 5353, 5443, 8443, 15353 ]
+
+
+# Allow all ports >= 1024 in addition to the list above
+
+allow_non_reserved_ports = false
+
+
+# Blacklisted upstream IP addresses
+
+blacklisted_ips = [ "93.184.216.34" ]
+
+
+
+
+################################
+# Access control #
+################################
+
+[access_control]
+
+# Enable access control
+
+enabled = false
+
+# Only allow access to client queries including one of these random tokens
+# Tokens can be configured in the `query_meta` section of `dnscrypt-proxy` as
+# `query_meta = ["token:..."]` -- Replace ... with the token to use by the client.
+# Example: `query_meta = ["token:Y2oHkDJNHz"]`
+
+tokens = ["Y2oHkDJNHz", "G5zY3J5cHQtY", "C5zZWN1cmUuZG5z"]
From 272069875630b6036af27591d949829b06676e5c Mon Sep 17 00:00:00 2001 From: Minoplhy Date: Mon, 11 Jan 2021 20:00:52 +0700 Subject: [PATCH 2/5] KeePass are blocked back again --- filters/allowlist.rpz | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/filters/allowlist.rpz b/filters/allowlist.rpz
index 9931d7c..353a92c 100644
--- a/filters/allowlist.rpz
+++ b/filters/allowlist.rpz
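Review bot: The `tokens` array at the very end of the hunk still carries the three sample values copied from the upstream example configuration (`Y2oHkDJNHz`, `G5zY3J5cHQtY`, `C5zZWN1cmUuZG5z`), and committing them makes them public; they are inert while `[access_control]` has `enabled = false`, but whoever later flips that switch without regenerating them has an access list anyone can read off this repository. The rest of the file already uses `**YourIP**`-style placeholders, so `tokens = ["**YourToken**"]` would make the intent explicit and stop a copied token from surviving into a deployment. Separately, `pid_file = "/tmp/encrypted-dns.pid"` (and the commented `log_file` next to it) put files a service that may start as root writes into a world-writable directory; a dedicated runtime directory owned by the `DNSCrypt` user named in `user`/`group` is the safer home, and a one-line comment above `pid_file` saying so would keep the next editor from reverting to `/tmp`.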
@@ -1,4 +1,6 @@
 *.gvt1.com CNAME rpz-passthru.
 *.play.googleapis.com CNAME rpz-passthru.
 exappupgrade.vivoglobal.com CNAME rpz-passthru.
-sysupgrade-api.vivoglobal.com CNAME rps-passthru.
+sysupgrade-api.vivoglobal.com CNAME rpz-passthru.
+keepass.info CNAME rpz-passthru.
+keepassdx.com CNAME rpz-passthru.
From 2aeab8bf557d536c47349e527002b896c5a0b250 Mon Sep 17 00:00:00 2001 From: Minoplhy Date: Mon, 11 Jan 2021 20:04:32 +0700 Subject: [PATCH 3/5] Create dnscrypt-proxy.toml --- client-conf/dnscrypt-proxy.toml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 client-conf/dnscrypt-proxy.toml
diff --git a/client-conf/dnscrypt-proxy.toml b/client-conf/dnscrypt-proxy.toml
new file mode 100644
index 0000000..688907e
--- /dev/null
+++ b/client-conf/dnscrypt-proxy.toml
@@ -0,0 +1,27 @@
+# This Client Configuration are made for dnscrypt-proxy and Thanks ookangzheng for sample configuration files
+# Based on https://github.com/ookangzheng/blahdns/blob/master/client-conf/dnscrypt/dnscrypt-proxy.toml
+server_names = ['ProviderName', 'ProviderNamev6-Ifexisted']
+listen_addresses = ['127.0.0.1:53', '[::1]:53']
+max_clients = 250
+force_tcp = false
+timeout = 2000
+keepalive = 30
+
+# Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
+lb_strategy = 'fastest'
+fallback_resolver = '94.140.14.14:53'
+ignore_system_dns = false
+netprobe_timeout = 30
+cache = false
+cache_size = 512
+cache_min_ttl = 90
+cache_max_ttl = 1800
+cache_neg_min_ttl = 2
+cache_neg_max_ttl = 6
+
+[static]
+## Publickey: YOURPUBKEY
+[static.'ProviderName']
+stamp = 'sdns://YOUR-DNS-STAMPS'
+[static.'ProviderNamev6-Ifexisted']
+stamp = 'sdns://YOUR-DNS-STAMPS'
From 4be91d5b932ba178d0148f5bee469858b2ae9420 Mon Sep 17 00:00:00 2001
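Review bot: The commit title reads as if KeePass is being blocked, but the two added records `keepass.info CNAME rpz-passthru.` and `keepassdx.com CNAME rpz-passthru.` are passthru (allow) rules in allowlist.rpz, so the change exempts those hosts from filtering; the title and the entries should agree so the policy history stays readable. The correction of `rps-passthru.` to `rpz-passthru.` on the sysupgrade-api line is a real fix worth calling out: a CNAME to anything other than the RPZ special names is treated as local data, so the misspelled target would have answered with a bogus CNAME rather than passing the query through, and this list has no test to catch such typos. A `;` comment above the KeePass lines stating why they are allowed, e.g. `; KeePass download/update hosts - presumably caught by a denylist.rpz rule, keep reachable`, would spare the next editor from re-deriving it.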
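Review bot: `cache = false` in the new client config turns the five `cache_size` / `cache_min_ttl` / `cache_max_ttl` / `cache_neg_min_ttl` / `cache_neg_max_ttl` keys that follow it into dead settings; either enable the cache or comment them out with a note such as `# cache_* below are ignored while cache = false`, so a reader does not assume the TTL clamps are in effect. `fallback_resolver = '94.140.14.14:53'` is a plaintext port-53 resolver; as far as I know dnscrypt-proxy uses it only to bootstrap name resolution when the system DNS is unusable, but that is worth stating in a comment so nobody reads it as a general unencrypted fallback, and the operator should be told to pick one they trust. The `## Publickey: YOURPUBKEY` comment under `[static]` is free text next to `stamp = 'sdns://YOUR-DNS-STAMPS'`; a DNSCrypt stamp normally embeds the provider key itself, so either keep the comment in lockstep with the stamp or drop it to avoid a stale key being taken at face value.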
From: Minoplhy Date: Mon, 11 Jan 2021 20:15:52 +0700 Subject: [PATCH 4/5] Server Structure are useless and somethings useful - Server Structure + Recommendation Number 3 added + Less Crap + Recommendation Number 4 added --- README.md | 26 +++++++++----------------- 1 file changed, 9 insertions(+), 17 deletions(-)
diff --git a/README.md b/README.md
index b08f81b..fdae3d8 100644
--- a/README.md
+++ b/README.md
@@ -1,32 +1,24 @@ # DOT DOH with haproxy -**[Mozilla ssl-config](https://ssl-config.mozilla.org/)** - **!!! denylist.rpz and allowlist.rpz are made for my _private_ use and will _cause_ problem with _some_ domain !!!** ``` Query Dns-over-TLS - ---------------------> Haproxy(Frontend) -----------------------------> Knot-resolver - Cluster Listen(TCP/443/853) Listen(Local/dns) - ---------------------> (HTTP/443) -------> m13253/DOH -------> - Dns-over-HTTPS Listen(Local/http) -``` -# Server structure -``` - Server(or instances) - | - |----> Frontend-DOH (Haproxy 443 http TLS 1.3 strict-sni hdr/host/ ssl) - | |----> DOH (m13253/dns-over-https local) - | |---------------------------------------------------------------| - |----> Frontend-DOT (Haproxy 443 853 tcp TLS 1.3 strict-sni ssl_fc_sni ssl) v - |--------------------------------------------------------------> Dns Resolver (Knot-resolver dns local) - + ---------------------> Haproxy(Frontend) -----------------------------> +Cluster Listen(TCP/443/853) + ---------------------> (HTTP/443) -------> m13253/DOH -------> Knot-resolver + Dns-over-HTTPS Listen(Local/http)Listen(Local/dns) + DNSCrypt v2 + ---------------------> jedisct1/Encrypted DNS Server -------------------> + Listen(TCP/UDP/8443) ``` # Recommendation 1. [knot-resolver](https://knot-resolver.cz) **Recommend** using upstream repository on debian 2. Download.sh **Recommend** if you want to download all the default filters used in kresd.conf(knot-resolver configuration) +3. [jedisct1/Encrypted-dns-server](https://github.com/jedisct1/encrypted-dns-server) is recommended if you are looking for an easy way to start a DNSCrypt server +4. [Mozilla ssl-config](https://ssl-config.mozilla.org/) is recommended if you are looking for a sample TLS/SSL configuration for your Server Software # Mirror / Fork [notabug.org](https://notabug.org/lottanorta/doh-dot-haproxy) From 30eab72591b17a6041c34f67f2fc447f91f99608 Mon Sep 17 00:00:00 2001 
From: Minoplhy Date: Mon, 11 Jan 2021 20:17:04 +0700 Subject: [PATCH 5/5] Rename client-conf/dnscrypt-proxy.toml to configuration/client/dnscrypt-proxy.toml --- {client-conf => configuration/client}/dnscrypt-proxy.toml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {client-conf => configuration/client}/dnscrypt-proxy.toml (100%)
diff --git a/client-conf/dnscrypt-proxy.toml b/configuration/client/dnscrypt-proxy.toml
similarity index 100%
rename from client-conf/dnscrypt-proxy.toml
rename to configuration/client/dnscrypt-proxy.toml