From c1be2ddd18eff3ba6a91c605f80a6038762723ff Mon Sep 17 00:00:00 2001 From: Star Brilliant Date: Mon, 26 Mar 2018 00:44:28 +0800 Subject: [PATCH] Update Readme --- Readme.md | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/Readme.md b/Readme.md index fa59006..33e7f32 100644 --- a/Readme.md +++ b/Readme.md @@ -72,11 +72,26 @@ you can host DNS-over-HTTPS along with other HTTPS services. ## DNSSEC -DNSSEC validation is not built-in. It is highly recommended that you install -`unbound` or `bind` and pass results for them to validate DNS records. +DNS-over-HTTPS is compatible with DNSSEC, and requests DNSSEC signatures by +default. However signature validation is not built-in. It is highly recommended +that you install `unbound` or `bind` and pass results for them to validate DNS +records. -If you are running a server without anycast, you probably want to enable EDNS0 -Client Subnet during your configuring `unbound` or `bind`. +## EDNS0-Client-Subnet (GeoDNS) + +DNS-over-HTTPS supports EDNS0-Client-Subnet protocol, which submits part of the +client's IP address (/24 for IPv4, /48 for IPv6 by default) to the upstream +server. This is useful for GeoDNS and CDNs to work, and is exactly the same +configuration as most public DNS servers. + +Keep in mind that /24 is not enough to track a single user, although it is +precise enough to know the city where the user is from. If you think +EDNS0-Client-Subnet is affecting your privacy, you can set `no_ecs` to true in +`/etc/dns-over-https/doh-client.conf`, with the cost of slower video streaming +or software downloading speed. + +If your server is backed by `unbound` or `bind`, you probably want to enable +the EDNS0-Client-Subnet feature in their configuration files as well. ## Protocol compatibility 
@@ -99,7 +114,7 @@ Currently supported features are: - [X] IPv4 / IPv6 - [X] EDNS0 large UDP packet (4 KiB by default) -- [X] EDNS0 Client Subnet (/24 for IPv4, /48 for IPv6 by default) +- [X] EDNS0-Client-Subnet (/24 for IPv4, /48 for IPv6 by default) ## License
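Review bot: In the first hunk (the new `## EDNS0-Client-Subnet (GeoDNS)` section), the privacy paragraph understates the exposure: "/24 is not enough to track a single user" is only true on some networks; a /24 covers 256 IPv4 addresses and can identify a single household, office or small organisation on many ISPs, and a /48 usually maps to exactly one IPv6 subscriber. Suggest rewording to something like "a /24 or /48 prefix does not identify a single address, but it can narrow the client to a city, a small ISP block or even one site", and saying plainly that `no_ecs = true` in `/etc/dns-over-https/doh-client.conf` is a client-side setting that only affects what this client forwards. Two smaller points in the same hunk: "requests DNSSEC signatures by default. However signature validation is not built-in" needs a comma after "However" and "pass results for them to validate" reads better as "pass results to them for validation"; and "is exactly the same configuration as most public DNS servers" is an unverifiable claim in a Readme, so "similar to what most public resolvers do" would be safer.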
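Review bot: The second hunk only renames the feature-list entry to the hyphenated `EDNS0-Client-Subnet`, which matches the new section heading; the default prefix lengths (/24 for IPv4, /48 for IPv6) now appear both here and in the new section, so consider keeping just one of the two as the source of truth or cross-linking them so they do not drift apart when the defaults change.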