xnix:nginx_dot
Differences
This shows the differences between the revision you selected and the current version.
Previous revision | |||
— | xnix:nginx_dot [2021/08/18 10:18] (current) – ↷ Page freebsd:network:nginx_dot moved to xnix:nginx_dot Hshh | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== 使用 Nginx 搭建 DNS over TLS (DoT) ====== | ||
+ | ==== 参考文档及源代码 ==== | ||
+ | |||
+ | - [[https:// | ||
+ | |||
+ | ==== 配置 Nginx ==== | ||
+ | |||
+ | 以下是简明配置, | ||
+ | |||
+ | 如果上游DNS服务器使用DNS over TLS(DoT), | ||
+ | |||
+ | 如果上游DNS服务器是普通形式, | ||
+ | |||
+ | < | ||
+ | stream { | ||
+ | ssl_protocols TLSv1.2 TLSv1.3; | ||
+ | ssl_ciphers " | ||
+ | ssl_prefer_server_ciphers on; | ||
+ | # | ||
+ | ssl_session_timeout 1d; | ||
+ | ssl_dhparam / | ||
+ | tcp_nodelay on; | ||
+ | upstream dot { | ||
+ | zone dot 64k; | ||
+ | server 8.8.8.8: | ||
+ | server 8.8.4.4: | ||
+ | } | ||
+ | server { | ||
+ | listen 853 ssl; | ||
+ | ssl_certificate / | ||
+ | ssl_certificate_key / | ||
+ | proxy_pass dot; | ||
+ | proxy_ssl on; | ||
+ | } | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ==== 测试 ==== | ||
+ | |||
+ | === 用 kdig 测试 === | ||
+ | |||
+ | 简单的不检查TLS证书 | ||
+ | < | ||
+ | kdig -p 853 @dns_server_ip +tls intel.com | ||
+ | </ | ||
+ | |||
+ | 匹配TLS证书为domain | ||
+ | < | ||
+ | kdig -p 853 @dns_server_ip +tls-ca +tls-host=domain intel.com | ||
+ | </ | ||
+ | |||
+ | 使用 [[https:// | ||
+ | |||
+ | - Transport order: 选择TLS | ||
+ | - TLS resolver IP: 输入要检查的DNS服务器IP | ||
+ | - TLS auth name: (可选)TLS证书验证域名 |
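Review bot: the `server` block enables `proxy_ssl on;` toward the `dot` upstream without any `proxy_ssl_verify`, so the hop from nginx to the upstream resolvers is encrypted but the upstream certificate is never validated (verification is off by default in the stream proxy module). Suggest adding `proxy_ssl_verify on;` together with a `proxy_ssl_trusted_certificate` pointing at a CA bundle, and setting `proxy_ssl_name` to the name on the upstream resolver's certificate, since the default name is taken from `proxy_pass dot;` and would not match. It would also help to say in the text around the config that without these directives the proxy accepts any certificate presented on the upstream side.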
xnix/nginx_dot.txt · Last modified: 2021/08/18 10:18 by Hshh