dandri/dns-over-https
1
0
Fork 0
mirror of https://github.com/m13253/dns-over-https.git synced 2026-03-30 18:35:38 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
58e4018ab2610e8fe4c6a56cd92e993f835fcff7
dns-over-https/Readme.md
Star Brilliant 1819deb6c0 Update Readme
2018-03-26 00:48:10 +08:00

128 lines
4.6 KiB
Markdown
Raw Blame History

DNS-over-HTTPS
==============
Client and server software to query DNS over HTTPS, using [Google DNS-over-HTTPS protocol](https://developers.google.com/speed/public-dns/docs/dns-over-https)
and [draft-ietf-doh-dns-over-https](https://github.com/dohwg/draft-ietf-doh-dns-over-https).
## Easy start
Install [Go](https://golang.org), at least version 1.9.
First create an empty directory, used for `$GOPATH`:
mkdir ~/gopath
export GOPATH=~/gopath
To build the program, type:
make
To install DNS-over-HTTPS as Systemd services, type:
sudo make install
By default, [Google DNS over HTTPS](https://dns.google.com) is used. It should
work for most users (except for People's Republic of China). If you need to
modify the default settings, type:
sudoedit /etc/dns-over-https/doh-client.conf
To automatically start DNS-over-HTTPS client as a system service, type:
sudo systemctl start doh-client.service
sudo systemctl enable doh-client.service
Then, modify your DNS settings (usually with NetworkManager) to 127.0.0.1.
To test your configuration, type:
dig www.google.com
If it is OK, you will wee:
;; SERVER: 127.0.0.1#53(127.0.0.1)
### Uninstalling
To uninstall, type:
sudo make uninstall
The configuration files are kept at `/etc/dns-over-https`. Remove them manually if you want.
## Server Configuration
The following is a typical DNS-over-HTTPS architecture:
+--------------+ +------------------------+
| Application | | Recursive DNS Server |
+-------+------+ +-----------+------------+
| |
+-------+------+ +-----------+------------+
| Client side | | doh-server |
| cache (nscd) | +-----------+------------+
+-------+------+ |
| +--------------------------+ +-----------+------------+
+-------+------+ | HTTP cache server / | | HTTP service muxer |
| doh-client +--+ Content Delivery Network +--+ (Apache, Nginx, Caddy) |
+--------------+ +--------------------------+ +------------------------+
Although DNS-over-HTTPS can work alone, a HTTP service muxer would be useful as
you can host DNS-over-HTTPS along with other HTTPS services.
## DNSSEC
DNS-over-HTTPS is compatible with DNSSEC, and requests DNSSEC signatures by
default. However signature validation is not built-in. It is highly recommended
that you install `unbound` or `bind` and pass results for them to validate DNS
records.
## EDNS0-Client-Subnet (GeoDNS)
DNS-over-HTTPS supports EDNS0-Client-Subnet protocol, which submits part of the
client's IP address (/24 for IPv4, /48 for IPv6 by default) to the upstream
server. This is useful for GeoDNS and CDNs to work, and is exactly the same
configuration as most public DNS servers.
Keep in mind that /24 is not enough to track a single user, although it is
precise enough to know the city where the user is located. If you think
EDNS0-Client-Subnet is affecting your privacy, you can set `no_ecs = true` in
`/etc/dns-over-https/doh-client.conf`, with the cost of slower video streaming
or software downloading speed.
If your server is backed by `unbound` or `bind`, you probably want to enable
the EDNS0-Client-Subnet feature in their configuration files as well.
## Protocol compatibility
### Google DNS-over-HTTPS Protocol
DNS-over-HTTPS uses a protocol compatible to [Google DNS-over-HTTPS](https://developers.google.com/speed/public-dns/docs/dns-over-https),
except for absolute expire time is preferred to relative TTL value. Refer to
[json-dns/response.go](json-dns/response.go) for a complete description of the
API.
### IETF DNS-over-HTTPS Protocol (Draft)
DNS-over-HTTPS uses a protocol compatible to [draft-ietf-doh-dns-over-https](https://github.com/dohwg/draft-ietf-doh-dns-over-https).
This protocol is in draft stage. Any incompatibility may be introduced before
it is finished.
### Supported features
Currently supported features are:
- [X] IPv4 / IPv6
- [X] EDNS0 large UDP packet (4 KiB by default)
- [X] EDNS0-Client-Subnet (/24 for IPv4, /48 for IPv6 by default)
## License
DNS-over-HTTPS is licensed under the [MIT License](LICENSE). You are encouraged
to embed DNS-over-HTTPS into your other projects, as long as the license
permits.
You are also encouraged to disclose your improvements to the public, so that
others may benefit from your modification, in the same way you receive benefits
from this project.
Reference in New Issue View Git Blame Copy Permalink