
add DNS-over-TLS support #3

Merged
merged 2 commits into from Dec 6, 2018

Conversation

@qyb

@qyb qyb commented Dec 5, 2018

I used the 'tcp-tls' network defined by miekg/dns to switch to the DNS-over-TLS connection routine.

@lix5027

@lix5027 lix5027 commented Dec 6, 2018

What about DNS over HTTPS? It seems the author's original ECS doesn't support HTTPS?

@qyb
Author

@qyb qyb commented Dec 6, 2018

What about DNS over HTTPS? It seems the author's original ECS doesn't support HTTPS?

Adding TLS to TCP/53 is simple, but supporting DoH is considerably more complex work, and I don't have the capacity to do that on top of overture. A friend and I plan to add local-dns support to SS-Android; once this patch of mine is merged, she will follow up with the UI configuration in SS-Android. That way it won't necessarily have to go to the remote 8.8.8.8; if there is a reliable DoT service in China to use as local-dns, the experience may be better. I'm the operator of dns.rubyfish.cn, and I believe DoT/DoH is the trend of the future.

@lix5027

@lix5027 lix5027 commented Dec 6, 2018

Right now DNS resolution can only be judged against the chnroute IP whitelist, right?
For example, if I query www.ibm.com and the domestic DNS returns an international address, that answer is discarded in favour of the address from the Alternative resolver.
For the user, connecting directly to the address the domestic DNS gave may well be faster than going through the VPN to the address the Alternative resolver gave.

Is there a good solution for this? Is the only way to find a gfwlist IP pool?

@MidoriInu1

@MidoriInu1 MidoriInu1 commented Dec 6, 2018

@lix5027 Although there are few servers supporting DNS-over-TLS resolution right now, I think it's the trend; DNS poisoning and ISP hijacking on China's network can't go on forever. Android 9.0's built-in network settings already support specifying a Private DNS, and it was presented as a major new feature at this year's I/O. With Google's advocacy and support, I believe more and more servers in China will support DNS-over-TLS. [Google is great! I'm a Google fanboy.. although my work badge says... ahem, that's not important]
Anyway, I have already modified the shadowsocks Android app source so that users can configure localDns and privateDns from the settings page, and I've opened a PR; I hope it gets accepted, and I hope China's network environment keeps getting better (laughs)


@Mygod Mygod left a comment

Is this code tested?

```go
} else if (c.DNSUpstream.Protocol == "tcp-tls") {
    var err error
    conf := &tls.Config{
        InsecureSkipVerify: true,
```


@Mygod

Mygod Dec 6, 2018

This line seems extremely problematic and IMO beats the whole purpose of using TLS.


@MidoriInu1

MidoriInu1 Dec 6, 2018

I think InsecureSkipVerify should be set to false? Otherwise it is still easy to hijack.


@qyb

qyb Dec 6, 2018
Author

This line seems extremely problematic and IMO beats the whole purpose of using TLS.

This option will verify the hostname and certificate chain (https://golang.org/pkg/crypto/tls/). If the user only inputs an IP address here, InsecureSkipVerify: true will break.

My code just does simple IP config format parsing. Maybe we need a format like "tcp-tls:[ip][#tls port][~tls name][^tsig spec]" ...


@Mygod

Mygod Dec 6, 2018

@qyb See: "Is it possible to have SSL certificate for IP address, not domain name?" When a domain name is given, that domain name should be resolved using another DNS, just like how Android handles this.

If you disable this verification, there's nothing gained by doing DNS over TLS.

EDIT: Also, domain names offer more flexibility, as they can resolve to both IPv4 and IPv6 addresses.


@qyb

qyb Dec 6, 2018
Author

@Mygod You are right. But it needs more testing with the 'false' option because Config.ServerName has not been set. I will test it and try to add tcp-tls:hostname:port@bootstrapAddress support later.


@Mygod

Mygod Dec 7, 2018

I think it's best to simply use tcp-tls:hostname. The port should be 853 when omitted, according to RFC 7858. The hostname can be either a domain name or an IP address.
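As an added example (not code from this PR or from overture), the following Go shows the direction the thread settles on: parse a `tcp-tls:hostname[:port]` upstream spec with the RFC 7858 default port, and build a `tls.Config` that keeps chain and hostname verification enabled by setting `ServerName` explicitly instead of `InsecureSkipVerify: true`. The `DoTUpstream` type and its field names are my own; it also accepts bracketed IPv6 literals, which the thread does not discuss.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"strings"
)

// DoTUpstream is the parsed "tcp-tls:hostname[:port]" spec proposed in the
// thread (type and field names are my own, not overture's).
type DoTUpstream struct {
	Host string // domain name or IP literal; the name the certificate is checked against
	Port string // "853" when omitted, per RFC 7858
}

// ParseDoTUpstream parses "tcp-tls:hostname[:port]"; an IPv6 literal that
// carries a port must be bracketed, e.g. "tcp-tls:[2001:db8::1]:853".
func ParseDoTUpstream(spec string) (DoTUpstream, error) {
	if !strings.HasPrefix(spec, "tcp-tls:") {
		return DoTUpstream{}, errors.New("upstream spec must start with tcp-tls:")
	}
	rest := strings.TrimPrefix(spec, "tcp-tls:")
	host, port, err := net.SplitHostPort(rest)
	if err != nil { // no port given: the whole remainder is the host
		host, port = strings.TrimSuffix(strings.TrimPrefix(rest, "["), "]"), "853"
	}
	if host == "" {
		return DoTUpstream{}, errors.New("empty host in upstream spec")
	}
	return DoTUpstream{Host: host, Port: port}, nil
}

// TLSConfig keeps verification on: the chain is checked against the system
// roots and the leaf against ServerName. Setting ServerName explicitly means a
// dialer may connect to a separately bootstrapped IP while the certificate is
// still verified for the configured hostname (or IP literal, via an IP SAN).
func (u DoTUpstream) TLSConfig() *tls.Config {
	return &tls.Config{ServerName: u.Host, MinVersion: tls.VersionTLS12}
}

func main() {
	u, err := ParseDoTUpstream("tcp-tls:dns.rubyfish.cn")
	if err != nil {
		panic(err)
	}
	fmt.Println(net.JoinHostPort(u.Host, u.Port), "verified as", u.TLSConfig().ServerName)
}
```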
