jkle112 commented 2 years ago

[-spki-pin [sha256-pin]]: TLS合法性校验SPKI值，base64编码的sha256 SPKI pin值 [-host-name]：TLS SNI名称。

以上是官方的配置文件说明，但是实际的配置项目发生了变化。 TLS Hostname Verify TLS SNI name HTTP Host TLS SPKI Pinning 想将https://raw.githubusercontent.com/getdnsapi/stubby/develop/stubby.yml.example的配置完整移植过来，于是将对应的参数填写

The getdnsapi.net server

address_data: 185.49.141.37 tls_auth_name: "getdnsapi.net" tls_pubkey_pinset:
- digest: "sha256" value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=

TLS Hostname Verify:getdnsapi.net TLS SNI name:getdnsapi.net HTTP Host:getdnsapi.net TLS SPKI Pinning:foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=

以上转换是否正确，测试了一下，SMARTDNS运行停止了，希望更新一下参数指南，谢谢！另外有一些特殊的情况希望支持一下。

The Uncensored DNS servers

- address_data: 91.239.100.100

tls_auth_name: "anycast.censurfridns.dk"

tls_pubkey_pinset:

- digest: "sha256"

value: 2JjZgBZkfjSjs117vX+AnyKeYzJNM38zwsaxHwStWsg=

comment: "deic-ore.anycast.censurfridns.dk RSA"

- digest: "sha256"

value: UXs8xWXai9ZXBAjDKYDiYl/jbIYtyV/bY2w3F1FFTDs=

comment: "deic-ore.anycast.censurfridns.dk ECDSA"

- digest: "sha256"

value: oDxJrI/lG1Jhl1J7LvapMlYwlHMphZUODvCDBm0nof8=

comment: "deic-lgb.anycast.censurfridns.dk RSA"

- digest: "sha256"

value: iYkCUwXdH7sT8qh26zt+r5dbTySL43wgJtLCTHaSH9M=

comment: "deic-lgb.anycast.censurfridns.dk ECDSA"

- digest: "sha256"

value: Clii3HzZr48onFoog7I0ma5QmMPSpOBpCykXqgA0Wn0=

comment: "kracon.anycast.censurfridns.dk RSA"

- digest: "sha256"

value: 6eW98h0+xxuaGQkgNalEU5e/hbgKyUoydpPMY6xcKyY=

comment: "kracon.anycast.censurfridns.dk ECDSA"

- digest: "sha256"

value: sp2Low3+oTsQljNzs3gkYgLRYo7o91t3XGka+pwX//4=

comment: "rgnet-iad.anycast.censurfridns.dk RSA"

- digest: "sha256"

value: /NPc7sIUzKLAQbsvRRhK6Ul3jip6Gi49bxutfrzpsQM=

comment: "rgnet-iad.anycast.censurfridns.dk ECDSA"

PikuZheng commented 2 years ago

没懂你要干啥如果是想把getdnsapi.net 作为smartdns的上游，那么应该在smartdns的配置文件中

server-tls 185.49.141.37 -tls-host-verify getdnsapi.net -spki-pin foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=

PikuZheng commented 2 years ago

对应stubby.yml.example中的

# The getdnsapi.net server
  - address_data: 185.49.141.37
    tls_auth_name: "getdnsapi.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=

jkle112 commented 2 years ago

address_data: 91.239.100.100 tls_auth_name: "anycast.censurfridns.dk" 这个服务器，它有多个不同的value和comment，希望界面可以升级支持一下，谢谢！如果所有的服务器都可以添加tls-host-verify和 -spki-pin，用HTTP Strict Transport Security (HSTS) 来减少劫持和钓鱼，那样更安全。不对请谅解

PikuZheng commented 2 years ago

address_data: 91.239.100.100 tls_auth_name: "anycast.censurfridns.dk" 这个服务器，它有多个不同的value和comment，希望界面可以升级支持一下，谢谢！如果所有的服务器都可以添加tls-host-verify和 -spki-pin，用HTTP Strict Transport Security (HSTS) 来减少劫持和钓鱼，那样更安全。不对请谅解

多个spki-pin一般是因为对应证书链中的多个证书，可以任选一个l比较好的方式是选用证书链中第二层的）。comment字面意思是注释，不对应smartdns中的任何参数

pymumu / smartdns

升级配置参数问题 #874

The getdnsapi.net server

The Uncensored DNS servers

- address_data: 91.239.100.100

tls_auth_name: "anycast.censurfridns.dk"

tls_pubkey_pinset:

- digest: "sha256"

value: 2JjZgBZkfjSjs117vX+AnyKeYzJNM38zwsaxHwStWsg=

comment: "deic-ore.anycast.censurfridns.dk RSA"

- digest: "sha256"

value: UXs8xWXai9ZXBAjDKYDiYl/jbIYtyV/bY2w3F1FFTDs=

comment: "deic-ore.anycast.censurfridns.dk ECDSA"

- digest: "sha256"

value: oDxJrI/lG1Jhl1J7LvapMlYwlHMphZUODvCDBm0nof8=

comment: "deic-lgb.anycast.censurfridns.dk RSA"

- digest: "sha256"

value: iYkCUwXdH7sT8qh26zt+r5dbTySL43wgJtLCTHaSH9M=

comment: "deic-lgb.anycast.censurfridns.dk ECDSA"

- digest: "sha256"

value: Clii3HzZr48onFoog7I0ma5QmMPSpOBpCykXqgA0Wn0=

comment: "kracon.anycast.censurfridns.dk RSA"

- digest: "sha256"

value: 6eW98h0+xxuaGQkgNalEU5e/hbgKyUoydpPMY6xcKyY=

comment: "kracon.anycast.censurfridns.dk ECDSA"

- digest: "sha256"

value: sp2Low3+oTsQljNzs3gkYgLRYo7o91t3XGka+pwX//4=

comment: "rgnet-iad.anycast.censurfridns.dk RSA"

- digest: "sha256"

value: /NPc7sIUzKLAQbsvRRhK6Ul3jip6Gi49bxutfrzpsQM=

comment: "rgnet-iad.anycast.censurfridns.dk ECDSA"