Update readme

Paul Miller
2026-02-27 06:12:03 +00:00
parent e59c0739c2
commit 4db2998ea2
6 changed files with 28 additions and 74 deletions
+1 -1
@@ -19,7 +19,7 @@
`审查=是`”表示描述文件不会发送某些主机“`主机名=IP`”关系的真实信息。
| 名称 | 区域 | 审查 | 备注 | 安装 (已签名 - 推荐) | 安装 (未签名) |
| 名称 | 区域 | 审查 | 备注 | 安装 | 安装 (未签名) |
| ------------------------------------------------------------------------------------ | ----- | ---- | ------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- |
| [360 安全 DNS][360-dns] | 🇨🇳 | 是 | 由 360 数字安全集团运营 | [HTTPS][360-dns-profile-https-signed] | [HTTPS][360-dns-profile-https] |
| [AdGuard DNS 默认][adguard-dns-default] | 🇷🇺 | 是 | 由 AdGuard 运营,拦截广告、跟踪器和钓鱼网站 | [HTTPS][adguard-dns-default-profile-https-signed], [TLS][adguard-dns-default-profile-tls-signed] | [HTTPS][adguard-dns-default-profile-https], [TLS][adguard-dns-default-profile-tls] |
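Review bot: The renamed header `安装` still sits over links whose reference labels end in `-signed` (for example `[360-dns-profile-https-signed]`), next to a column that is still headed `安装 (未签名)`. With the "signed" wording gone, the table no longer tells the reader that the first column installs the signed variant. Keep a short signed marker in the header, or rename both columns together so the pair stays self-explanatory.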
+11 -34
@@ -6,26 +6,23 @@ Configuration profiles for [DNS over HTTPS](https://en.wikipedia.org/wiki/DNS_ov
To add a new provider, or edit an existing one, edit json files in `src` directory.
### Caveats
### Known issues
Known issues (we can't fix them, maybe Apple can):
1. Applications (e.g. Firefox in specific regions; App Store in all regions) can choose to ignore the system-level resolver and use their own.
[Check out the discussion](https://github.com/paulmillr/encrypted-dns/issues/22).
2. iCloud Private Relay, VPN clients & Little Snitch / LuLu will ignore the DNS profile.
3. Command line tools that interact with DNS (e.g. `host`, `dig`, `nslookup`) won't use DoH -
will use the DNS severs set in Network, or picked up from DHCP.
4. [Wi-Fi captive portals](https://en.wikipedia.org/wiki/Captive_portal) in cafes, hotels, airports are exempted by Apple from eDNS rules; to simplify authentication - this is good
5. TLS DNS is blocked more often by ISPs than HTTPS, because TLS uses non-standard port 853, which is easy to block.
See [Google's article](https://security.googleblog.com/2022/07/dns-over-http3-in-android.html)
Check out [encrypted-dns over TOR](https://github.com/alecmuffett/dohot) if you need more privacy.
1. Some apps and protocols will ignore encrypted-dns:
- Firefox in specific regions, App Store in all regions. [More info](https://github.com/paulmillr/encrypted-dns/issues/22)
- iCloud Private Relay, VPN clients
- Little Snitch, LuLu
- DNS-related CLI tools: `host`, `dig`, `nslookup` etc.
2. [Wi-Fi captive portals](https://en.wikipedia.org/wiki/Captive_portal) in cafes, hotels, airports are exempted by Apple from eDNS rules; to simplify authentication - this is ok
3. TLS DNS is easier for providers to block, because it uses non-standard port 853.
[More info](https://security.googleblog.com/2022/07/dns-over-http3-in-android.html)
4. e-dns over TOR could be better privacy-wise, but we don't have this for now.
## Providers
`Censorship=yes` (also known as "filtering") means the profile will not send true information about `hostname=IP` relation for some hosts.
| Name | Region | Censorship | Notes | Install (Signed - Recommended) | Install (unsigned) |
| Name | Region | Censorship | Notes | Install | Install (unsigned) |
| ------------------------------------------------------------------------------------ | ------ | ---------- | --------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- |
| [360 Security DNS][360-dns] | 🇨🇳 | Yes | Operated by 360 Digital Security Group | [HTTPS][360-dns-profile-https-signed] | [HTTPS][360-dns-profile-https] |
| [AdGuard DNS Default][adguard-dns-default] | 🇷🇺 | Yes | Operated by AdGuard Software Ltd. Blocks ads, tracking & phishing | [HTTPS][adguard-dns-default-profile-https-signed], [TLS][adguard-dns-default-profile-tls-signed] | [HTTPS][adguard-dns-default-profile-https], [TLS][adguard-dns-default-profile-tls] |
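Review bot: The new sub-item `DNS-related CLI tools: host, dig, nslookup etc.` drops the statement of where those lookups go instead. The removed text said these tools use the DNS servers set in Network or picked up from DHCP, which is what a reader needs to judge what still leaves the machine unencrypted. Suggest keeping that clause in the bullet, for example by appending "they use the DNS servers set in Network or from DHCP".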
@@ -81,28 +78,8 @@ macOS [(official docs)](https://support.apple.com/guide/mac-help/mh35561/):
If an earlier version of a profile is already installed on your Mac, the settings in the updated version replace the previous ones.
## Scope
There seems to be an [additional option](https://github.com/paulmillr/encrypted-dns/issues/22) that allows to use system-wide profiles. To try it, add this to mobileconfig file:
```xml
<key>PayloadScope</key>
<string>System</string>
```
## Signed Profiles
In the `signed` folder we have signed versions of the profiles in this repository. These profiles have been signed by [@Xernium](https://github.com/Xernium) so that when you install the profiles,
they will have a verified check box on the installation screen. It also ensures that these profiles have not been tampered with. However, since they were signed by a third party, they may lag behind their unsigned counterparts a little.
The signature is valid until `2025-11-02`
Previous signatures by:
[@Xernium](https://github.com/Xernium), replaced at `2024-11-01`
[@Candygoblen123](https://github.com/Candygoblen123), replaced at `2023-11-29`
[comment]: <> (We recommend that you install a signed profile instead of an unsigned profile because it ensures that it was not modified while it was downloading.)
To verify resolver IPs and hostnames, compare mobileconfig files to their documentation URLs. Internal workings of the profiles are described on [developer.apple.com](https://developer.apple.com/documentation/devicemanagement/dnssettings). In order to verify signed mobileconfigs, you will need to download them to your computer and open them in a text editor, because signing profiles makes GitHub think that they are binary files.
## On demand activation
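Review bot: Deleting the `## Signed Profiles` section also deletes the verification guidance that sat at its end, the sentence starting `To verify resolver IPs and hostnames, compare mobileconfig files to their documentation URLs`, together with the link to Apple's `dnssettings` documentation. That advice is not specific to signed profiles, so consider moving it under another heading rather than removing it. The `## Scope` removal also takes out the `PayloadScope` snippet without a replacement pointer; if the option is no longer recommended, the commit message should say so.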
+4 -4
@@ -2,8 +2,8 @@
const fs = require('node:fs');
const path = require('node:path');
const LANGUAGES_DIR = path.join(__dirname, 'languages');
const PROVIDERS_PATH = path.join(__dirname, 'providers');
const LANGUAGES_DIR = path.join(__dirname, 'src-languages');
const PROVIDERS_PATH = path.join(__dirname, 'src');
const DEFAULT_LANG = 'en';
const OUTPUT_DIR = __dirname;
const REPO_RAW = 'https://github.com/paulmillr/encrypted-dns/raw/master';
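Review bot: Style point on the two constants touched here: `LANGUAGES_DIR` and `PROVIDERS_PATH` both name directories but use different suffixes. Since both lines are being edited anyway, renaming the second to `PROVIDERS_DIR` would make the pair consistent. The commit message "Update readme" also does not mention that the build script's input directories change to `src-languages` and `src`.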
@@ -260,8 +260,8 @@ function generateConfigs() {
}
// Small utility to rewrite config structure
function patchConfigs() {
for (const f of fs.readdirSync(`./providers/`)) {
const path = `./providers/${f}`;
for (const f of fs.readdirSync(`./src/`)) {
const path = `./src/${f}`;
const json = JSON.parse(fs.readFileSync(path, 'utf8'));
fs.writeFileSync(path, JSON.stringify(json, null, 4));
}
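Review bot: In `patchConfigs()` the directory is hard-coded again as `./src/`, which resolves against the current working directory, while `PROVIDERS_PATH` at the top of the file is built from `__dirname`. Running the script from another directory would make this function read and rewrite a different `src` than the rest of the script. Use `fs.readdirSync(PROVIDERS_PATH)` and build the file path from the same constant. The local `const path` also shadows the `node:path` module imported at the top, so rename it (for example `file`) before calling `path.join` here.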
+1 -1
@@ -6,7 +6,7 @@
"region": "Region",
"censorship": "Censorship",
"notes": "Notes",
"install_signed": "Install (Signed - Recommended)",
"install_signed": "Install",
"install_unsigned": "Install (unsigned)"
},
"yes": "Yes",
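Review bot: The key `install_signed` now maps to the plain label `"Install"` while its neighbour stays `"Install (unsigned)"`, so the key name and the displayed text no longer agree. If the intent is a neutral default column, rename the key as well; if the column still means "signed", keep a short marker such as "Install (signed)" so the label matches the key.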
+10 -33
@@ -6,20 +6,17 @@ Configuration profiles for [DNS over HTTPS](https://en.wikipedia.org/wiki/DNS_ov
To add a new provider, or edit an existing one, edit json files in `src` directory.
### Caveats
### Known issues
Known issues (we can't fix them, maybe Apple can):
1. Applications (e.g. Firefox in specific regions; App Store in all regions) can choose to ignore the system-level resolver and use their own.
[Check out the discussion](https://github.com/paulmillr/encrypted-dns/issues/22).
2. iCloud Private Relay, VPN clients & Little Snitch / LuLu will ignore the DNS profile.
3. Command line tools that interact with DNS (e.g. `host`, `dig`, `nslookup`) won't use DoH -
will use the DNS severs set in Network, or picked up from DHCP.
4. [Wi-Fi captive portals](https://en.wikipedia.org/wiki/Captive_portal) in cafes, hotels, airports are exempted by Apple from eDNS rules; to simplify authentication - this is good
5. TLS DNS is blocked more often by ISPs than HTTPS, because TLS uses non-standard port 853, which is easy to block.
See [Google's article](https://security.googleblog.com/2022/07/dns-over-http3-in-android.html)
Check out [encrypted-dns over TOR](https://github.com/alecmuffett/dohot) if you need more privacy.
1. Some apps and protocols will ignore encrypted-dns:
- Firefox in specific regions, App Store in all regions. [More info](https://github.com/paulmillr/encrypted-dns/issues/22)
- iCloud Private Relay, VPN clients
- Little Snitch, LuLu
- DNS-related CLI tools: `host`, `dig`, `nslookup` etc.
2. [Wi-Fi captive portals](https://en.wikipedia.org/wiki/Captive_portal) in cafes, hotels, airports are exempted by Apple from eDNS rules; to simplify authentication - this is ok
3. TLS DNS is easier for providers to block, because it uses non-standard port 853.
[More info](https://security.googleblog.com/2022/07/dns-over-http3-in-android.html)
4. e-dns over TOR could be better privacy-wise, but we don't have this for now.
## Providers
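Review bot: In new item 3, `TLS DNS is easier for providers to block` replaces "ISPs" with "providers", which is ambiguous in a README whose next section, `## Providers`, lists DNS resolver operators. Suggest keeping "ISPs" or writing "network providers". New item 4 also drops the link to `https://github.com/alecmuffett/dohot` that the removed line offered to readers who need more privacy; if the project is still a valid pointer, keep the link in the new sentence.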
@@ -43,28 +40,8 @@ macOS [(official docs)](https://support.apple.com/guide/mac-help/mh35561/):
If an earlier version of a profile is already installed on your Mac, the settings in the updated version replace the previous ones.
## Scope
There seems to be an [additional option](https://github.com/paulmillr/encrypted-dns/issues/22) that allows to use system-wide profiles. To try it, add this to mobileconfig file:
```xml
<key>PayloadScope</key>
<string>System</string>
```
## Signed Profiles
In the `signed` folder we have signed versions of the profiles in this repository. These profiles have been signed by [@Xernium](https://github.com/Xernium) so that when you install the profiles,
they will have a verified check box on the installation screen. It also ensures that these profiles have not been tampered with. However, since they were signed by a third party, they may lag behind their unsigned counterparts a little.
The signature is valid until `2025-11-02`
Previous signatures by:
[@Xernium](https://github.com/Xernium), replaced at `2024-11-01`
[@Candygoblen123](https://github.com/Candygoblen123), replaced at `2023-11-29`
[comment]: <> (We recommend that you install a signed profile instead of an unsigned profile because it ensures that it was not modified while it was downloading.)
To verify resolver IPs and hostnames, compare mobileconfig files to their documentation URLs. Internal workings of the profiles are described on [developer.apple.com](https://developer.apple.com/documentation/devicemanagement/dnssettings). In order to verify signed mobileconfigs, you will need to download them to your computer and open them in a text editor, because signing profiles makes GitHub think that they are binary files.
## On demand activation
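Review bot: The removed `## Signed Profiles` text was the place that named the signer (`@Xernium`) and gave the validity date `2025-11-02`, which is earlier than this commit's date of 2026-02-27. The provider tables elsewhere in this commit still link `-signed` profiles, so after this hunk the README offers signed profiles without saying who signed them or whether the signature is current. Either keep a one-line statement of signer and validity, or note that the signed profiles are no longer maintained.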
+1 -1
@@ -6,7 +6,7 @@
"region": "区域",
"censorship": "审查",
"notes": "备注",
"install_signed": "安装 (已签名 - 推荐)",
"install_signed": "安装",
"install_unsigned": "安装 (未签名)"
},
"yes": "是",