
DNS Awesome

Recommended DNS configuration
  • Pick a DNS service that supports split resolution (per-domain upstreams) and DoH/DoT
    • AdGuard, Pi-hole
  • Use domestic DNS by default
    • Many domestic services rely on DNS resolution for CDN selection; a foreign DNS can break CDN routing, making sites very slow or unreachable
    • Domestic DNS is faster
  • Send domains that are subject to poisoning through DoH/DoT resolution
    • DoH and DoT cannot be poisoned
    • Even a foreign DNS over plain TCP/UDP gets poisoned; the protocol layer itself is insecure

DNS Provider

| Provider | Primary | Secondary | DoH | DoT | DoQ | ECS | ECS-Override |
|---|---|---|---|---|---|---|---|
| Google | 8.8.8.8 | 8.8.4.4 | dns.google | dns.google | | | |
| Cloudflare | 1.1.1.1 | 1.0.0.1 | cloudflare-dns.com, https://one.one.one.one | 1dot1dot1dot1.cloudflare-dns.com | | | |
| Quad9 | 9.9.9.9 | 149.112.112.112 | dns.quad9.net | dns.quad9.net | | | |
| Cisco OpenDNS | 208.67.222.222 | 208.67.220.220 | doh.opendns.com | dns.opendns.com | | | |
| Domestic (China) | | | | | | | |
| Aliyun | 223.5.5.5 | 223.6.6.6 | dns.alidns.com | dns.alidns.com | | | |
| Tencent DNSPod | 119.29.29.29 | 182.254.116.116 | doh.pub | dot.pub | | | |

| protocol | url |
|---|---|
| UDP | 1.1.1.1:53 |
| TCP | 1.1.1.1:53 |
| DoT | tls://1.1.1.1:853 |
| DoH | https://dns.wener.me/dns-query?name=wener.me&type=A |

| abbr. | stands for | notes |
|---|---|---|
| DoH | DNS over HTTPS | DNS queries encrypted inside HTTPS |
| ODoH | Oblivious DNS over HTTPS | RFC 9230, privacy enhancement; the proxy cannot see the query content |
| HPKE | Hybrid Public Key Encryption | encryption standard used by the ODoH implementation |
| DNSSEC | Domain Name System Security Extensions | validates DNS responses to prevent spoofing |
| DNSKEY | DNS Public Key | public key record used by DNSSEC |
| DoQ | DNS over QUIC | DNS queries over the QUIC protocol, with better performance |
| ECS | EDNS Client Subnet | extension that lets the resolver pass the client subnet upstream so CDNs can answer with a nearby node |

```yaml
- name: google
  url: https://developers.google.com/speed/public-dns
  services:
    - hosts:
        - 8.8.8.8
        - 8.8.4.4
        - 2001:4860:4860::8844
        - 2001:4860:4860::8888
    - host: dns.google
    - host: dns.google.com
      notes: since 2020-06-23 -> dns.google
    - hosts:
        - 2001:4860:4860::6464
        - 2001:4860:4860::64
      notes: DNS64
  notes: DoH also exposes a JSON API at `GET /resolve?`

- name: cloudflare
  url: https://developers.cloudflare.com/1.1.1.1/
  services:
    - hosts:
        - 1.1.1.1
        - 1.0.0.1
        - 2606:4700:4700::1111
        - 2606:4700:4700::1001
        - one.one.one.one
        - cloudflare-dns.com
    - title: Block malware
      hosts:
        - 1.1.1.2
        - 1.0.0.2
        - 2606:4700:4700::1112
        - 2606:4700:4700::1002
        - security.cloudflare-dns.com
    - title: Block malware and adult content
      hosts:
        - 1.1.1.3
        - 1.0.0.3
        - 2606:4700:4700::1113
        - 2606:4700:4700::1003
        - family.cloudflare-dns.com
    - title: Oblivious DNS over HTTPS
      hosts:
        - odoh.cloudflare-dns.com
    - hosts:
        - http://cloudflare-ech.com/

- name: quad9
  url: https://quad9.net/service/service-addresses-and-features
  services:
    - hosts:
        - 9.9.9.9
        - 149.112.112.112
        - 2620:fe::fe
        - 2620:fe::9
        - dns.quad9.net
      features: [Malware Blocking, DNSSEC Validation]

- name: aliyun
  url: https://alidns.com
  services:
    - hosts:
        - 223.5.5.5
        - 223.6.6.6
        - 2400:3200::1
        - 2400:3200:baba::1
        - dns.alidns.com
```

```sh
# Google DoH JSON API: resolve an A record via GET /resolve
curl 'https://dns.google/resolve?name=wener.me&type=A'
```

Server

Block

```sh
curl https://raw.githubusercontent.com/jdlingyu/ad-wars/master/hosts -so ad-wars.txt
# keep the blocked hostnames (127.0.0.1 entries, comments dropped) and split them
# into lists of 1000 so they can be imported into Cloudflare
grep -F '127.0.0.1' ad-wars.txt | grep -v '#' | awk '{print $2}' | sort -u | split -l 1000 -d --additional-suffix '.csv' - ad-wars-
```

mDNS

  • hashicorp/mdns
    • MIT, Golang
    • Simple mDNS client/server library
  • pion/mdns
    • MIT, Go
    • Pure Go implementation of Multicast DNS

Forwarder/Proxy

Misc

GFW

Well Known Domains

| domain | for |
|---|---|
| https://pki.goog | Google Trust Services |

Poisoned / blocked domain lists

Do not resolve these through domestic DNS

```sh
# for dnsmasq: map every listed domain to a fixed address
curl -L https://raw.githubusercontent.com/wenerme/wener/master/notes/service/dns/gfwlist.txt \
  | sed -E 's#.+#address=/&/172.32.1.1#'

# the upstream gfwlist is base64-encoded
curl -L https://raw.githubusercontent.com/gfwlist/gfwlist/master/gfwlist.txt | base64 -d > gfwlist.txt

# address=/docker.io/$SNI  ($SNI stays literal inside the single quotes)
curl -sfL 'https://github.com/wenerme/wener/raw/master/notes/service/dns/gfwlist.dev.txt' | sed -E 's#.+#address=/&/$SNI#'

# plain domains from the AutoProxy rules: ||domain or .domain, no paths, no wildcards
grep -E '^([|]{2}|[.])' gfwlist.txt | grep -v '/' | grep -v '[*]' | sed 's/^[|.]*//' | sort -u
# append '| wc -l' to the pipeline above to count them instead of listing them
```
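The split setup recommended at the top of the page, combined with the gfwlist conversion above, as an added example that is not part of these notes: it parses AutoProxy-style gfwlist rules (the `||domain` and `.domain` forms the grep/sed pipeline handles, plus `|url`, comment, `@@` exception, regex and wildcard rules, which it skips or reduces to a hostname) and emits dnsmasq `server=/domain/upstream` lines, so only the listed domains are forwarded to a local DoH/DoT forwarder while everything else stays on the default domestic servers. The forwarder address `127.0.0.1#5353` and the sample rules are assumptions constructed for the example.

```python
"""dnsmasq split-DNS fragment from AutoProxy-style gfwlist rules (added example).
Listed domains go to UPSTREAM, an assumed local DoH/DoT forwarder in dnsmasq's
host#port notation; everything else falls through to the default (domestic) servers."""
import re
from typing import Iterable, List, Optional

UPSTREAM = "127.0.0.1#5353"  # assumption: AdGuard Home / cloudflared listening here

# A valid hostname with at least one dot and an alphabetic TLD.
_HOSTNAME = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def rule_to_domain(rule: str) -> Optional[str]:
    """Hostname a gfwlist rule applies to, or None for rules without a plain
    hostname: comments (!), headers ([...]), exceptions (@@), regex (/.../), wildcards (*)."""
    rule = rule.strip()
    if not rule or rule.startswith(("!", "[", "@@", "/")):
        return None
    if rule.startswith("||"):       # ||example.com -> host and its subdomains
        host = rule[2:]
    elif rule.startswith("."):      # .example.com  -> same meaning
        host = rule[1:]
    elif rule.startswith("|"):      # |https://host/path -> host part only
        host = re.sub(r"^\|https?://", "", rule)
    else:                           # bare domain rule
        host = rule
    host = host.split("/", 1)[0].split(":", 1)[0].lower()
    return host if "*" not in host and _HOSTNAME.match(host) else None


def gfwlist_to_dnsmasq(rules: Iterable[str], upstream: str = UPSTREAM) -> List[str]:
    """Sorted, de-duplicated `server=/domain/upstream` lines for dnsmasq."""
    domains = {d for d in map(rule_to_domain, rules) if d}
    return [f"server=/{d}/{upstream}" for d in sorted(domains)]


SAMPLE = """\
[AutoProxy 0.2.9]
! constructed sample rules, not the real gfwlist
||google.com
.twitter.com
|https://www.youtube.com/watch
@@||cloudflare.com
/^https?:\\/\\/.+\\.example\\.org/
||*.wildcard.net
google.com
"""

if __name__ == "__main__":
    print("\n".join(gfwlist_to_dnsmasq(SAMPLE.splitlines())))
```

The emitted lines drop into a dnsmasq conf.d fragment; domains not listed are never sent to the forwarder, which is the "domestic by default" half of the recommendation.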

Bypass

netflix.com
netflix.net
chat.openai.com
bard.google.com

CDN

  • ghcr.io -> pkg-containers.githubusercontent.com

reverse

  • 112.46.2.37
    • pcs.baidu.com
    • Baidu Netdisk
  • public-dns-a.baidu.com