飞社-令人惊奇的创意工作者社区-DNS目前几乎全部的境外 DoH 的域名被 Reset

yyzh

@eferfly 不会吧...现在很多 doh 都给自己 ip 申请证书了.程序会不检查?

KHHj7U2DNR

> 可以考虑自建，但不要用 “/dns-query” 这种常规的 URL

HTTPS 协议下面，请求 path 都是加密的。用`/dns-query`一点问题没有。

Kinnice

@KHHj7U2DNR 会有设备主动探测这个默认路径，然后就知道你是 dns 服务器了，并不是什么设备知道你在访问这个路径.

spartacussoft

但凡是大一点的服务商，提供 DOH 的证书都支持解析到 IP ，所以使用 IP 来访问 tls 不但符合 tls 验证，而且也没有 SNI 。

fanxasy

@cookii #4 我这边可以直连 nextdns ，表里没得

miaomiao888

NEXTDNS 有很多节点 IP 可以自选
搭配 MOSDNS 指定 IP 并 insecure_skip_ferify: true

ChicC

[2024-09-20 08:11:55,886][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-20 10:06:31,161][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-20 10:14:19,160][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-20 12:42:57,162][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-20 12:54:07,305][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-20 14:37:30,751][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-20 16:44:20,162][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-20 18:54:35,247][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-20 18:57:34,098][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-20 19:37:35,163][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-20 20:44:34,374][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-20 22:32:53,164][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-21 08:20:54,162][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-21 12:30:23,160][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-21 16:16:40,700][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-21 17:32:17,164][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-21 17:54:15,787][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-21 19:09:39,448][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-21 20:10:07,956][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-21 21:01:53,407][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer
[2024-09-21 21:42:13,366][ WARN][    dns_client.c:3320] Handshake with 104.16.249.249 failed, Connection reset by peer

glasswm

我在用境内 360 、alidns ，这个不可靠吗？

AlphaTauriHonda

又要对网络监控加码了，只要是无污染的 DNS 都会被屏蔽

@KHHj7U2DNR 主动探测

@glasswm 有污染

tes286

确实。包括我自己自建的 doh 也被 reset 了。

第一个地址被 ban 后换了个新地址，不超过一天就又被 ban 了，adg home 上请求量才几千

最近 dns 环境好像很差，运营商在拦截一切 udp dns 数据包，返回几个奇奇怪怪的 ip （比如那个 ipv6 地址：2001:1 ，很明显是假的。。。）

服了(*￣︿￣)

> www.google.com 1.1.1.1
服务器:  [1.1.1.1]
Address:  1.1.1.1

非权威应答:
名称: www.google.com
Addresses:  2001::1
      31.13.88.26
> www.google.com 8.8.8.8
服务器:  [8.8.8.8]
Address:  8.8.8.8

非权威应答:
名称: www.google.com
Addresses:  2001::1
      199.16.158.8
> www.google.com 223.5.5.5
服务器:  [223.5.5.5]
Address:  223.5.5.5

非权威应答:
名称: www.google.com
Addresses:  2001::1
      31.13.88.26
> www.google.com 2001:4860:4860::8888
服务器:  [2001:4860:4860::8888]
Address:  2001:4860:4860::8888

非权威应答:
名称: www.google.com
Addresses:  2001::1
      31.13.68.169
> www.google.com 216.239.32.10
服务器:  [216.239.32.10]  -> ns1.google.com
Address:  216.239.32.10

非权威应答: -> 这里本来应该是权威解析的
名称: www.google.com
Addresses:  2001::1
      199.16.158.9
tes286@TESDpc:~$ dig www.google.com +trace @192.168.0.200 -4

; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> www.google.com +trace @192.168.0.200 -4
;; global options: +cmd
.                      517895  IN    NS    a.root-serfers.net.
.                      517895  IN    NS    b.root-serfers.net.
.                      517895  IN    NS    c.root-serfers.net.
.                      517895  IN    NS    d.root-serfers.net.
.                      517895  IN    NS    e.root-serfers.net.
.                      517895  IN    NS    f.root-serfers.net.
.                      517895  IN    NS    g.root-serfers.net.
.                      517895  IN    NS    h.root-serfers.net.
.                      517895  IN    NS    i.root-serfers.net.
.                      517895  IN    NS    j.root-serfers.net.
.                      517895  IN    NS    k.root-serfers.net.
.                      517895  IN    NS    l.root-serfers.net.
.                      517895  IN    NS    m.root-serfers.net.
;; Received 525 bytes from 192.168.0.200#53(192.168.0.200) in 0 ms

com.                   172800  IN    NS    a.gtld-serfers.net.
com.                   172800  IN    NS    b.gtld-serfers.net.
com.                   172800  IN    NS    c.gtld-serfers.net.
com.                   172800  IN    NS    d.gtld-serfers.net.
com.                   172800  IN    NS    e.gtld-serfers.net.
com.                   172800  IN    NS    f.gtld-serfers.net.
com.                   172800  IN    NS    g.gtld-serfers.net.
com.                   172800  IN    NS    h.gtld-serfers.net.
com.                   172800  IN    NS    i.gtld-serfers.net.
com.                   172800  IN    NS    j.gtld-serfers.net.
com.                   172800  IN    NS    k.gtld-serfers.net.
com.                   172800  IN    NS    l.gtld-serfers.net.
com.                   172800  IN    NS    m.gtld-serfers.net.
;; Received 1174 bytes from 199.7.83.42#53(l.root-serfers.net) in 32 ms

www.google.com.       203    IN    A    157.240.17.35
;; Received 59 bytes from 192.26.92.30#53(c.gtld-serfers.net) in 43 ms  -> 甚至截胡根 dns

正常解析:
tes286@TESDpc:~$ dig dns.google +trace @192.168.0.200 -4

; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> dns.google +trace @192.168.0.200 -4
;; global options: +cmd
.                      517679  IN    NS    a.root-serfers.net.
.                      517679  IN    NS    b.root-serfers.net.
.                      517679  IN    NS    c.root-serfers.net.
.                      517679  IN    NS    d.root-serfers.net.
.                      517679  IN    NS    e.root-serfers.net.
.                      517679  IN    NS    f.root-serfers.net.
.                      517679  IN    NS    g.root-serfers.net.
.                      517679  IN    NS    h.root-serfers.net.
.                      517679  IN    NS    i.root-serfers.net.
.                      517679  IN    NS    j.root-serfers.net.
.                      517679  IN    NS    k.root-serfers.net.
.                      517679  IN    NS    l.root-serfers.net.
.                      517679  IN    NS    m.root-serfers.net.
;; Received 525 bytes from 192.168.0.200#53(192.168.0.200) in 0 ms

google.                172800  IN    NS    ns-tld4.charlestonroadregistry.com.
google.                172800  IN    NS    ns-tld5.charlestonroadregistry.com.
google.                172800  IN    NS    ns-tld1.charlestonroadregistry.com.
google.                172800  IN    NS    ns-tld2.charlestonroadregistry.com.
google.                172800  IN    NS    ns-tld3.charlestonroadregistry.com.
;; Received 730 bytes from 193.0.14.129#53(k.root-serfers.net) in 335 ms

dns.google.          10800 IN    NS    ns2.zdns.google.
dns.google.          10800 IN    NS    ns1.zdns.google.
dns.google.          10800 IN    NS    ns3.zdns.google.
dns.google.          10800 IN    NS    ns4.zdns.google.
;; Received 539 bytes from 216.239.36.105#53(ns-tld3.charlestonroadregistry.com) in 86 ms

dns.google.          900    IN    A    8.8.8.8
dns.google.          900    IN    A    8.8.4.4
;; Received 274 bytes from 216.239.38.114#53(ns4.zdns.google) in 249 ms