ageng/blahdns
1
0
Fork 0
mirror of https://github.com/ookangzheng/blahdns.git synced 2025-12-15 13:45:37 +07:00
Code Issues Projects Releases Wiki Activity

Re init git

Browse Source
This commit is contained in:
ookangzheng
2019-08-04 00:29:21 +08:00
parent a9fadc5d00
commit a0eb2841aa
24 changed files with 118 additions and 1989 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
Archived/unbound/opennic.hints
View File

@@ -1,29 +0,0 @@
. 86400 IN NS ns9.opennic.glue.
. 86400 IN NS ns10.opennic.glue.
. 86400 IN NS ns12.opennic.glue.
. 86400 IN NS ns2.opennic.glue.
. 86400 IN NS ns5.opennic.glue.
. 86400 IN NS ns3.opennic.glue.
. 86400 IN NS ns11.opennic.glue.
. 86400 IN NS ns4.opennic.glue.
. 86400 IN NS ns6.opennic.glue.
. 86400 IN NS ns8.opennic.glue.
ns2.opennic.glue. 7200 IN A 161.97.219.84
ns2.opennic.glue. 7200 IN AAAA 2001:470:4212:10:0:100:53:10
ns3.opennic.glue. 7200 IN A 104.168.144.17
ns3.opennic.glue. 7200 IN AAAA 2001:470:8269::53
ns4.opennic.glue. 7200 IN A 163.172.168.171
ns5.opennic.glue. 7200 IN A 94.103.153.176
ns5.opennic.glue. 7200 IN AAAA 2a02:990:219:1:ba:1337:cafe:3
ns6.opennic.glue. 7200 IN A 207.192.71.13
ns8.opennic.glue. 7200 IN A 178.63.116.152
ns8.opennic.glue. 7200 IN AAAA 2a01:4f8:141:4281::999
ns9.opennic.glue. 7200 IN A 174.138.48.29
ns9.opennic.glue. 7200 IN AAAA 2604:a880:800:a1::2a:2001
ns10.opennic.glue. 7200 IN A 188.226.146.136
ns10.opennic.glue. 7200 IN AAAA 2001:470:1f04:ebf::2
ns11.opennic.glue. 7200 IN A 45.55.97.204
ns11.opennic.glue. 7200 IN AAAA 2604:a880:800:a1::14c1:1
ns12.opennic.glue. 7200 IN A 79.124.7.81
ns12.opennic.glue. 7200 IN AAAA 2a01:8740:1:ff13::ae67

83
Archived/unbound/root.hints
View File

@@ -1,83 +0,0 @@
. 86400 NS ns2.opennic.glue.
ns2.opennic.glue. 7200 A 161.97.219.84
ns2.opennic.glue. 7200 AAAA 2001:470:4212:10:0:100:53:10
. 86400 NS ns3.opennic.glue.
ns3.opennic.glue. 7200 A 104.168.144.17
ns3.opennic.glue. 7200 AAAA 2001:470:8269::53
. 3600000 NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 199.9.14.201
B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:200::b
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
E.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:a8::e
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
G.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:12::d0d
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35

60
Archived/unbound/unbound.conf
View File

@@ -1,60 +0,0 @@
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"
server:
directory: "/etc/unbound"
username: unbound
chroot: "/etc/unbound"
pidfile: "/etc/unbound/unbound.pid"
interface: 0.0.0.0@55
interface: ::0@55
access-control: 0.0.0.0/0 allow
access-control: ::/64 allow
logfile: "unbound.log"
statistics-interval: 0
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
prefetch: yes
qname-minimisation: yes
rrset-roundrobin: yes
use-caps-for-id: yes
verbosity: 0
#auto-trust-anchor-file: "root.key"
hide-identity: yes
hide-version: yes
minimal-responses: yes
harden-short-bufsize: yes
harden-large-queries: yes
harden-glue: yes
harden-dnssec-stripped: yes
harden-below-nxdomain: yes
harden-referral-path: no
do-not-query-localhost: no
root-hints: "root.hints"
# forward-zone:
# name: "."
# forward-addr: 185.228.168.9@853
# forward-ssl-upstream: yes
# forward-first: yes

531
Archived/unbound/unbound.conf.d/opennic.root.conf
View File

@@ -1,531 +0,0 @@
server:
domain-insecure: "opennic.glue"
auth-zone:
name: "opennic.glue"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/opennic.glue"
master: 161.97.219.84
server:
domain-insecure: "dns.opennic.glue"
auth-zone:
name: "dns.opennic.glue"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/dns.opennic.glue"
master: 161.97.219.84
server:
domain-insecure: "micro"
auth-zone:
name: "micro"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/micro"
master: 161.97.219.84
server:
domain-insecure: "ing"
auth-zone:
name: "ing"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/ing"
master: 161.97.219.84
server:
domain-insecure: "glue"
auth-zone:
name: "glue"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/glue"
master: 161.97.219.84
server:
domain-insecure: "bbs"
auth-zone:
name: "bbs"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/bbs"
master: 161.97.219.84
server:
domain-insecure: "bit"
auth-zone:
name: "bit"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/bit"
master: 161.97.219.84
server:
domain-insecure: "chan"
auth-zone:
name: "chan"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/chan"
master: 161.97.219.84
server:
domain-insecure: "dyn"
auth-zone:
name: "dyn"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/dyn"
master: 161.97.219.84
server:
domain-insecure: "free"
auth-zone:
name: "free"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/free"
master: 161.97.219.84
server:
domain-insecure: "fur"
auth-zone:
name: "fur"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/fur"
master: 161.97.219.84
server:
domain-insecure: "geek"
auth-zone:
name: "geek"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/geek"
master: 161.97.219.84
server:
domain-insecure: "gopher"
auth-zone:
name: "gopher"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/gopher"
master: 161.97.219.84
server:
domain-insecure: "indy"
auth-zone:
name: "indy"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/indy"
master: 161.97.219.84
server:
domain-insecure: "libre"
auth-zone:
name: "libre"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/libre"
master: 161.97.219.84
server:
domain-insecure: "neo"
auth-zone:
name: "neo"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/neo"
master: 161.97.219.84
server:
domain-insecure: "null"
auth-zone:
name: "null"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/null"
master: 161.97.219.84
server:
domain-insecure: "oss"
auth-zone:
name: "oss"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/oss"
master: 161.97.219.84
server:
domain-insecure: "oz"
auth-zone:
name: "oz"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/oz"
master: 161.97.219.84
server:
domain-insecure: "parody"
auth-zone:
name: "parody"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/parody"
master: 161.97.219.84
server:
domain-insecure: "pirate"
auth-zone:
name: "pirate"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/pirate"
master: 161.97.219.84
server:
domain-insecure: "o"
auth-zone:
name: "o"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/o"
master: 161.97.219.84
server:
domain-insecure: "lib"
auth-zone:
name: "lib"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/lib"
master: 161.97.219.84
server:
domain-insecure: "coin"
auth-zone:
name: "coin"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/coin"
master: 161.97.219.84
server:
domain-insecure: "emc"
auth-zone:
name: "emc"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/emc"
master: 161.97.219.84
server:
domain-insecure: "bazar"
auth-zone:
name: "bazar"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/bazar"
master: 161.97.219.84
server:
domain-insecure: "cyb"
auth-zone:
name: "cyb"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/cyb"
master: 161.97.219.84
server:
domain-insecure: "ku"
auth-zone:
name: "ku"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/ku"
master: 161.97.219.84
server:
domain-insecure: "te"
auth-zone:
name: "te"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/te"
master: 161.97.219.84
server:
domain-insecure: "uu"
auth-zone:
name: "uu"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/uu"
master: 161.97.219.84
server:
domain-insecure: "ti"
auth-zone:
name: "ti"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/ti"
master: 161.97.219.84

9
Archived/unbound/unbound.conf.d/qname-minimisation.conf
View File

@@ -1,9 +0,0 @@
server:
# Send minimum amount of information to upstream servers to enhance
# privacy. Only sends minimum required labels of the QNAME and sets
# QTYPE to NS when possible.
# See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
# details.
qname-minimisation: yes

16
Archived/unbound/unbound.conf.d/root.zone.conf
View File

@@ -1,16 +0,0 @@
auth-zone:
name: "."
for-downstream: no
for-upstream: yes
fallback-enabled: yes
zonefile: "tld.zone"
master: 199.9.14.201
master: 192.36.148.17
master: 192.203.230
master: 199.7.91.13
master: 2001:503:ba3e::2:30
master: 2001:500:84::b
master: 2001:500:2f::f
master: 2001:7fd::1
master: 2620:0:2830:202::132
master: 2620:0:2d0:202::132

25
FAQ.md
View File

@@ -24,24 +24,29 @@ curl -H 'content-type: application/dns-message' -vL -v 'https://doh-de.blahdns.c
curl -H 'content-type: application/dns-message' -vL -v 'https://doh-ch.blahdns.com/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | hexdump -C curl -H 'content-type: application/dns-message' -vL -v 'https://doh-ch.blahdns.com/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | hexdump -C
// Kdig TLS with port 853, port 443 force include SNI (updated on July 19, 2019) // Kdig on Ubuntu, Debian
apt install knot-dnsutils
kdig example.com @108.61.201.119 +tls // Kdig TLS with port 853, port 443 force include SNI (updated on August 1, 2019)
kdig example.com @2001:19f0:7001:1ded:5400:1ff:fe90:945b +tls
kdig example.com @159.69.198.101 +tls
kdig example.com @2a01:4f8:1c1c:6b4b::1 +tls
kdig example.com @2a0a:e5c0:2:2:0:c8ff:fe68:bf48 +tls
kdig example.com @108.61.201.119 +tls -p 443 +tls-sni=dot-jp.blahdns.com kdig @108.61.201.119 +tls example.com
kdig example.com @159.69.198.101 +tls -p 443 +tls-sni=dot-de.blahdns.com kdig @2001:19f0:7001:1ded:5400:1ff:fe90:945b +tls example.com
kdig example.com @2a0a:e5c0:2:2:0:c8ff:fe68:bf48 +tls +tls-sni=dot-ch.blahdns.com kdig @159.69.198.101 +tls example.com
kdig @2a01:4f8:1c1c:6b4b::1 +tls example.com
kdig @2a0a:e5c0:2:2:0:c8ff:fe68:bf48 +tls example.com
kdig @108.61.201.119 +tls -p 443 +tls-sni=dot-jp.blahdns.com example.com
kdig @159.69.198.101 +tls -p 443 +tls-sni=dot-de.blahdns.com example.com
kdig @2a01:4f8:1c1c:6b4b::1 +tls -p 443 +tls-sni=dot-de.blahdns.com example.com
kdig @2a0a:e5c0:2:2:0:c8ff:fe68:bf48 +tls +tls-sni=dot-ch.blahdns.com example.com
// TLS certificate validation // TLS certificate validation
kdig -d @2a0a:e5c0:2:2:0:c8ff:fe68:bf48 +tls-sni=dot-ch.blahdns.com +tls-ca +tls-host=dot-ch.blahdns.com example.com kdig -d @2a0a:e5c0:2:2:0:c8ff:fe68:bf48 +tls-sni=dot-ch.blahdns.com +tls-ca +tls-host=dot-ch.blahdns.com example.com
kdig -d @108.61.201.119 -p 443 +tls-sni=dot-jp.blahdns.com +tls-ca +tls-host=dot-jp.blahdns.com example.com kdig -d @108.61.201.119 -p 443 +tls-sni=dot-jp.blahdns.com +tls-ca +tls-host=dot-jp.blahdns.com example.com
kdig -d @2001:19f0:7001:1ded:5400:1ff:fe90:945b -p 443 +tls-sni=dot-jp.blahdns.com +tls-ca +tls-host=dot-jp.blahdns.com example.com kdig -d @2001:19f0:7001:1ded:5400:1ff:fe90:945b -p 443 +tls-sni=dot-jp.blahdns.com +tls-ca +tls-host=dot-jp.blahdns.com example.com
kdig -d @159.69.198.101 -p 443 +tls-sni=dot-de.blahdns.com +tls-ca +tls-host=dot-de.blahdns.com example.com kdig -d @159.69.198.101 -p 443 +tls-sni=dot-de.blahdns.com +tls-ca +tls-host=dot-de.blahdns.com example.com
kdig -d @159.69.198.101 -p 443 +tls-sni=dot-de.blahdns.com +tls-ca +tls-host=dot-de.blahdns.com example.com kdig -d @2a0a:e5c0:2:2:0:c8ff:fe68:bf48 -p 443 +tls-sni=dot-de.blahdns.com +tls-ca +tls-host=dot-de.blahdns.com example.com
``` ```
## Mac OSX Mojave use Openssl TLS 1.3 ## Mac OSX Mojave use Openssl TLS 1.3

21
LICENSE
View File

@@ -1,21 +0,0 @@
MIT License
Copyright (c) 2018 Oo Kang Zheng
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

28
README.md
View File

@@ -1,9 +1,13 @@
* If you are developer using those services, both are blocked by default. * If you are developer using those services, both are blocked by default.
`data.mob.com, google-analytics, googleadservices, amazon-adsystem, crashlytics.com analytics.yahoo, doubleclick.net, hm.baidu.com, etc.. ` `data.mob.com, google-analytics, googleadservices, amazon-adsystem, crashlytics.com analytics.yahoo, doubleclick.net, hm.baidu.com, etc.. `
* Switzerland server is online, DoT added Port 853 (July 19, 2019) 🥂 * Japan server has been reinstall and updated to Vultr High frequency VPS for faster speed at August 2, 2019 🥳
* Germany and Japan server certs both renewed at June 25, 2019 🥳 * Germany server has been reinstall at August 2, 2019 🥳
* Switzerland server is online, DoT added Port 443, 853 (July 19, 2019) 🥂
* Germany and Japan server certs both renewed at August 2, 2019 🥳
* For more old announcements, go [here](https://github.com/ookangzheng/blahdns/issues/36) * For more old announcements, go [here](https://github.com/ookangzheng/blahdns/issues/36)
@@ -14,35 +18,26 @@
* No ECS, DNSSEC ready, No logs, OpenNIC * No ECS, DNSSEC ready, No logs, OpenNIC
## Server status ## Server status
* Server status [UPTimeRobot](https://stats.blahdns.com) | [Dnsprivacy.org](https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/) * Server status [UpTimeRobot](https://stats.blahdns.com) | [Dnsprivacy.org](https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/)
## Server architecture ## Server architecture
```bash ```bash
Server (August 2, 2019 -- Germany, Japan) Server (August 2, 2019 -- Germany, Japan)
|-- Let's Encrypt SSL |-- Let's Encrypt SSL
<<<<<<< HEAD
|-- Knot-resolver (Rpz, OpenNIC, Icann)
=======
|-- Knot-resolver (OpenNIC, ICANN) |-- Knot-resolver (OpenNIC, ICANN)
>>>>>>> a1b78f4... Update README.md
| |-- DNSCryptv2 (dnsdist, port 8443) | |-- DNSCryptv2 (dnsdist, port 8443)
| |-- doh-server (DoH, GET, POST -- m13253) | |-- doh-server (DoH, GET, POST -- m13253)
| |-- |-- DoH (HAProxy, port 443, TLS 1.3, require SNI) | |-- |-- DoH (HAProxy, port 443, TLS 1.3, require SNI)
|-- DoT (HAProxy, port 853, 443, TLS 1.3, require SNI) |-- DoT (HAProxy, port 853, 443, TLS 1.3, require SNI)
<<<<<<< HEAD
Server (July 29, 2019 -- Switzerland)
|-- Let's Encrypt SSL
|-- Knot-resolver (Rpz, OpenNIC, Icann)
=======
Server (August 2, 2019 -- Switzerland) Server (August 2, 2019 -- Switzerland)
|-- Let's Encrypt SSL |-- Let's Encrypt SSL
|-- Knot-resolver (OpenNIC, ICANN, forward-upstream to quad9) |-- Knot-resolver (OpenNIC, ICANN, forward-upstream to quad9)
>>>>>>> a1b78f4... Update README.md
| |-- DNSCryptv2 (dnsdist, port 8443) | |-- DNSCryptv2 (dnsdist, port 8443)
| |-- DoT (dnsdist, port 853, TLS 1.3) | |-- doh-server (DoH, GET, POST -- m13253)
| |-- DoH (dnsdist, port 443, TLS 1.3) | |-- |-- DoH (HAProxy, port 443, TLS 1.3, require SNI)
|-- DoT (HAProxy, port 853, 443, TLS 1.3, require SNI)
``` ```
## Config file / Client ## Config file / Client
@@ -57,8 +52,7 @@ Server (August 2, 2019 -- Switzerland)
* DNS-over-HTTPS: * DNS-over-HTTPS:
* https://doh-ch.blahdns.com/dns-query * https://doh-ch.blahdns.com/dns-query
* IPv6: sdns://AgMAAAAAAAAAIFsyYTBhOmU1YzA6MjoyOjA6YzhmZjpmZTY4OmJmNDhdABJkb2gtY2guYmxhaGRucy5jb20KL2Rucy1xdWVyeQ * IPv6: sdns://AgMAAAAAAAAAIFsyYTBhOmU1YzA6MjoyOjA6YzhmZjpmZTY4OmJmNDhdABJkb2gtY2guYmxhaGRucy5jb20KL2Rucy1xdWVyeQ
* DNS-over-TLS: dot-ch.blahdns.com, ports 853, 443
* DNS-over-TLS: dot-ch.blahdns.com, ports 853
* DNSCrypt v2, port 8443: * DNSCrypt v2, port 8443:
* IPv6: sdns://AQMAAAAAAAAAJVsyYTBhOmU1YzA6MjoyOjA6YzhmZjpmZTY4OmJmNDhdOjg0NDMgyJjbSS4IgTY_2KH3NVGG0DNIgBPzLEqf8r00nAbcUxQbMi5kbnNjcnlwdC1jZXJ0LmJsYWhkbnMuY29t * IPv6: sdns://AQMAAAAAAAAAJVsyYTBhOmU1YzA6MjoyOjA6YzhmZjpmZTY4OmJmNDhdOjg0NDMgyJjbSS4IgTY_2KH3NVGG0DNIgBPzLEqf8r00nAbcUxQbMi5kbnNjcnlwdC1jZXJ0LmJsYWhkbnMuY29t

BIN
client-conf/img-source/._nebulo-doh.jpg
View File

Binary file not shown.

BIN
client-conf/img-source/._nebulo-dot.jpg
View File

Binary file not shown.

114
client-conf/stubby/stubby.yml
View File

@@ -1,5 +1,4 @@
## TLS_pubkey_pinset updated on July 19, 2019 ## TLS_pubkey_pinset updated on August 1, 2019
## expires `2019-09-23 07:04:40 UTC'
resolution_type: GETDNS_RESOLUTION_STUB resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list: dns_transport_list:
@@ -18,66 +17,73 @@ listen_addresses:
- 0::1@54 - 0::1@54
upstream_recursive_servers: upstream_recursive_servers:
- address_data: 108.61.201.119
tls_port: 443
tls_auth_name: "dot-jp.blahdns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: psuldEImRyeSkU88b2ORtiNQ2uBdo+RCwAw6SxaJWQ4=
- address_data: 108.61.201.119
tls_port: 853
tls_auth_name: "dot-jp.blahdns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: psuldEImRyeSkU88b2ORtiNQ2uBdo+RCwAw6SxaJWQ4=
- address_data: 159.69.198.101
tls_port: 443
tls_auth_name: "dot-de.blahdns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: sYrnkH4aRY6M9eP1Uut38GNTXK0xg7wD+Euy/xdW9xc=
- address_data: 159.69.198.101
tls_port: 853
tls_auth_name: "dot-de.blahdns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: sYrnkH4aRY6M9eP1Uut38GNTXK0xg7wD+Euy/xdW9xc=
- address_data: 2001:19f0:7001:1ded:5400:01ff:fe90:945b
tls_port: 443
tls_auth_name: "dot-jp.blahdns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: psuldEImRyeSkU88b2ORtiNQ2uBdo+RCwAw6SxaJWQ4=
- address_data: 2001:19f0:7001:1ded:5400:01ff:fe90:945b
tls_port: 853
tls_auth_name: "dot-jp.blahdns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: psuldEImRyeSkU88b2ORtiNQ2uBdo+RCwAw6SxaJWQ4=
- address_data: 2a01:4f8:1c1c:6b4b::1
tls_port: 443
tls_auth_name: "dot-de.blahdns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: sYrnkH4aRY6M9eP1Uut38GNTXK0xg7wD+Euy/xdW9xc=
- address_data: 2a01:4f8:1c1c:6b4b::1
tls_port: 853
tls_auth_name: "dot-de.blahdns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: sYrnkH4aRY6M9eP1Uut38GNTXK0xg7wD+Euy/xdW9xc=
- address_data: 2a0a:e5c0:2:2:0:c8ff:fe68:bf48 - address_data: 2a0a:e5c0:2:2:0:c8ff:fe68:bf48
tls_port: 853 tls_port: 853
tls_auth_name: "dot-ch.blahdns.com" tls_auth_name: "dot-ch.blahdns.com"
tls_pubkey_pinset: tls_pubkey_pinset:
- digest: "sha256" - digest: "sha256"
value: i1jLFbRK0/Aj/eQO4qxG6SqlJOCf70zwJb3z7JDFyPs= value: i1jLFbRK0/Aj/eQO4qxG6SqlJOCf70zwJb3z7JDFyPs=
- address_data: 108.61.201.119
tls_port: 443
tls_auth_name: "dot-jp.blahdns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: psuldEImRyeSkU88b2ORtiNQ2uBdo+RCwAw6SxaJWQ4=
- address_data: 108.61.201.119 - address_data: 2a0a:e5c0:2:2:0:c8ff:fe68:bf48
tls_port: 853
tls_auth_name: "dot-jp.blahdns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: psuldEImRyeSkU88b2ORtiNQ2uBdo+RCwAw6SxaJWQ4=
- address_data: 159.69.198.101
tls_port: 443 tls_port: 443
tls_auth_name: "dot-de.blahdns.com" tls_auth_name: "dot-ch.blahdns.com"
tls_pubkey_pinset: tls_pubkey_pinset:
- digest: "sha256" - digest: "sha256"
value: RzMGlPVE8DlsiA9DQRuW9CoVkwFBjS8j+we5PZ3eE0c= value: i1jLFbRK0/Aj/eQO4qxG6SqlJOCf70zwJb3z7JDFyPs=
- address_data: 159.69.198.101
tls_port: 853
tls_auth_name: "dot-de.blahdns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: RzMGlPVE8DlsiA9DQRuW9CoVkwFBjS8j+we5PZ3eE0c=
- address_data: 2001:19f0:7001:1ded:5400:01ff:fe90:945b
tls_port: 443
tls_auth_name: "dot-jp.blahdns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: psuldEImRyeSkU88b2ORtiNQ2uBdo+RCwAw6SxaJWQ4=
- address_data: 2001:19f0:7001:1ded:5400:01ff:fe90:945b
tls_port: 853
tls_auth_name: "dot-jp.blahdns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: psuldEImRyeSkU88b2ORtiNQ2uBdo+RCwAw6SxaJWQ4=
- address_data: 2a01:4f8:1c1c:6b4b::1
tls_port: 443
tls_auth_name: "dot-de.blahdns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: RzMGlPVE8DlsiA9DQRuW9CoVkwFBjS8j+we5PZ3eE0c=
- address_data: 2a01:4f8:1c1c:6b4b::1
tls_port: 853
tls_auth_name: "dot-de.blahdns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: RzMGlPVE8DlsiA9DQRuW9CoVkwFBjS8j+we5PZ3eE0c=

52
server-conf/dnsdist.conf
View File

@@ -1,52 +0,0 @@
-- When an IPv6 IP:PORT combination is needed, the bracketed syntax from RFC 3986 should be used. e.g. “[2001:DB8:14::C0FF:FEE]:5300”
-- https://dnsdist.org/reference/config.html?highlight=servfail
--addTLSLocal('0.0.0.0', '/etc/letsencrypt/live/dns.jp.blahdns.com/fullchain.pem', '/etc/letsencrypt/live/dns.jp.blahdns.com/privkey.pem', { doTCP=true, reusePort=true })
--addTLSLocal("[::]", '/etc/letsencrypt/live/dns.jp.blahdns.com/fullchain.pem', '/etc/letsencrypt/live/dns.jp.blahdns.com/privkey.pem', { doTCP=true, reusePort=true})
addDNSCryptBind("0.0.0.0:8443", "2.dnscrypt-cert.blahdns.com", "/etc/dnsdist/ssl.cert", "/etc/dnsdist/ssl.key")
addDNSCryptBind("[::]:8443", "2.dnscrypt-cert.blahdns.com", "/etc/dnsdist/ssl.cert", "/etc/dnsdist/ssl.key")
addLocal('0.0.0.0:53', { doTCP=true, reusePort=true})
addLocal('[::]:53', { doTCP=true, reusePort=true})
addAction(MaxQPSIPRule(10, 32, 48), DropAction())
addAction(QTypeRule(dnsdist.ANY) ,DropAction())
addAction(QTypeRule(dnsdist.PTR) ,DropAction())
-- Force TCP
addAction(AndRule({NotRule(OrRule({QTypeRule(dnsdist.TXT), QTypeRule(dnsdist.A), QTypeRule(dnsdist.AAAA)})),TCPRule(false)}), TCAction())
setACL({'0.0.0.0/0', '::/0' })
-- https://dnsdist.org/reference/constants.html#dnsaction
-- https://dnsdist.org/rules-actions.html#addLuaAction
-- https://stackoverflow.com/questions/11271547/does-lua-have-or-comparisons
local dbr = dynBlockRulesGroup()
dbr:setQTypeRate(dnsdist.PTR, 5, 10, "Exceeded PTR rate", 60)
dbr:setQTypeRate(dnsdist.TXT, 5, 10, "Exceeded TXT rate", 60)
dbr:setQTypeRate(dnsdist.SOA, 5, 10, "Exceeded SOA rate", 60)
dbr:setQTypeRate(dnsdist.MX, 3, 10, "Exceeded MX rate", 60)
dbr:setQTypeRate(dnsdist.SRV, 3, 10, "Exceeded SRV rate", 60)
dbr:setQTypeRate(dnsdist.NS, 3, 10, "Exceeded PTR rate", 60)
dbr:setQTypeRate(dnsdist.SIG, 3, 10, "Exceeded PTR rate", 60)
function maintenance()
dbr:apply()
end
newServer({address="127.0.0.1:50", checkType="A", checkType=DNSClass.CHAOS, checkName="google.com", mustResolve=false})
newServer({address="[::1]:50", checkType="AAAA", checkType=DNSClass.CHAOS, checkName="google.com", mustResolve=false})
newServer({address="[::1]:51", checkType="AAAA", checkType=DNSClass.CHAOS, checkName="google.com", mustResolve=false})
-- function luarule(dq)
-- if(dq.qtype==dnsdist.ANY)
-- then
-- return DNSAction.ServFail
-- else
-- return DNSAction.None
-- end
-- end
-- addLuaAction(AllRule(), luarule)

181
server-conf/fail2ban.sh
View File

@@ -1,181 +0,0 @@
#!/bin/bash
CHECK_OS(){
if [[ -f /etc/redhat-release ]];then
release="centos"
elif cat /etc/issue | grep -q -E -i "debian";then
release="debian"
elif cat /etc/issue | grep -q -E -i "ubuntu";then
release="ubuntu"
elif cat /etc/issue | grep -q -E -i "centos|red hat|redhat";then
release="centos"
elif cat /proc/version | grep -q -E -i "debian";then
release="debian"
elif cat /proc/version | grep -q -E -i "ubuntu";then
release="ubuntu"
elif cat /proc/version | grep -q -E -i "centos|red hat|redhat";then
release="centos"
fi
}
GET_SETTING_FAIL2BAN_INFO(){
read -p "允许SSH登陆失败次数,默认10:" BLOCKING_THRESHOLD
if [[ ${BLOCKING_THRESHOLD} = "" ]];then
BLOCKING_THRESHOLD='10'
fi
read -p "SSH登陆失败次数超过${BLOCKING_THRESHOLD}次时,封禁时长(h),默认8760:" BLOCKING_TIME_H
if [[ ${BLOCKING_TIME_H} = "" ]];then
BLOCKING_TIME_H='8760'
fi
BLOCKING_TIME_S=$(expr ${BLOCKING_TIME_H} \* 3600)
}
INSTALL_FAIL2BAN(){
if [ ! -e /etc/fail2ban/jail.local ];then
CHECK_OS
case "${release}" in
centos)
GET_SETTING_FAIL2BAN_INFO
yum -y install epel-release
yum -y install fail2ban;;
debian|ubuntu)
GET_SETTING_FAIL2BAN_INFO
apt-get -y install fail2ban;;
*)
echo "请使用CentOS,Debian,Ubuntu系统.";;
esac
else
echo "fail2ban已经安装了.";exit
fi
}
REMOVE_FAIL2BAN(){
if [ -e /etc/fail2ban/jail.local ];then
CHECK_OS
case "${release}" in
centos)
service fail2ban stop
yum -y remove fail2ban
rm -rf /etc/fail2ban/jail.local;;
debian|ubuntu)
service fail2ban stop
apt-get -y remove fail2ban
rm -rf /etc/fail2ban/jail.local;;
esac
else
echo "fail2ban尚未安装.";exit
fi
}
SETTING_FAIL2BAN(){
CHECK_OS
case "${release}" in
centos)
echo "[DEFAULT]
ignoreip = 127.0.0.1
bantime = 86400
maxretry = 3
findtime = 1800
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = ${BLOCKING_THRESHOLD}
findtime = 3600
bantime = ${BLOCKING_TIME_S}" > /etc/fail2ban/jail.local
if [ -e /usr/bin/systemctl ];then
systemctl restart fail2ban
systemctl enable fail2ban
systemctl restart sshd
else
service fail2ban restart
chkconfig fail2ban on
service ssh restart
fi;;
debian|ubuntu)
echo "[DEFAULT]
ignoreip = 127.0.0.1
bantime = 86400
maxretry = ${BLOCKING_THRESHOLD}
findtime = 1800
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/auth.log
maxretry = ${BLOCKING_THRESHOLD}
findtime = 3600
bantime = ${BLOCKING_TIME_S}" > /etc/fail2ban/jail.local
service fail2ban restart
service ssh restart;;
esac
}
VIEW_RUN_LOG(){
CHECK_OS
case "${release}" in
centos)
tail -f /var/log/secure;;
debian|ubuntu)
tail -f /var/log/auth.log;;
esac
}
case "${1}" in
install)
INSTALL_FAIL2BAN
SETTING_FAIL2BAN;;
uninstall)
REMOVE_FAIL2BAN;;
status)
echo -e "\033[41;37m【进程】\033[0m";ps aux | grep fail2ban
echo;echo -e "\033[41;37m【状态】\033[0m";fail2ban-client ping
echo;echo -e "\033[41;37m【Service】\033[0m";service fail2ban status;;
blocklist|bl)
if [ -e /etc/fail2ban/jail.local ];then
fail2ban-client status ssh-iptables
else
echo "fail2ban尚未安装.";exit
fi;;
unlock|ul)
if [ -e /etc/fail2ban/jail.local ];then
if [[ "${2}" = "" ]];then
read -p "请输入需要解封的IP:" UNLOCK_IP
if [[ ${UNLOCK_IP} = "" ]];then
echo "不允许空值,请重试.";exit
else
fail2ban-client set ssh-iptables unbanip ${UNLOCK_IP}
fi
else
fail2ban-client set ssh-iptables unbanip ${2}
fi
else
echo "fail2ban尚未安装.";exit
fi;;
more)
echo "【参考文章】
https://www.fail2ban.org
https://linux.cn/article-5067-1.html
【更多命令】
fail2ban-client -h";;
runlog)
VIEW_RUN_LOG;;
start)
service fail2ban start;;
stop)
service fail2ban stop;;
restart)
service fail2ban restart;;
*)
echo "bash fail2ban.sh {install|uninstall|runlog|more}"
echo "bash fail2ban.sh {start|stop|restart|status}"
echo "bash fail2ban.sh {blocklist|unlock}";;
esac
#END

151
server-conf/haproxy.cfg
View File

@@ -1,151 +0,0 @@
## NEW HTTP2 CONFIG ###
## Thanks to DNSWARDEN.com author: @bhanupratapys
global
no log
chroot /var/lib/haproxy
user haproxy
group haproxy
pidfile /var/run/haproxy.pid
tune.ssl.default-dh-param 2048
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
ssl-dh-param-file /etc/haproxy/dhparam.pem
ssl-default-bind-ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
defaults
option dontlognull
retries 1
timeout connect 5s
timeout check 5s
timeout queue 10s
timeout client 60s
timeout client-fin 1s
timeout server-fin 1s
timeout server 30s
timeout tunnel 10m
timeout http-request 10s
#bind :::443 v4v6 ssl crt /etc/haproxy/dot-jp.blahdns.pem alpn h2,http/1.1
#bind :::443 v4v6 tfo ssl crt /etc/haproxy/dot-jp.blahdns.pem
frontend front_end_dot_853
mode tcp
bind 0.0.0.0:853
bind :::853
acl tls req.ssl_hello_type 1
tcp-request inspect-delay 2s
tcp-request content accept if tls
use_backend dot-uncensor if { req_ssl_sni -i dot-jp.blahdns.com }
default_backend dot-uncensor
frontend front_end_doh_dot_443
mode tcp
bind 0.0.0.0:443
bind :::443
acl tls req.ssl_hello_type 1
tcp-request inspect-delay 2s
tcp-request content accept if tls
use_backend doh-front if { req_ssl_sni -i doh-jp.blahdns.com }
use_backend dot-uncensor if { req_ssl_sni -i dot-jp.blahdns.com }
default_backend dot-uncensor
frontend dot-in-uncensor
mode tcp
bind 127.150.150.150:15000 ssl crt /etc/haproxy/dot-jp.blahdns.pem
default_backend dot-servers-uncensor
frontend doh-in
mode http
bind 127.250.250.250:25000 ssl crt /etc/haproxy/dot-jp.blahdns.pem alpn h2
acl adblock_url path_beg -i /dns-query
use_backend doh-servers-uncensor if adblock_url
backend dot-uncensor
mode tcp
#balance source
server dot-uncensor-haproxy-ssl 127.150.150.150:15000 check
backend doh-front
mode tcp
#balance source
server doh-haproxy-ssl 127.250.250.250:25000 check
backend dot-servers-uncensor
mode tcp
server dns-uncensor 127.0.0.1:50
backend doh-servers-uncensor
mode http
http-response del-header server
http-response del-header x-powered-by
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
server doh-proxy-uncensor 127.0.0.1:3000
### End ####
### Start old config as backup, igonre it ###
global
#log /dev/log local0
no log
chroot /var/lib/haproxy
user haproxy
group haproxy
maxconn 3000
pidfile /var/run/haproxy.pid
tune.ssl.default-dh-param 2048
#ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
ssl-default-bind-ciphers TLS13-CHACHA20-POLY1305-SHA256:EECDH+CHACHA20:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+AESGCM:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
ssl-default-bind-options no-tls-tickets no-sslv3 no-tlsv10 no-tlsv11
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
defaults
option dontlognull
option http-server-close
retries 1
option http-use-htx
maxconn 3000
timeout check 5s
timeout queue 10s
timeout client 30s
timeout client-fin 3s
timeout server-fin 3s
timeout server 30s
timeout tunnel 5m
timeout http-request 10s
option http-keep-alive
frontend doh-in
#mode tcp
no log
#bind *:443 ssl crt /etc/haproxy/dot-jp.blahdns.pem alpn h2
bind :::443 v4v6 tfo ssl crt /etc/haproxy/dot-jp.blahdns.pem
http-response set-header Strict-Transport-Security "max-age=31536000"
tcp-request inspect-delay 2s
tcp-request content accept if HTTP
tcp-request content accept if { req.ssl_hello_type 1 }
use_backend dot-server if { req.ssl_hello_type 1 }
acl dns_url path_beg -i /dns-query
use_backend doh-server if dns_url
#use_backend doh-server if HTTP
default_backend dot-server
#listen http-in
backend dot-server
mode tcp
server dns 127.0.0.1:50 maxconn 20
backend doh-server
#http-response set-header Strict-Transport-Security "max-age=31536000"
option forwardfor
server doh-proxy 127.0.0.1:3000 maxconn 20

19
server-conf/knot-tls.service
View File

@@ -1,19 +0,0 @@
[Unit]
Description=Knot-tls
After=syslog.target
After=network.target
[Service]
Type=simple
User=root
Group=root
WorkingDirectory=/etc/knot-resolver/
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
ExecStartPre=/root/clean.sh
ExecStartPost=/bin/sleep 0.1
ExecStart=kresd -c /etc/knot-resolver/kresd-tls.conf -f 1
Restart=always
[Install]
WantedBy=multi-user.target

72
server-conf/kresd.conf
View File

@@ -1,72 +0,0 @@
modules = {
'policy',
'hints > iterate',
'serve_stale < cache',
'workarounds < iterate',
'predict'
}
--modules.unload('cache')
--modules.unload('hints')
--modules.unload('priming')
--modules.unload('ta_sentinel')
--modules.unload('ta_signal_query')
--modules.unload('detect_time_jump')
--modules.unload('detect_time_skew')
net.listen({'::1', '127.0.0.1'}, 55)
hints.add_hosts('/etc/knot-resolver/hints.list')
-- Disallow ANY & PTR queries
policy.add(function (req, query)
if query.stype == kres.type.ANY then
return policy.DROP
elseif query.stype == kres.type.PTR then
return policy.DROP
end
end)
--policy.add(function (req, query)
-- if query.stype == kres.type.TXT or query.stype == kres.type.SRV or query.stype == kres.type.NS or query.stype == kres.type.MX or query.stype == kres.type.SOA or query.stype == kres.type.PTR then
-- return policy.TC
-- end
--end)
-- qname minimalization true
--option('NO_MINIMIZE', false)
-- Cache size
cache.size = 150 * MB
--cache.min_ttl(300)
-- Force cache timeout every 5 sec
--cache.max_ttl(5)
policy.add(policy.rpz(policy.DENY, '/etc/knot-resolver/rpz.blacklist'))
-- OpenNIC
opennicTrees = policy.todnames({'uu','ti','te','ku','lib','emc','coin','baza','glue','parody','pirate','oss','oz','bit','dns.opennic.glue','bbs','chan','cyb','dyn','fur','gopher','geek','opennic.glue','o','neo','indy','libre', 'null'})
-- Beware: the rule order is important, as STUB is not a chain action.
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), opennicTrees))
policy.add(policy.suffix(policy.STUB({'::1@52'}), opennicTrees))
-- Disable cache
view:addr('0.0.0.0/0', policy.all(policy.FLAGS({'NO_CACHE'})))
view:addr('::/0', policy.all(policy.FLAGS({'NO_CACHE'})))
--view:addr('198.252.153.0/24', function (req, qry) return policy.PASS end)
--view:addr('204.13.164.0/24', function (req, qry) return policy.PASS end)
--view:addr('199.254.238.0/24', function (req, qry) return policy.PASS end)
--view:addr('199.58.80.128/25', function (req, qry) return policy.PASS end)
--view:addr('199.58.81.137/25', function (req, qry) return policy.PASS end)
--view:addr('10.0.1.0/24', function (req, qry) return policy.PASS end)
--view:addr('10.0.2.0/24', function (req, qry) return policy.PASS end)
--view:addr('127.0.0.1', function (req, qry) return policy.PASS end)
--- Drop everything that hasn't matched
-- view:addr('0.0.0.0/0', function (req, qry) return policy.DROP end)
-- policy.add(policy.all(policy.FORWARD('::1@51')))
-- Disable dnssec, if need so
-- trust_anchors.negative = { '.' }

34
server-conf/monitor-kresd.sh
View File

@@ -1,34 +0,0 @@
#if lsof -Pi :50 -sUDP:LISTEN -t >/dev/null ; then
# echo "running"
#else
# echo "not running"
#fi
#netstat -ln | grep ":50 " 2>&1 > /dev/null
#if [ $? -eq 1 ]; then
# echo Starting Meteor;
#fi
!/bin/bash
# Check if gedit is running
# -x flag only match processes whose name (or command line if -f is
# specified) exactly match the pattern.
if ps -e | grep dnscrypt-wrap
then
echo "Dnscrypt wrapper is running"
else
/root/dns/dnscrypt-start.sh
echo "Dnscrypt is Stopped"
fi
if pgrep -x "kresd"
then
echo "kresd is Running"
else
echo "kresd is Stopped and restart service "
/root/kresd.sh
#service knot-tls stop
#service knot-tls start
fi

14
server-conf/restart.sh
View File

@@ -1,14 +0,0 @@
## Cronjob every 6 hours clear logs and restart services
cd /var/log
rm -rf haproxy.log*
rm -rf daemon.log*
rm -rf messages*
rm -rf syslog*
rm -rf user*
rm -rf kern*
rm -rf debug*
service haproxy restart
service doh-server restart

5
server-conf/unbound/bind.keys
View File

@@ -1,5 +0,0 @@
trusted-keys {
. 257 3 8 "AwEAAaq+qqsdDHByq/DFR5/u23qcDNOQJzjYBcSfjrGNLdY2+vY+ubhu iz0hG1xk5D+dK78Eh58wZ3tQnsRr3bVNVfcovlx/rdwuw5blez2TT0Et 4IF/3b/RpMpCwSSOWTMGvi0EwIMNsjYWEZlRjcWku3cnAAvSD3YdaRW2 JCKsbkK5OQp2YjuQgIOL7J6f8mN6nkfAWd9L2U9H+TSEnx8gqqkXIEIR WcbdWN1FiCdy3L8CaHbZcttzx5lLOGrjPW+raXn+KaQSU+WW9n2PPOZb NUrQnsW/DJ+b+soNQQbhwFlp/av5VzaxB7/57vEKqj71x+Xu8S0sGpLc Xrkf5p3ri93ScLsJOT11fIlMRIwcKsWZEIIyYzuQeq8MoVTenvN6re/y 872Vb6JBHbBMk0JmsRwkXltz9PINWyvVyqM3PA1bJ4fz8QbqXnTnJiR/ yylhcE8rjPUtnf29NyDN7Co9JzPwnwE74F3k3R18w45L8E5Dt5it2PIA 9/rb6GDMrPAPsa1X82qNLzcboosMj9vT7Ofg8M+x2/VYt6u4xX4glZRa vyjTs6qGfzFS+Z44zrIP4CtNa0fL0AwJ/wsK4YJSX0xZ6/CJI/NNXeSg G5vfMw04kUDI9d9oO9jkAhYDmTaOI6C5nVTymAs3uje8/mZlo/pUSllB 0DkpTgd5PTAwQsA1";
. 256 3 8 "AwEAAcnclWrEkYgk+zGEAtbUoFpkKojImn4go0WwsD3TyGq5Mp7Xb5yv yO3VzcGLyeMJ1p55PFTij4xXR+LiXlzdjIgvy8JloXDh6Pg3mhQ/x6YR aWjkstFbeTicyR94Q7ns7/0tqcR/4kjvcK/haViADuamvt0flv04wBeq ZaJBdj5TLYXfYCYr8QVvlryvHf6SCF9Xwgo/34iP+T0EH1yGL4HASeHL Cn8Kh5zTsIbefAvjkPPv7T23xeiT0FfJ4AJim9tMU5DYZFPU4J5Gtsk9 LIFBju5TAlbXf9nldM9WfESP/ZPBvLlrPeNzXrSEbyqkE72xtpr/3ckY jZd5aODWCmhp3tTc/UBcZxzw4IcJ3j5cmdTnrnOlLOA4DXnkB1Ts90BM G00ySdBeXeW0abKOiCH/qqdWlPR3jLEZth9y5WWHVIcY5JsjbpQnv85A YaQYzUA2W79oM1XoQ35EB5PHPs3lCMJ/42zDmbhJ2n7m2xx3DbCnzHTt H9Fsqi1+8s8LNQAbQeINBkiDeyeEpY2CFVz222zEusCOj/cbWuirBqMD WjIajMwBpF2z0x8FznahSEoR+djYNpXpv9pFcl4rYTCqnQcKy0PUoGrs 8X4OzLW7egrAWodF3z7KieAMyK09/0qBf7rtB8qOLR7NiFA/UYvkZTwz E74ZGP9Y4kOi0lA5";
. 256 3 8 "AwEAAetFT8ZCzhqTOT7em1LxFynu1zwZXwu0qzSNtO8ABxfls+QfDMxB 4jUdOkAVJKG313bS9rHwUqG3Sg2fPGmdo4xzt3ps9/Tmh6c657r5zYTd tlAy3tjU2G7VUWnbwwHFAIe4R9ajnScvdNfFZpUalrxT3FsfLbTfhnt3 HZljYbyVYi9v8H+gweoBGfq5xIrNwKz4DNu217GWtZaOGhPcS2HYgqDD 0BuRxYwAkoiphcoHwc9QOHIMWlN9Wdw1+udpHZ43Oysp8EXqF2miYljd 3EprDthfZ0MU0xqbHzLbtPQCVQir3HymJxTbrpE1fpKbKyXlyRqSUxTL ONud5BQISb0=";
};

26
server-conf/unbound/opennic.hints
View File

@@ -1,26 +0,0 @@
;; ANSWER SECTION:
. 86400 IN NS ns2.opennic.glue.
. 86400 IN NS ns6.opennic.glue.
. 86400 IN NS ns5.opennic.glue.
. 86400 IN NS ns8.opennic.glue.
. 86400 IN NS ns9.opennic.glue.
. 86400 IN NS ns10.opennic.glue.
. 86400 IN NS ns4.opennic.glue.
;; ADDITIONAL SECTION:
ns2.opennic.glue. 7200 IN A 161.97.219.84
ns2.opennic.glue. 7200 IN AAAA 2001:470:4212:10::100:53:10
ns4.opennic.glue. 7200 IN A 163.172.168.171
ns5.opennic.glue. 7200 IN A 94.103.153.176
ns5.opennic.glue. 7200 IN AAAA 2a02:990:219:1:ba:1337:cafe:3
ns6.opennic.glue. 7200 IN A 207.192.71.13
ns8.opennic.glue. 7200 IN A 178.63.116.152
ns8.opennic.glue. 7200 IN AAAA 2a01:4f8:141:4281::999
ns9.opennic.glue. 7200 IN A 174.138.48.29
ns9.opennic.glue. 7200 IN AAAA 2604:a880:800:a1::2a:2001
ns10.opennic.glue. 7200 IN A 188.226.146.136
ns10.opennic.glue. 7200 IN AAAA 2001:470:1f04:ebf::2
;; Query time: 212 msec
;; SERVER: 174.138.48.29#53(174.138.48.29)
;; WHEN: Wed Oct 31 15:28:13 CST 2018

127
server-conf/unbound/unbound.conf
View File

@@ -1,127 +0,0 @@
server:
interface: 127.0.0.1@48
interface: ::1@48
access-control: 127.0.0.1 allow
access-control: ::1 allow
#access-control: 0.0.0.0/0 allow
#access-control: ::/0 allow
prefer-ip6: yes
delay-close: 1500
do-ip4: yes
do-ip6: yes
do-tcp: yes
do-udp: yes
do-not-query-localhost: no
verbosity: 0
log-time-ascii: no
log-servfail: no
client-subnet-always-forward: yes
aggressive-nsec: yes
harden-dnssec-stripped: yes # if 'no', disable dnssec
harden-short-bufsize: yes
harden-large-queries: yes
harden-glue: yes
harden-below-nxdomain: yes
harden-referral-path: yes
use-caps-for-id: yes
qname-minimisation: yes
qname-minimisation-strict: no #some domain might be failed to request
so-reuseport: yes
minimal-responses: yes
deny-any: yes
rrset-roundrobin: yes
prefetch: yes
prefetch-key: yes
serve-expired: yes
serve-expired-ttl: 86400 # max 1 day
#serve-expired-ttl-reset: no
hide-identity: yes
hide-version: yes
hide-trustanchor: yes
edns-tcp-keepalive: yes
#edns-tcp-keepalive-timeout: 12000 # 2min
#tcp-idle-timeout: 30000 # 30 sec
num-threads: 1
msg-cache-slabs: 1
rrset-cache-slabs: 1
key-cache-slabs: 1
infra-cache-slabs: 1
msg-cache-size: 54m # default 4m
rrset-cache-size: 108m # rrset=msg*2 # default 4m
key-cache-size: 54m # default 4m
neg-cache-size: 27m # default 1m
infra-cache-numhosts: 50000
# dnscrypt-shared-secret-cache-size: 13m # default 4m
# dnscrypt-nonce-cache-size: 13m # default 4m
outgoing-range: 4096
incoming-num-tcp: 100
outgoing-num-tcp: 100
neg-cache-size: 25m
unwanted-reply-threshold: 10000000
cache-min-ttl: 90
cache-max-ttl: 900
infra-host-ttl: 3600
val-bogus-ttl: 120
cache-max-negative-ttl: 10 # Time to live maximum for negative responses, these have a SOA in the authority section that is limited in time. Default is 3600. This applies to nxdomain and nodata answers.
infra-cache-numhosts: 50000
auto-trust-anchor-file: "/var/lib/unbound/root.key"
# Refence: https://github.com/publicarray/dns-resolver-infra/blob/master/unbound/unbound.conf
local-zone: example. static
local-zone: local. static
local-zone: i2p. static
local-zone: home. static
local-zone: zghjccbob3n0. static
local-zone: dhcp. static
local-zone: lan. static
local-zone: localdomain. static
local-zone: ip. static
local-zone: internal. static
local-zone: openstacklocal. static
local-zone: dlink. static
local-zone: gateway. static
local-zone: corp. static
local-zone: workgroup. static
local-zone: belkin. static
local-zone: davolink. static
local-zone: z. static
local-zone: domain. static
local-zone: virtualmin. static
private-address: 0.0.0.0/8 # Should not be on the Internet (only valid as source address)
private-address: 10.0.0.0/8 # Private networks
private-address: 127.0.0.0/8 # Loopback, spam-blocklists (RBL) (https://www.dnsbl.info/) e.g. "dig +short 0.0.0.0.zen.spamhaus.org" will stop working (https://www.spamhaus.org/zen/, https://www.spamhaus.org/faq/section/DNSBL%20Usage#202)
private-address: 169.254.0.0/16 # link-local (networks without DHCP)
private-address: 172.16.0.0/12 # Private networks
private-address: 192.168.0.0/16 # Private networks
private-address: 255.255.255.255/32 # Broadcast destination
## IPv6
private-address: ::/128 # Unspecified addresses (only valid as source address)
private-address: ::1/128 # Loopback
private-address: 2001:db8::/32 # Documentation addresses used for documentation purposes such as user manuals, RFCs, etc. (RFC3849)
# private-address: ::ffff:0:0/96 # IPv4-mapped IPv6 addresses (depreciated and should not be on the public internet) (blocks potentially valid addresses / gives wrong result from DNS Benchmark)
private-address: fe80::/10 # IP address autoconfiguration (link-local unicast, Private network)
private-address: fc00::/7 # Unique Local Addresses (Private network)
# private-address: fec0::/10 # Depreciated site networks
# private-address: 2002::/16 # 6to4 (deprecated)
# private-address: 64:ff9b::/96 # 6to4 "Well-Known" Prefix
# private-address: 2001::/32 # Teredo
private-address: 2001:10::/28 # ORCHID
# private-address: ff00::/8 # Multicast
## Selected IPv4 mapped addresses from IPv4 above (fixes potentially wrong result from DNS Benchmark if blocking all of ::ffff:0:0/96)
private-address: ::ffff:0.0.0.0/120 # Private IPv4-mapped addresses
private-address: ::ffff:10.0.0.0/120 # Private IPv4-mapped addresses
private-address: ::ffff:127.0.0.1/120 # Loopback IPv4-mapped addresses, spam-blocklists (RBL)
private-address: ::ffff:169.254.0.0/112 # Link-local IPv4-mapped addresses
private-address: ::ffff:172.16.0.0/116 # Private IPv4-mapped addresses
private-address: ::ffff:192.168.0.0/112 # Private IPv4-mapped addresses
private-address: ::ffff:255.255.255.255/128 # Broadcast IPv4-mapped addresses

468
server-conf/unbound/unbound.conf.d/opennic.root.conf
View File

@@ -1,468 +0,0 @@
server:
domain-insecure: "opennic.glue"
auth-zone:
name: "opennic.glue"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/opennic.glue"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "dns.opennic.glue"
auth-zone:
name: "dns.opennic.glue"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/dns.opennic.glue"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "micro"
auth-zone:
name: "micro"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/micro"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "ing"
auth-zone:
name: "ing"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/ing"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "glue"
auth-zone:
name: "glue"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/glue"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "bbs"
auth-zone:
name: "bbs"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/bbs"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "bit"
auth-zone:
name: "bit"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/bit"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "chan"
auth-zone:
name: "chan"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/chan"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "dyn"
auth-zone:
name: "dyn"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/dyn"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "free"
auth-zone:
name: "free"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/free"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "fur"
auth-zone:
name: "fur"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/fur"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "geek"
auth-zone:
name: "geek"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/geek"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "gopher"
auth-zone:
name: "gopher"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/gopher"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "indy"
auth-zone:
name: "indy"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/indy"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "libre"
auth-zone:
name: "libre"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/libre"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "neo"
auth-zone:
name: "neo"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/neo"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "null"
auth-zone:
name: "null"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/null"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "oss"
auth-zone:
name: "oss"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/oss"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "oz"
auth-zone:
name: "oz"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/oz"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "parody"
auth-zone:
name: "parody"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/parody"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "pirate"
auth-zone:
name: "pirate"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/pirate"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "o"
auth-zone:
name: "o"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/o"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "lib"
auth-zone:
name: "lib"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/lib"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "coin"
auth-zone:
name: "coin"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/coin"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "emc"
auth-zone:
name: "emc"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/emc"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "bazar"
auth-zone:
name: "bazar"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/bazar"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "cyb"
auth-zone:
name: "cyb"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/cyb"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "ku"
auth-zone:
name: "ku"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/ku"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "te"
auth-zone:
name: "te"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/te"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "uu"
auth-zone:
name: "uu"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/uu"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53
server:
domain-insecure: "ti"
auth-zone:
name: "ti"
for-downstream: no
for-upstream: yes
fallback-enabled: no
zonefile: "opennic.zone.d/ti"
master: 2a02:2770:15:0:21a:4aff:fefe:55e5
master: 84.22.107.90
master: 185.121.177.177
master: 2a05:dfc7:5353::53

42
website/index.html
View File

@@ -41,9 +41,9 @@
No logs | No EDNS Client-Subnet | OpenNIC TLDs | DNSSEC ready | Filtered some ads, trackers, malware No logs | No EDNS Client-Subnet | OpenNIC TLDs | DNSSEC ready | Filtered some ads, trackers, malware
<ul class="w3-left-align"> <ul class="w3-left-align">
<li class="w3-text-red">DNS-over-TLS, DNS-over-HTTPS on PORT 443 will required strict SNI, without SNI will drop by default. </li> <li class="w3-text-red"> Switzerland server is online July 29, 2019, IPv6 ONLY, DoT port 443, 853 </li>
<li class="w3-text-red">DNS-over-TLS, DNS-over-HTTPS on PORT 443 will required strict SNI, without SNI will drop by default. </li>
<li class="w3-text-red">If you are developer, this DNS will block analytics, crashlytics, admob, baidu stats, Pls be aware. </li> <li class="w3-text-red">If you are developer, this DNS will block analytics, crashlytics, admob, baidu stats, Pls be aware. </li>
<li class="w3-text-purple"> Start from Jan 1 2019, our serivce only support DoT, DoH, DNScryptv2 </li>
<li><a href="https://stats.blahdns.com" target="_blank"><strong>Server status</strong></a></li> <li><a href="https://stats.blahdns.com" target="_blank"><strong>Server status</strong></a></li>
<li>If you encounter problem, please submit it on <a href="https://github.com/ookangzheng/blahdns" target="_blank">Github</a></li> <li>If you encounter problem, please submit it on <a href="https://github.com/ookangzheng/blahdns" target="_blank">Github</a></li>
@@ -76,11 +76,11 @@
<p>IPv6-stamp:</p> <p>IPv6-stamp:</p>
<textarea readonly rows="3" cols="50" maxlength="50">sdns://AgMAAAAAAAAAIFsyYTBhOmU1YzA6MjoyOjA6YzhmZjpmZTY4OmJmNDhdABJkb2gtY2guYmxhaGRucy5jb20KL2Rucy1xdWVyeQ</textarea> <textarea readonly rows="3" cols="50" maxlength="50">sdns://AgMAAAAAAAAAIFsyYTBhOmU1YzA6MjoyOjA6YzhmZjpmZTY4OmJmNDhdABJkb2gtY2guYmxhaGRucy5jb20KL2Rucy1xdWVyeQ</textarea>
<h3>DNS-over-TLS</h3> <h3>DNS-over-TLS</h3>
<p>IP: <br> <p>IPv6 ONLY: <br>
<textarea readonly rows="2" cols="20" maxlength="50">2a0a:e5c0:2:2:0:c8ff:fe68:bf48</textarea> <textarea readonly rows="2" cols="20" maxlength="50">2a0a:e5c0:2:2:0:c8ff:fe68:bf48</textarea>
<p>tls_auth_name: <br> <p>tls_auth_name: <br>
<textarea readonly rows="1" cols="50" maxlength="50">dot-ch.blahdns.com</textarea> <textarea readonly rows="1" cols="50" maxlength="50">dot-ch.blahdns.com</textarea>
port: 853 port: 443, 853
</p> </p>
<h3>DNSCrypt v2</h3> <h3>DNSCrypt v2</h3>
port: 8443 port: 8443
@@ -98,7 +98,7 @@
<div class="w3-third"> <div class="w3-third">
<div class="w3-card white"> <div class="w3-card white">
<div class="w3-container w3-indigo"> <div class="w3-container w3-indigo">
<h3>Japan🇯🇵</h3> <h3>Japan 🇯🇵</h3>
</div> </div>
<ul class="w3-ul w3-border-top"> <ul class="w3-ul w3-border-top">
@@ -138,7 +138,7 @@
<div class="w3-third"> <div class="w3-third">
<div class="w3-card white"> <div class="w3-card white">
<div class="w3-container w3-theme"> <div class="w3-container w3-theme">
<h3>Germany🇩🇪</h3> <h3>Germany 🇩🇪</h3>
</div> </div>
<ul class="w3-ul w3-border-top"> <ul class="w3-ul w3-border-top">
@@ -383,6 +383,7 @@ Cipher : TLS_AES_256_GCM_SHA384
<button class="w3-bar-item w3-button testbtn w3-padding-16" onclick="openCity(event,'TLS')">Common question</button> <button class="w3-bar-item w3-button testbtn w3-padding-16" onclick="openCity(event,'TLS')">Common question</button>
<button class="w3-bar-item w3-button testbtn w3-padding-16" onclick="openCity(event,'News')">News</button> <button class="w3-bar-item w3-button testbtn w3-padding-16" onclick="openCity(event,'News')">News</button>
<button class="w3-bar-item w3-button testbtn w3-padding-16" onclick="openCity(event,'troubleshooting')">Troubleshoot</button> <button class="w3-bar-item w3-button testbtn w3-padding-16" onclick="openCity(event,'troubleshooting')">Troubleshoot</button>
<button class="w3-bar-item w3-button testbtn w3-padding-16" onclick="openCity(event,'donation')">Donation</button>
</div> </div>
<div id="TLS" class="w3-container city w3-animate-opacity"> <div id="TLS" class="w3-container city w3-animate-opacity">
@@ -430,6 +431,22 @@ Cipher : TLS_AES_256_GCM_SHA384
</p> </p>
</div> </div>
<!-- Donation -->
<div id="donation" class="w3-container city w3-animate-opacity">
<p>
<ul>
<li>
Thanks for mikaela 10 EUR
</li>
<li>
Thanks for Tim 331 TWD
</li>
</ul>
</p>
</div>
</div> </div>
</div> </div>
@@ -466,15 +483,20 @@ Cipher : TLS_AES_256_GCM_SHA384
| |
<script src="https://liberapay.com/ookangzheng/widgets/button.js"></script> <script src="https://liberapay.com/ookangzheng/widgets/button.js"></script>
<noscript><a href="https://liberapay.com/ookangzheng/donate"><img alt="Donate using Liberapay" src="https://liberapay.com/assets/widgets/donate.svg"></a></noscript> <noscript><a href="https://liberapay.com/ookangzheng/donate"><img alt="Donate using Liberapay" src="https://liberapay.com/assets/widgets/donate.svg"></a></noscript>
|
<!--<a class="bmc-button" target="_blank" href="https://www.buymeacoffee.com/elk6NqZhi">--> <!--<a class="bmc-button" target="_blank" href="https://www.buymeacoffee.com/elk6NqZhi">-->
<!-- <img src="https://www.buymeacoffee.com/assets/img/BMC-btn-logo.svg">--> <!-- <img src="https://www.buymeacoffee.com/assets/img/BMC-btn-logo.svg">-->
<!-- <span style="margin-left:5px">Buy me a coffee</span></a>--> <!-- <span style="margin-left:5px">Buy me a coffee</span></a>-->
<a href="https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=F2H8HS44QAV8N&source=url"><img style="height:40px" src="https://camo.githubusercontent.com/f896f7d176663a1559376bb56aac4bdbbbe85ed1/68747470733a2f2f7777772e70617970616c6f626a656374732e636f6d2f656e5f55532f692f62746e2f62746e5f646f6e61746543435f4c472e676966" alt="Donate with PayPal button" /></a> <!-- hi@blahdns.com -->
| <a href="https://paypal.me/okz5289tw/100"><img style="height:40px" src="https://camo.githubusercontent.com/f896f7d176663a1559376bb56aac4bdbbbe85ed1/68747470733a2f2f7777772e70617970616c6f626a656374732e636f6d2f656e5f55532f692f62746e2f62746e5f646f6e61746543435f4c472e676966" alt="Donate with PayPal button" /></a>
🧘‍♂ <a href="https://qr.allpay.com.tw/ZoYHr">贊助</a> <!-- <form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">-->
<!--<input type="hidden" name="cmd" value="_s-xclick" />-->
<!--<input type="hidden" name="hosted_button_id" value="KC33GK5CT2Q9Y" />-->
<!--<input type="image" src="https://www.paypalobjects.com/en_US/TW/i/btn/btn_donateCC_LG.gif" border="0" name="submit" title="PayPal - The safer, easier way to pay online!" alt="Donate with PayPal button" />-->
<!--<img alt="" border="0" src="https://www.paypal.com/en_TW/i/scr/pixel.gif" width="1" height="1" />-->
<!--</form>-->
</p> </p>
<div style="position:relative;bottom:55px;" class="w3-tooltip w3-right"> <div style="position:relative;bottom:55px;" class="w3-tooltip w3-right">