After hosting an ip6.arpa domain name on Cloudflare, the domain name is blocked by the firewall. Do you have any suggestions?
After hosting an ip6.arpa domain name on Cloudflare, the domain name is blocked by the firewall. Do you have any suggestions? The error I get is "connection was reset".
What do you mean, about ip6.arpa being hosted on Cloudflare?
I found a couple of posts online that talk about setting up reverse DNS PTR records on Cloudflare, and then using the x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa DNS name for forward DNS resolution? (And even get a certificate for it?) Do I understand that correctly?
https://www.answeroverflow.com/m/1356604577717162134
Certificate issue for ip6.arpa
I own 1.9.8.0.b.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa, and added it to cloudflare (which worked!) But the "Universal" certificate doesn't work, I guess google doesn't support ip6.arpa. The backup certificate works though... But I cannot select it without paying apparently? Despite literally not having any other working certificate?
https://www.hudi.space/posts/2706f9f7/index.html (archive)
Applying for an IPV6.ARPA domain name and hosting it on Cloudflare
Before this, I had actually applied for quite a few free second-level domain names, for example from cloudns, zoneabc, desec and others. However, the domain names from these sites cannot be hosted on Cloudflare. I also applied for an eu.org domain name, but a month after submitting the application there was still no response. Recently I saw that LiuShen had applied for an ip6.arpa domain name. I didn't really have to apply for one as well, but if I had one I could play with it, and mainly I planned to copy his homework. Before this I had looked at is-a.dev, a very nice subdomain for development use. But after fiddling with it for a long time, forking the repository and adding configuration, I got a little annoyed 🤣, so I decided to put it aside for now. Later I saw that an ip6.arpa domain name could be applied for, so I applied for one. Anyone who likes the idea can register one for fun.
Is this a common thing to do? What is the advantage of it?
Do you know how the domain name is being blocked? Does the DNS query fail, does the TCP connection fail, does the TLS handshake fail?
Open https://www.itdog.cn/http
Test this URL: https://ssl.5.8.7.b.0.d.0.0.1.0.a.2.ip6.arpa/
Seems that *.2.ip6.arpa is blocked by TLS interference.
Currently itdog.cn doesn't provide enough information about why the tests failed.
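An added example, not part of the original thread or of any project's code: the ip6.arpa names quoted above are IPv6 prefixes written as reversed hex nibbles, so this Python code decodes them and shows which prefixes fall under a suffix such as *.2.ip6.arpa. The function names are hypothetical, and leading labels that are not a single hex digit (ssl, *) are assumed to be host or wildcard labels.

```python
import ipaddress

HEX = set("0123456789abcdef")

def arpa_to_network(name: str) -> ipaddress.IPv6Network:
    """Decode an ip6.arpa name into the IPv6 prefix its nibble labels spell."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        raise ValueError(f"not an ip6.arpa name: {name!r}")
    nibbles = labels[:-2]
    # Assumption: leading labels that are not one hex digit ("ssl", "*")
    # are host or wildcard labels, not part of the prefix.
    while nibbles and nibbles[0] not in HEX:
        nibbles.pop(0)
    if len(nibbles) > 32 or any(n not in HEX for n in nibbles):
        raise ValueError(f"malformed nibble labels in {name!r}")
    # Labels are least-significant nibble first, so reverse and zero-pad.
    hex_addr = "".join(reversed(nibbles)).ljust(32, "0")
    return ipaddress.IPv6Network((int(hex_addr, 16), 4 * len(nibbles)))

def network_to_arpa(prefix: str) -> str:
    """Encode an IPv6 prefix on a nibble boundary as its ip6.arpa zone name."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4")
    nibbles = f"{int(net.network_address):032x}"[: net.prefixlen // 4]
    return ".".join([*reversed(nibbles), "ip6", "arpa"])

def suffix_covers(rule: str, name: str) -> bool:
    """True if `name` equals or falls under a suffix rule like '*.2.ip6.arpa'."""
    return arpa_to_network(name).subnet_of(arpa_to_network(rule))

if __name__ == "__main__":
    # Names quoted in the thread above.
    for n in ("1.9.8.0.b.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa",
              "ssl.5.8.7.b.0.d.0.0.1.0.a.2.ip6.arpa",
              "*.2.ip6.arpa"):
        print(f"{n} -> {arpa_to_network(n)}")
```

A suffix ending in 2.ip6.arpa decodes to 2000::/4, so both names from the thread fall under it.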
I didn't expect Cloudflare to actually allow *.arpa domain names. If the blocking is based on SNI, just use ECH (Encrypted Client Hello)! For more ways to use this, see #529.
xray outbound configuration with ECH enabled: it successfully solved the domain name interception problem, and it took off right away!!!!!!!!!!!!!!!!!!
```json
{
  "outbounds": [
    {
      "tag": "worker-1",
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "###########", // fill in preferred CF IP
            "port": 443,
            "users": [
              {
                "id": "###########", // fill in your UUID
                "encryption": "none"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "ws",
        "wsSettings": {
          "host": "###########.workers.dev", // workers domain supports ECH, so you can put the workers domain here
          "path": "/?ed=2560"
        },
        "security": "tls",
        "tlsSettings": {
          "serverName": "###########.workers.dev", // workers domain supports ECH, so you can put the workers domain here
          "allowInsecure": false,
          "echConfigList": "gitlab.io+udp://1.1.1.1", // echConfigList should point to a domain that can fetch CF's ECH config + a DNS that can resolve it successfully
          "echForceQuery": "full",
          "fingerprint": "chrome"
        }
      }
    }
  ]
}
```
But v2rayn and clash-party do not support the ECH feature. Could someone help me ask about it?
@2dust
@mihomo-party-org
So it looks like it is SNI blocking. The core has supported ECH for a long time; you can open issues with the corresponding clients. If you are only using VLESS on Workers, just use *.workers.dev with ECH enabled; there is no need to set up a strange *.arpa domain name.
> Seems that *.2.ip6.arpa is blocked by TLS interference.
> Currently itdog.cn doesn't provide enough information about why the tests failed.
I noticed this days ago. SNI/Host RST and temporary route black hole
The blocking seems to be lifted.