下一代互联网国家工程中心的官方 doh/dot 公布

证书用的是 Let's Encrypt，槽点略多

我刚试了，有 IPv4 地址，解析出来是这个 111.7.186.177 ，谁测测有没有污染

dns query not allowed because of ACL

rixcloud： https://doh.rixcloud.dev/dns-query

无法解析？

这是啥中心，够格国字吗？

@301 ocsp.int-x3.letsencrypt.org 你试试这个

看上去像私企搞的，不是工信部直属的

有污染，解析谷歌返回了 199.59.149.136 2001::9a5c:1061，分别是推特 IP 和非法 IPv6 。

```
$ curl -v --doh-url 'https://dns.cfiec.net/dns-query' www.google.com
* Added dns.cfiec.net:443:240e:e9:900b::6 to DNS cache
* Found bundle for host dns.cfiec.net: 0x7fffed0e5680 [serially]
* Server doesn't support multiplex (yet)
* Trying 240e:e9:900b::6:443...
* TCP_NODELAY set
* Hostname 'dns.cfiec.net' was found in DNS cache
* Trying 240e:e9:900b::6:443...
* TCP_NODELAY set
* Connected to dns.cfiec.net (240e:e9:900b::6) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* Connected to dns.cfiec.net (240e:e9:900b::6) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=dns.cfiec.net
* start date: Oct 26 01:01:40 2020 GMT
* expire date: Jan 24 01:01:40 2021 GMT
* subjectAltName: host "dns.cfiec.net" matched cert's "dns.cfiec.net"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fffed105700)
> POST /dns-query HTTP/2
Host: dns.cfiec.net
accept: */*
content-type: application/dns-message
content-length: 32

* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* We are completely uploaded and fine
< HTTP/2 200
< server: h2o/dnsdist
< date: Sat, 21 Nov 2020 16:25:17 GMT
< content-type: application/dns-message
< content-length: 48
<
* Connection #0 to host dns.cfiec.net left intact
* a DOH request is completed, 1 to go
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=dns.cfiec.net
* start date: Oct 26 01:01:40 2020 GMT
* expire date: Jan 24 01:01:40 2021 GMT
* subjectAltName: host "dns.cfiec.net" matched cert's "dns.cfiec.net"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fffed10aea0)
> POST /dns-query HTTP/2
Host: dns.cfiec.net
accept: */*
content-type: application/dns-message
content-length: 32

* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* We are completely uploaded and fine
< HTTP/2 200
< server: h2o/dnsdist
< date: Sat, 21 Nov 2020 16:25:18 GMT
< content-type: application/dns-message
< content-length: 60
<
* Connection #1 to host dns.cfiec.net left intact
* a DOH request is completed, 0 to go
* DOH Host name: www.google.com
* TTL: 101 seconds
* DOH A: 199.59.149.136
* DOH AAAA: 2001:0000:0000:0000:0000:0000:9a5c:1061
* Trying 199.59.149.136:80...
* TCP_NODELAY set
* Connected to www.google.com (199.59.149.136) port 80 (#0)
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.68.0
> Accept: */*
>
```

DoH 手动测试几个常见被那啥的域名解析结果：
google.com. 300 IN A 172.217.27.142
www.google.com. 153 IN A 31.13.64.49
www.google.com. 88 IN AAAA 2001::1f0d:5520
facebook.com. 68 IN A 173.252.88.133
facebook.com. 77 IN AAAA 2001::45ab:e025
www.facebook.com. 138 IN A 199.59.149.244
www.facebook.com. 104 IN AAAA 2001::1f0d:440e
fb.com. 300 IN A 157.240.28.35
fb.com. 298 IN AAAA 2a03:2880:f141:82:face:b00c:0:25de
twitter.com. 162 IN A 31.13.69.129
twitter.com. 244 IN AAAA 2001::6ca0:aa2e
www.twitter.com. 158 IN A 69.171.248.128
www.twitter.com. 85 IN AAAA 2001::45ab:e614
reddit.com. 115 IN A 128.242.240.20
reddit.com. 106 IN AAAA 2001::40e9:bdc7
www.reddit.com. 66 IN A 108.160.167.147
www.reddit.com. 72 IN AAAA 2001::42dc:9e01
wikipedia.org. 178 IN A 202.160.128.205
wikipedia.org. 76 IN AAAA 2001::4a75:b24f
en.wikipedia.org. 90 IN A 67.15.100.252
en.wikipedia.org. 143 IN AAAA 2001::453f:b50c
zh.wikipedia.org. 182 IN A 67.230.169.182
zh.wikipedia.org. 174 IN AAAA 2001::48e9:4882
www.v2ray.com. 131 IN A 202.160.128.14
www.v2ray.com. 174 IN AAAA 2001::42ab:ea50

所有请求都只返回一条记录，DoT 的返回结果略有不同，应该是多条记录随机返回一条的。
在测试过程中发现他们的这个服务可能还不太稳定，一些域名他们可能还没有缓存，在前几次请求的时候会返回 502 Bad Gateway，过几秒再请求就好了。

国内备选方案
谷歌 DoT(安卓测试可无视墙) dns.google
腾讯 DoT dns.pub
阿里 DoT dns.alidns.com

上面的结果可以看出，几乎所有都是被污染的

下一代互联网不是 ipv9 吗？ [狗头]

技术原理我了解，但是国内搞这玩意有什么作用呢？

还是老老实实阿里吧

SSL 证书经费没批下来吗？

下一代互联网国家工程中心（ CFIEC，全称“下一代互联网关键技术和评测国家地方联合工程研究中心”）是天地互连公司承建，由北京市发改委于 2012 年认定的北京市工程研究中心，并于 2015 年由国家发改委批复升级为国家地方联合工程研究中心。工程中心作为领先的第三方 IPv6 基础设施服务商，以 IPv6 下一代互联网、DNS 根服务器、SDN 软件定义网络、NFV 网络功能虚拟化以及区块链、人工智能网络等先进网络技术为研究重心，参与全球网络技术标准化和市场化工作，建设运营关键信息基础设施，开展网络安全、性能、一致性等第三方测试认证业务，推动全球网络互联互通。

领导介绍
刘东
下一代互联网国家工程中心主任
北京天地互连信息技术有限公司董事长


@pmispig 所以就是个私企了

@jim9606 有被笑到，谢谢

@pmispig 下一代中心现在就是私企……

国内哪有不被污染的，

@12101111 #17 这公司以前是不是还搞过一个 6plat 的啥东西~

谷歌解析到 Facebook 爱尔兰的 IP