From f973f37a3ae0b297967ab018831b6b27d7cc791d Mon Sep 17 00:00:00 2001
From: synto
Date: Thu, 27 May 2021 07:14:18 +0700
Subject: [PATCH] updates with current configuration

---
 configuration/client/dnscrypt-proxy.toml | 16 ++++--
 configuration/doh-server.conf | 26 +++++++++-
 configuration/haproxy.cfg | 66 ++++++++++++++----
 configuration/kresd.conf | 19 ++++---
 download-filters.sh | 16 +++---
 5 files changed, 98 insertions(+), 45 deletions(-)

diff --git a/configuration/client/dnscrypt-proxy.toml b/configuration/client/dnscrypt-proxy.toml
index 688907e..d8a66d2 100644
--- a/configuration/client/dnscrypt-proxy.toml
+++ b/configuration/client/dnscrypt-proxy.toml
@@ -1,5 +1,3 @@
-# This Client Configuration are made for dnscrypt-proxy and Thanks ookangzheng for sample configuration files
-# Based on https://github.com/ookangzheng/blahdns/blob/master/client-conf/dnscrypt/dnscrypt-proxy.toml
 server_names = ['ProviderName', 'ProviderNamev6-Ifexisted']
 listen_addresses = ['127.0.0.1:53', '[::1]:53']
 max_clients = 250
@@ -10,7 +8,7 @@ keepalive = 30
 # Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
 lb_strategy = 'fastest'
 fallback_resolver = '94.140.14.14:53'
-ignore_system_dns = false
+ignore_system_dns = true
 netprobe_timeout = 30
 cache = false
 cache_size = 512
@@ -19,6 +17,18 @@ cache_max_ttl = 1800
 cache_neg_min_ttl = 2
 cache_neg_max_ttl = 6
+# Use servers reachable over IPv4
+ipv4_servers = true
+
+# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
+ipv6_servers = true
+
+# Use servers implementing the DNSCrypt protocol
+dnscrypt_servers = true
+
+# Use servers implementing the DNS-over-HTTPS protocol
+doh_servers = false
+
 [static]
 ## Publickey: YOURPUBKEY
 [static.'ProviderName']
diff --git a/configuration/doh-server.conf b/configuration/doh-server.conf
index abfc004..9081fb7 100644
--- a/configuration/doh-server.conf
+++ b/configuration/doh-server.conf
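Review bot: With `ignore_system_dns = true` the single `fallback_resolver = '94.140.14.14:53'` two lines above becomes the only bootstrap path, and it is plain DNS on port 53, so any entry in `server_names` that lacks a `[static]` stamp is resolved in cleartext and cannot be resolved at all while that one host is down. That trade-off belongs in a comment on the key, e.g. `# system resolver ignored on purpose: bootstrap goes only through fallback_resolver (unencrypted)`. Newer dnscrypt-proxy releases replaced this single-valued key with a list, `bootstrap_resolvers`, so confirm the key name against the version actually deployed.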
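Review bot: `ipv6_servers = true` is enabled directly under its own comment warning not to do so without IPv6 connectivity, while the matching `server_names` entry is still the placeholder `'ProviderNamev6-Ifexisted'`, so on a v4-only host this adds a resolver that is never reachable. Either keep `false` as the safe default or make the comment a requirement: `# Requires working IPv6 on this host; otherwise set to false`. `doh_servers = false` looks consistent with the `[static]` entry below carrying a public key (a DNSCrypt stamp), but a one-line comment saying that DoH is intentionally unused on this client would stop the next reader treating it as an oversight.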
@@ -1,4 +1,3 @@
-# Original author : aaflalo.me https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-server/#Configuration
 # HTTP listen port
 listen = [
 "127.0.0.1:8053",
@@ -24,6 +23,8 @@ path = "/dns-query"
 upstream = [
 "tcp:127.0.0.1:5353",
 "udp:127.0.0.1:5353",
+ "tcp:[::1]:5353",
+ "udp:[::1]:5353"
 ]
 # Upstream timeout
@@ -34,3 +35,26 @@ tries = 10
 # Enable logging
 verbose = false
+
+# Enable log IP from HTTPS-reverse proxy header: X-Forwarded-For or X-Real-IP
+# Note: http uri/useragent log cannot be controlled by this config
+log_guessed_client_ip = false
+
+# By default, non global IP addresses are never forwarded to upstream servers.
+# This is to prevent two things from happening:
+# 1. the upstream server knowing your private LAN addresses;
+# 2. the upstream server unable to provide geographically near results,
+# or even fail to provide any result.
+# However, if you are deploying a split tunnel corporation network
+# environment, or for any other reason you want to inhibit this
+# behavior and allow local (eg RFC1918) address to be forwarded,
+# change the following option to "true".
+ecs_allow_non_global_ip = false
+
+# If ECS is added to the request, let the full IP address or
+# cap it to 24 or 128 mask. This option is to be used only on private
+# networks where knwoledge of the terminal endpoint may be required for
+# security purposes (eg. DNS Firewalling). Not a good option on the
+# internet where IP address may be used to identify the user and
+# not only the approximate location.
+ecs_use_precise_ip = false
diff --git a/configuration/haproxy.cfg b/configuration/haproxy.cfg
index 9017c10..f39ecef 100644
--- a/configuration/haproxy.cfg
+++ b/configuration/haproxy.cfg
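Review bot: The two added `[::1]:5353` upstreams presumably reach the same local kresd as the `127.0.0.1:5353` entries above them (the kresd.conf hunk in this patch shows `net.listen('::1', 5353, ...)`), so they add a second loopback path but no independent resolver to fail over to. If that is intended, record it, e.g. `# v4 and v6 loopback both point at the local kresd; there is no independent upstream`. The last entry `"udp:[::1]:5353"` also drops the trailing comma that the existing entries keep, so the list style is now mixed.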
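Review bot: The comment block copied above `ecs_use_precise_ip` carries the upstream typo `knwoledge`; the line should read `# networks where knowledge of the terminal endpoint may be required for`. All three new keys keep their privacy-preserving `false` defaults, which is the right setting for a resolver exposed to the internet, but they only matter for the client address doh-server can actually see, which behind the loopback HAProxy in this patch is 127.0.0.1 unless the proxy forwards the real address in `X-Forwarded-For`/`X-Real-IP` — and none of the haproxy.cfg hunks here sets that header. A comment recording that dependency on the proxy configuration would help, e.g. `# only meaningful if the TLS-terminating proxy forwards the client address`.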
@@ -11,13 +11,18 @@ global
 # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.8.0&openssl=1.1.0i&hsts=yes&profile=modern
 # If you are using different version (check with `openssl version` and `haproxy -v`, go get new ciphers&options)
 # set default parameters to the intermediate configuration
- ssl-default-bind-ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
- ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
- ssl-default-server-ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
- ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
-# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
- ssl-dh-param-file /path/to/dhparam
+ tune.ssl.default-dh-param 4096
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+ ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+ ssl-dh-param-file /path/to/dhparam
+
 defaults
 # enables tcplog so disabled
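Review bot: `tune.ssl.default-dh-param 4096` and `ssl-dh-param-file /path/to/dhparam` are both set, but the tuned default only applies when no DH parameter file (or certificate-embedded group) is configured, so either the placeholder path is still unfilled and HAProxy refuses to load the config, or the file wins and the `4096` line is dead. The removed `# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam` line was the only instruction on how to populate that path; keep it as a comment beside `ssl-dh-param-file`, noting that ffdhe2048 is a 2048-bit group rather than the 4096 named in the tune line. The cipher lists now follow Mozilla's intermediate profile (TLS 1.2 `ciphers` plus TLS 1.3 `ciphersuites`), yet the comment above still points at the generator with `profile=modern` for `haproxy-1.8.0`/`openssl=1.1.0i`; TLS 1.3 `ciphersuites` require OpenSSL 1.1.1 and a HAProxy build that recognises the keyword, so update the URL and version note to what is actually deployed. `prefer-client-ciphers` on the bind options is what the intermediate profile ships, and it is harmless here because every listed cipher is an AEAD suite, but that reasoning is worth one comment so nobody later adds a CBC suite to the list.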
@@ -39,47 +44,52 @@ defaults
 # TCP LB (443)
 frontend 443-in
- bind 104.244.78.187:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
- bind [::]:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
+ bind 104.244.78.187:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.DOMAIN.pem
+ bind [::]:443 tfo ssl strict-sni crt /etc/haproxy/certs/dot.DOMAIN.pem
 mode tcp
 # DoT
- use_backend dns-dot if { ssl_fc_sni dot.domain.pem }
+ use_backend dns-dot if { ssl_fc_sni dot.DOMAIN }
 # TCP LB (853)
 frontend 853-in
- bind 0.0.0.0:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
- bind [::]:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.domain.pem
- mode tcp
+ bind 0.0.0.0:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.DOMAIN.pem
+ bind [::]:853 tfo ssl strict-sni crt /etc/haproxy/certs/dot.DOMAIN.pem
+ mode tcp
- # DoT
- use_backend dns-dot if { ssl_fc_sni dot.domain }
+ # DoT
+ use_backend dns-dot if { ssl_fc_sni dot.DOMAIN }
+
+backend dns-dot
+ mode tcp
+ server dot 127.0.0.1:5353 check
 # TCP LB (443)
 frontend 443-in-doh
- bind 0.0.0.0:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.domain.pem alpn h2,http/2
- bind [::]:443 strict-sni tfo ssl crt /etc/haproxy/certs/doh.domain.pem alpn h2,http/2
+ bind :80
+ bind 104.244.78.187:443 strict-sni tfo ssl crt /etc/haproxy/certs alpn h2,http/2
+ bind [::]:443 strict-sni tfo ssl crt /etc/haproxy/certs alpn h2,http/2
 mode http
+ http-request redirect scheme https unless { ssl_fc }
+ rspidel (Server|x-powered-by|x-frontend)
 http-response set-header Strict-Transport-Security max-age=63072000
- http-response set-header X-Frontend lv1
+ http-response set-header X-Frontend lv1
- use_backend check if { path /check }
+ use_backend check if { path /check }
- use_backend dns-doh if { hdr(host) -i doh.domain }
+ acl doh-frontend1 hdr(host) -i doh.lDOMAIN
-
-backend dns-dot
- mode tcp
- server dot 127.0.0.1:5353 check
+ use_backend http_nginx if dotweb-frontend1
+# default_backend nginx
 backend dns-doh
- mode http
- server dns-doh 127.0.0.1:8053 check
+mode http
+server dns-doh 127.0.0.1:8053 check
+
+http-response set-header Strict-Transport-Security max-age=63072000
 backend check
 mode http
- errorfile 503 /root/dns/check.http
-
-http-response set-header Strict-Transport-Security max-age=63072000
+ errorfile 503 /root/dns/check.http
\ No newline at end of file
diff --git a/configuration/kresd.conf b/configuration/kresd.conf
index 114ca00..0057022 100644
--- a/configuration/kresd.conf
+++ b/configuration/kresd.conf
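Review bot: `use_backend http_nginx if dotweb-frontend1` references an ACL that is never declared (the only one added is `acl doh-frontend1 ...`) and a backend that does not exist in this file, and the removed `use_backend dns-doh if { hdr(host) -i doh.domain }` was the only rule sending traffic to `backend dns-doh`, so after this change HAProxy rejects the configuration at load and, once that is fixed, DoH requests never reach doh-server. The intended pair is presumably `acl doh-frontend1 hdr(host) -i doh.DOMAIN` (the `doh.lDOMAIN` value reads like a typo) followed by `use_backend dns-doh if doh-frontend1`. `frontend 443-in` and `frontend 443-in-doh` now both bind `104.244.78.187:443` and `[::]:443`, one in `mode tcp` and one in `mode http`; unless they are alternative deployments, the two cannot both serve that socket deterministically and the SNI-based DoT routing in `443-in` is otherwise unreachable. `rspidel` is a legacy keyword that HAProxy 2.1 removed; the supported form is one `http-response del-header` rule per header (`Server`, `X-Powered-By`, `X-Frontend`), which also makes the ordering against `set-header X-Frontend lv1` explicit. The unindented `mode http`, `server dns-doh ...` and `http-response ...` lines in `backend dns-doh` still parse, but they break the indentation every other section uses.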
@@ -10,25 +10,30 @@ net.listen('::1', 5353, { kind = 'dns', freebind = true })
 -- Load useful modules
 modules = {
- 'hints > iterate', -- Load /etc/hosts and allow custom root hints
- 'stats', -- Track internal statistics
- 'predict', -- Prefetch expiring/frequent records
+ 'hints > iterate', -- Load /etc/hosts and allow custom root hints
+ 'stats', -- Track internal statistics
+ 'predict', -- Prefetch expiring/frequent records
 }
--- Cache size https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-cache.html#sizing
+--- Cache size https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-cache.html#sizing
 -- "For personal and small office use-cases cache size around 100 MB is more than enough." -cz.nic
-cache.size = 100 * MB
+cache.size = 50 * MB
 -- policy help : https://knot-resolver.readthedocs.io/en/stable/modules-policy.html
 -- This is Just a Blocklist
 policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/minopallow.rpz',true))
+policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/adguard-exceptions.rpz',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/adguard-dns.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minopdeny.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-ultimate.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/pgl-adserver.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-social.rpz',true))
-policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-regional.rpz',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-regional.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/urlhaus-abuse_ch.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/energized-xtreme.rpz',true))
-policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/blahdns.rpz',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/1host-domains-pro.rpz',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/1host-wildcards-pro.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/minop-cname-cloaking.rpz',true))
 policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/ad-cname-tracker.rpz',true))
+policy.add(policy.rpz(policy.REFUSE, '/etc/knot-resolver/list/rpz-oisd.rpz',true))
+
diff --git a/download-filters.sh b/download-filters.sh
index 5fb1f7f..fb785a7 100644
--- a/download-filters.sh
+++ b/download-filters.sh
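Review bot: `policy.add(policy.rpz(policy.PASS, '/etc/knot-resolver/list/adguard-exceptions.rpz',true))` is inserted above every REFUSE list, which is the required order for an allowlist, but it also means whoever controls that remote file (fetched from a third-party bucket by download-filters.sh in this patch)can unblock any domain for every client of this resolver. State that trust decision next to the PASS rules, e.g. `-- PASS lists run first: any name they match bypasses every REFUSE list below`. The `true` third argument asks kresd to watch each file and reload it when it changes, so a bad or truncated download takes effect immediately rather than at the next restart. Most of the rest of the hunk (`modules`, the energized-regional line, `-- Cache size` → `--- Cache size`) is whitespace or comment-only churn that hides the real changes; keeping formatting separate from functional edits would make the diff reviewable.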
@@ -1,13 +1,17 @@
 #!/bin/sh
-wget -O /etc/knot-resolver/list/minopallow.rpz https://github.com/minoplhy/dnsBlocklist/raw/main/rpz/allowlist.rpz
-wget -O /etc/knot-resolver/list/minopdeny.rpz https://github.com/minoplhy/dnsBlocklist/raw/main/rpz/denylist.rpz
-wget -O /etc/knot-resolver/list/energized-ultimate.rpz https://block.energized.pro/ultimate/formats/rpz.txt
+wget -O /etc/knot-resolver/list/minopallow.rpz https://git.kylz.nl/GitHub/DNSBlocklist/raw/branch/main/rpz/allowlist.rpz
+wget -O /etc/knot-resolver/list/adguard-exceptions.rpz https://sos-ch-dk-2.exo.io/noblt/adguard/exceptions_rpz.txt
+wget -O /etc/knot-resolver/list/adguard-dns.rpz https://sos-ch-dk-2.exo.io/noblt/adguard/dns_rpz.txt
+wget -O /etc/knot-resolver/list/minopdeny.rpz https://git.kylz.nl/GitHub/DNSBlocklist/raw/branch/main/rpz/denylist.rpz
+wget -O /etc/knot-resolver/list/energized-ultimate.rpz https://block.energized.pro/ultimate/formats/rpz.txt
 wget -O /etc/knot-resolver/list/pgl-adserver.rpz https://pgl.yoyo.org/adservers/serverlist.php?hostformat=rpz&showintro=1&mimetype=plaintext
 wget -O /etc/knot-resolver/list/energized-social.rpz https://block.energized.pro/extensions/social/formats/rpz.txt
 wget -O /etc/knot-resolver/list/energized-regional.rpz https://block.energized.pro/extensions/regional/formats/rpz.txt
 wget -O /etc/knot-resolver/list/energized-xtreme.rpz https://block.energized.pro/extensions/xtreme/formats/rpz.txt
-wget -O /etc/knot-resolver/list/blahdns.rpz https://oooo.b-cdn.net/blahdns/blahdns_rpz.txt
+wget -O /etc/knot-resolver/list/1host-domains-pro.rpz https://sos-ch-dk-2.exo.io/noblt/1host/domains-pro_rpz.txt
+wget -O /etc/knot-resolver/list/1host-wildcards-pro.rpz https://sos-ch-dk-2.exo.io/noblt/1host/wildcards-pro_rpz.txt
 wget -O /etc/knot-resolver/list/urlhaus-abuse_ch.rpz https://urlhaus.abuse.ch/downloads/rpz
-wget -O /etc/knot-resolver/list/minop-cname-cloaking.rpz https://noblt.sos-ch-dk-2.exoscale-cdn.com/adguard/cname-original.rpz
-wget -O /etc/knot-resolver/list/ad-cname-tracker.rpz https://noblt.sos-ch-dk-2.exoscale-cdn.com/adguard/cname-tracker.rpz
+wget -O /etc/knot-resolver/list/minop-cname-cloaking.rpz https://sos-ch-dk-2.exo.io/noblt/adguard/cname-original_rpz.txt
+wget -O /etc/knot-resolver/list/ad-cname-tracker.rpz https://sos-ch-dk-2.exo.io/noblt/adguard/cname-tracker_rpz.txt
+wget -O /etc/knot-resolver/list/rpz-oisd.rpz https://rpz.oisd.nl/
 exit
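Review bot: Every `wget -O DEST URL` line, old and new, truncates DEST before the transfer starts, and the script has no `set -e` and ends in a bare `exit`, so a failed or interrupted download leaves an empty `.rpz` in place — which kresd.conf, watching these files, loads at once, effectively disabling that list. Download into a temporary file and move it over the live list only on success; the sketch below does this for the first entry and the others follow the same pattern. The unchanged `pgl.yoyo.org` line is also broken as written: the unquoted `&` backgrounds `wget` and runs `showintro=1` and `mimetype=plaintext` as separate commands, so that URL must be quoted. None of the sources is integrity-checked, and the PASS-list files now come from `git.kylz.nl` and an `exo.io` bucket; whoever controls those files can bypass blocking for every client, so at minimum record why those hosts are trusted and consider keeping the previous copy for comparison.
```shell
#!/bin/sh
# Fetch one RPZ list into a temp file and replace the live copy only on success,
# so a failed download never leaves an empty list for kresd to reload.
fetch() {
    tmp="$1.tmp"
    if wget -q -O "$tmp" "$2"; then
        mv "$tmp" "$1"
    else
        rm -f "$tmp"
        echo "download failed: $2" >&2
    fi
}
fetch /etc/knot-resolver/list/minopallow.rpz https://git.kylz.nl/GitHub/DNSBlocklist/raw/branch/main/rpz/allowlist.rpz
# … unchanged: remaining lists, one `fetch DEST URL` each; quote the pgl.yoyo.org URL …
exit
```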