add DNS-over-TLS support

[qyb]

I used the 'tcp-tls' defined by miekg/dns to switch DNS-over-TLS connection routine

[lix5027]

那 dns over https呢?好像作者原来的ecs不支持https?

[qyb]

那 dns over https呢?好像作者原来的ecs不支持https?

给 TCP -53 加上 TLS 是简单的，但是支持 DoH 是相当复杂的工作，无力在 overture 基础上做这件事。我和一个朋友计划增加 SS-Android 中 local-dns 的工作，等我这个 patch 被合并之后，她会接着提交 SS-Android 中的界面配置。这样就不一定非得远程8.8.8.8了，如果国内有靠谱的 DoT 服务做 local-dns 可能体验会更好 —— 我是 dns.rubyfish.cn 的运行维护者，相信 DoT/DoH 是未来的趋势

[lix5027]

现在dns解析还只能根据chnroute的IP白名单判断吧?
好比说,我查询www.ibm.com 国内dns解析给的国际地址,那么会丢弃他而用Alternative解析的地址.
对用户来说,也许国内dns给的地址去直连,反倒比Alternative给的地址走vpn快

这样有什么好的解决办法么? 是不是只能去找一份gfwlist IP池才能解决?

[MidoriInu1]

@lix5027 虽然现在支持DNS-over-TLS 解析的服务器很少，但我觉得这是趋势，天朝网络的dns投毒、运营商劫持不可能一直持续下去。Android 9.0 内置的网络配置已经支持制定Private DNS了，并且作为主要新特性在今年的I/O大会上提出。随着Google的提倡和支持，相信国内支持DNS-over-TLS 的服务器会越来越多。【google大法好！我是google脑残粉..虽然我的工牌是...咳咳，那不重要】
总之我已经修改了shadowsocks Android APP 的源码，支持用户从上层页面配置localDns和privateDns，已经发起了PR，希望能通过，也希望天朝的网络环境越来越好（笑）

[Mygod]

Is this code tested?

[Mygod]

This line seems extremely problematic and IMO beats the whole purpose of using TLS.

[MidoriInu1]

我认为InsecureSkipVerify应该设置为false？否则依然是容易被劫持的

[qyb]

This line seems extremely problematic and IMO beats the whole purpose of using TLS.

This option will verify hostname and certificate chain. (https://golang.org/pkg/crypto/tls/) . If user only input IP address here, InsecureSkipVerify:true will broken.

My code just do simple ip config format parsing. Maybe we need the format as "tcp-tls:[ip][#tls port][~tls name][^tsig spec]" ...

[Mygod]

@qyb See: Is it possible to have SSL certificate for IP address, not domain name? When a domain name is given, such domain name should be resolved using other DNS, just like how Android handles this.

If you disable this verification, there's nothing gained by doing DNS over TLS.

EDIT: Also domain names offer more flexibility as it can resolve to both IPv4 and IPv6 addresses.

[qyb]

@Mygod You are right. But it need more test for 'false' option because Config.ServerName has not been set. I will test it and try add tcp-tls:hostname:port@bootstrapAddress support later.

[Mygod]

I think it's best to simply use tcp-tls:hostname. Port should be 853 when omitted according to RFC 7858. Hostname can be either domain and IP address.