add DNS-over-TLS support #3

Merged
merged 2 commits into from Dec 6, 2018

qyb commented Dec 5, 2018

I used the 'tcp-tls' network defined by miekg/dns to switch the DNS-over-TLS connection routine.

lix5027 commented Dec 6, 2018

What about DNS over HTTPS? It seems the author's original ecs doesn't support HTTPS?

qyb commented Dec 6, 2018

What about DNS over HTTPS? It seems the author's original ecs doesn't support HTTPS?

Adding TLS on top of TCP port 53 is simple, but supporting DoH is a considerably more complex job, and I don't have the capacity to do it on top of overture. A friend and I plan to add local-dns support in SS-Android; once this patch is merged, she will follow up with a PR for the UI configuration in SS-Android. That way it no longer has to be the remote 8.8.8.8; if there is a reliable DoT service inside China to use as local-dns, the experience may be better. I am the operator of dns.rubyfish.cn, and I believe DoT/DoH is the future trend.

lix5027 commented Dec 6, 2018

Right now DNS resolution can only be judged against the chnroute IP whitelist, right?
For example, if I look up www.ibm.com and the domestic DNS returns an international address, it will be discarded in favour of the address from the Alternative resolver.
For the user, connecting directly to the address given by the domestic DNS may actually be faster than routing the address from the Alternative resolver over the VPN.

Is there a good solution for this? Is the only fix to find a gfwlist IP pool?

@madeye madeye merged commit f8e0e79 into shadowsocks:shadowsocks Dec 6, 2018

MidoriInu1 commented Dec 6, 2018

@lix5027 Although there are very few servers that support DNS-over-TLS resolution right now, I think it is the trend; DNS poisoning and ISP hijacking on the Chinese network cannot go on forever. The built-in network settings of Android 9.0 already support specifying a Private DNS, and it was presented as a major new feature at this year's I/O conference. With Google's advocacy and support, I believe more and more domestic servers will support DNS-over-TLS. [Google is great! I'm a Google fanboy... although my work badge says... ahem, that's not important]
In short, I have already modified the shadowsocks Android app source so that users can configure localDns and privateDns from the top-level UI, and I have opened a PR; I hope it gets accepted, and I hope the network environment in China keeps getting better (laughs)

Mygod left a comment

Is this code tested?

} else if (c.DNSUpstream.Protocol == "tcp-tls") {
var err error
conf := &tls.Config{
InsecureSkipVerify: true,
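Review bot: `InsecureSkipVerify: true` in this hunk disables both certificate chain validation and hostname matching, so the upstream connection is encrypted but not authenticated and any on-path resolver can impersonate the DoT server. Leave it false and set `ServerName` to the configured upstream host instead; crypto/tls requires one of the two to be set, and an IP literal is accepted as `ServerName` when the server certificate carries that IP as a subject alternative name.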

Mygod Dec 6, 2018

This line seems extremely problematic and IMO beats the whole purpose of using TLS.

MidoriInu1 Dec 6, 2018

I think InsecureSkipVerify should be set to false? Otherwise it is still easy to hijack.

qyb Dec 6, 2018

This line seems extremely problematic and IMO beats the whole purpose of using TLS.

This option will verify the hostname and certificate chain (https://golang.org/pkg/crypto/tls/). If the user only inputs an IP address here, InsecureSkipVerify:true will break.

My code just does simple IP config format parsing. Maybe we need the format as "tcp-tls:[ip][#tls port][~tls name][^tsig spec]" ...

Mygod Dec 6, 2018

@qyb See: Is it possible to have SSL certificate for IP address, not domain name? When a domain name is given, that domain name should be resolved using the other DNS, just like how Android handles this.

If you disable this verification, there's nothing gained by doing DNS over TLS.

EDIT: Also domain names offer more flexibility as it can resolve to both IPv4 and IPv6 addresses.

qyb Dec 6, 2018

@Mygod You are right. But it needs more testing for the 'false' option because Config.ServerName has not been set. I will test it and try to add tcp-tls:hostname:port@bootstrapAddress support later.

Mygod Dec 7, 2018

I think it's best to simply use tcp-tls:hostname. The port should be 853 when omitted, according to RFC 7858. The hostname can be either a domain name or an IP address.
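The upstream format the thread converges on (tcp-tls:host with an optional port, defaulting to 853 per RFC 7858, host being a domain or IP literal) combined with a tls.Config that keeps verification on, as an added Go example; this is not code from the PR or from overture, and the type and function names are my own.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"strings"
)

// UpstreamTLS is the parsed form of a "tcp-tls:host[:port]" upstream entry
// (hypothetical type; not part of overture).
type UpstreamTLS struct {
	Host string // domain name or IP literal, without brackets
	Port string // "853" when omitted (RFC 7858 default)
}

// ParseTCPTLS parses "tcp-tls:host[:port]". Bracketed IPv6 literals such as
// "tcp-tls:[2001:db8::1]:853" are accepted.
func ParseTCPTLS(spec string) (UpstreamTLS, error) {
	const prefix = "tcp-tls:"
	if !strings.HasPrefix(spec, prefix) {
		return UpstreamTLS{}, fmt.Errorf("not a tcp-tls upstream: %q", spec)
	}
	rest := strings.TrimPrefix(spec, prefix)
	host, port, err := net.SplitHostPort(rest)
	if err != nil {
		// No explicit port (or a bare IPv6 literal): fall back to 853.
		host, port = strings.Trim(rest, "[]"), "853"
	}
	if host == "" {
		return UpstreamTLS{}, fmt.Errorf("empty host in upstream %q", spec)
	}
	return UpstreamTLS{Host: host, Port: port}, nil
}

// Addr returns the dial address, bracketing IPv6 literals as net expects.
func (u UpstreamTLS) Addr() string { return net.JoinHostPort(u.Host, u.Port) }

// TLSConfig keeps chain and hostname verification enabled. ServerName is the
// configured host: crypto/tls requires ServerName or InsecureSkipVerify to be
// set, and for an IP literal Go matches it against the certificate's IP SANs.
func (u UpstreamTLS) TLSConfig() *tls.Config {
	return &tls.Config{
		ServerName: u.Host,
		MinVersion: tls.VersionTLS12,
		// InsecureSkipVerify deliberately left at its zero value (false).
	}
}

// Dial opens the authenticated DoT transport; the *tls.Conn can be handed to a
// DNS client (miekg/dns "tcp-tls") for length-prefixed queries.
func (u UpstreamTLS) Dial() (*tls.Conn, error) {
	return tls.Dial("tcp", u.Addr(), u.TLSConfig())
}
```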
