Android で DNS-over-HTTPS が簡単に出来るようになりました.
Linuxだどうなんだろうと以下の`dns-over-https` を試してみました.ここでは Debian sid amd64 で試していますが,公式の手順には Ubuntu 18.04 LTS, macOS の手順が載っています.
導入例
$ sudo apt install git golang $ git clone https://github.com/m13253/dns-over-https.git $ cd dns-over-https $ make $ sudo checkinstall
$ sudo edit /etc/dns-over-https/doh-client.conf
CleanBrowsingのセキュリティフィルターを利用する場合の設定例
diff --git a/dns-over-https/doh-client.conf b/dns-over-https/doh-client.conf
index 3b5de14..1791397 100644
--- a/dns-over-https/doh-client.conf
+++ b/dns-over-https/doh-client.conf
@@ -11,7 +11,7 @@ listen = [
upstream_google = [
# Google's productive resolver, good ECS, bad DNSSEC
- "https://dns.google.com/resolve",
+ #"https://dns.google.com/resolve",
# CloudFlare's resolver, bad ECS, good DNSSEC
#"https://cloudflare-dns.com/dns-query",
@@ -39,6 +39,9 @@ upstream_ietf = [
# Blog: https://blog.cloudflare.com/welcome-hidden-resolver/
#"https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query",
+ # CleanBrowsing https://cleanbrowsing.org/dnsoverhttps
+ "https://doh.cleanbrowsing.org/doh/security-filter/"
+
]
# Bootstrap DNS server to resolve the address of the upstream resolver起動
$ sudo systemctl restart doh-client
名前が引けるのを確認
$ dig @127.0.0.1 | grep SERVER ;; SERVER: 127.0.0.1#53(127.0.0.1)
trace
$ dig +trace matoken.org @127.0.0.1 ; <<>> DiG 9.11.4-P2-3-Debian <<>> +trace matoken.org @127.0.0.1 ;; global options: +cmd . 24820 IN NS m.root-servers.net. . 24820 IN NS b.root-servers.net. . 24820 IN NS c.root-servers.net. . 24820 IN NS d.root-servers.net. . 24820 IN NS e.root-servers.net. . 24820 IN NS f.root-servers.net. . 24820 IN NS g.root-servers.net. . 24820 IN NS h.root-servers.net. . 24820 IN NS i.root-servers.net. . 24820 IN NS j.root-servers.net. . 24820 IN NS a.root-servers.net. . 24820 IN NS k.root-servers.net. . 24820 IN NS l.root-servers.net. ;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 1334 ms org. 172800 IN NS a0.org.afilias-nst.info. org. 172800 IN NS a2.org.afilias-nst.info. org. 172800 IN NS b0.org.afilias-nst.org. org. 172800 IN NS b2.org.afilias-nst.org. org. 172800 IN NS c0.org.afilias-nst.info. org. 172800 IN NS d0.org.afilias-nst.org. org. 86400 IN DS 9795 7 1 364DFAB3DAF254CAB477B5675B10766DDAA24982 org. 86400 IN DS 9795 7 2 3922B31B6F3A4EA92B19EB7B52120F031FD8E05FF0B03BAFCF9F891B FE7FF8E5 org. 86400 IN RRSIG DS 8 1 86400 20181018050000 20181005040000 2134 . bYogBWKVV1SnjoHjS5LnLBE1mWC6UwkYT6muOjcHnuMNzJM1DY3YhSCT d9QOYlvvprUyD37xYIQ10BUZQ8hcNpnQ2TPUTNzd621lsqth6QK8zDN6 eP5AvZXlPy+9wni71rJIHy1wzepn9yrh3jp70zZhnEVxxgItWaYzsayY Jf+UfFQPmOKX0gn0GqcQ09CSZHdZhwbUT2AT1Rs0atkj6VaOy2TT1aQ1 gAtGF+5uA4uqLJegiEe/zneTeyuNE5QDQWKUNaeWEDE9kxylhv6m/3vE tQ8EHFpzOL9x+ed25LNcnRXH8K/xCW43R1FyaVNaA6xcsvGHCysqLneI v/RYMQ== ;; Received 813 bytes from 193.0.14.129#53(k.root-servers.net) in 210 ms matoken.org. 86400 IN NS ns-cloud-d2.googledomains.com. matoken.org. 86400 IN NS ns-cloud-d4.googledomains.com. matoken.org. 86400 IN NS ns-cloud-d1.googledomains.com. matoken.org. 86400 IN NS ns-cloud-d3.googledomains.com. h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN NSEC3 1 1 1 D399EAAB H9PARR669T6U8O1GSG9E1LMITK4DEM0T NS SOA RRSIG DNSKEY NSEC3PARAM h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN RRSIG NSEC3 7 2 86400 20181026101800 20181005091800 1862 org. edCrqcIYiHlMMzuacuX0DlobcQkymqClpK5C4QLzsNWtvp942bFRjbb2 WDX/6TsHO0noBNoKH2i+TU70WqpW7sVsXbjV9nkeLMZjxz/VLyAJOXWk 2ITvZwhjbe96lCSAIafm824pBx94ruieKZ2Yj8pYTBIrhDBoffjPhuem 44k= a85qqkk8n39d1c6m55g8ucjhm6u3jjcs.org. 86400 IN NSEC3 1 1 1 D399EAAB A86TS1MQ34BR2A3D3CT8D5SCHKAPPBPJ NS DS RRSIG a85qqkk8n39d1c6m55g8ucjhm6u3jjcs.org. 86400 IN RRSIG NSEC3 7 2 86400 20181022152743 20181001142743 1862 org. G15dhaW+53QBX9nTtsIUCnSRrMO0FCkQJE3jydb6hmRQEA328trp9OqK 6fuvl+RZBhBFeMeJV1Tz0Uezp9YvymfRWwdHiiFFLy3KBt5cTZJUXxTZ jXnMT9PoHZcIVJzN65vqQHDI2MzWYoQYr1WoKmJxOC5FQzFctZElyzEq fNQ= ;; Received 654 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 217 ms matoken.org. 120 IN A 153.121.44.87 ;; Received 56 bytes from 216.239.38.109#53(ns-cloud-d4.googledomains.com) in 388 ms
パケットキャプチャしてみる
通常のDNS
dig 2quepghecPeuj.matoken.org$ sudo tcpdump -n -nn -t -l -A -s0 2>/dev/null | grep 2quepghecPeuj.matoken.org IP 192.168.2.203.49026 > 192.168.2.211.53: 49901+ [1au] A? 2quepghecPeuj.matoken.org. (66) E..^.,..@.0t...........5.J..... .........2quepghecPeuj.matoken.org.......)......... E...z.@.@.8f.........5...w............. .2quepghecPeuj.matoken.org..............x...y,W........2....ns-cloud-d2.googledomains.com.........2....ns-cloud-d4.S........2....ns-cloud-d1.S........2....ns-cloud-d3.S.........d.... m.G.......+...."m.........D....$m.r......#P....&m............ .H`H..2.......m.G......+W.. .H`H..4.......m............ .H`H..6.......m.r......Ov.. .H`H..8.......m..)........ ^C
DNS over HTTPS
名前は見当たらない
dig 2quepghecPeuj.matoken.org @127.0.0.1$ sudo tcpdump -n -nn -t -l -A -s0 2>/dev/null | grep 2quepghecPeuj.matoken.org ^C
loopback 部分はHTTPSになる前の部分は見える
dig 2quepghecPeuj.matoken.org @127.0.0.1$ sudo tcpdump -i lo -n -nn -t -l -A -s0 2>/dev/null | grep 2quepghecPeuj.matoken.org IP 127.0.0.1.52265 > 127.0.0.1.53: 25766+ [1au] A? 2quepghecPeuj.matoken.org. (66) E..^C...@.8..........).5.J.]d.. .........2quepghecPeuj.matoken.org.......)......... E..bD(@.@..`.........5.).N.ad............2quepghecPeuj.matoken.org..............w...y,W..)........ ^C
永続化
$ sudo systemctl enable doh-client
後は /etc/network/interfaces や NetworkManager で DNS server に 127.0.0.1 を指定する.
環境
$ dpkg-query -W git golang dnsutils dnsutils 1:9.11.4.P2+dfsg-3 git 1:2.19.0-1 golang 2:1.10~5 $ lsb_release -d Description: Debian GNU/Linux unstable (sid) $ uname -m x86_64
One thought to “Linux で DNS-over-HTTPS を利用する”