What is secure DNS

Traditional DNS packets are unencrypted and can be hijacked and tampered with at will. DNS over TLS (RFC 7858, RFC 8310) and DNS over HTTPS (RFC 8484) are good solutions; they reach the same goal by different means: preventing DNS messages from being snooped on, tampered with or forged by a man in the middle.

Browser-only secure DNS solution

This approach is fairly easy!

At the time of writing (July 2019) Chrome is still implementing this feature, while Firefox has supported it for a long time. If you use a Chinese browser, don't count on it.

  • Firefox: top-right menu -> Preferences -> Network Settings at the very bottom -> tick Enable DNS over HTTPS at the bottom -> OK.

System-wide secure DNS solution

This class of solutions protects all of your network traffic from DNS poisoning attacks. There are many such tools; my recommendation may not suit you, but I recommend the ones that are easiest to operate, most widely used and secure enough.

Windows recommendation: SimpleDNSCrypt

Download the installer from https://simplednscrypt.org/. After installing, launch the program, click the Service switch in the middle to start the service, then click the icon of your WLAN or wired connection at the bottom to enable secure DNS for that connection.
Tip: in the settings at the top right you can switch the interface to Chinese and disable the update check at startup (the check is a bit slow). The default configuration is enough for most people; if you don't understand it, there is no need to change it.
It is open-source software and the released installers are digitally signed; if you know computers and care about security, you can verify it yourself. If you don't know computers but care about security, trust me, you are not in a position to care about security.

Linux recommendation: stubby

On Linux, install it with a single package-manager command and start it with systemd. The commands below are only examples; adapt them to the package manager you use. Again, this software's default configuration is good enough. If you want to add Google DNS as your server, refer to the configuration here.

  • Ubuntu
sudo apt-get install -y stubby ; sudo systemctl disable systemd-resolved --now ; sudo systemctl enable stubby --now
  • ArchLinux
sudo pacman -S --noconfirm stubby ; sudo systemctl disable systemd-resolved --now ; sudo systemctl enable stubby --now
  • Android 9+: go to Settings -> Network & internet -> Private DNS -> Private DNS provider hostname, enter dns.google and confirm. I don't know how this path is rendered in the Chinese UI; please look for it yourself.

  • Other Android and iOS devices: search for and download Cloudflare's mobile app. Cloudflare is the world's largest network company, and the app fixes insecure DNS with one tap. Of course, China is not friendly to it, because it is secure.
    Search for Cloudflare or 1.1.1.1 in the Google Play Store or Apple App Store to find this handy app.

  • If you know Recolic: he has set up a new, pollution-free DNS server inside the Great Firewall. It lets your router or device avoid DNS pollution without enabling secure DNS, by never sending queries across the Chinese border. Go find him.
    He built this server with stubby; if you want to build one too, refer to the configuration here and the instructions under the Linux heading above.

Test my setup

Try visiting https://recolic.net. Windows users who chose the system-wide solution may need to run ipconfig /flushdns to clear the cache. If the site loads normally, the configuration succeeded.

Author: Telegram CEO Durov; translation by @tggeek

Big companies use marketing to deceive us into believing that the solution to all our problems is to buy more of their products.

The real solution is the opposite: consume less, not more. In most cases our problems are caused by overconsumption in the first place.

For example, if you are overweight, you get bombarded with ads for gym subscriptions or food supplements. But the key to losing weight is to eat less, not to buy new shoes and protein powder.

Or, if you suffer from headaches and stress, they will try to sell you painkillers and antidepressants. But to truly reduce stress you should start sleeping and walking more, instead of immersing yourself in entertainment products or scrolling social media late at night. Pills are never designed to be a permanent solution: they lose effect over time and cause side effects, which in turn require more pills. Once you set out on the endless journey of consumption, you fall into a trap designed to make you miserable and corporations happy.

Through evolution, nature equipped us to cope efficiently with scarcity, but it never prepared us for today's relative abundance. Today more people die of obesity than of hunger, and more people are anxious from information overload than from a lack of news.

Human DNA, our hardware, is outdated. It stopped evolving some 10,000 to 20,000 years ago, when we still lived in small hunter-gatherer communities. Back then every bite of something sweet and every piece of information was extremely valuable. We now live in megacities surrounded by cheap sugar, but our DNA does not know that. Our bodies keep storing excess fat for a cold, hungry winter that will never come. Our brains cling to every piece of alarming news, warning us of threats that will never materialize.

Our economic system, which emphasizes GDP growth and maximizing corporate profit, makes this biological contradiction worse. Governments and corporations alike encourage people to consume more. It is no coincidence that the United States, which led economic growth in the 20th century, is also the most obese developed country in the world. Their market-driven society has become too efficient.

This system is not only harmful to humans; in the long run it is also unsustainable. Unlike corporate appetites, our planet's resources are finite. As a species we have become extremely efficient at making and selling things we don't need, but the planet pays the bill. Our bodies still expect us to live in the primitive environment of 10,000 to 20,000 years ago, full of green forests and clean lakes. As we keep destroying our own habitat in the eternal pursuit of economic growth, the number of illnesses caused by pollution keeps rising.

I was lucky to become wealthy early. At 22 I had a million dollars in my bank account; at 25, tens of millions; at 28, hundreds of millions. Yet that was never what made me happy.

My real luck was realizing early on that the most valuable kind of occupation is creating things, not consuming them. So instead of buying yachts, planes and expensive real estate, I focused on what I love most, building social platforms, in the hope of benefiting humanity. I have spent most of my personal funds on Telegram, giving people a free service that strives for perfection.

I consider the ability to create things for others my most precious and most valuable asset. I suspect one reason I happened to get rich while doing what I love is that money was never an important goal for me.

When I was a student I liked building games and websites. Back then that was considered a nerdy pursuit. Promising students were expected to go into law or solve business cases. But I never really cared how other people defined success. For me, success is being able to spend my time creating things I love.

I never regret not buying the expensive things rich people like. My only regret is not having more time to create.

We live in an era of limitless possibilities for human creativity. People can invent robots, edit genes, design virtual worlds... there are so many exciting unknown areas to explore. I hope more people will discover the joy of building things for others. I hope that one day, as a species, we will leave the endless road of self-destruction and set out instead on the fulfilling journey of creating a better world for ourselves and those around us.

via @durov

fio --loops=5 --size=1000m --filename=/mnt/fs/fiotest.tmp --stonewall --ioengine=libaio --direct=1 \
  --name=Seqread --bs=1m --rw=read \
  --name=Seqwrite --bs=1m --rw=write \
  --name=512Kread --bs=512k --rw=randread \
  --name=512Kwrite --bs=512k --rw=randwrite \
  --name=4kQD32read --bs=4k --iodepth=32 --rw=randread \
  --name=4kQD32write --bs=4k --iodepth=32 --rw=randwrite

Use recolic.cc instead of recolic.net if you're fucked by the P.R.China government.

  • Public
    Web Service             Link
    shortlink (tmp)         https://recolic.net/go
    shortlink (perm)        https://recolic.net/s
    monitor board           https://recolic.net/status
    gitlab                  https://git.recolic.net
    cloud drive             https://drive.recolic.net
    email service           https://mail.recolic.net
    blog                    https://recolic.net/blog
    resource site           https://dl.recolic.net
    minecraft server        https://recolic.net/s/mc
    public proxy service    https://recolic.net/s/proxy
    unsafe pastebin         https://recolic.net/paste
    simple web proxy        https://recolic.net/proxy.php
    hust physics exp        https://recolic.net/phy
    hust physics exp H2     https://recolic.net/phy2
    sitemap (myself)        https://recolic.net/s/sitemap
    donate                  https://recolic.net/donate
  • Private

https://git.recolic.net/snippets/20

  • Introducing me / social media

https://github.com/recolic

https://git.recolic.net/root

https://recolic.net/blog

This is just a draft. Still Working-In-Progress. Many bugs!

Another PC runs nginx, so we have a mirror at 10.100.100.34/$arch/$repo:

    server {
        listen       [::]:80;
        listen       80;
        #server_name  localhost;
        root   /var/www/html;
        index  index.html index.htm;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location /aarch64 {
            proxy_pass https://mirror.tuna.tsinghua.edu.cn/archlinuxarm/aarch64;
        }
    ......

android chroot:

Prepare the root:

mount -t proc /proc proc/
mount -o bind /sys sys/
mount -o bind /dev dev/
# Maybe we should bind every mountpoint manually. Write a script, or copy from debian-arm blog.
chroot /path/to/.../root/

Inside the chroot (/bin/bash):

export PATH=/usr/bin
export LD_LIBRARY_PATH=/usr/lib

# we should run `pacman-key --init` and `pacman-key --populate archlinuxarm`. But I failed.
vi /etc/pacman.conf # Set SigLevel to Never (this turns off package signature verification; revert it once pacman-key works)

# I don't know why DNS is still not working. Modify mirrorlist to use our repo.
rm /etc/resolv.conf                                # usually a dangling symlink inside the chroot
echo "nameserver 10.100.100.1" > /etc/resolv.conf  # the "nameserver" keyword is required; a bare IP in resolv.conf is ignored, leaving DNS broken

Deploy

(The certificate must be valid: although the frontend nginx has proxy_ssl_verify off;, STARTTLS still requires a valid certificate.) (The service must be restarted every 3 months to pick up the latest renewed certificate, just as nginx is.)

docker run -tid --privileged -p 3092:443 -p 110:110 -p 995:995 -p 143:143 -p 993:993 -p 25:25 -p 465:465 -p 587:587 -v /srv/iredmail/vmail:/var/vmail -v /srv/iredmail/mysql:/var/lib/mysql -v /srv/iredmail/clamav:/var/lib/clamav -v /root/.acme.sh/mail.recolic.net/mail.recolic.net.key:/etc/ssl/private/iRedMail.key:ro -v /root/.acme.sh/mail.recolic.net/fullchain.cer:/etc/ssl/certs/iRedMail.crt:ro -v /sys/fs/cgroup:/sys/fs/cgroup:ro --name rmail --restart=always --hostname func.mail.recolic.net 600163736385.dkr.ecr.us-west-2.amazonaws.com/mail.recolic.net /sbin/init

If it cannot connect to the database, run chown -R mysql:mysql mysql inside the container (required whenever the mysql directory has been updated).

Upgrade from lower version

If you upgraded the MySQL version, you must migrate the data with the following commands rather than simply copying /var/lib/mysql. See more.

mysqldump -u root -p --all-databases > alldb.sql
mysql -u root -p < alldb.sql

Upgrade steps:

  1. Export alldb.sql from the old iRedMail.
  2. Export alldb.sql from the new iRedMail.
  3. Manually move all user data from the old iRedMail dump into the new one (take care!!! the DB table format may have changed!).
  4. Import the manually modified new-iredmail alldb.sql into the new DB and save the resulting /var/lib/mysql directory. Use this as your new mysqlDir!!

Recolic's further customization (image built at 20201021)

After making the further modifications below, recolic is using 600163736385.dkr.ecr.us-west-2.amazonaws.com/mail.recolic.net in PROD. https://git.recolic.net/recolic/notebook#mailrecolicnet

Disable the heavy ClamAV, but do not disable DKIM! https://docs.iredmail.org/completely.disable.amavisd.clamav.spamassassin.html

Disable greylisting, which caused mail from bankofchina to be lost. Also enable reject_sender_login_mismatch. https://docs.iredmail.org/manage.iredapd.html

Fix the Facebook problem. https://docs.iredmail.org/upgrade.iredmail.0.9.9-1.0.html#fixed-fix-improper-helo-rule-which-blocks-new-facebook-servers

Allow a larger attachment size. https://docs.iredmail.org/change.mail.attachment.size.html

Set the session timeout to 99999 min: https://forum.iredmail.org/topic8839-iredmail-support-howwhere-to-increase-timeout-session-via-roundcube.html

DNS record guide

https://docs.iredmail.org/setup.dns.html

Manual DKIM:

echo -n "v=DKIM1; p="
openssl rsa -in /root/.acme.sh/mail.recolic.net/mail.recolic.net.key  -pubout -outform der 2>/dev/null | openssl base64 -A

iredmail docker fresh deploy

YOU MUST CREATE /root/.acme.sh/mail.recolic.net/mail.recolic.net.key and /root/.acme.sh/mail.recolic.net/fullchain.cer BEFORE ANYTHING!


docker run -tid --privileged -p 3092:443 -p 110:110 -p 995:995 -p 143:143 -p 993:993 -p 25:25 -p 465:465 -p 587:587 -v /srv/iredmail/vmail:/var/vmail -v /srv/iredmail/mysql:/var/lib/mysql -v /srv/iredmail/clamav:/var/lib/clamav -v /root/.acme.sh/mail.recolic.net/mail.recolic.net.key:/etc/ssl/private/iRedMail.key:ro -v /root/.acme.sh/mail.recolic.net/fullchain.cer:/etc/ssl/certs/iRedMail.crt:ro -v /sys/fs/cgroup:/sys/fs/cgroup:ro --name rmail --hostname func.mail.recolic.net jrei/systemd-ubuntu /sbin/init
docker exec -ti rmail /bin/bash

In docker:

echo func.mail > /etc/hostname
echo 127.0.0.1 func.mail.recolic.net func.mail localhost localhost.localdomain >> /etc/hosts

apt update
apt install -y gzip vim wget rsyslog
systemctl enable rsyslog --now

wget https://github.com/iredmail/iRedMail/releases/download/1.3.1/iRedMail-1.3.1.tar.gz
tar -xvzf iRedMail-1.3.1.tar.gz ; rm iRedMail-1.3.1.tar.gz
cd iRedMail-* ; bash iRedMail.sh

NOW you have some interactive operations!

No need to edit the mail storage path.

recolic note: db password/postmaster password is genpasswd('mail.recolic.net', v4)

Would you like to use firewall rules by iRedMail? NO!

docker commit rmail 600163736385.dkr.ecr.us-west-2.amazonaws.com/mail.recolic.net-20.04
docker push 600163736385.dkr.ecr.us-west-2.amazonaws.com/mail.recolic.net-20.04

Do not delete the generated dir /srv/iredmail while building the image. You need /srv/iredmail/mysql as the template to migrate into.

Current Content

Minecraft 1.12, TerrafirmaCraft-TNG. Please download to see the mod pack.

It's completely ok to use your own Minecraft client. Just copy-paste my mods folder.

Join Server

  1. Download the client. Visit http://home.recolic-backend.xyz:81/games/ and search for minecraft112. Download the latest version. (If you don't know how to decompress it, use 7-Zip.)

  2. Start the game: HMCL.exe on Windows, or HMCL.jar on Linux/MacOS/Windows/BSD/...

  3. Server address: mc.recolic.net or mc.recolic.cc(If you're in P.R.China). Server location: Suzhou Unicom, PRC.

Problem:

The Win10 LTSC N build is too old; the Surface Laptop drivers cannot be installed.

Idea:

Open the .msi with Notepad++ and replace all text "17763" with your Win10 build number. Don't replace other "17763" occurrences in the binary...

Quick solution:

  1. Download me and me.

  2. Run SurfaceLaptop3_Win10_17763_316_bluescreen_but_works_20.020.4371.0.msi. You will get a bluescreen, but it works; reboot.

  3. Run SurfaceLaptop3_Win10_17763_20.020.4371.0.msi

  4. Done.

Shadowsocks

Check this: https://shadowsocks.org/en/download/clients.html

NOTE:

ArchLinux and Ubuntu users: install from your official repo:

# pacman -S shadowsocks
# apt install shadowsocks

For Chinese:

For iOS in the China region, Outline is recommended; install it quickly while it is still on the store. Just search the App Store for it.

ShadowsocksR

wiki

https://github.com/iMeiji/shadowsocks_install/wiki/ShadowsocksR-%E5%8D%8F%E8%AE%AE%E6%8F%92%E4%BB%B6%E6%96%87%E6%A1%A3

linux server/client

Use the manyuser branch.

https://github.com/shadowsocksr-backup/shadowsocksr

ArchLinux server/client

AUR shadowsocksr

Windows Client

https://github.com/shadowsocksrr/shadowsocksr-csharp/releases

Android client

https://github.com/shadowsocksr-backup/shadowsocksr-android/releases

v2ray

https://www.v2ray.com/en/awesome/tools.html

NOTE:

Ubuntu and ArchLinux users: you can install from your official repo:

# pacman -S v2ray
# apt install v2ray

OpenVPN

  • ArchLinux/Ubuntu:
# pacman -S openvpn
# apt install openvpn
  • Other Linux:

Try your package manager before referring to this webpage: https://openvpn.net/community-resources/installing-openvpn/

  • Windows:

PLEASE download OpenVPN community version!!!

https://openvpn.net/community-downloads/

Use "WINDOWS 64-BIT MSI INSTALLER" or "WINDOWS 32-BIT MSI INSTALLER"

  • Router: use Google.

udp2raw

  • ArchLinux

pacman -S udp2raw-tunnel

Ubuntu also has udp2raw in the apt repo.

  • Other Linux (including router):

https://github.com/wangyu-/udp2raw-tunnel

  • Other OS (windows/MacOS/BSD):

https://github.com/wangyu-/udp2raw-multiplatform

udp-forwarder-ex

https://github.com/recolic/udp-forwarder-ex

Notice: Domain Issue

recolic.net is ALWAYS my main domain, use it if possible.

However, recolic.net has been attacked by the P.R.China government since 2019.

"recolic.net" in all URLs can be replaced by "recolic.cc". Only use it as a workaround if you're fucked by the Chinese Great Firewall DNS pollution attack. Read more about this: https://recolic.net/

IPLC Proxy [NO HEAVY TRAFFIC]

Please login to view information. https://git.recolic.net/root/premium-proxy

Public Proxy Nodes [Allow Any Heavy Traffic]

USA/California and PRC/Hong Kong, Shadowsocks:

ss://chacha20-ietf-poly1305:recolic.fucking.cpc@base.us12.recolic.cc:25551
ss://chacha20-ietf-poly1305:recolic.fucking.cpc@base.hk2.recolic.cc:25551

Or encoded url:

ss://Y2hhY2hhMjAtaWV0Zi1wb2x5MTMwNTpyZWNvbGljLmZ1Y2tpbmcuY3BjQGJhc2UudXMxMi5yZWNvbGljLmNjOjI1NTUx#RECOLIC-US12
ss://Y2hhY2hhMjAtaWV0Zi1wb2x5MTMwNTpyZWNvbGljLmZ1Y2tpbmcuY3BjQGJhc2UuaGsyLnJlY29saWMuY2M6MjU1NTE#RECOLIC-HK2

Or QR code: [QR code images for the two nodes above]

We use AEAD methods to avoid being fucked. https://shadowsocks.org/en/spec/AEAD-Ciphers.html
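The encoded URLs above use the legacy ss:// layout, where the whole method:password@host:port string is base64; current clients also accept SIP002, where only method:password is base64url and the host is plain. The Python below is an added example, not the page's own code, that decodes both forms and flags nodes that do not use an AEAD cipher; it uses constructed placeholder nodes (node.example, 203.0.113.5, the password s3cret) rather than the real ones.

```python
import base64
from urllib.parse import unquote

# Added example (not the page's own code): parse both ss:// URL layouts.
#   legacy : ss://BASE64(method:password@host:port)#tag
#   SIP002 : ss://BASE64URL(method:password)@host:port[/?plugin=...]#tag
# Every node value in this file is a constructed placeholder.
AEAD_METHODS = {"chacha20-ietf-poly1305", "aes-128-gcm", "aes-192-gcm", "aes-256-gcm"}

def _b64decode(s: str) -> str:
    """Decode standard or URL-safe base64, with or without '=' padding."""
    s = s.replace("-", "+").replace("_", "/")
    return base64.b64decode(s + "=" * (-len(s) % 4)).decode("utf-8")

def parse_ss_url(url: str) -> dict:
    if not url.startswith("ss://"):
        raise ValueError("not an ss:// URL")
    body, _, tag = url[5:].partition("#")
    if "@" in body:                                   # SIP002: only userinfo is base64
        userinfo, _, hostport = body.rpartition("@")
        method, _, password = _b64decode(userinfo).partition(":")
    else:                                             # legacy: the whole body is base64
        method, _, rest = _b64decode(body).partition(":")
        password, _, hostport = rest.rpartition("@")  # password itself may contain '@'
    hostport = hostport.split("/")[0].split("?")[0]   # drop plugin parameters
    host, _, port = hostport.rpartition(":")
    return {"method": method, "password": password, "host": host.strip("[]"),
            "port": int(port), "tag": unquote(tag)}

def is_aead(cfg: dict) -> bool:
    """True when the node uses an authenticated (AEAD) cipher, as the page recommends."""
    return cfg["method"] in AEAD_METHODS

def make_legacy_url(method: str, password: str, host: str, port: int, tag: str = "") -> str:
    raw = f"{method}:{password}@{host}:{port}".encode("utf-8")
    url = "ss://" + base64.b64encode(raw).decode("ascii").rstrip("=")
    return url + ("#" + tag if tag else "")

def make_sip002_url(method: str, password: str, host: str, port: int, tag: str = "") -> str:
    userinfo = base64.urlsafe_b64encode(f"{method}:{password}".encode("utf-8"))
    url = "ss://" + userinfo.decode("ascii").rstrip("=") + f"@{host}:{port}"
    return url + ("#" + tag if tag else "")
```

Run is_aead on any node you import: a stream cipher such as rc4-md5 gives no integrity protection, which is the property the AEAD spec linked above exists to provide.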

Download Software

Refer to this article.

View realtime node status

https://recolic.net/status