About DNS Leaks


DNS leak basics

https://re-date.com/page-4/dns-2/?ref=typenode.net
https://nordvpn.com/zh/features/dns-leak-test/?ref=blognext.net
https://youtube.com/watch?v=bhDBsgsI78g%3Ffeature%3Doembed

Approach: self-hosted AdGuard Home DNS with the AdGuard client

If you pair this with AdGuard Home and use your own DoH service, security improves a great deal. In my experience, using DNSPod as the upstream DNS on the AdGuard Home server also works very well and does not return poisoned addresses. See my article:

https://typenode.net/adguard-home-2

Then use the AdGuard client on the PC or phone, configured with encrypted DNS on a non-default port so the port is not blocked. This greatly improves the privacy of DNS queries. It is not 100%, but it is good enough for ordinary people, and we are not doing anything illegal anyway.

Windows

1. AdGuard has also published an article on the DNS leaks that can occur when using AdGuard for Windows, explaining in detail why DNS leaks happen and what additional configuration may be needed.

https://adguard.com/kb/zh-CN/adguard-for-windows/solving-problems/dns-leaks/?ref=blognext.net

In fact, I think public resolvers from companies like DNSPod are, at the very least, better than the ISP's; that is just my personal opinion. If you can find a better usable DNS service, all the better. But in my years of experimenting, foreign DNS providers are either blocked or return Asia-Pacific IPs for domestic applications, making them so slow that normal use suffers, so what is the point?

2. Smart Multi-Homed Name Resolution

The NordVPN site notes that if the system runs Windows 8 or later with the "Smart Multi-Homed Name Resolution" feature enabled, which "sends DNS requests to all available DNS servers and accepts the response from whichever DNS server answers first", a DNS leak may result. So is it necessary to disable this feature?

DNS Leaks: The Ultimate Guide to Finding and Fixing Leaks in 2023

https://zh.wizcase.com/blog/dns%E6%B3%84%E6%BC%8F%EF%BC%9A%E5%B9%B4%E6%89%BE%E6%9F%A5%E5%92%8C%E4%BF%AE%E5%A4%8D%E6%B3%84%E6%BC%8F%E7%9A%84%E7%BB%88%E6%9E%81%E6%8C%87%E5%8D%97/?ref=typenode.net

Basically, there is no complete solution.
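As an added example (not code from the original post, AdGuard or NordVPN), the PowerShell audit below lists the resolvers each adapter is configured with, flags any that are not in your trusted set, and reports whether the "Turn off smart multi-homed name resolution" policy is in effect. The address 192.0.2.53 is a placeholder for your own AdGuard Home instance.

```powershell
# Added example: audit a Windows host for DNS-leak exposure.
# Assumption: $Trusted holds the resolver address(es) every adapter should use.
$Trusted = @('192.0.2.53')   # placeholder: replace with your AdGuard Home IP(s)

# 1. Resolvers actually configured per adapter. With smart multi-homed name
#    resolution enabled, a query may reach any of them, not only the VPN's.
$leaks = @()
Get-DnsClientServerAddress -AddressFamily IPv4, IPv6 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        foreach ($srv in $_.ServerAddresses) {
            $ok = $Trusted -contains $srv
            '{0,-30} {1,-40} {2}' -f $_.InterfaceAlias, $srv, $(if ($ok) { 'trusted' } else { 'UNTRUSTED' })
            if (-not $ok) { $leaks += "$($_.InterfaceAlias) -> $srv" }
        }
    }

# 2. Group Policy "Turn off smart multi-homed name resolution" is stored here;
#    a value of 1 means the parallel send-to-all behaviour is disabled.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$smhnr = (Get-ItemProperty -Path $policyKey -Name DisableSmartNameResolution `
          -ErrorAction SilentlyContinue).DisableSmartNameResolution
if ($smhnr -eq 1) {
    'Smart multi-homed name resolution: disabled by policy'
} else {
    'Smart multi-homed name resolution: ENABLED (default); queries may go to every adapter''s resolver'
}

# 3. Summary of adapters whose resolvers are outside the trusted set.
if ($leaks.Count -eq 0) { 'No untrusted resolvers configured.' }
else { "Potential leak paths:`n  " + ($leaks -join "`n  ") }
```

Run it from an elevated PowerShell before and after changing adapter DNS settings or applying the policy; an adapter that still lists the ISP's resolver is a leak path regardless of which resolver the VPN or AdGuard client prefers.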

About DoH

Yes, the DoH resolver receives encrypted queries from the user. But when it sends those queries on to regular DNS authoritative name servers the query is not encrypted. Thus, DoH does not perform end-to-end encryption. And DoH does not really prevent an ISP from tracking your DNS requests. That’s because after your web browser receives the IP address from the DNS and sends you there, an ISP can see that IP address of your destination site if that site uses HTTP. And there are non-encrypted parts of HTTPS requests that are still in cleartext, like the IP address and Server Name Indication. Thus, using DoH will not prevent a determined ISP (or oppressive government) from knowing where you are going on the web.

According to the article above, DoH lookups are not fully private, whereas DoT offers more security.

There are other options for privacy when using DNS. These include using Domain Name System Security Extensions (DNSSEC) or DNS-over-TLS (DoT). These solutions encrypt DNS instead of partially hiding DNS traffic inside HTTPS.

About DoQ

https://adguard-dns.io/en/blog/dns-over-quic-official-standard.html?ref=typenode.net

AdGuard's blog gives a detailed summary of DoQ. An excerpt of that summary follows:

Then I found this article, a rigorous paper. Its conclusion is that neither DoH nor DoT completely solves the DNS leak problem, and according to its tests, neither does DoQ. Sigh, what a world.

https://dl.acm.org/doi/abs/10.1145/3488658.3493782?ref=typenode.net

Increased demand for DNS privacy has driven the creation of several encrypted DNS protocols, such as DNS over HTTPS (DoH), DNS over TLS (DoT), and DNS over QUIC (DoQ). Recently, the DoT and DoH have been deployed by some vendors like Google and Cloudflare.

Other reference articles

https://www.magonlinelibrary.com/doi/full/10.12968/S1361-3723%2822%2970572-6?ref=typenode.net
