[wip] Add "How to Create DNS Stamps" guide #262
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| # How to Create Your Own DNS Stamp for Secure DNS | ||
|
|
||
| This guide will help you learn how to create your own DNS stamp for Secure DNS. Secure DNS is a service that enhances your internet security and privacy by encrypting your DNS queries. This prevents the possibility of your queries being intercepted or manipulated by malicious actors. | ||
|
|
||
| By creating and using your own DNS stamp, you're taking an important step towards a more secure and private internet experience. This guide should equip you with the knowledge you need to generate your own DNS stamp confidently, whether for use in AdGuard, AdGuard VPN, or any other application that supports DNS stamps. | ||
|
|
||
| ## Introduction to DNS Stamps | ||
|
|
||
| DNS Stamps are short strings that include all the information needed to connect to a secure DNS server. They simplify the process of setting up Secure DNS as the user does not need to manually enter all this data. | ||
|
|
||
| DNS stamps allow you to customize secure DNS settings beyond the usual URLs. In particular, they allow you to specify hard-coded server addresses, use certificate hashing, and so on. These features make DNS stamps a more robust and versatile option for configuring secure DNS settings. | ||
|
|
||
| ## Choosing the Protocol | ||
|
|
||
| Types of secure DNS include DNS-over-HTTPS (DoH), DNS-over-QUIC (DoQ), and DNS-over-TLS (DoT) and others, and we will be looking at these three since they are the only ones that allow you to set the hash of the server's public certificate. Choosing one of these protocols depends on your preferences and usage conditions. | ||
|
|
||
| ## Creating a DNS Stamp | ||
|
|
||
| 1. Open the [DNSCrypt Stamp Generator](https://dnscrypt.info/stamps/). | ||
|
|
||
| 2. Depending on the chosen protocol, select the corresponding protocol from the dropdown menu (DoH, DoT, or DoQ). | ||
|
|
||
| 3. Fill in the necessary fields: | ||
| - **IP address**: Enter the DNS server's IP address. If you are using the DoT or DoQ protocol, ensure you have also specified the corresponding port. | ||
|
There was a problem hiding this comment. Нужно отметить, что данное поле необязательно, и нужно использовать с осторожностью: использование данной опции может сломать интернет в IPv6-only сетях. |
||
| - **Hashes**: Insert the SHA256 hash of the server's certificate. If the DNS server you are using provides a ready-made Ed25519 public key, find and copy it. Otherwise, you can obtain it by following the instructions in the ["Obtaining the Certificate Hash"](###obtaining-the-certificate-hash) section. | ||
|
There was a problem hiding this comment. А причём тут Ed25519? У TLS-сертов тип публичного ключа - ECDSA или RSA Плюс нужно отметить, что данное поле необязательно. |
||
| - **Host name**: Enter the DNS server's hostname. This field is used for server name verification in DoT and DoQ protocols. | ||
| - For **DoH**: | ||
| - **Path**: Enter the path for performing DoH requests. This is usually "/dns-query", but your provider may provide a different path. | ||
| - For **DoT and DoQ**: | ||
| - There are usually no specific fields for these protocols in this tool. Just make sure the port specified in the resolver address is the correct port. | ||
| - In the "Properties" section, you can check the relevant properties if they are known and applicable to your DNS server. | ||
|
|
||
| 4. Your stamp will be automatically generated and you will see it in the "Stamp" field. | ||
|
|
||
| ### Obtaining the Certificate Hash | ||
|
|
||
| To fill in the "Hashes of the server's certificate" field, you can use the following command, replacing `<IP_ADDRESS>`, `<PORT>`, and `<SERVER_NAME>` with the corresponding values for your DNS server: | ||
|
|
||
| ```bash | ||
| echo | openssl s_client -connect <IP_ADDRESS>:<PORT> -servername <SERVER_NAME> 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 | ||
| ``` | ||
|
|
||
| **NOTE**: Keep in mind that the result of the hash calculation command can change over time as the server's certificate may be updated. Therefore, if your DNS stamp suddenly stops working, you may need to recalculate the hash of the certificate and generate a new stamp. Regularly updating your DNS stamp will help ensure the continued secure operation of your Secure DNS service. | ||
|
|
||
| ## Using the DNS Stamp | ||
|
|
||
| You now have your own DNS stamp, which you can use to set up Secure DNS in your internet connection. This stamp can be entered into AdGuard and AdGuard VPN for enhanced internet privacy and security. | ||
|
|
||
| ## Example of Creating a DNS Stamp | ||
|
|
||
| Let's walk through an example of creating a stamp for AdGuard DNS using DoT: | ||
|
|
||
| 1. Open the DNSCrypt stamp generator web page at https://dnscrypt.info/stamps/. | ||
|
|
||
| 2. Select the "DNS-over-TLS (DoT)" protocol. | ||
|
|
||
| 3. Fill in the following fields: | ||
|
|
||
| - **IP address**: Enter the DNS server's IP address and port. In this case, it's `94.140.14.14:853`. | ||
|
|
||
| - **Host name**: Enter the host name of the DNS server. In this case, it's `dns.adguard-dns.com`. | ||
|
|
||
| - **Hashes**: | ||
| Execute the command | ||
| ```bash | ||
| echo | openssl s_client -connect 94.140.14.14:853 -servername dns.adguard-dns.com 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 | ||
| ``` | ||
| The result is `a54670fda8ed13bded0a9515f35d0a2bed937e100aa6282703cb3b87282055ec` | ||
| Paste this SHA256 hash of the server's certificate into the field. | ||
|
|
||
| 4. Leave the Properties section blank. | ||
|
|
||
| 5. Your stamp will be automatically generated and you will see it in the "Stamp" field. | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Слишком ChatGPT'шно, имхо :) Это совсем не important step, а опции для параноиков, если они хотят дополнительные меры безопасности :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For Secure DNS,
tls://,https://orquic://URLs are normally used and it is enough for most users, and is recommended way.However, if you need additional security, like pre-resolved server IPs and certificate pinning by hash, you may generate your own DNS stamp. This guide tells you how to do it.