DNS Awesome
推荐 DNS 配置
- 选择支持分流的 DNS 服务、支持 DoH/DoT 解析的服务
- AdGuard、PiHole
- 默认走国内 DNS
- 因为国内很多服务 CDN 依赖 DNS 解析,使用国外 DNS 可能导致 CDN 出问题,访问非常慢或打不开
- 国内 DNS 更快
- 选择会被污染的域名走 DoH/DoT 解析
- DoH 和 DoT 不会被污染
- 即便是用国外的 DNS over TCP/UDP 也是会被污染的,协议层不安全
DNS Provider
| Provider | Primary | Secondary | DoH | DoT | DoQ | ECS | ECS-Override |
|---|---|---|---|---|---|---|---|
| 8.8.8.8 | 8.8.4.4 | dns.google | dns.google | ✓ | ✓ | ✓ | |
| Cloudflare | 1.1.1.1 | 1.0.0.1 | cloudflare-dns.com https://one.one.one.one | 1dot1dot1dot1.cloudflare-dns.com | ✓ | ✗ | ✗ |
| Quad9 | 9.9.9.9 | 149.112.112.112 | dns.quad9.net | dns.quad9.net | ✓ | ✓ | ✗ |
| Cisco OpenDNS | 208.67.222.222 | 208.67.220.220 | doh.opendns.com | dns.opendns.com | ✗ | ✓ | ✗ |
| 国内 | |||||||
| Aliyun | 223.5.5.5 | 223.6.6.6 | dns.alidns.com | dns.alidns.com | ✗ | ✓ | ✗ |
| 腾讯 DNSPod | 119.29.29.29 | 182.254.116.116 | doh.pub | dot.pub | ✗ | ✓ | ✗ |
| protocol | url |
|---|---|
| UDP | 1.1.1.1:53 |
| TCP | 1.1.1.1:53 |
| DoT | tls://1.1.1.1:853 |
| DoH | https://dns.wener.me/dns-query?name=wener.me&type=A |
| abbr. | stand for | notes |
|---|---|---|
| DoH | DNS over HTTPS | 通过HTTPS协议加密DNS查询 |
| ODoH | Oblivious DNS over HTTPS | RFC 9230, 隐私增强, Proxy 无法感知内容 |
| HPKE | Hybrid Public Key Encryption | ODoH实现中使用的加密标准 |
| DNSSEC | Domain Name System Security Extensions | 验证DNS响应以防止欺骗 |
| DNSKEY | DNS Public Key | DNSSEC中使用的公钥记录 |
| DoQ | DNS over QUIC | 通过QUIC协议的DNS查询,提供更好的性能 |
| ECS | EDNS Client Subnet | 允许DNS解析器指定客户端子网以优化CDN响应的扩展 |
- DNS64 返回 AAAA, IPv4 合成的 IPv6 地址
- DoH
GET/POST /dns-query- RFC 8484
- 域名.信息
- alidns
- 工具
- DoT 853 被 GFW 拦截
- Lookup Client
- nslookup
- host
- dig - bind-tools
- kdig - knot-dnsutils
- NLnetLabs/ldns
- BSD-3, C
- DNS library
- drill
- 输入输出接近 dig
- ameshkov/dnslookup
- MIT, Go
- natesales/q
- GPLv3, Go
ogham/dog- EUPL1.2, Rust
- Resolver/Proxy/Cache
- Blocklist/AD List
- TLD
- names
- https://dnschecker.org/public-dns/cn
- https://public-dns.info/
- https://developers.google.com/speed/public-dns
- name: google
url: https://developers.google.com/speed/public-dns
services:
- hosts:
- 8.8.8.8
- 8.8.4.4
- 2001:4860:4860::8844
- 2001:4860:4860::8888
- host: dns.google
- host: dns.google.com
notes: since 2020-06-23 -> dns.google
- hosts:
- 2001:4860:4860::6464
- 2001:4860:4860::64
notes: DNS64
notes: DoH 支持 `GET /resolve?` 的 JSON-API
- name: cloudflare
url: https://developers.cloudflare.com/1.1.1.1/
services:
- hosts:
- 1.1.1.1
- 1.1.0.0
- 2606:4700:4700::1111
- 2606:4700:4700::1001
- one.one.one.one
- cloudflare-dns.com
- title: Block malware
hosts:
- 1.1.1.2
- 1.0.0.2
- 2606:4700:4700::1112
- 2606:4700:4700::1002
- security.cloudflare-dns.com
- title: Block malware and adult content
hosts:
- 1.1.1.3
- 1.0.0.3
- 2606:4700:4700::1113
- 2606:4700:4700::1003
- family.cloudflare-dns.com
- title: Oblivious DNS over HTTPS
hosts:
- odoh.cloudflare-dns.com
- hosts:
- http://cloudflare-ech.com/
- name: quad9
url: https://quad9.net/service/service-addresses-and-features
services:
- hosts:
- 9.9.9.9
- 149.112.112.112
- 2620:fe::fe
- 2620:fe::9
- dns.quad9.net
features: [Malware Blocking, DNSSEC Validation]
- name: aliyun
url: https://alidns.com
services:
- hosts:
- 223.5.5.5
- 223.6.6.6
- 2400:3200::1
- 2400:3200:baba::1
- dns.alidns.com
curl 'https://dns.google/resolve?name=wener.me&type=A'
Server
- knot dns
- AS DNS Server
- https://www.knot-dns.cz/
- knot resolver
- Minimalistic, caching, DNSSEC-validating DNS resolver
- https://www.knot-resolver.cz
- unbound
- bind
- coredns
- nsd
- dnsdist
- dnscrypt
- pdns recursor
- pdns
- kea
- 提供 perfdhcp 压测工具
- serverless-dns/serverless-dns
- adguardhome
Block
- https://gist.github.com/michaelx/316dc4882f125a8325150e4e2fa9edd6
- https://firebog.net/
- privacy-protection-tools/anti-AD
- Mosney/anti-anti-AD
- neoFelhz/neohosts
- vokins/yhosts
- blocklistproject/Lists
- https://github.com/nextdns/metadata/tree/master/privacy
- blocklisk 拦截列表
- native 系统级跟踪列表
- jdlingyu/ad-wars
- https://github.com/badmojr/1Hosts
- AdguardTeam/AdguardFilters
- AdguardTeam/AdGuardSDNSFilter
curl https://raw.githubusercontent.com/jdlingyu/ad-wars/master/hosts -so ad-wars.txt
# 拆分为 1000 列表方便 cloudflare 导入
grep '127.0.0.1' ad-wars.txt | grep -v '#' | awk '{print $2}' | sort -u | split -l 1000 -d --additional-suffix '.csv' - ad-wars-
mDNS
- hashicorp/mdns
- MIT, Golang
- Simple mDNS client/server library
- pion/mdns
- MIT, Go
- Pure Go implementation of Multicast DNS
Forwarder/Proxy
- IrineSistiana/mosdns
- GPLv3, Golang
- DNS Forwarder
- AdguardTeam/dnsproxy
- looterz/grimd
- MIT, Golang
Misc
GFW
Well Known Domains
| domain | for |
|---|---|
| https://pki.goog | Google Trust Services |
污染封禁域名列表
不要走国内解析
# for dnsmasq
curl -L https://raw.githubusercontent.com/wenerme/wener/master/notes/service/dns/gfwlist.txt \
| sed -E 's#.+#address=/&/172.32.1.1#'
#
curl -L https://raw.githubusercontent.com/gfwlist/gfwlist/master/gfwlist.txt | base64 -d > gfwlist.txt
# address=/docker.io/$SNI
curl -sfL 'https://github.com/wenerme/wener/raw/master/notes/service/dns/gfwlist.dev.txt' | sed -e 's#.*#address=/\0/$SNI#'
grep -E '^([|]{2}|[.])' gfwlist.txt | grep -v '/' | grep -v '[*]' | wc -l | sed 's/^[|.]*//' | sort -u
Bypass
netflix.com
netflix.net
chat.openai.com
bard.google.com
- https://github.com/v2fly/domain-list-community/blob/master/data/netflix
- https://www.netify.ai/resources/applications/netflix
- https://github.com/gfwlist/gfwlist
- 中华人民共和国被封锁网站列表
- https://github.com/paulmillr/encrypted-dns
CDN
- ghcr.io -> pkg-containers.githubusercontent.com
reverse
- 112.46.2.37
- pcs.baidu.com
- 百度网盘
- public-dns-a.baidu.com