Skip to content

Instantly share code, notes, and snippets.

@leiless

leiless/Corefile

Last active July 7, 2022 06:51
Show Gist options
  • Save leiless/5fbdeafb69d56fe737ba639ded9ac124 to your computer and use it in GitHub Desktop.
Save leiless/5fbdeafb69d56fe737ba639ded9ac124 to your computer and use it in GitHub Desktop.
Download ZIP
Sample Corefile for leiless/dnsredir plugin
Raw
Corefile
# XXX: Deprecated, see below for updates
# https://coredns.io/plugins/cache/
(global_cache) {
cache {
# [5, 60]
success 65536 3600 300
# [1, 10]
denial 8192 600 60
prefetch 1 60m 10%
}
}
. {
debug
log . {combined}
loop
reload 2s
errors
hosts {
fallthrough
}
import global_cache
dnsredir accelerated-domains.china.conf google.china.conf apple.china.conf {
expire 15s
max_fails 3
health_check 3s
policy round_robin
path_reload 2s
to 114.114.114.114 223.5.5.5 119.29.29.29
}
dnsredir . {
expire 60s
max_fails 5
health_check 5s
policy random
spray
to tls://[email protected] tls://[email protected]
to tls://1.1.1.1 tls://1.0.0.1
to tls://[email protected]
# Global TLS server name
tls_servername one.one.one.one
}
}
@leiless
Copy link
Author

leiless commented Apr 18, 2020
edited
Loading

🚀 Encrypt all your DNS queries by using DNS-over-HTTPS

Updated Jun 19, 2021.

# Sample Corefile for leiless/dnsredir plugin
# Checkout https://git.io/JJZ3N

# https://coredns.io/plugins/cache/
(global_cache) {
    cache {
        # success CAPACITY [TTL] [MINTTL]
        success 65536 1800 300
        # denial CAPACITY [TTL] [MINTTL]
        denial 1024 300 10
        # prefetch AMOUNT [[DURATION] [PERCENTAGE%]]
        prefetch 1 30m 10%
    }
}

. {
    #debug
    #loop
    log . {combined}
    reload 2s
    errors

    hosts {
        fallthrough
    }

    import global_cache

    # accelerated, apple, google
    dnsredir https://t.cn/A6zY4e4i https://t.cn/A6zYb6sL https://t.cn/A6zYbWEM {
        health_check 5s
        policy round_robin

        to ietf-doh://223.5.5.5/dns-query ietf-doh://223.6.6.6/dns-query
        to doh://doh.pub/dns-query

        bootstrap 114.114.114.114 223.5.5.5 223.6.6.6
        no_ipv6
    }

    dnsredir . {
        expire 30s
        max_fails 5
        health_check 10s
        policy random
        spray

        # List of DoH: https://github.com/curl/curl/wiki/DNS-over-HTTPS
        to doh://cloudflare-dns.com/dns-query
        to json-doh://dns.google/resolve
        to ietf-doh://dns.google/dns-query

        bootstrap 114.114.114.114 223.5.5.5 223.6.6.6
        no_ipv6
    }
}

Your DNS queries are encrypted doesn't mean anything to your privacy safety, it only eliminated the possibility of MITM attack.
If privacy safety is a concern, please use privacy-safe DNS servers all the way down.
Note that all China mainland DNS servers are privacy unsafe(due to the regulations), in which case you may setup a private DNS server by your own.

SEE ALSO

https://github.com/curl/curl/wiki/DNS-over-HTTPS
https://github.com/missdeer/coredns_custom_build
https://coredns.minidump.info/
使用Prometheus观察CoreDNS运行状况
https://github.com/xiaodongus/encrypted-dns
DNSPod 的 DoT 和 DoH 对外公测了
https://github.com/curl/curl/wiki/DNS-over-HTTPS
https://gist.github.com/leiless/fe05aefcb08dc066cd7881933f02b9c0

@hehh2001
Copy link

简单好用,谢谢

@leiless
Copy link
Author

leiless commented Mar 5, 2021
edited
Loading

According to 防火墙屏蔽了多个 DoH 服务器, many popular DoH/DoT servers got SNI blocked in mainland China.

Please consider using other(especially minor) DoH servers listed in:

Or, you can forward all DoH/DoT traffic to your proxy.

SEE ALSO

Signal 被屏蔽
时常出现“write broken",这是什么原因? #17

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment