From 214d612b4abb0d736c23d4dd1ad88396108d53fb Mon Sep 17 00:00:00 2001 From: bartender Date: Fri, 28 Apr 2023 04:06:01 +0800 Subject: [PATCH] Update `README` - Improved README doc - Localized README doc in Mandarin Chinese (CN & TW) --- README.cmn-CN.md | 170 +++++++++++++++++++++++++++++++++++++++++++++++ README.cmn-TW.md | 170 +++++++++++++++++++++++++++++++++++++++++++++++ README.md | 169 ++++++++++++++++++++++++++++++++++------------ 3 files changed, 468 insertions(+), 41 deletions(-) create mode 100644 README.cmn-CN.md create mode 100644 README.cmn-TW.md diff --git a/README.cmn-CN.md b/README.cmn-CN.md new file mode 100644 index 0000000..88de2c2 --- /dev/null +++ b/README.cmn-CN.md @@ -0,0 +1,170 @@ +[English](https://github.com/paulmillr/encrypted-dns/) | 简体中文 | [繁體中文](https://github.com/paulmillr/encrypted-dns/blob/master/README.cmn-TW.md) + +# 加密 DNS 配置 + +[DNS over HTTPS](https://zh.wikipedia.org/wiki/DNS_over_HTTPS) 和 [DNS over TLS](https://zh.wikipedia.org/wiki/DNS_over_TLS) 的配置描述文件。查看这篇文章以获取更多信息:[paulmillr.com/posts/encrypted-dns/](https://paulmillr.com/posts/encrypted-dns/) 以及有关[提交新描述文件](#提交新描述文件)的信息。 + +### 注意事项 + +根据[谷歌这篇文章](https://security.googleblog.com/2022/07/dns-over-http3-in-android.html)的介绍,DoH 似乎比 DoT 的性能更优。 + +从 iOS 和 iPadOS 15.5 开始,为了简化咖啡厅、宾馆、机场等公共场所无线网络的身份认证,苹果将这些无线网络的[强制登录门户](https://zh.wikipedia.org/wiki/%E5%BC%BA%E5%88%B6%E9%97%A8%E6%88%B7)加入到了加密 DNS 排除规则中。这是个好消息,但还有一些其他问题我们无法修复,只有等苹果来解决: + +- 无法启用加密 DNS:[Little Snitch & Lulu](https://github.com/paulmillr/encrypted-dns/issues/13)、[VPN](https://github.com/paulmillr/encrypted-dns/issues/18) +- 部分流量绕过加密 DNS:[终端和 App Store](https://github.com/paulmillr/encrypted-dns/issues/22)、[Chrome 浏览器](https://github.com/paulmillr/encrypted-dns/issues/19) + +如果你需要更进一步的隐私保护,请查看[使用 Tor 网络的加密 DNS](https://github.com/alecmuffett/dohot)。 + +## 供应商 + +“`审查=是`”表示描述文件不会发送某些主机“`主机名=IP`”关系的真实信息。 + +| 名称 | 区域 | 审查 | 备注 | 安装链接 | +| ------------------------------------------------ | ----- | ---- | ------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------- | +| [360 安全 DNS][360-dns] | 🇨🇳 | 是 | 由 360 数字安全集团运营 | [HTTPS][360-dns-profile-https] | +| [AdGuard DNS 默认][adguard-dns-default] | 🇷🇺 | 是 | 由 AdGuard 运营,拦截广告、跟踪器和钓鱼网站 | [HTTPS][adguard-dns-default-profile-https], [TLS][adguard-dns-default-profile-tls] | +| [AdGuard DNS 家庭保护][adguard-dns-family] | 🇷🇺 | 是 | 由 AdGuard 运营,除默认规则外,额外拦截恶意软件和成人内容 | [HTTPS][adguard-dns-family-profile-https], [TLS][adguard-dns-family-profile-tls] | +| [AdGuard DNS 无过滤][adguard-dns-unfiltered] | 🇷🇺 | 否 | 由 AdGuard 运营,无过滤 | [HTTPS][adguard-dns-unfiltered-profile-https], [TLS][adguard-dns-unfiltered-profile-tls] | +| [Alekberg 加密 DNS][alekberg-dns] | 🇳🇱 | 否 | 由个人提供 | [HTTPS][alekberg-dns-profile-https] | +| [阿里云公共 DNS][aliyun-dns] | 🇨🇳 | 否 | 由阿里云计算运营 | [HTTPS][aliyun-dns-profile-https], [TLS][aliyun-dns-profile-tls] | +| [BlahDNS CDN 过滤][blahdns] | 🇺🇸 | 是 | 由个人提供,拦截广告、跟踪器和恶意软件 | [HTTPS][blahdns-cdn-filtered-profile-https] | +| [BlahDNS CDN 无过滤][blahdns] | 🇺🇸 | 否 | 由个人提供,无过滤 | [HTTPS][blahdns-cdn-unfiltered-profile-https] | +| [BlahDNS 芬兰][blahdns] | 🇫🇮 | 是 | 由个人提供,拦截广告、跟踪器和恶意软件 | [HTTPS][blahdns-finland-profile-https] | +| [BlahDNS 德国][blahdns] | 🇩🇪 | 是 | 由个人提供,拦截广告、跟踪器和恶意软件 | [HTTPS][blahdns-germany-profile-https] | +| [BlahDNS 日本][blahdns] | 🇯🇵 | 是 | 由个人提供,拦截广告、跟踪器和恶意软件 | [HTTPS][blahdns-japan-profile-https] | +| [BlahDNS 新加坡][blahdns] | 🇸🇬 | 是 | 由个人提供,拦截广告、跟踪器和恶意软件 | [HTTPS][blahdns-singapore-profile-https] | +| [BlahDNS 瑞士][blahdns] | 🇨🇭 | 是 | 由个人提供,拦截广告、跟踪器和恶意软件 | [TLS][blahdns-switzerland-profile-tls] | +| [Canadian Shield 隐私][canadian-shield] | 🇨🇦 | 否 | 由加拿大互联网注册局 (CIRA) 运营 | [HTTPS][canadian-shield-private-profile-https], [TLS][canadian-shield-private-profile-tls] | +| [Canadian Shield 保护][canadian-shield] | 🇨🇦 | 是 | 由加拿大互联网注册局 (CIRA) 运营,拦截恶意软件和钓鱼网站 | [HTTPS][canadian-shield-protected-profile-https], [TLS][canadian-shield-protected-profile-tls] | +| [Canadian Shield 家庭][canadian-shield] | 🇨🇦 | 是 | 由加拿大互联网注册局 (CIRA) 运营,拦截恶意软件、钓鱼网站和成人内容 | [HTTPS][canadian-shield-family-profile-https], [TLS][canadian-shield-family-profile-tls] | +| [Cloudflare 1.1.1.1][cloudflare-dns] | 🇺🇸 | 否 | 由 Cloudflare 运营 | [HTTPS][cloudflare-dns-profile-https], [TLS][cloudflare-dns-profile-tls] | +| [Cloudflare 1.1.1.1 安全][cloudflare-dns-family] | 🇺🇸 | 是 | 由 Cloudflare 运营,拦截恶意软件和钓鱼网站 | [HTTPS][cloudflare-dns-security-profile-https] | +| [Cloudflare 1.1.1.1 家庭][cloudflare-dns-family] | 🇺🇸 | 是 | 由 Cloudflare 运营,拦截恶意软件、钓鱼网站和成人内容 | [HTTPS][cloudflare-dns-family-profile-https] | +| [DNSPod 公共 DNS][dnspod-dns] | 🇨🇳 | 否 | 由腾讯云计算旗下 DNSPod 运营 | [HTTPS][dnspod-dns-profile-https], [TLS][dnspod-dns-profile-tls] | +| [谷歌公共 DNS][google-dns] | 🇺🇸 | 否 | 由谷歌运营 | [HTTPS][google-dns-profile-https], [TLS][google-dns-profile-tls] | +| [Mullvad DNS][mullvad-dns] | 🇸🇪 | 是 | 由 Mullvad VPN 运营 | [HTTPS][mullvad-dns-profile-https] | +| [Mullvad DNS 广告过滤][mullvad-dns] | 🇸🇪 | 是 | 由 Mullvad VPN 运营,拦截广告和跟踪器 | [HTTPS][mullvad-dns-adblock-profile-https] | +| [OpenDNS 标准][opendns] | 🇺🇸 | 否 | 由思科 OpenDNS 运营 | [HTTPS][opendns-standard-profile-https] | +| [OpenDNS 家庭防护][opendns] | 🇺🇸 | 是 | 由思科 OpenDNS 运营,拦截恶意软件和成人内容 | [HTTPS][opendns-familyshield-profile-https] | +| [Quad9][quad9] | 🇨🇭 | 是 | 由 Quad9 基金会运营,拦截恶意软件 | [HTTPS][quad9-profile-https], [TLS][quad9-profile-tls] | +| [Quad9 ECS][quad9] | 🇨🇭 | 是 | 由 Quad9 基金会运营,支持 ECS,拦截恶意软件 | [HTTPS][quad9-ecs-profile-https], [TLS][quad9-ecs-profile-tls] | +| [Tiarap][tiarap] | 🇸🇬 🇺🇸 | 是 | 由 Tiarap 运营,拦截广告、跟踪器、钓鱼网站和恶意软件 | [HTTPS][tiarap-profile-https], [TLS][tiarap-profile-tls] | + +## 安装 + +要使设置在 **iOS**、**iPadOS** 和 **macOS** 中所有的应用程序上生效,你需要安装配置描述文件。此文件将指引操作系统使用 DoH 或 DoT。注意:只在系统无线局域网设置中设置 DNS 服务器 IP 是不够的——你需要安装描述文件。 + +iOS / iPadOS:使用 Safari 浏览器(其他浏览器只会下载该文件,不会弹出安装提示)打开 GitHub 上的 mobileconfig 文件,然后点击“允许”按钮,描述文件将完成下载。打开 **系统设置 => 通用 => VPN、DNS 与设备管理**,选择已下载的描述文件并点击“安装”按钮。 + +macOS [(官方文档)](https://support.apple.com/zh-cn/guide/mac-help/mh35561/): + +1. 下载并保存描述文件,将其重命名为 `NAME.mobileconfig`,而不是 txt 之类的扩展名。 +2. 选取苹果菜单 >“系统设置”,点按边栏中的“隐私和安全性” ,然后点按右侧的“描述文件”。(你可能需要向下滚动。) + 安装期间,系统可能会要求你提供密码或其他信息。 +3. 在“已下载”部分中,连按描述文件。 +4. 检查描述文件内容,然后点按“继续”、“安装”或“注册”以安装描述文件。 + + 如果 Mac 上已安装了较早版本的描述文件,其设置将替换为更新版本中的设置。 + +## 范围 + +这条[额外选项](https://github.com/paulmillr/encrypted-dns/issues/22)似乎可以让描述文件在系统全局范围生效。如果有兴趣尝试,请将下面的内容添加到 mobileconfig 文件中: + +```xml +PayloadScope +System +``` + +## 签名版描述文件 + +在 `signed` 文件夹中,存放了*稍微过时的*签名版描述文件。这些描述文件已由 [@Candygoblen123](https://github.com/Candygoblen123) 签名,因此当你安装时,界面上会有“已验证”的提示,此举还可确保这些描述文件未被篡改。但由于这些描述文件是交由第三方签名的,因此可能会稍微落后于未签名的版本。 + +[备注]: <> (我们建议安装签名版的描述文件,因为数字签名可以确保文件在下载时没有被修改。) + +如要验证 DNS 解析器的 IP 和主机名,请将描述文件内容与其官方网站的文档进行比对,描述文件内部结构和属性在[苹果开发者网站](https://developer.apple.com/documentation/devicemanagement/dnssettings)上有详细讲解。如要验证签名版的描述文件,请将其下载到本地后用文本编辑器打开,因为 GitHub 会将签名版描述文件视为二进制文件而无法直接查看。 + +## 提交新描述文件 + +描述文件本质上是文本文件,将现有的描述文件复制一份并修改其 UUID 即可,请确保在本 README 文件中更新描述文件的相关信息。 + +随机 UUID 除了可以通过网站在线生成,还有很多其他获取方法: + +- 在浏览器中按下 `F12` 打开“开发人员工具”,在控制台中运行这段代码 + +```javascript +crypto.randomUUID(); +``` + +- 在 macOS / Linux 终端中运行此命令 + +```sh +# 适用于 macOS 和 Linux +uuidgen + +# 适用于 Linux +cat /proc/sys/kernel/random/uuid +``` + +- 在 Powershell 中运行此命令 + +```powershell +New-Guid +``` + +[360-dns]: https://sdns.360.net/dnsPublic.html +[360-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/360-https.mobileconfig +[adguard-dns-default]: https://adguard-dns.io/kb/zh-CN/general/dns-providers/#default +[adguard-dns-default-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-default-https.mobileconfig +[adguard-dns-default-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-default-tls.mobileconfig +[adguard-dns-family]: https://adguard-dns.io/kb/zh-CN/general/dns-providers/#family-protection +[adguard-dns-family-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-family-https.mobileconfig +[adguard-dns-family-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-family-tls.mobileconfig +[adguard-dns-unfiltered]: https://adguard-dns.io/kb/zh-CN/general/dns-providers/#non-filtering +[adguard-dns-unfiltered-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-nofilter-https.mobileconfig +[adguard-dns-unfiltered-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-nofilter-tls.mobileconfig +[alekberg-dns]: https://alekberg.net +[alekberg-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/alekberg-https.mobileconfig +[aliyun-dns]: https://www.alidns.com/ +[aliyun-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/alibaba-https.mobileconfig +[aliyun-dns-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/alibaba-tls.mobileconfig +[blahdns]: https://blahdns.com/ +[blahdns-cdn-filtered-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-cdn-adblock-doh1.mobileconfig +[blahdns-cdn-unfiltered-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-cdn-unfiltered-doh1.mobileconfig +[blahdns-finland-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-finland-doh.mobileconfig +[blahdns-germany-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-germany-doh.mobileconfig +[blahdns-japan-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-japan-doh.mobileconfig +[blahdns-singapore-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-singapore-doh.mobileconfig +[blahdns-switzerland-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-switzerland-dot.mobileconfig +[canadian-shield]: https://www.cira.ca/cybersecurity-services/canadian-shield/configure/summary-cira-canadian-shield-dns-resolver-addresses +[canadian-shield-private-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-private-https.mobileconfig +[canadian-shield-private-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-private-tls.mobileconfig +[canadian-shield-protected-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-protected-https.mobileconfig +[canadian-shield-protected-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-protected-tls.mobileconfig +[canadian-shield-family-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-family-https.mobileconfig +[canadian-shield-family-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-family-tls.mobileconfig +[cloudflare-dns]: https://developers.cloudflare.com/1.1.1.1/encryption/ +[cloudflare-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-https.mobileconfig +[cloudflare-dns-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-tls.mobileconfig +[cloudflare-dns-family]: https://developers.cloudflare.com/1.1.1.1/setup/#1111-for-families +[cloudflare-dns-security-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-malware-https.mobileconfig +[cloudflare-dns-family-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-family-https.mobileconfig +[dnspod-dns]: https://www.dnspod.cn/products/publicdns +[dnspod-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/dnspod-https.mobileconfig +[dnspod-dns-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/dnspod-tls.mobileconfig +[google-dns]: https://developers.google.com/speed/public-dns/docs/secure-transports?hl=zh-cn +[google-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/google-https.mobileconfig +[google-dns-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/google-tls.mobileconfig +[mullvad-dns]: https://mullvad.net/zh-hans/help/dns-over-https-and-dns-over-tls/ +[mullvad-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/mullvad-doh.mobileconfig +[mullvad-dns-adblock-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/mullvad-adblock-doh.mobileconfig +[opendns]: https://support.opendns.com/hc/articles/360038086532 +[opendns-standard-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/opendns-https.mobileconfig +[opendns-familyshield-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/opendns-family-https.mobileconfig +[quad9]: https://www.quad9.net/news/blog/doh-with-quad9-dns-servers/ +[quad9-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-https.mobileconfig +[quad9-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-tls.mobileconfig +[quad9-ecs-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-ECS-https.mobileconfig +[quad9-ecs-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-ECS-tls.mobileconfig +[tiarap]: https://doh.tiar.app +[tiarap-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/tiarapp-https.mobileconfig +[tiarap-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/tiarapp-tls.mobileconfig diff --git a/README.cmn-TW.md b/README.cmn-TW.md new file mode 100644 index 0000000..081a8c9 --- /dev/null +++ b/README.cmn-TW.md @@ -0,0 +1,170 @@ +[English](https://github.com/paulmillr/encrypted-dns/) | [简体中文](https://github.com/paulmillr/encrypted-dns/blob/master/README.cmn-CN.md) | 繁體中文 + +# 加密 DNS 配置 + +[DNS over HTTPS](https://zh.wikipedia.org/zh-tw/DNS_over_HTTPS) 和 [DNS over TLS](https://zh.wikipedia.org/zh-tw/DNS_over_TLS) 的設定描述檔。查看這篇文章以獲取更多訊息:[paulmillr.com/posts/encrypted-dns/](https://paulmillr.com/posts/encrypted-dns/) 以及有關[提交新描述檔](#提交新描述檔)的訊息。 + +### 注意事項 + +根據 [Google 這篇文章](https://security.googleblog.com/2022/07/dns-over-http3-in-android.html)的介紹,DoH 似乎比 DoT 的性能更優。 + +從 iOS 和 iPadOS 15.5 開始,為了簡化咖啡館、飯店、機場等公共場所 Wi-Fi 的身份認證,蘋果將這些 Wi-Fi 的[強制網路門戶](https://zh.wikipedia.org/zh-tw/%E5%BC%BA%E5%88%B6%E9%97%A8%E6%88%B7)加入到了加密 DNS 豁免清單中。這是個好消息,但還有一些其他問題我們無法修復,只有等蘋果來解決: + +- 無法啟用加密 DNS:[Little Snitch & Lulu](https://github.com/paulmillr/encrypted-dns/issues/13)、[VPN](https://github.com/paulmillr/encrypted-dns/issues/18) +- 部分流量繞過加密 DNS:[終端機和 App Store](https://github.com/paulmillr/encrypted-dns/issues/22)、[Chrome 瀏覽器](https://github.com/paulmillr/encrypted-dns/issues/19) + +如果你需要更進一步的隱私保護,請查看[使用 Tor 網路的加密 DNS](https://github.com/alecmuffett/dohot)。 + +## 供應商 + +「`審查=是`」意味著描述檔不會發送某些主機「`主機名=IP`」關係的真實訊息。 + +| 名稱 | 區域 | 審查 | 備註 | 安裝連結 | +| ------------------------------------------------ | ----- | ---- | ---------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | +| [360 安全 DNS][360-dns] | 🇨🇳 | 是 | 由 360 數字安全集團運營 | [HTTPS][360-dns-profile-https] | +| [AdGuard DNS 默認][adguard-dns-default] | 🇷🇺 | 是 | 由 AdGuard 運營,攔截廣告、跟蹤器和釣魚網站 | [HTTPS][adguard-dns-default-profile-https], [TLS][adguard-dns-default-profile-tls] | +| [AdGuard DNS 家庭保護][adguard-dns-family] | 🇷🇺 | 是 | 由 AdGuard 運營,除默認規則外,額外攔截惡意軟體和成人內容 | [HTTPS][adguard-dns-family-profile-https], [TLS][adguard-dns-family-profile-tls] | +| [AdGuard DNS 無過濾][adguard-dns-unfiltered] | 🇷🇺 | 否 | 由 AdGuard 運營,無攔截 | [HTTPS][adguard-dns-unfiltered-profile-https], [TLS][adguard-dns-unfiltered-profile-tls] | +| [Alekberg 加密 DNS][alekberg-dns] | 🇳🇱 | 否 | 由個人提供 | [HTTPS][alekberg-dns-profile-https] | +| [阿里雲公共 DNS][aliyun-dns] | 🇨🇳 | 否 | 由阿里雲計算運營 | [HTTPS][aliyun-dns-profile-https], [TLS][aliyun-dns-profile-tls] | +| [BlahDNS CDN 過濾][blahdns] | 🇺🇸 | 是 | 由個人提供,攔截廣告、跟蹤器和惡意軟體 | [HTTPS][blahdns-cdn-filtered-profile-https] | +| [BlahDNS CDN 無過濾][blahdns] | 🇺🇸 | 否 | 由個人提供,無過濾 | [HTTPS][blahdns-cdn-unfiltered-profile-https] | +| [BlahDNS 芬蘭][blahdns] | 🇫🇮 | 是 | 由個人提供,攔截廣告、跟蹤器和惡意軟體 | [HTTPS][blahdns-finland-profile-https] | +| [BlahDNS 德國][blahdns] | 🇩🇪 | 是 | 由個人提供,攔截廣告、跟蹤器和惡意軟體 | [HTTPS][blahdns-germany-profile-https] | +| [BlahDNS 日本][blahdns] | 🇯🇵 | 是 | 由個人提供,攔截廣告、跟蹤器和惡意軟體 | [HTTPS][blahdns-japan-profile-https] | +| [BlahDNS 新加坡][blahdns] | 🇸🇬 | 是 | 由個人提供,攔截廣告、跟蹤器和惡意軟體 | [HTTPS][blahdns-singapore-profile-https] | +| [BlahDNS 瑞士][blahdns] | 🇨🇭 | 是 | 由個人提供,攔截廣告、跟蹤器和惡意軟體 | [TLS][blahdns-switzerland-profile-tls] | +| [Canadian Shield 隱私][canadian-shield] | 🇨🇦 | 否 | 由加拿大網路註冊局 (CIRA) 運營 | [HTTPS][canadian-shield-private-profile-https], [TLS][canadian-shield-private-profile-tls] | +| [Canadian Shield 保護][canadian-shield] | 🇨🇦 | 是 | 由加拿大網路註冊局 (CIRA) 運營,攔截惡意軟體和釣魚網站 | [HTTPS][canadian-shield-protected-profile-https], [TLS][canadian-shield-protected-profile-tls] | +| [Canadian Shield 家庭][canadian-shield] | 🇨🇦 | 是 | 由加拿大網路註冊局 (CIRA) 運營,攔截惡意軟體、釣魚網站和成人內容 | [HTTPS][canadian-shield-family-profile-https], [TLS][canadian-shield-family-profile-tls] | +| [Cloudflare 1.1.1.1][cloudflare-dns] | 🇺🇸 | 否 | 由 Cloudflare 運營 | [HTTPS][cloudflare-dns-profile-https], [TLS][cloudflare-dns-profile-tls] | +| [Cloudflare 1.1.1.1 安全][cloudflare-dns-family] | 🇺🇸 | 是 | 由 Cloudflare 運營,攔截惡意軟體和釣魚網站 | [HTTPS][cloudflare-dns-security-profile-https] | +| [Cloudflare 1.1.1.1 家庭][cloudflare-dns-family] | 🇺🇸 | 是 | 由 Cloudflare 運營,攔截惡意軟體、釣魚網站和成人內容 | [HTTPS][cloudflare-dns-family-profile-https] | +| [DNSPod 公共 DNS][dnspod-dns] | 🇨🇳 | 否 | 由騰訊雲計算旗下 DNSPod 運營 | [HTTPS][dnspod-dns-profile-https], [TLS][dnspod-dns-profile-tls] | +| [Google 公共 DNS][google-dns] | 🇺🇸 | 否 | 由 Google 運營 | [HTTPS][google-dns-profile-https], [TLS][google-dns-profile-tls] | +| [Mullvad DNS][mullvad-dns] | 🇸🇪 | 是 | 由 Mullvad VPN 運營 | [HTTPS][mullvad-dns-profile-https] | +| [Mullvad DNS 廣告過濾][mullvad-dns] | 🇸🇪 | 是 | 由 Mullvad VPN 運營,攔截廣告和跟蹤器 | [HTTPS][mullvad-dns-adblock-profile-https] | +| [OpenDNS 標準][opendns] | 🇺🇸 | 否 | 由思科 OpenDNS 運營 | [HTTPS][opendns-standard-profile-https] | +| [OpenDNS 家庭防護][opendns] | 🇺🇸 | 是 | 由思科 OpenDNS 運營,攔截惡意軟體和成人內容 | [HTTPS][opendns-familyshield-profile-https] | +| [Quad9][quad9] | 🇨🇭 | 是 | 由 Quad9 基金會運營,攔截惡意軟體 | [HTTPS][quad9-profile-https], [TLS][quad9-profile-tls] | +| [Quad9 ECS][quad9] | 🇨🇭 | 是 | 由 Quad9 基金會運營,支持 ECS,攔截惡意軟體 | [HTTPS][quad9-ecs-profile-https], [TLS][quad9-ecs-profile-tls] | +| [Tiarap][tiarap] | 🇸🇬 🇺🇸 | 是 | 由 Tiarap 運營,攔截廣告、跟蹤器、釣魚網站和惡意軟體 | [HTTPS][tiarap-profile-https], [TLS][tiarap-profile-tls] | + +## 安裝 + +要使設置在 **iOS**、**iPadOS** 和 **macOS** 中所有的應用程式上生效,你需要安裝設定描述檔。此文件將指引操作系統使用 DoH 或 DoT。注意:僅在系統 Wi-Fi 設定中設置 DNS 伺服器 IP 是不夠的——你需要安裝描述檔。 + +iOS / iPadOS:使用 Safari 瀏覽器(其他瀏覽器只會下載該文件,不會彈出安裝提示)打開 GitHub 上的 mobileconfig 文件,然後點擊「允許」按鈕,描述檔將完成下載。打開 **系統設定 => 一般 => VPN、DNS 與裝置管理**,選擇已下載的描述檔並點擊「安裝」按鈕。 + +macOS [(官方文檔)](https://support.apple.com/zh-tw/guide/mac-help/mh35561/): + +1. 下載並保存描述檔,將其重命名為 `NAME.mobileconfig`,而不是 txt 之類的副檔名。 +2. 選擇「蘋果」選單 >「系統設定」,按一下側邊欄中的「隱私權和安全性」,然後按一下右側的「描述檔」。(你可能需要向下捲動。) + 安裝期間,系統可能會要求你提供密碼或其他資訊。 +3. 在「已下載」區域中,按兩下描述檔。 +4. 檢視描述檔內容然後按一下「繼續」、「安裝」或「註冊」來安裝描述檔。 + + 若 Mac 上已安裝描述檔的較早版本,則以上版本中的設定會取代先前的設定。 + +## 範圍 + +這條[額外選項](https://github.com/paulmillr/encrypted-dns/issues/22)似乎可以讓描述文件在系統全域範圍生效。如果有興趣嘗試,請將下面的內容添加到 mobileconfig 文件中: + +```xml +PayloadScope +System +``` + +## 簽署版描述檔 + +在 `signed` 文件夾中,存放了*稍微過時的*簽署版描述檔。這些描述檔已由 [@Candygoblen123](https://github.com/Candygoblen123) 簽署,因此當你安裝時,介面上會有「已驗證」的提示,此舉還可確保這些描述檔未被篡改。但由於這些描述檔是交由第三方簽署的,因此可能會稍微落後於未簽署的版本。 + +[備註]: <> (我們建議安裝簽署版的描述檔,因為數位簽章可以確保文件在下載時沒有被修改。) + +如要驗證 DNS 解析器的 IP 和主機名,請將描述檔內容與其官方網站的文檔進行比對,描述檔內部結構和屬性在[蘋果開發人員網站](https://developer.apple.com/documentation/devicemanagement/dnssettings)上有詳細講解。如要驗證簽署版的描述檔,請將其下載到本地後用文字編輯器打開,因為 GitHub 會將簽署版描述檔視為二進位檔案而無法直接查看。 + +## 提交新描述檔 + +描述檔本質上是文字檔案,將現有的描述檔複製一份並修改其 UUID 即可,請確保在本 README 文件中更新描述檔的相關訊息。 + +隨機 UUID 除了可以通過網站在線生成,還有很多其他獲取方法: + +- 在瀏覽器中按下 `F12` 打開“開發人員工具”,在主控台中執行這段程式碼 + +```javascript +crypto.randomUUID(); +``` + +- 在 macOS / Linux 終端機中執行此指令 + +```sh +# 適用於 macOS 和 Linux +uuidgen + +# 適用於 Linux +cat /proc/sys/kernel/random/uuid +``` + +- 在 Powershell 中執行此指令 + +```powershell +New-Guid +``` + +[360-dns]: https://sdns.360.net/dnsPublic.html +[360-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/360-https.mobileconfig +[adguard-dns-default]: https://adguard-dns.io/kb/zh-TW/general/dns-providers/#default +[adguard-dns-default-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-default-https.mobileconfig +[adguard-dns-default-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-default-tls.mobileconfig +[adguard-dns-family]: https://adguard-dns.io/kb/zh-TW/general/dns-providers/#family-protection +[adguard-dns-family-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-family-https.mobileconfig +[adguard-dns-family-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-family-tls.mobileconfig +[adguard-dns-unfiltered]: https://adguard-dns.io/kb/zh-TW/general/dns-providers/#non-filtering +[adguard-dns-unfiltered-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-nofilter-https.mobileconfig +[adguard-dns-unfiltered-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-nofilter-tls.mobileconfig +[alekberg-dns]: https://alekberg.net +[alekberg-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/alekberg-https.mobileconfig +[aliyun-dns]: https://www.alidns.com/ +[aliyun-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/alibaba-https.mobileconfig +[aliyun-dns-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/alibaba-tls.mobileconfig +[blahdns]: https://blahdns.com/ +[blahdns-cdn-filtered-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-cdn-adblock-doh1.mobileconfig +[blahdns-cdn-unfiltered-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-cdn-unfiltered-doh1.mobileconfig +[blahdns-finland-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-finland-doh.mobileconfig +[blahdns-germany-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-germany-doh.mobileconfig +[blahdns-japan-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-japan-doh.mobileconfig +[blahdns-singapore-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-singapore-doh.mobileconfig +[blahdns-switzerland-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-switzerland-dot.mobileconfig +[canadian-shield]: https://www.cira.ca/cybersecurity-services/canadian-shield/configure/summary-cira-canadian-shield-dns-resolver-addresses +[canadian-shield-private-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-private-https.mobileconfig +[canadian-shield-private-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-private-tls.mobileconfig +[canadian-shield-protected-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-protected-https.mobileconfig +[canadian-shield-protected-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-protected-tls.mobileconfig +[canadian-shield-family-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-family-https.mobileconfig +[canadian-shield-family-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-family-tls.mobileconfig +[cloudflare-dns]: https://developers.cloudflare.com/1.1.1.1/encryption/ +[cloudflare-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-https.mobileconfig +[cloudflare-dns-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-tls.mobileconfig +[cloudflare-dns-family]: https://developers.cloudflare.com/1.1.1.1/setup/#1111-for-families +[cloudflare-dns-security-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-malware-https.mobileconfig +[cloudflare-dns-family-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-family-https.mobileconfig +[dnspod-dns]: https://www.dnspod.cn/products/publicdns +[dnspod-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/dnspod-https.mobileconfig +[dnspod-dns-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/dnspod-tls.mobileconfig +[google-dns]: https://developers.google.com/speed/public-dns/docs/secure-transports?hl=zh-tw +[google-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/google-https.mobileconfig +[google-dns-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/google-tls.mobileconfig +[mullvad-dns]: https://mullvad.net/zh-hant/help/dns-over-https-and-dns-over-tls/ +[mullvad-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/mullvad-doh.mobileconfig +[mullvad-dns-adblock-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/mullvad-adblock-doh.mobileconfig +[opendns]: https://support.opendns.com/hc/articles/360038086532 +[opendns-standard-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/opendns-https.mobileconfig +[opendns-familyshield-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/opendns-family-https.mobileconfig +[quad9]: https://www.quad9.net/news/blog/doh-with-quad9-dns-servers/ +[quad9-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-https.mobileconfig +[quad9-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-tls.mobileconfig +[quad9-ecs-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-ECS-https.mobileconfig +[quad9-ecs-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-ECS-tls.mobileconfig +[tiarap]: https://doh.tiar.app +[tiarap-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/tiarapp-https.mobileconfig +[tiarap-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/tiarapp-tls.mobileconfig diff --git a/README.md b/README.md index 9241855..3448abf 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,14 @@ +English | [简体中文](https://github.com/paulmillr/encrypted-dns/blob/master/README.cmn-CN.md) | [繁體中文](https://github.com/paulmillr/encrypted-dns/blob/master/README.cmn-TW.md) + # encrypted-dns-configs + Configuration profiles for [DNS over HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) and [DNS over TLS](https://en.wikipedia.org/wiki/DNS_over_TLS). Check out the article for more info: [paulmillr.com/posts/encrypted-dns/](https://paulmillr.com/posts/encrypted-dns/) and info about [contributing a new profile](#contributing-a-new-profile). ### Caveats DoH seems to work faster & better than DoT judging from the [Google's article](https://security.googleblog.com/2022/07/dns-over-http3-in-android.html). -Starting from iOS 15.5, [Wi-Fi captive portals](https://en.wikipedia.org/wiki/Captive_portal) in cafes, hotels, airports are exempted by Apple from eDNS rules; to simplify authentication. This is good news. There are still some other issues; we can't fix them, only Apple can: +Starting from iOS & iPadOS 15.5, [Wi-Fi captive portals](https://en.wikipedia.org/wiki/Captive_portal) in cafes, hotels, airports are exempted by Apple from eDNS rules; to simplify authentication. This is good news. There are still some other issues; we can't fix them, only Apple can: - eDNS gets disabled: [Little Snitch & Lulu](https://github.com/paulmillr/encrypted-dns/issues/13), [VPN](https://github.com/paulmillr/encrypted-dns/issues/18) - Some traffic is exempt from eDNS: [Terminal / App Store](https://github.com/paulmillr/encrypted-dns/issues/22), [Chrome](https://github.com/paulmillr/encrypted-dns/issues/19) @@ -16,63 +19,65 @@ If you need even more privacy, check out [encrypted-dns over TOR](https://github `Censorship=yes` means the profile will not send true information about `hostname=IP` relation for some hosts. -| Name | Country | Censorship | Notes | Install button | -|---------------------------|---------|------------|-----------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 360 Public Security DNS | 🇨🇳 | Yes | [Operated](https://sdns.360.net/dnsPublic.html) by 360 Safe | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/360-https.mobileconfig) | -| AdGuard Default | 🇷🇺 | Yes | [Operated](https://adguard-dns.io/kb/general/dns-providers/#default) by AdGuard (Filters ads, tracking & phishing) | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-default-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-default-tls.mobileconfig) | -| AdGuard Family | 🇷🇺 | Yes | [Operated](https://adguard-dns.io/kb/general/dns-providers/#family-protection) by AdGuard (Filters Default + malware & adult content) | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-family-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-family-tls.mobileconfig) | -| AdGuard No Filter | 🇷🇺 | No | [Operated](https://adguard-dns.io/kb/general/dns-providers/#non-filtering) by AdGuard (Non-filtering) | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-nofilter-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-nofilter-tls.mobileconfig) | -| AliDNS | 🇨🇳 | Yes | [Operated](https://www.alidns.com/) by Alibaba in China | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/alibaba-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/alibaba-tls.mobileconfig) | -| Alekberg | 🇳🇱 | No | [Independent](https://alekberg.net) hoster in Netherlands | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/alekberg-https.mobileconfig) | -| BlahDNS CDN Filtered | 🇺🇸 | Yes | [Independent](https://blahdns.com/) | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-cdn-adblock-doh1.mobileconfig) | -| BlahDNS CDN Unfiltered | 🇺🇸 | No | [Independent](https://blahdns.com/) | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-cdn-unfiltered-doh1.mobileconfig) | -| BlahDNS Finland Adsblock | 🇫🇮 | Yes | [Independent](https://blahdns.com/) | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-finland-doh.mobileconfig) | -| BlahDNS Germany Adsblock | 🇩🇪 | Yes | [Independent](https://blahdns.com/) | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-germany-doh.mobileconfig) | -| BlahDNS Japan Adsblock | 🇯🇵 | Yes | [Independent](https://blahdns.com/) | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-japan-doh.mobileconfig) | -| BlahDNS Singapore Adsblock| 🇸🇬 | Yes | [Independent](https://blahdns.com/) | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-singapore-doh.mobileconfig) | -| BlahDNS Swiss Adsblock | 🇨🇭 | Yes | [Independent](https://blahdns.com/) | [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-switzerland-dot.mobileconfig) | -| Canadian Shield Private | 🇨🇦 | No | [Operated](https://www.cira.ca/cybersecurity-services/canadian-shield/configure) by the Canadian Internet Registration Authority (CIRA) | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-private-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-private-tls.mobileconfig) | -| Canadian Shield Protected | 🇨🇦 | Yes | [Filters](https://www.cira.ca/cybersecurity-services/canadian-shield/configure) malware | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-protected-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-protected-tls.mobileconfig) | -| Canadian Shield Family | 🇨🇦 | Yes | [Filters](https://www.cira.ca/cybersecurity-services/canadian-shield/configure) malware & adult content | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-family-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-family-tls.mobileconfig) | -| Cloudflare | 🇺🇸 | No | [Operated](https://developers.cloudflare.com/1.1.1.1/dns-over-https) by Cloudflare 1.1.1.1 | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-tls.mobileconfig) | -| Cloudflare Malware | 🇺🇸 | Yes | Filters malware | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-malware-https.mobileconfig) | -| Cloudflare Family | 🇺🇸 | Yes | Filters malware & adult content | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-family-https.mobileconfig) | -| DNSPod | 🇨🇳 | Yes | [Operated](https://www.dnspod.cn/Products/publicdns?lang=en) by DNSPod (Tencent) in China | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/dnspod-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/dnspod-tls.mobileconfig) | -| Google | 🇺🇸 | No | [Operated](https://developers.google.com/speed/public-dns/docs/secure-transports) by Google | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/google-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/google-tls.mobileconfig) | -| Mullvad | 🇸🇪 | Yes | [Operated](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/) by Mullvad VPN AB | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/mullvad-doh.mobileconfig) | -| Mullvad with ad blocking | 🇸🇪 | Yes | [Operated](https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/) by Mullvad VPN AB | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/mullvad-adblock-doh.mobileconfig) | -| OpenDNS | 🇺🇸 | No | [Operated](https://support.opendns.com/hc/en-us/articles/360038086532) by OpenDNS | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/opendns-https.mobileconfig) | -| OpenDNS Family | 🇺🇸 | Yes | Filters malware & adult content | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/opendns-family-https.mobileconfig) | -| Quad9 | 🇨🇭 | Yes | [Operated](https://www.quad9.net/news/blog/doh-with-quad9-dns-servers/) by CleanerDNS, Inc. Filters malware | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-tls.mobileconfig) | -| Quad9 With ECS | 🇨🇭 | Yes | [Operated](https://www.quad9.net/news/blog/doh-with-quad9-dns-servers/) by CleanerDNS, Inc. Filters malware | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-ECS-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-ECS-tls.mobileconfig) | -| Tiar.app | 🇸🇬 🇺🇸 | Yes | ["Privacy-first DNS provider"](https://doh.tiar.app) from SG, hosted on Digital Ocean. Filters malware | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/tiarapp-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/tiarapp-tls.mobileconfig) | +| Name | Region | Censorship | Notes | Install button | +| ---------------------------------------------------- | ------ | ---------- | --------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | +| [360 Security DNS][360-dns] | 🇨🇳 | Yes | Operated by 360 Digital Security Group | [HTTPS][360-dns-profile-https] | +| [AdGuard DNS Default][adguard-dns-default] | 🇷🇺 | Yes | Operated by AdGuard Software Ltd. Blocks ads, tracking & phishing | [HTTPS][adguard-dns-default-profile-https], [TLS][adguard-dns-default-profile-tls] | +| [AdGuard DNS Family Protection][adguard-dns-family] | 🇷🇺 | Yes | Operated by AdGuard Software Ltd. Blocks `Default` + malware & adult content | [HTTPS][adguard-dns-family-profile-https], [TLS][adguard-dns-family-profile-tls] | +| [AdGuard DNS Non-filtering][adguard-dns-unfiltered] | 🇷🇺 | No | Operated by AdGuard Software Ltd. Non-filtering | [HTTPS][adguard-dns-unfiltered-profile-https], [TLS][adguard-dns-unfiltered-profile-tls] | +| [Alekberg Encrypted DNS][alekberg-dns] | 🇳🇱 | No | Independent | [HTTPS][alekberg-dns-profile-https] | +| [Aliyun Public DNS][aliyun-dns] | 🇨🇳 | No | Operated by Alibaba Cloud Ltd. | [HTTPS][aliyun-dns-profile-https], [TLS][aliyun-dns-profile-tls] | +| [BlahDNS CDN Filtered][blahdns] | 🇺🇸 | Yes | Independent. Blocks ads, tracking & malware | [HTTPS][blahdns-cdn-filtered-profile-https] | +| [BlahDNS CDN Unfiltered][blahdns] | 🇺🇸 | No | Independent. Non-filtering | [HTTPS][blahdns-cdn-unfiltered-profile-https] | +| [BlahDNS Finland][blahdns] | 🇫🇮 | Yes | Independent. Blocks ads, tracking & malware | [HTTPS][blahdns-finland-profile-https] | +| [BlahDNS Germany][blahdns] | 🇩🇪 | Yes | Independent. Blocks ads, tracking & malware | [HTTPS][blahdns-germany-profile-https] | +| [BlahDNS Japan][blahdns] | 🇯🇵 | Yes | Independent. Blocks ads, tracking & malware | [HTTPS][blahdns-japan-profile-https] | +| [BlahDNS Singapore][blahdns] | 🇸🇬 | Yes | Independent. Blocks ads, tracking & malware | [HTTPS][blahdns-singapore-profile-https] | +| [BlahDNS Switzerland][blahdns] | 🇨🇭 | Yes | Independent. Blocks ads, tracking & malware | [TLS][blahdns-switzerland-profile-tls] | +| [Canadian Shield Private][canadian-shield] | 🇨🇦 | No | Operated by the Canadian Internet Registration Authority (CIRA) | [HTTPS][canadian-shield-private-profile-https], [TLS][canadian-shield-private-profile-tls] | +| [Canadian Shield Protected][canadian-shield] | 🇨🇦 | Yes | Operated by the Canadian Internet Registration Authority (CIRA). Blocks malware & phishing | [HTTPS][canadian-shield-protected-profile-https], [TLS][canadian-shield-protected-profile-tls] | +| [Canadian Shield Family][canadian-shield] | 🇨🇦 | Yes | Operated by the Canadian Internet Registration Authority (CIRA). Blocks malware, phishing & adult content | [HTTPS][canadian-shield-family-profile-https], [TLS][canadian-shield-family-profile-tls] | +| [Cloudflare 1.1.1.1][cloudflare-dns] | 🇺🇸 | No | Operated by Cloudflare Inc. | [HTTPS][cloudflare-dns-profile-https], [TLS][cloudflare-dns-profile-tls] | +| [Cloudflare 1.1.1.1 Security][cloudflare-dns-family] | 🇺🇸 | Yes | Operated by Cloudflare Inc. Blocks malware & phishing | [HTTPS][cloudflare-dns-security-profile-https] | +| [Cloudflare 1.1.1.1 Family][cloudflare-dns-family] | 🇺🇸 | Yes | Operated by Cloudflare Inc. Blocks malware, phishing & adult content | [HTTPS][cloudflare-dns-family-profile-https] | +| [DNSPod Public DNS][dnspod-dns] | 🇨🇳 | No | Operated by DNSPod Inc., a Tencent Cloud Company | [HTTPS][dnspod-dns-profile-https], [TLS][dnspod-dns-profile-tls] | +| [Google Public DNS][google-dns] | 🇺🇸 | No | Operated by Google LLC | [HTTPS][google-dns-profile-https], [TLS][google-dns-profile-tls] | +| [Mullvad DNS][mullvad-dns] | 🇸🇪 | Yes | Operated by Mullvad VPN AB | [HTTPS][mullvad-dns-profile-https] | +| [Mullvad DNS Adblock][mullvad-dns] | 🇸🇪 | Yes | Operated by Mullvad VPN AB. Blocks ads & tracking | [HTTPS][mullvad-dns-adblock-profile-https] | +| [OpenDNS Standard][opendns] | 🇺🇸 | No | Operated by Cisco OpenDNS LLC | [HTTPS][opendns-standard-profile-https] | +| [OpenDNS FamilyShield][opendns] | 🇺🇸 | Yes | Operated by Cisco OpenDNS LLC. Blocks malware & adult content | [HTTPS][opendns-familyshield-profile-https] | +| [Quad9][quad9] | 🇨🇭 | Yes | Operated by Quad9 Foundation. Blocks malware | [HTTPS][quad9-profile-https], [TLS][quad9-profile-tls] | +| [Quad9 w/ ECS][quad9] | 🇨🇭 | Yes | Operated by Quad9 Foundation. Supports ECS. Blocks malware | [HTTPS][quad9-ecs-profile-https], [TLS][quad9-ecs-profile-tls] | +| [Tiarap][tiarap] | 🇸🇬 🇺🇸 | Yes | Operated by Tiarap Inc. Blocks ads, tracking, phising & malware | [HTTPS][tiarap-profile-https], [TLS][tiarap-profile-tls] | ## Installation -To make settings work across all apps in **iOS** & **MacOS**, you’ll need to install configuration profile. This profile would tell operating system to use DOH / DOT. Note: it’s not enough to simply set server IPs in System Preferences — you need to install a profile. +To make settings work across all apps in **iOS**, **iPadOS** & **macOS**, you'll need to install configuration profile. This profile would tell operating system to use DoH / DoT. Note: it's not enough to simply set server IPs in System Preferences — you need to install a profile. -iOS: Open the mobileconfig file in GitHub by using Safari (other browsers will just download the file and won't ask for installation), and then click/tap on install button. The profile should download. Go to **System Settings => General => VPN, DNS & Device Management**, select downloaded profile and tap the “Install” button. +iOS / iPadOS: Open the mobileconfig file in GitHub by using Safari (other browsers will just download the file and won't ask for installation), and then click/tap on "Allow" button. The profile should download. Go to **System Settings => General => VPN, DNS & Device Management**, select downloaded profile and tap the "Install" button. + +macOS [(official docs)](https://support.apple.com/guide/mac-help/mh35561/): -macOS [(official docs)](https://support.apple.com/guide/mac-help/configuration-profiles-standardize-settings-mh35561/13.0/mac/13.0): - 1. Download and save the profile. After save, rename it to be in format: `NAME.mobileconfig`, not NAME.txt, or so -2. Choose Apple menu > System Settings, click Privacy and Security in the sidebar, then click Profiles on the right. You may need to scroll down. - You may be asked to supply your password or other information during installation. +2. Choose Apple menu > System Settings, click Privacy and Security in the sidebar, then click Profiles on the right. (You may need to scroll down.) + You may be asked to supply your password or other information during installation. 3. In the Downloaded section, double-click the profile. -4. Review the profile contents then click Continue, Install or Enroll to install the profile. If an earlier version of a profile is already installed on your Mac, the settings in the updated version replace the previous ones. +4. Review the profile contents then click Continue, Install or Enroll to install the profile. + + If an earlier version of a profile is already installed on your Mac, the settings in the updated version replace the previous ones. ## Scope There seems to be an [additional option](https://github.com/paulmillr/encrypted-dns/issues/22) that allows to use system-wide profiles. To try it, add this to mobileconfig file: -``` +```xml PayloadScope System ``` ## Signed Profiles -In the signed folder, we have *slightly outdated* signed versions of the profiles in this repository. These profiles have been signed by [@Candygoblen123](https://github.com/Candygoblen123) so that when you install the profiles, they will have a verified check box on the installation screen. It also ensures that these profiles have not been tampered with. However, since they were signed by a third party, they may lag behind their unsigned counterparts a little. +In the `signed` folder, we have _slightly outdated_ signed versions of the profiles in this repository. These profiles have been signed by [@Candygoblen123](https://github.com/Candygoblen123) so that when you install the profiles, they will have a verified check box on the installation screen. It also ensures that these profiles have not been tampered with. However, since they were signed by a third party, they may lag behind their unsigned counterparts a little. [comment]: <> (We recommend that you install a signed profile instead of an unsigned profile because it ensures that it was not modified while it was downloading.) @@ -80,4 +85,86 @@ To verify resolver IPs and hostnames, compare mobileconfig files to their docume ## Contributing a new profile -Profiles are basically text files. Copy an existing one and change its UUID, for example, by generating a new one online. Make sure you update README with new profile's info. +Profiles are basically text files. Copy an existing one and change its UUID, make sure you update README with new profile's info. + +In addition to generating online, there are many other ways to generate a random UUID: + +- Press `F12` to open DevTools in the browser, run this code in the console + +```javascript +crypto.randomUUID(); +``` + +- Run these commands in the macOS / Linux terminal + +```sh +# Works both in macOS & Linux +uuidgen + +# Works in Linux +cat /proc/sys/kernel/random/uuid +``` + +- Run this cmdlet in Powershell + +```powershell +New-Guid +``` + +[360-dns]: https://sdns.360.net/dnsPublic.html +[360-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/360-https.mobileconfig +[adguard-dns-default]: https://adguard-dns.io/kb/general/dns-providers/#default +[adguard-dns-default-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-default-https.mobileconfig +[adguard-dns-default-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-default-tls.mobileconfig +[adguard-dns-family]: https://adguard-dns.io/kb/general/dns-providers/#family-protection +[adguard-dns-family-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-family-https.mobileconfig +[adguard-dns-family-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-family-tls.mobileconfig +[adguard-dns-unfiltered]: https://adguard-dns.io/kb/general/dns-providers/#non-filtering +[adguard-dns-unfiltered-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-nofilter-https.mobileconfig +[adguard-dns-unfiltered-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-nofilter-tls.mobileconfig +[alekberg-dns]: https://alekberg.net +[alekberg-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/alekberg-https.mobileconfig +[aliyun-dns]: https://www.alidns.com/ +[aliyun-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/alibaba-https.mobileconfig +[aliyun-dns-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/alibaba-tls.mobileconfig +[blahdns]: https://blahdns.com/ +[blahdns-cdn-filtered-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-cdn-adblock-doh1.mobileconfig +[blahdns-cdn-unfiltered-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-cdn-unfiltered-doh1.mobileconfig +[blahdns-finland-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-finland-doh.mobileconfig +[blahdns-germany-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-germany-doh.mobileconfig +[blahdns-japan-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-japan-doh.mobileconfig +[blahdns-singapore-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-singapore-doh.mobileconfig +[blahdns-switzerland-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-switzerland-dot.mobileconfig +[canadian-shield]: https://www.cira.ca/cybersecurity-services/canadian-shield/configure/summary-cira-canadian-shield-dns-resolver-addresses +[canadian-shield-private-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-private-https.mobileconfig +[canadian-shield-private-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-private-tls.mobileconfig +[canadian-shield-protected-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-protected-https.mobileconfig +[canadian-shield-protected-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-protected-tls.mobileconfig +[canadian-shield-family-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-family-https.mobileconfig +[canadian-shield-family-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-family-tls.mobileconfig +[cloudflare-dns]: https://developers.cloudflare.com/1.1.1.1/encryption/ +[cloudflare-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-https.mobileconfig +[cloudflare-dns-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-tls.mobileconfig +[cloudflare-dns-family]: https://developers.cloudflare.com/1.1.1.1/setup/#1111-for-families +[cloudflare-dns-security-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-malware-https.mobileconfig +[cloudflare-dns-family-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-family-https.mobileconfig +[dnspod-dns]: https://www.dnspod.com/products/public.dns +[dnspod-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/dnspod-https.mobileconfig +[dnspod-dns-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/dnspod-tls.mobileconfig +[google-dns]: https://developers.google.com/speed/public-dns/docs/secure-transports +[google-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/google-https.mobileconfig +[google-dns-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/google-tls.mobileconfig +[mullvad-dns]: https://mullvad.net/help/dns-over-https-and-dns-over-tls/ +[mullvad-dns-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/mullvad-doh.mobileconfig +[mullvad-dns-adblock-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/mullvad-adblock-doh.mobileconfig +[opendns]: https://support.opendns.com/hc/articles/360038086532 +[opendns-standard-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/opendns-https.mobileconfig +[opendns-familyshield-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/opendns-family-https.mobileconfig +[quad9]: https://www.quad9.net/news/blog/doh-with-quad9-dns-servers/ +[quad9-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-https.mobileconfig +[quad9-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-tls.mobileconfig +[quad9-ecs-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-ECS-https.mobileconfig +[quad9-ecs-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-ECS-tls.mobileconfig +[tiarap]: https://doh.tiar.app +[tiarap-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/tiarapp-https.mobileconfig +[tiarap-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/tiarapp-tls.mobileconfig