DoT DoH addition DNSCrypt,You can also learn more about the DNS encryption scheme

2018On November 2nd update,One day after switching to DoT,All stubby built-in server running unusually slow,Until daily use is immune to give up ......。

2018On November 1st update,used 5 After days DoH,Since the server is currently offering this service only,I was here at this address operators blocked。



three years ago,I wrote an article "Avoid DNS leaks on OS X"Talk about how to protect your privacy,And to avoid DNS Give way,At that time the technology is mainly used dnscrypt- in fact, then I gave up this program,The reason is severely disturbed public server,Configure complex high latency。Now three years later,Let's look at the latest DoT and DoH,Actually DNS over TLS and DNS over HTTPS

Those DNS encryption scheme

In fact, we've already talked about,DNS is expressly transmission of all content,Beginning of the design there is no such thing as safety considerations,Even answer the,You ask A Which IP address,A not had time to reply, B Responder say ! then,You believed。

It is now a common means of gfw wall websites,DNS is the principle of pollution。In short,dnscrypt Appeared,But it uses a custom protocol,And configure key exchange is needed each other,This leads to a lot of trouble。now,There are two new DNS encryption (apparently also the anti-pollution),This time we will talk about,They in the end where different。

DNS over TLS

TLS encryption fact that we used the Internet encrypted HTTPS,Security has been good protection - if this thing fails,It is estimated that ruined the entire Internet。

DoT use 853 port,Uses TCP for transport - basically it can be understood as the encrypted version of the ordinary DNS。

nowadays,DoT has been quite mature clients,use brew install stubby To install,reuse sudo brew services start stubby You will be able to start the,stubby recommended to use the default configuration,It has integrated multiple trusted server DoT。I am here to test query speed of the slowest 1 Yes seconds ......,You still need a pre-DNS cache service,For example dnsmasq,Here I will act as the direct use of Surge。

Some future doubts

DoT looks wonderful,Almost everything is done to our fantasy encryption of DNS,But one thing still to be noted,In a country like China,Once popular DoT,However, then it can no longer be contaminated,But it could easily be banned - because it has a separate fixed port,Although people do not know what site you visit,But you can know with DoT ,You simply direct interference TCP packet is not on the list?

(of course,DoT may also take up special 443 Port wants)


In short,Confusion is king,Although this will make network management headache,But in areas of severe review,Still worth a try。While it is people's attitude was wholly unknown to the DoH controversial,But there are still many Internet organizations support it - directly HTTP/2 or HTTPS Protocol request,This time it is hard to put a special DNS traffic separation singled out the interference。

Especially for self-built DNS servers,You can even hide behind the site!

To use the DoH,use brew install cloudflare/cloudflare/cloudflared To install,Run command sudo cloudflared proxy-dns Start it comes to test,You can see that it uses two upstream server:

Service can be started after the attempt to query,The first test when I met a lot of obvious error:

But the result was a return to normal,The first query time to stabilize within 300ms,Service comes with its own cache function,The second query like the nature is 0ms。

After a successful test,You need to be configured to cloudflared,So that it can automatically start as a service:

you can see,in /usr/local/etc/cloudflared/config.YML File We gave both the default upstream server,You can also add more here。

In short,After creating the configuration file,Let us execute the command to install the service into the system:

Now,You can press ctrl + c temporarily stopped using the service just tested,Then use the command to start system services: sudo launchctl start with.cloudflare.cloudflared


System Configuration

Now,Whether or DoH DoT,We have already started (note,Both at the same time you can only start a,Because the dns will be occupied by local 53 Port) you only need to configure the system to resolve dns .。

Additional content

If you're like me using the Surge,Then you may find that after turning on the Enhance Mode loop appears to be a DNS problem,Lead to an empty result set ...... it seems to be the DNS service and Surge answer in each other。Here we configure Surge does not use a custom DNS,Switching to the system settings DNS:

Surge provided using the system instead of a custom DNS


in conclusion

For now,DoT to use relatively stable in China,But a little slow,Use DoH faster speed but serious interference - this may also be a public server and DoH is not a lot about (after all, it is easy to give you kill the IP),In short,Both methods are self-built server excellent choice,simple、Shortcut,Very easy。

Rush wording,I am now in use argo tunnel ,That is the cloudflared,Own DNS cache,In a timely manner without the use of pre-DNS cache can be well run,Over time I will come to re-edit the article along with the effect of experience。(Hopefully not as frequently accessed The banned off)




Original article written by Gerber drop-off:R0uter's Blog » DoT DoH addition DNSCrypt,You can also learn more about the DNS encryption scheme

Reproduced Please keep the source and description link:

About the Author


The non-declaration,I have written articles are original,Reproduced, please indicate the link on this page and my name。


  1. Can the dots built by bloggers be used directly by filling in the domain name in the private DNS of the Android phone? My self-built Adguard_Home,dot port 853,Phone says can't connect。

    1. something like dns,No problem with chained requests,You can also set one layer,But that does n’t make much sense,All three are dns encryption solutions,You only need to use one of them,Three sets are used together,Also ok,It ’s just encryption redundancy.,Same request,Three requests,Encrypt three times,Are you slow。

        1. System or browser has a DNS cache,Only a relatively short time on the cache fills。
          You will be able to use a domestic mail message is received correctly。(probably
          My letter service is actually foxmail aka qq

Leave a Reply

Your email address will not be published. Required fields are marked *