From 4db2998ea2245ad83880df8c0edc08d26a6e9abe Mon Sep 17 00:00:00 2001 From: Paul Miller Date: Fri, 27 Feb 2026 06:12:03 +0000 Subject: [PATCH] Update readme --- README.cmn-CN.md | 2 +- README.md | 45 +++++++++--------------------------- generate.js | 8 +++---- src-languages/01-en.json | 2 +- src-languages/01-en.md | 43 ++++++++-------------------------- src-languages/02-cmn-CN.json | 2 +- 6 files changed, 28 insertions(+), 74 deletions(-) diff --git a/README.cmn-CN.md b/README.cmn-CN.md index 1ccea16..3377d83 100644 --- a/README.cmn-CN.md +++ b/README.cmn-CN.md @@ -19,7 +19,7 @@ “`审查=是`”表示描述文件不会发送某些主机“`主机名=IP`”关系的真实信息。 -| 名称 | 区域 | 审查 | 备注 | 安装 (已签名 - 推荐) | 安装 (未签名) | +| 名称 | 区域 | 审查 | 备注 | 安装 | 安装 (未签名) | | ------------------------------------------------------------------------------------ | ----- | ---- | ------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- | | [360 安全 DNS][360-dns] | 🇨🇳 | 是 | 由 360 数字安全集团运营 | [HTTPS][360-dns-profile-https-signed] | [HTTPS][360-dns-profile-https] | | [AdGuard DNS 默认][adguard-dns-default] | 🇷🇺 | 是 | 由 AdGuard 运营,拦截广告、跟踪器和钓鱼网站 | [HTTPS][adguard-dns-default-profile-https-signed], [TLS][adguard-dns-default-profile-tls-signed] | [HTTPS][adguard-dns-default-profile-https], [TLS][adguard-dns-default-profile-tls] | diff --git a/README.md b/README.md index b3f9401..74b8bfc 100644 --- a/README.md +++ b/README.md 
@@ -6,26 +6,23 @@ Configuration profiles for [DNS over HTTPS](https://en.wikipedia.org/wiki/DNS_ov To add a new provider, or edit an existing one, edit json files in `src` directory. -### Caveats +### Known issues -Known issues (we can't fix them, maybe Apple can): - -1. Applications (e.g. Firefox in specific regions; App Store in all regions) can choose to ignore the system-level resolver and use their own. - [Check out the discussion](https://github.com/paulmillr/encrypted-dns/issues/22). -2. iCloud Private Relay, VPN clients & Little Snitch / LuLu will ignore the DNS profile. -3. Command line tools that interact with DNS (e.g. `host`, `dig`, `nslookup`) won't use DoH - - will use the DNS severs set in Network, or picked up from DHCP. -4. [Wi-Fi captive portals](https://en.wikipedia.org/wiki/Captive_portal) in cafes, hotels, airports are exempted by Apple from eDNS rules; to simplify authentication - this is good -5. TLS DNS is blocked more often by ISPs than HTTPS, because TLS uses non-standard port 853, which is easy to block. - See [Google's article](https://security.googleblog.com/2022/07/dns-over-http3-in-android.html) - -Check out [encrypted-dns over TOR](https://github.com/alecmuffett/dohot) if you need more privacy. +1. Some apps and protocols will ignore encrypted-dns: + - Firefox in specific regions, App Store in all regions. [More info](https://github.com/paulmillr/encrypted-dns/issues/22) + - iCloud Private Relay, VPN clients + - Little Snitch, LuLu + - DNS-related CLI tools: `host`, `dig`, `nslookup` etc. +2. [Wi-Fi captive portals](https://en.wikipedia.org/wiki/Captive_portal) in cafes, hotels, airports are exempted by Apple from eDNS rules; to simplify authentication - this is ok +3. TLS DNS is easier for providers to block, because it uses non-standard port 853. + [More info](https://security.googleblog.com/2022/07/dns-over-http3-in-android.html) +4. e-dns over TOR could be better privacy-wise, but we don't have this for now. 
## Providers `Censorship=yes` (also known as "filtering") means the profile will not send true information about `hostname=IP` relation for some hosts. -| Name | Region | Censorship | Notes | Install (Signed - Recommended) | Install (unsigned) | +| Name | Region | Censorship | Notes | Install | Install (unsigned) | | ------------------------------------------------------------------------------------ | ------ | ---------- | --------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- | | [360 Security DNS][360-dns] | 🇨🇳 | Yes | Operated by 360 Digital Security Group | [HTTPS][360-dns-profile-https-signed] | [HTTPS][360-dns-profile-https] | | [AdGuard DNS Default][adguard-dns-default] | 🇷🇺 | Yes | Operated by AdGuard Software Ltd. Blocks ads, tracking & phishing | [HTTPS][adguard-dns-default-profile-https-signed], [TLS][adguard-dns-default-profile-tls-signed] | [HTTPS][adguard-dns-default-profile-https], [TLS][adguard-dns-default-profile-tls] | 
@@ -81,28 +78,8 @@ macOS [(official docs)](https://support.apple.com/guide/mac-help/mh35561/): If an earlier version of a profile is already installed on your Mac, the settings in the updated version replace the previous ones. -## Scope - -There seems to be an [additional option](https://github.com/paulmillr/encrypted-dns/issues/22) that allows to use system-wide profiles. To try it, add this to mobileconfig file: - -```xml -PayloadScope -System -``` - ## Signed Profiles -In the `signed` folder we have signed versions of the profiles in this repository. These profiles have been signed by [@Xernium](https://github.com/Xernium) so that when you install the profiles, -they will have a verified check box on the installation screen. It also ensures that these profiles have not been tampered with. However, since they were signed by a third party, they may lag behind their unsigned counterparts a little. -The signature is valid until `2025-11-02` - -Previous signatures by: -[@Xernium](https://github.com/Xernium), replaced at `2024-11-01` - -[@Candygoblen123](https://github.com/Candygoblen123), replaced at `2023-11-29` - -[comment]: <> (We recommend that you install a signed profile instead of an unsigned profile because it ensures that it was not modified while it was downloading.) - To verify resolver IPs and hostnames, compare mobileconfig files to their documentation URLs. Internal workings of the profiles are described on [developer.apple.com](https://developer.apple.com/documentation/devicemanagement/dnssettings). In order to verify signed mobileconfigs, you will need to download them to your computer and open them in a text editor, because signing profiles makes GitHub think that they are binary files. ## On demand activation diff --git a/generate.js b/generate.js index 6f2afa5..7b322b6 100644 --- a/generate.js +++ b/generate.js 
@@ -2,8 +2,8 @@ const fs = require('node:fs'); const path = require('node:path'); -const LANGUAGES_DIR = path.join(__dirname, 'languages'); -const PROVIDERS_PATH = path.join(__dirname, 'providers'); +const LANGUAGES_DIR = path.join(__dirname, 'src-languages'); +const PROVIDERS_PATH = path.join(__dirname, 'src'); const DEFAULT_LANG = 'en'; const OUTPUT_DIR = __dirname; const REPO_RAW = 'https://github.com/paulmillr/encrypted-dns/raw/master'; @@ -260,8 +260,8 @@ function generateConfigs() { } // Small utility to rewrite config structure function patchConfigs() { - for (const f of fs.readdirSync(`./providers/`)) { - const path = `./providers/${f}`; + for (const f of fs.readdirSync(`./src/`)) { + const path = `./src/${f}`; const json = JSON.parse(fs.readFileSync(path, 'utf8')); fs.writeFileSync(path, JSON.stringify(json, null, 4)); } diff --git a/src-languages/01-en.json b/src-languages/01-en.json index 004e7fb..b62be4e 100644 --- a/src-languages/01-en.json +++ b/src-languages/01-en.json @@ -6,7 +6,7 @@ "region": "Region", "censorship": "Censorship", "notes": "Notes", - "install_signed": "Install (Signed - Recommended)", + "install_signed": "Install", "install_unsigned": "Install (unsigned)" }, "yes": "Yes", diff --git a/src-languages/01-en.md b/src-languages/01-en.md index 18fdef6..51ef9b3 100644 --- a/src-languages/01-en.md +++ b/src-languages/01-en.md 
@@ -6,20 +6,17 @@ Configuration profiles for [DNS over HTTPS](https://en.wikipedia.org/wiki/DNS_ov To add a new provider, or edit an existing one, edit json files in `src` directory. -### Caveats +### Known issues -Known issues (we can't fix them, maybe Apple can): - -1. Applications (e.g. Firefox in specific regions; App Store in all regions) can choose to ignore the system-level resolver and use their own. - [Check out the discussion](https://github.com/paulmillr/encrypted-dns/issues/22). -2. iCloud Private Relay, VPN clients & Little Snitch / LuLu will ignore the DNS profile. -3. Command line tools that interact with DNS (e.g. `host`, `dig`, `nslookup`) won't use DoH - - will use the DNS severs set in Network, or picked up from DHCP. -4. [Wi-Fi captive portals](https://en.wikipedia.org/wiki/Captive_portal) in cafes, hotels, airports are exempted by Apple from eDNS rules; to simplify authentication - this is good -5. TLS DNS is blocked more often by ISPs than HTTPS, because TLS uses non-standard port 853, which is easy to block. - See [Google's article](https://security.googleblog.com/2022/07/dns-over-http3-in-android.html) - -Check out [encrypted-dns over TOR](https://github.com/alecmuffett/dohot) if you need more privacy. +1. Some apps and protocols will ignore encrypted-dns: + - Firefox in specific regions, App Store in all regions. [More info](https://github.com/paulmillr/encrypted-dns/issues/22) + - iCloud Private Relay, VPN clients + - Little Snitch, LuLu + - DNS-related CLI tools: `host`, `dig`, `nslookup` etc. +2. [Wi-Fi captive portals](https://en.wikipedia.org/wiki/Captive_portal) in cafes, hotels, airports are exempted by Apple from eDNS rules; to simplify authentication - this is ok +3. TLS DNS is easier for providers to block, because it uses non-standard port 853. + [More info](https://security.googleblog.com/2022/07/dns-over-http3-in-android.html) +4. e-dns over TOR could be better privacy-wise, but we don't have this for now. ## Providers 
@@ -43,28 +40,8 @@ macOS [(official docs)](https://support.apple.com/guide/mac-help/mh35561/): If an earlier version of a profile is already installed on your Mac, the settings in the updated version replace the previous ones. -## Scope - -There seems to be an [additional option](https://github.com/paulmillr/encrypted-dns/issues/22) that allows to use system-wide profiles. To try it, add this to mobileconfig file: - -```xml -PayloadScope -System -``` - ## Signed Profiles -In the `signed` folder we have signed versions of the profiles in this repository. These profiles have been signed by [@Xernium](https://github.com/Xernium) so that when you install the profiles, -they will have a verified check box on the installation screen. It also ensures that these profiles have not been tampered with. However, since they were signed by a third party, they may lag behind their unsigned counterparts a little. -The signature is valid until `2025-11-02` - -Previous signatures by: -[@Xernium](https://github.com/Xernium), replaced at `2024-11-01` - -[@Candygoblen123](https://github.com/Candygoblen123), replaced at `2023-11-29` - -[comment]: <> (We recommend that you install a signed profile instead of an unsigned profile because it ensures that it was not modified while it was downloading.) - To verify resolver IPs and hostnames, compare mobileconfig files to their documentation URLs. Internal workings of the profiles are described on [developer.apple.com](https://developer.apple.com/documentation/devicemanagement/dnssettings). In order to verify signed mobileconfigs, you will need to download them to your computer and open them in a text editor, because signing profiles makes GitHub think that they are binary files. ## On demand activation diff --git a/src-languages/02-cmn-CN.json b/src-languages/02-cmn-CN.json index 2d06fc3..47afc82 100644 --- a/src-languages/02-cmn-CN.json +++ b/src-languages/02-cmn-CN.json 
@@ -6,7 +6,7 @@ "region": "区域", "censorship": "审查", "notes": "备注", - "install_signed": "安装 (已签名 - 推荐)", + "install_signed": "安装", "install_unsigned": "安装 (未签名)" }, "yes": "是",
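Review bot: In the README.md "Known issues" hunk (mirrored in src-languages/01-en.md), the new bullet for `host`, `dig`, `nslookup` drops the removed statement that these tools "will use the DNS servers set in Network, or picked up from DHCP". That fallback is what tells a reader their lookups from the command line go to the network-assigned resolver rather than the profile's, so I would keep it as a sub-clause of the bullet. Two smaller points in the same hunk: item 3 now says "easier for providers to block", which reads as the DNS providers listed under the "## Providers" heading just below, where the removed line said "ISPs"; and item 4 mentions e-dns over TOR but no longer carries the link the removed line had.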
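Review bot: In the README.md "Signed Profiles" hunk (mirrored in src-languages/01-en.md), the heading stays but every line saying what the `signed` folder is, who signed the profiles and until when the signature is valid is removed, while the kept paragraph still explains how "to verify signed mobileconfigs". The removed text gave a validity date of `2025-11-02`, which is earlier than this commit's date, so if expiry is the reason for the cleanup, one sentence stating the current signer and validity (or that the signed copies may no longer show as verified) would serve readers better than leaving the section without any provenance information. The same hunk also deletes the "## Scope" section with the `PayloadScope` snippet, which the subject "Update readme" does not explain; a line in the commit message on why it was dropped would help.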
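Review bot: In the `patchConfigs()` hunk of generate.js, the directory is still a hard-coded relative string (`./src/`), which resolves against the process working directory, while the first generate.js hunk already defines `PROVIDERS_PATH` as `path.join(__dirname, 'src')`. Reusing `PROVIDERS_PATH` here would keep the two from drifting apart on the next rename and make the utility independent of where it is run from. Doing so also requires renaming the loop variable, since `const path = ...` inside the loop shadows the `path` module required at the top of the file. Separately, the subject "Update readme" does not mention that the generator's source directories changed.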
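Review bot: In src-languages/01-en.json (and the matching change in 02-cmn-CN.json), the `install_signed` label becomes plain "Install" while `install_unsigned` stays "Install (unsigned)", and the table rows visible in the README hunks still point that column at `...-profile-https-signed` links. With the header changed and the "Signed Profiles" text removed elsewhere in this patch, nothing on the page tells a reader that the first column installs a third-party-signed file. I would keep the word "signed" in the label, for example "Install (signed)", and drop only the "Recommended" part if that is the intent.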