Chrome already has --host-rules / --host-resolver-rules; together with private SSL they can currently bypass DNS pollution

Open novvoo opened this issue 7 months ago • 5 comments

In fact, what I want is the function that Chrome has already implemented, plus further support for secure DNS. --host-rules and --host-resolver-rules plus private SSL can currently bypass DNS pollution, but they require manual configuration and the number of supported IPs is limited, so I am wondering whether secure DNS can also support this function.

https://chromium.googlesource.com/chromium/src/+/main/net/dns/README.md

PS: IP + TLS (don't use the domain)

novvoo avatar Sep 15 '25 08:09 novvoo
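The --host-resolver-rules flag the issue asks about is a static host-to-address map that Chromium consults before any DNS lookup. What follows is an added example, not Chromium's or gcurl's code: a Go implementation of the same MAP/EXCLUDE rule syntax and of where it hooks into an HTTP client. It goes slightly beyond the thread by handling wildcards, EXCLUDE entries and a per-rule port override. The names HostRule, ParseHostRules, RewriteAddr and NewRuleDialer and the 203.0.113.x addresses are this example's own.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"path"
	"strings"
	"time"
)

// HostRule is one entry of Chromium's --host-resolver-rules list. The flag takes
// comma-separated "MAP <pattern> <replacement>[:<port>]" and "EXCLUDE <pattern>"
// entries; "*" in a pattern matches any run of characters.
type HostRule struct {
	Exclude     bool
	Pattern     string
	Replacement string // IP or host, optionally with a port; empty for EXCLUDE
}

// ParseHostRules parses the flag value. A malformed entry is an error rather than
// being skipped, so a typo cannot silently send the name to the system resolver.
func ParseHostRules(s string) ([]HostRule, error) {
	var rules []HostRule
	for _, entry := range strings.Split(s, ",") {
		f := strings.Fields(entry)
		switch {
		case len(f) == 0:
			continue
		case strings.EqualFold(f[0], "MAP") && len(f) == 3:
			rules = append(rules, HostRule{Pattern: strings.ToLower(f[1]), Replacement: f[2]})
		case strings.EqualFold(f[0], "EXCLUDE") && len(f) == 2:
			rules = append(rules, HostRule{Exclude: true, Pattern: strings.ToLower(f[1])})
		default:
			return nil, fmt.Errorf("malformed host rule %q", strings.TrimSpace(entry))
		}
	}
	return rules, nil
}

// RewriteAddr applies the rules to a "host:port" dial address. As in Chromium,
// EXCLUDE entries are checked before any MAP entry and the first matching MAP wins.
// An address no rule matches is returned unchanged with false, meaning it would
// go to the ordinary resolver.
func RewriteAddr(rules []HostRule, addr string) (string, bool) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return addr, false
	}
	host = strings.ToLower(host)
	for _, r := range rules {
		if ok, _ := path.Match(r.Pattern, host); ok && r.Exclude {
			return addr, false
		}
	}
	for _, r := range rules {
		if ok, _ := path.Match(r.Pattern, host); !ok || r.Exclude {
			continue
		}
		if h, p, err := net.SplitHostPort(r.Replacement); err == nil {
			return net.JoinHostPort(h, p), true // replacement carries its own port
		}
		return net.JoinHostPort(r.Replacement, port), true
	}
	return addr, false
}

// NewRuleDialer plugs the rules into http.Transport.DialContext. Only the dial
// address changes: the URL hostname still goes into the SNI and into certificate
// verification, so a MAP to the wrong IP fails the TLS handshake instead of
// silently reaching an impostor.
func NewRuleDialer(rules []HostRule) func(ctx context.Context, network, addr string) (net.Conn, error) {
	d := &net.Dialer{Timeout: 10 * time.Second}
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		target, _ := RewriteAddr(rules, addr)
		return d.DialContext(ctx, network, target)
	}
}
```

Wire it in with `&http.Transport{DialContext: NewRuleDialer(rules)}`. This is what `curl --resolve host:port:addr` does for one exact name, and `curl --connect-to host:port:connect-host:connect-port` is the closer match for a MAP with a port override. In all of these the certificate is still checked against the URL hostname, so a rule that points at the wrong server fails closed.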

Thank you, I was not aware of --host-resolver-rules in Chromium. That sounds like it can be similarly useful to curl --connect-to and --resolve.

wkrp avatar Sep 16 '25 01:09 wkrp

curl's --resolve will still be polluted, so I implemented this:

https://github.com/novohool/gcurl

novvoo avatar Sep 16 '25 03:09 novvoo
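gcurl's dohURL flag is the other half of the idea: take the address from a DNS-over-HTTPS resolver rather than from the local, possibly polluted one, and then dial it. The following is an added example of what such a client has to do on the wire, written for this page rather than taken from gcurl: build the RFC 1035 query that RFC 8484 carries as application/dns-message, parse the answer section (including compressed names and CNAME chains), and POST the query. BuildAQuery, ParseAAnswers and LookupA are this example's names.

```go
package main

import (
	"bytes"
	"context"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"strings"
)

// BuildAQuery encodes a DNS A query for name in the RFC 1035 wire format that a
// DoH endpoint accepts as application/dns-message (RFC 8484).
func BuildAQuery(name string) ([]byte, error) {
	var b bytes.Buffer
	// Header: ID 0 (RFC 8484 recommends it so responses cache well), flags RD=1,
	// QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
	b.Write([]byte{0, 0, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0})
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, fmt.Errorf("bad label in %q", name)
		}
		b.WriteByte(byte(len(label)))
		b.WriteString(label)
	}
	b.Write([]byte{0, 0, 1, 0, 1}) // root label, QTYPE A, QCLASS IN
	return b.Bytes(), nil
}

// skipName advances past a domain name at off, handling compression pointers.
func skipName(msg []byte, off int) (int, error) {
	for off < len(msg) {
		switch l := int(msg[off]); {
		case l == 0:
			return off + 1, nil
		case l&0xC0 == 0xC0: // compression pointer: two bytes end the name
			return off + 2, nil
		default:
			off += 1 + l
		}
	}
	return 0, errors.New("truncated name")
}

// ParseAAnswers returns the IPv4 addresses in the answer section of a response.
func ParseAAnswers(msg []byte) ([]net.IP, error) {
	if len(msg) < 12 {
		return nil, fmt.Errorf("short DNS message (%d bytes)", len(msg))
	}
	if rcode := msg[3] & 0x0F; rcode != 0 {
		return nil, fmt.Errorf("DNS rcode %d", rcode)
	}
	qd, an := int(binary.BigEndian.Uint16(msg[4:])), int(binary.BigEndian.Uint16(msg[6:]))
	off, err := 12, error(nil)
	for i := 0; i < qd; i++ { // skip the echoed question section
		if off, err = skipName(msg, off); err != nil {
			return nil, err
		}
		off += 4 // QTYPE, QCLASS
	}
	var ips []net.IP
	for i := 0; i < an; i++ {
		if off, err = skipName(msg, off); err != nil {
			return nil, err
		}
		if off+10 > len(msg) {
			return nil, errors.New("truncated RR header")
		}
		typ := binary.BigEndian.Uint16(msg[off:])
		rdlen := int(binary.BigEndian.Uint16(msg[off+8:]))
		off += 10
		if off+rdlen > len(msg) {
			return nil, errors.New("truncated RDATA")
		}
		if typ == 1 && rdlen == 4 {
			ips = append(ips, net.IPv4(msg[off], msg[off+1], msg[off+2], msg[off+3]))
		}
		off += rdlen // CNAME, AAAA and other types are skipped
	}
	return ips, nil
}

// LookupA sends the query to a DoH endpoint with the RFC 8484 POST method and
// returns the A records. client decides how the endpoint's own hostname is
// reached: http.DefaultClient resolves it through system DNS, so a bootstrap
// (a DialContext that pins that one hostname to a known IP while TLS keeps
// verifying the certificate against the URL hostname) belongs in its Transport.
func LookupA(ctx context.Context, client *http.Client, endpoint, name string) ([]net.IP, error) {
	q, err := BuildAQuery(name)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, bytes.NewReader(q))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/dns-message")
	req.Header.Set("Accept", "application/dns-message")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("DoH endpoint returned %s", resp.Status)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 64<<10)) // DNS messages are small
	if err != nil {
		return nil, err
	}
	return ParseAAnswers(body)
}
```

`LookupA(ctx, client, "https://ns.net.kg/dns-query", "example.com")` uses the endpoint from the thread's flag defaults. Only A records are extracted; checking for type 28 as well would add AAAA. Nothing here validates the answer beyond the rcode, which is fine for a resolver you reach over an authenticated channel but is not DNSSEC.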

This parameter has existed for a long time, and it's in the experimental Cronet library too.

A DNS and SNI manipulation tool based on it already exists:

  • https://github.com/SpaceTimee/Sheas-Cealer

Part of it is not open source.

UjuiUjuMandan avatar Sep 16 '25 04:09 UjuiUjuMandan

I know this and I have implemented it (the hostURL part). I have also implemented the dohURL part that I hope for. What I hope is that Chrome can support the DoH part. The number of hosts is limited. The gcurl I mentioned above actually works on the same internal principle. It uses MITM to hijack and modify the ClientHello during HTTP access. Of course, if you use pure-IP HTTPS, you can bypass the domain name problem. This problem itself exists because a design flaw of HTTPS is exploited. Later, HTTPS also proposed using ECH to solve this problem, but due to the cumbersome setup, almost no website sets it up.

```go
package main

import "flag"

// CealingHostRule is defined elsewhere in gcurl; only the flag block was posted here.
type CealingHostRule struct{}

var (
	insecure         = flag.Bool("k", true, "Ignore certificate errors (default: true)")
	headOnly         = flag.Bool("I", false, "Get response headers only")
	verbose          = flag.Bool("v", false, "Enable verbose logging, including TLS handshake, packet, and ClientHello details")
	help             = flag.Bool("help", false, "Show usage help")
	requestURL       string // positional URL argument, filled in after flag parsing
	httpProxyAddr    = flag.String("L", "", "Run an HTTP proxy on the specified address (e.g., http://<your host>:8080)")
	hostURL          = flag.String("host-url", "https://gitlab.com/SpaceTimee/Cealing-Host/raw/main/Cealing-Host.json", "URL for the Cealing-Host.json rule")
	dohURL           = flag.String("doh", "https://ns.net.kg/dns-query", "DNS over HTTPS resolver URL")
	noHostRule       = flag.Bool("D", false, "Disable Cealing-Host rules, always use DoH (proxy mode only)")
	xffHeaders       = flag.String("XFF", "", "Inject X-Forwarded-For and other headers in proxy mode, specifying the client IP (default: 100.100.100.100)")
	cealingHostRules []CealingHostRule // loaded from hostURL
)
```

novvoo avatar Sep 16 '25 06:09 novvoo

Naiveproxy already allows you to use host-resolver-rules: https://github.com/klzgrad/naiveproxy/blob/master/USAGE.txt

aaravrav avatar Sep 23 '25 22:09 aaravrav