ECH先遣服：搭建修改HTTPS记录的DoH服务，强制为Cloudflare CDN与Meta CDN开启ECH功能

[RememberOurPromise]

总之就是1小时22分速通GFW
直连CF网站、X、Facebook、Instagram、Threads、WhatsApp，当然不直连也行，通过代理时也能开ECH

前言

大概三个月前发现CF可以强制开ECH

一个多月前 @JonSnowWhite 在 #529 提到的论文

As discovered by Mücke et al. (https://dl.acm.org/doi/pdf/10.1145/3744969.3748401)

It is also possible to discover ECH configurations of TLS servers by handshaking with them using a non-valid ECH extension (https://www.ietf.org/archive/id/draft-ietf-tls-esni-25.html#section-6.1.6).

研究提出了一种如何探测 ECH 部署情况的方法，利用TLS的HelloRetryRequest来获取ECH配置，结果发现 Meta(Facebook) 正在偷偷测试 ECH ，并且没有在 HTTPS 记录中发布 ECH 配置，仅可以通过该方法获取

当时见到 FB 的几个 SNI 应该早就被封，过了一个月再看，发现有一个没被封，而且 FB 目前的测试 ECH 并没有轮换密钥AEj+DQBEAQAgACAdd+scUi0IYFsXnUIU7ko2Nd9+F8M26pAGZVpz/KrWPgAEAAEAAWQVZWNoLXB1YmxpYy5hdG1ldGEuY29tAAA=

那就容易了，结果一试，好家伙，Meta系也能强制ECH

既然过了一百天GFW都没封cloudflare-ech.com，还有白票怪的各种什么ECH workers，那么就有必要去利用它了

正片

之前尝试的方法，要么是采用MitM强制开启ECH，引入自签根证书的风险，要么是在本地路由的DNS服务上强制修改HTTPS记录，有一定的搭建成本

那么为什么不利用大善人的互联网基础设施直接搭建修改HTTPS记录的公共DoH服务呢？

等了辣么久还没人去搞，那么今天我来打个样

还是搭在Cloudflare Workers，

需求喂给LLM：
（其他Prompt略）

通过ip4/ip6参数传递CF优选IP
path不要用/dns-query
默认页面伪装404
Workers无法访问CF的IP段，采用Google的DoH服务
Chrome开启DoH后会并行查询A AAAA HTTPS记录，HTTPS记录仅用于获取alpn和ECH

ECH Fronting:
通过其他域名的HTTPS记录获取ECHconfig并修改
CF的ECHconfig从cloudflare-ech.com获取
Mata的ECHconfig目前固定为AEj+DQBEAQAgACAdd+scUi0IYFsXnUIU7ko2Nd9+F8M26pAGZVpz/KrWPgAEAAEAAWQVZWNoLXB1YmxpYy5hdG1ldGEuY29tAAA=

DNS记录的修改逻辑:
X会负载均衡到自有IP/fastly，且不支持IPv6访问，如果是X的域名则直接返回CF优选IP的A 记录，AAAA记录返回空，并且HTTPS记录采用CF ECH
查询 A AAAA 记录如果任意记录是 CF IP 则返回 CF 优选IP，否则直接转发
查询HTTPS记录时，向源DoH查询A和AAAA，如果有任意返回 CF IP 则转发CF ECH，如果有任意返回Meta IP，则转发固定alpn和Meta ECH

CF和Meta的IP段:
（参见geoip，略）

调研1小时，拷打 LLM 22分钟，部署workers，绑域名，就可以用了

打开Chrome浏览器，设置安全DNS，填写https://你绑定的域名/doh-ech-test?&ip4=104.18.10.118,104.18.11.118&ip6=2606:4700::6812:a76,2606:4700::6812:b76

可替换为优选IP，如果cloudflare-ech.com故障或CF让其不返回ECH，后面增加&ech=可以获取的域名，CF Free Plan站点都有ECH

吐槽一下Meta的IPv6都有一段face:b00c，真实写在脸上....

结论

就是提前体验ECH全面部署的状况，至少目前CF和Meta(一些IP)还是可以直连的，目前没有迹象表明CF会轮换outerSNI，当然压力全部给到outerSNI了

如果后续其他CDN跟进部署，也可以用上述的方法探测到ECHconfig，并自己添加HTTPS记录

因为没有用Meta系的东西，没测试是否所有Meta CDN的资源都能ECH直连，似乎是都可以
绕地球一圈回国测试直连太麻烦了吧

如果不直连也可利用ECH防止代理看到真实SNI，总之可以提升隐私保护

至于如果全面强制ECH的话，喜欢分流的同学，可能不喜欢ECH，但换个角度或许也是利好分流，规则更简单？一条ech.google就不会漏了？

欢迎各种ytber转载，给你们贡献收益，反正都是LLM写的

致敬一下直连老英雄们，在赛博大善人的帮助下，现在twitter.com真的可以直连了
也多亏各种标准和协议的推动，让GFW千疮百孔，希望明年ECH转正

祝大家新年快乐，２０２６年ＧＦＷ倒塌，谢谢大家！

[RememberOurPromise]

Gemini3写的有问题找他
AI辣鸡，随便转
建议用workers以及自己域名，别把pages.dev给搞死了

/**
 * Cloudflare Worker DoH
 * 逻辑：
 * 1. [Twitter/X 域名]: 完全本地伪造响应。A -> 优选IP; AAAA -> 空; HTTPS -> CF ECH。
 * 2. [Meta 域名]: 基于 IP 归属判定。A/AAAA -> 原始IP并去CNAME; HTTPS -> 固定 Meta ECH。
 * 3. [其他 CF 域名]: 基于 IP 归属判定。A/AAAA -> 优选IP; HTTPS -> 动态 CF ECH。
 */

const UPSTREAM_DNS = 'https://dns.google/dns-query';
const UPSTREAM_JSON = 'https://dns.google/resolve';
const API_PATH = '/doh-ech-test';

// --- Twitter / X 域名配置 ---
const TWITTER_DOMAINS = ["twimg.com", "twitter.com", "x.com", "t.co"];

// --- Meta 固定配置 ---
const META_ECH_CONFIG = "AEj+DQBEAQAgACAdd+scUi0IYFsXnUIU7ko2Nd9+F8M26pAGZVpz/KrWPgAEAAEAAWQVZWNoLXB1YmxpYy5hdG1ldGEuY29tAAA=";
const META_CIDRS = [
'31.13.24.0/21','31.13.64.0/18','45.64.40.0/22','57.141.0.0/24','57.141.2.0/23','57.141.4.0/22','57.141.8.0/21','57.141.16.0/23','57.144.0.0/14','66.220.144.0/20','69.63.176.0/20','69.171.224.0/19','74.119.76.0/22','102.132.96.0/20','102.132.112.0/24','102.132.114.0/23','102.132.116.0/23','102.132.119.0/24','102.132.120.0/23','102.132.123.0/24','102.132.125.0/24','102.132.126.0/23','102.221.188.0/22','103.4.96.0/22','129.134.0.0/17','129.134.130.0/24','129.134.135.0/24','129.134.136.0/22','129.134.140.0/24','129.134.143.0/24','129.134.144.0/24','129.134.147.0/24','129.134.148.0/23','129.134.154.0/23','129.134.156.0/22','129.134.160.0/22','129.134.164.0/23','129.134.168.0/21','129.134.176.0/20','129.134.194.0/24','157.240.0.0/17','157.240.128.0/23','157.240.131.0/24','157.240.132.0/24','157.240.134.0/24','157.240.136.0/23','157.240.139.0/24','157.240.156.0/23','157.240.159.0/24','157.240.169.0/24','157.240.175.0/24','157.240.177.0/24','157.240.179.0/24','157.240.181.0/24','157.240.182.0/23','157.240.184.0/21','157.240.192.0/18','163.70.128.0/17','163.77.132.0/23','163.77.136.0/23','163.114.128.0/20','173.252.64.0/18','179.60.192.0/22','185.60.216.0/22','185.89.216.0/22','199.201.64.0/22','204.15.20.0/22','2620:0:1c00::/40','2620:10d:c090::/44','2a03:2880::/32','2a03:2887:ff00::/48','2a03:2887:ff02::/48','2a03:2887:ff04::/46','2a03:2887:ff09::/48','2a03:2887:ff0a::/48','2a03:2887:ff1b::/48','2a03:2887:ff1c::/48','2a03:2887:ff1e::/48','2a03:2887:ff20::/48','2a03:2887:ff22::/47','2a03:2887:ff27::/48','2a03:2887:ff28::/46','2a03:2887:ff2f::/48','2a03:2887:ff30::/48','2a03:2887:ff33::/48','2a03:2887:ff37::/48','2a03:2887:ff38::/46','2a03:2887:ff3f::/48','2a03:2887:ff40::/46','2a03:2887:ff44::/47','2a03:2887:ff48::/46','2a03:2887:ff4d::/48','2a03:2887:ff4e::/47','2a03:2887:ff50::/45','2a03:2887:ff58::/47','2a03:2887:ff5a::/48','2a03:2887:ff5f::/48','2a03:2887:ff60::/48','2a03:2887:ff62::/47','2a03:2887:ff64::/46','2a03:2887:ff68::/47','2a03:2887:ff6a::/48','2a03:2887:ff70::/47','2c0f:ef78:3::/48','2c0f:ef78:5::/48','2c0f:ef78:9::/48','2c0f:ef78:c::/47','2c0f:ef78:e::/48','2c0f:ef78:10::/47'
];

// --- Cloudflare 配置 ---
const CF_CIDRS = [
'1.0.0.0/24','1.1.1.0/24','5.10.214.0/23','5.10.244.0/22','5.175.141.0/24','5.182.84.0/23','5.226.179.0/24','5.226.181.0/24','5.226.183.0/24','8.6.112.0/24','8.6.144.0/23','8.9.231.0/24','8.10.148.0/24','8.14.199.0/24','8.14.201.0/24','8.14.202.0/24','8.14.204.0/24','8.17.205.0/24','8.17.206.0/23','8.18.50.0/24','8.18.113.0/24','8.18.195.0/24','8.18.196.0/24','8.19.8.0/24','8.20.100.0/23','8.20.103.0/24','8.20.122.0/23','8.20.124.0/23','8.20.126.0/24','8.21.8.0/23','8.21.10.0/24','8.21.12.0/23','8.21.110.0/23','8.21.239.0/24','8.23.139.0/24','8.23.240.0/24','8.24.87.0/24','8.24.243.0/24','8.24.244.0/24','8.25.96.0/23','8.25.249.0/24','8.26.182.0/24','8.27.64.0/24','8.27.66.0/23','8.27.68.0/23','8.27.79.0/24','8.28.20.0/24','8.28.82.0/24','8.28.126.0/23','8.28.213.0/24','8.29.105.0/24','8.29.109.0/24','8.29.228.0/24','8.29.230.0/23','8.30.234.0/24','8.31.2.0/24','8.31.160.0/23','8.34.69.0/24','8.34.70.0/23','8.34.146.0/24','8.34.201.0/24','8.34.202.0/24','8.35.57.0/24','8.35.58.0/24','8.35.149.0/24','8.35.211.0/24','8.36.216.0/22','8.36.220.0/24','8.37.41.0/24','8.37.43.0/24','8.38.147.0/24','8.38.148.0/23','8.39.6.0/24','8.39.18.0/24','8.39.125.0/24','8.39.126.0/24','8.39.201.0/24','8.39.202.0/23','8.39.204.0/22','8.39.213.0/24','8.39.214.0/23','8.40.26.0/23','8.40.29.0/24','8.40.30.0/23','8.40.107.0/24','8.40.111.0/24','8.40.140.0/24','8.41.5.0/24','8.41.6.0/23','8.41.36.0/23','8.42.51.0/24','8.42.54.0/23','8.42.161.0/24','8.42.164.0/24','8.42.172.0/24','8.43.121.0/24','8.43.122.0/23','8.43.224.0/23','8.43.226.0/24','8.44.2.0/24','8.44.6.0/24','8.44.60.0/24','8.44.62.0/23','8.45.41.0/24','8.45.43.0/24','8.45.44.0/22','8.45.97.0/24','8.45.100.0/23','8.45.102.0/24','8.45.108.0/24','8.45.111.0/24','8.45.145.0/24','8.45.146.0/23','8.46.113.0/24','8.46.115.0/24','8.46.117.0/24','8.46.118.0/23','8.47.9.0/24','8.47.12.0/23','8.47.15.0/24','8.47.69.0/24','8.47.71.0/24','8.48.130.0/23','8.48.132.0/23','8.48.134.0/24','14.102.228.0/23','23.131.204.0/24','23.145.136.0/24','23.145.152.0/24','23.145.232.0/24','23.145.248.0/24','23.167.152.0/24','23.178.112.0/24','23.179.248.0/24','23.180.136.0/24','23.227.37.0/24','23.227.38.0/23','23.227.48.0/23','23.227.60.0/24','23.247.163.0/24','25.25.25.0/24','25.26.27.0/24','25.129.196.0/22','27.50.48.0/23','31.12.75.0/24','31.43.179.0/24','31.185.108.0/24','37.153.171.0/24','38.96.28.0/23','44.31.142.0/24','45.8.211.0/24','45.12.30.0/23','45.80.108.0/24','45.80.110.0/23','45.81.58.0/24','45.85.118.0/23','45.95.241.0/24','45.128.76.0/24','45.130.125.0/24','45.131.4.0/22','45.131.208.0/22','45.135.235.0/24','45.142.120.0/24','45.146.201.0/24','45.149.12.0/24','45.153.7.0/24','45.157.17.0/24','45.192.222.0/23','45.192.224.0/24','45.194.11.0/24','45.194.53.0/24','45.195.14.0/24','45.196.29.0/24','45.199.183.0/24','45.202.113.0/24','45.205.0.0/24','45.250.154.0/23','46.202.30.0/24','46.254.92.0/23','49.213.44.0/24','49.238.236.0/22','61.32.240.0/24','62.72.166.0/24','62.146.255.0/24','62.169.155.0/24','64.40.138.0/24','64.40.140.0/24','64.69.24.0/23','64.239.31.0/24','65.110.63.0/24','65.205.150.0/24','66.45.118.0/24','66.71.220.0/24','66.81.247.0/24','66.81.255.0/24','66.84.82.0/24','66.93.178.0/24','66.94.32.0/20','66.203.249.0/24','66.225.252.0/24','66.235.200.0/24','68.169.48.0/20','68.182.187.0/24','69.48.218.0/24','69.89.0.0/20','69.90.210.0/24','72.52.113.0/24','74.49.214.0/23','74.204.59.0/24','74.205.180.0/24','77.37.33.0/24','77.74.228.0/24','77.75.199.0/24','77.105.163.0/24','77.111.106.0/24','77.232.140.0/24','78.128.122.0/24','80.93.202.0/24','82.21.82.0/24','82.22.16.0/24','82.26.156.0/24','82.118.242.0/24','82.139.216.0/23','83.118.224.0/22','86.38.214.0/24','86.38.251.0/24','87.229.48.0/24','88.216.66.0/23','88.216.69.0/24','89.47.56.0/23','89.106.90.0/24','89.116.46.0/24','89.116.161.0/24','89.116.180.0/24','89.116.250.0/24','89.117.112.0/24','89.207.18.0/24','89.249.200.0/24','91.124.127.0/24','91.192.106.0/24','91.193.58.0/23','91.199.81.0/24','91.206.71.0/24','91.209.253.0/24','92.53.188.0/22','92.60.74.0/24','92.243.74.0/23','93.114.64.0/23','93.115.102.0/24','94.140.0.0/24','94.156.10.0/24','94.247.142.0/24','96.43.100.0/23','102.132.188.0/24','102.177.176.0/24','102.177.189.0/24','103.11.212.0/24','103.11.214.0/24','103.15.85.0/24','103.19.144.0/23','103.21.244.0/22','103.22.200.0/22','103.31.4.0/22','103.31.79.0/24','103.81.228.0/24','103.112.176.0/24','103.116.7.0/24','103.121.59.0/24','103.133.1.0/24','103.135.208.0/23','103.169.142.0/24','103.172.110.0/23','103.186.74.0/24','103.198.92.0/24','103.204.13.0/24','103.215.22.0/24','103.219.64.0/22','103.245.228.0/23','104.16.0.0/13','104.24.0.0/14','104.28.0.0/16','104.29.0.0/21','104.29.8.0/23','104.29.11.0/24','104.29.12.0/22','104.29.16.0/23','104.29.19.0/24','104.29.20.0/22','104.29.24.0/21','104.29.32.0/24','104.29.34.0/23','104.29.36.0/22','104.29.40.0/22','104.29.44.0/23','104.29.47.0/24','104.29.48.0/23','104.29.50.0/24','104.29.52.0/22','104.29.57.0/24','104.29.59.0/24','104.29.61.0/24','104.29.62.0/23','104.29.64.0/23','104.29.67.0/24','104.29.68.0/22','104.29.72.0/21','104.29.80.0/23','104.29.82.0/24','104.29.85.0/24','104.29.86.0/24','104.29.88.0/21','104.29.96.0/22','104.29.100.0/23','104.29.102.0/24','104.29.104.0/21','104.29.112.0/22','104.29.116.0/23','104.29.121.0/24','104.29.122.0/23','104.29.124.0/22','104.29.128.0/18','104.30.0.0/19','104.30.32.0/23','104.30.128.0/23','104.30.132.0/22','104.30.136.0/23','104.30.144.0/21','104.30.160.0/19','104.31.0.0/21','104.31.16.0/22','104.31.20.0/24','104.36.195.0/24','104.129.164.0/22','104.156.176.0/23','104.165.248.0/24','104.234.239.0/24','104.239.72.0/24','104.254.140.0/24','108.162.192.0/18','108.165.152.0/24','108.165.216.0/24','109.234.211.0/24','114.129.43.0/24','123.108.75.0/24','130.108.73.0/24','130.108.104.0/23','130.108.121.0/24','130.108.253.0/24','131.0.72.0/22','131.167.255.0/24','136.143.138.0/24','137.66.96.0/24','138.5.248.0/24','138.226.234.0/24','138.249.21.0/24','139.64.234.0/23','140.99.233.0/24','141.11.202.0/23','141.101.64.0/18','141.193.213.0/24','143.14.224.0/24','143.14.229.0/24','143.14.251.0/24','143.20.247.0/24','144.124.211.0/24','147.78.140.0/24','147.185.161.0/24','148.227.167.0/24','150.48.128.0/18','151.243.128.0/22','151.243.133.0/24','151.246.216.0/23','152.114.0.0/17','152.114.128.0/18','154.51.129.0/24','154.51.160.0/24','154.62.129.0/24','154.81.141.0/24','154.83.2.0/24','154.83.22.0/23','154.83.30.0/24','154.84.14.0/23','154.84.16.0/24','154.84.18.0/24','154.84.20.0/23','154.84.24.0/24','154.84.26.0/23','154.90.70.0/24','154.92.9.0/24','154.193.133.0/24','154.193.184.0/24','154.194.12.0/24','154.194.225.0/24','154.197.64.0/23','154.197.75.0/24','154.197.80.0/24','154.197.88.0/24','154.197.108.0/24','154.197.121.0/24','154.198.173.0/24','154.200.89.0/24','154.202.89.0/24','154.206.12.0/24','154.207.77.0/24','154.207.79.0/24','154.207.127.0/24','154.207.189.0/24','154.207.252.0/23','154.211.8.0/24','154.218.15.0/24','154.219.5.0/24','154.223.134.0/23','155.46.167.0/24','155.46.213.0/24','156.224.73.0/24','156.225.72.0/24','156.243.83.0/24','156.243.246.0/24','156.246.69.0/24','156.246.70.0/24','156.252.2.0/23','156.255.123.0/24','158.94.212.0/24','159.112.235.0/24','159.242.242.0/24','159.246.55.0/24','160.153.0.0/24','161.248.134.0/23','162.44.32.0/22','162.44.118.0/23','162.44.208.0/23','162.120.94.0/24','162.158.0.0/15','162.251.82.0/24','162.251.205.0/24','164.38.155.0/24','164.77.28.0/23','165.101.60.0/23','167.1.137.0/24','167.1.148.0/23','167.1.150.0/24','167.1.181.0/24','167.68.4.0/23','167.68.11.0/24','167.68.42.0/24','167.74.94.0/23','167.74.130.0/24','169.40.133.0/24','169.197.101.0/24','170.114.45.0/24','170.114.46.0/24','170.114.52.0/24','170.114.78.0/24','170.168.7.0/24','170.176.152.0/24','170.176.163.0/24','172.64.0.0/13','172.83.72.0/23','172.83.76.0/24','173.0.92.0/24','173.245.48.0/20','176.103.113.0/24','176.124.223.0/24','176.126.206.0/23','178.94.249.0/24','178.211.142.0/24','178.213.76.0/24','181.214.1.0/24','182.23.210.0/24','184.174.80.0/24','185.7.190.0/23','185.7.240.0/24','185.18.184.0/24','185.18.250.0/24','185.29.76.0/24','185.38.25.0/24','185.38.135.0/24','185.60.251.0/24','185.122.0.0/24','185.126.66.0/24','185.132.85.0/24','185.132.86.0/23','185.133.172.0/24','185.135.9.0/24','185.146.172.0/23','185.148.104.0/22','185.149.135.0/24','185.156.19.0/24','185.158.133.0/24','185.159.247.0/24','185.162.228.0/22','185.170.166.0/24','185.176.24.0/24','185.176.26.0/24','185.178.196.0/22','185.193.28.0/22','185.207.92.0/24','185.207.196.0/22','185.209.154.0/24','185.229.206.0/24','185.238.228.0/24','185.251.80.0/23','188.42.88.0/23','188.42.98.0/24','188.42.145.0/24','188.95.12.0/24','188.114.96.0/20','188.164.158.0/23','188.164.248.0/24','188.244.122.0/24','190.93.240.0/20','192.65.217.0/24','192.71.82.0/24','192.86.150.0/24','192.103.56.0/24','192.133.11.0/24','192.152.138.0/24','192.236.26.0/24','193.8.237.0/24','193.9.49.0/24','193.16.63.0/24','193.17.206.0/24','193.67.144.0/24','193.124.18.0/24','193.124.224.0/24','193.162.35.0/24','193.202.90.0/24','193.227.99.0/24','193.233.21.0/24','193.233.132.0/24','194.1.194.0/24','194.26.68.0/24','194.36.49.0/24','194.36.55.0/24','194.39.112.0/21','194.41.114.0/24','194.53.53.0/24','194.59.5.0/24','194.113.223.0/24','194.152.44.0/24','194.169.194.0/24','195.26.229.0/24','195.28.190.0/23','195.82.109.0/24','195.85.23.0/24','195.85.59.0/24','195.189.177.0/24','195.242.122.0/23','195.245.221.0/24','195.250.46.0/24','196.13.241.0/24','196.207.45.0/24','197.234.240.0/22','198.41.128.0/17','198.177.56.0/23','198.202.211.0/24','198.217.251.0/24','198.252.206.0/24','199.5.242.0/24','199.27.128.0/21','199.33.230.0/23','199.33.232.0/23','199.60.103.0/24','199.181.197.0/24','200.73.67.0/24','202.27.69.0/24','202.82.250.0/24','203.6.66.0/24','203.6.74.0/24','203.13.32.0/24','203.17.126.0/24','203.19.222.0/24','203.22.223.0/24','203.22.241.0/24','203.23.103.0/24','203.23.104.0/24','203.23.106.0/24','203.24.102.0/23','203.24.108.0/23','203.28.8.0/23','203.29.52.0/22','203.30.188.0/22','203.32.120.0/23','203.34.28.0/24','203.34.80.0/24','203.55.107.0/24','203.89.5.0/24','203.168.128.0/22','203.168.192.0/20','204.62.141.0/24','204.68.111.0/24','204.69.207.0/24','204.153.16.0/24','204.195.192.0/18','205.233.181.0/24','207.189.149.0/24','208.42.188.0/24','208.77.33.0/24','208.77.35.0/24','208.88.71.0/24','208.100.60.0/24','209.46.30.0/24','209.55.226.0/24','209.55.232.0/24','209.55.234.0/24','209.55.246.0/23','209.55.253.0/24','209.55.254.0/24','209.222.114.0/23','212.6.39.0/24','212.22.76.0/24','212.104.128.0/24','212.239.86.0/24','213.182.199.0/24','213.219.247.0/24','213.241.198.0/24','216.19.107.0/24','216.74.106.0/24','216.120.131.0/24','216.120.180.0/23','216.154.208.0/20','216.163.179.0/24','216.198.53.0/24','216.198.54.0/24','216.205.52.0/24','216.224.121.0/24','223.27.176.0/23','2001:503:ff40::/46','2001:678:19c::/48','2001:df7:6e80::/48','2400:c760:a::/48','2400:cb00::/32','2405:8100::/32','2405:b500::/32','2407:30c0:180::/46','2602:80c:cf::/48','2602:f660::/40','2602:f830::/48','2606:2c0:20::/47','2606:2c40::/48','2606:4700::/32','2606:54c0::/32','2606:54c1::/48','2606:54c1:2::/47','2606:54c1:6::/47','2606:54c1:8::/46','2606:54c1:c::/47','2606:54c1:10::/46','2606:54c2::/47','2606:54c2:2::/48','2606:54c3::/45','2606:ae80:10::/48','2607:8940:2000::/35','2607:9240:201::/48','2607:9240:202::/47','2620:78:200f::/48','2620:cb:2000::/48','2620:117:bfb0::/44','2620:127:f00c::/46','2620:12c:90af::/48','2620:132:1000::/48','2803:f800::/32','2a02:d21:20::/44','2a03:f940::/48','2a05:7880::/32','2a06:98c0::/29','2a06:9ac0::/32','2a07:180::/32','2a08:600::/48','2a08:600:e0::/47','2a08:600:ee::/47','2a08:600:ff::/48','2a09:bac0:4::/48','2a09:bac0:11::/48','2a09:bac0:12::/48','2a09:bac0:14::/46','2a09:bac0:19::/48','2a09:bac0:20::/46','2a09:bac0:26::/47','2a09:bac0:28::/47','2a09:bac0:31::/48','2a09:bac0:34::/47','2a09:bac0:38::/47','2a09:bac0:40::/48','2a09:bac0:43::/48','2a09:bac0:44::/47','2a09:bac0:47::/48','2a09:bac0:48::/47','2a09:bac0:50::/48','2a09:bac0:52::/48','2a09:bac0:54::/48','2a09:bac0:57::/48','2a09:bac0:59::/48','2a09:bac0:63::/48','2a09:bac0:64::/46','2a09:bac0:68::/47','2a09:bac0:70::/46','2a09:bac0:74::/47','2a09:bac0:78::/47','2a09:bac0:80::/47','2a09:bac0:83::/48','2a09:bac0:84::/47','2a09:bac0:87::/48','2a09:bac0:88::/47','2a09:bac0:94::/48','2a09:bac0:96::/47','2a09:bac0:98::/48','2a09:bac0:100::/48','2a09:bac0:102::/47','2a09:bac0:106::/47','2a09:bac0:109::/48','2a09:bac0:113::/48','2a09:bac0:114::/47','2a09:bac0:116::/48','2a09:bac0:119::/48','2a09:bac0:120::/47','2a09:bac0:123::/48','2a09:bac0:124::/47','2a09:bac0:128::/48','2a09:bac0:130::/48','2a09:bac0:132::/48','2a09:bac0:134::/48','2a09:bac0:136::/47','2a09:bac0:138::/48','2a09:bac0:143::/48','2a09:bac0:145::/48','2a09:bac0:149::/48','2a09:bac0:151::/48','2a09:bac0:152::/47','2a09:bac0:154::/47','2a09:bac0:156::/48','2a09:bac0:158::/47','2a09:bac0:160::/48','2a09:bac0:162::/48','2a09:bac0:165::/48','2a09:bac0:166::/47','2a09:bac0:168::/47','2a09:bac0:172::/48','2a09:bac0:174::/48','2a09:bac0:181::/48','2a09:bac0:185::/48','2a09:bac0:192::/47','2a09:bac0:194::/48','2a09:bac0:196::/47','2a09:bac0:199::/48','2a09:bac0:202::/47','2a09:bac0:212::/48','2a09:bac0:216::/47','2a09:bac0:218::/48','2a09:bac0:227::/48','2a09:bac0:228::/48','2a09:bac0:237::/48','2a09:bac0:243::/48','2a09:bac0:246::/48','2a09:bac0:254::/48','2a09:bac0:268::/47','2a09:bac0:270::/48','2a09:bac0:275::/48','2a09:bac0:281::/48','2a09:bac0:282::/47','2a09:bac0:284::/47','2a09:bac0:298::/47','2a09:bac0:301::/48','2a09:bac0:337::/48','2a09:bac0:338::/47','2a09:bac0:341::/48','2a09:bac0:343::/48','2a09:bac0:346::/48','2a09:bac0:352::/48','2a09:bac0:358::/48','2a09:bac0:360::/48','2a09:bac0:374::/48','2a09:bac0:376::/48','2a09:bac0:380::/47','2a09:bac0:382::/48','2a09:bac0:384::/47','2a09:bac0:388::/48','2a09:bac0:390::/47','2a09:bac0:393::/48','2a09:bac0:403::/48','2a09:bac0:404::/48','2a09:bac0:407::/48','2a09:bac0:408::/48','2a09:bac0:411::/48','2a09:bac0:412::/48','2a09:bac0:423::/48','2a09:bac0:428::/48','2a09:bac0:431::/48','2a09:bac0:439::/48','2a09:bac0:441::/48','2a09:bac0:445::/48','2a09:bac0:448::/48','2a09:bac0:450::/48','2a09:bac0:453::/48','2a09:bac0:455::/48','2a09:bac0:458::/48','2a09:bac0:462::/48','2a09:bac0:464::/48','2a09:bac0:466::/47','2a09:bac0:470::/48','2a09:bac0:472::/48','2a09:bac0:476::/47','2a09:bac0:478::/48','2a09:bac0:481::/48','2a09:bac0:483::/48','2a09:bac0:485::/48','2a09:bac0:497::/48','2a09:bac0:507::/48','2a09:bac0:522::/47','2a09:bac0:525::/48','2a09:bac0:532::/47','2a09:bac0:534::/48','2a09:bac0:537::/48','2a09:bac0:538::/48','2a09:bac0:542::/47','2a09:bac0:557::/48','2a09:bac0:558::/47','2a09:bac0:566::/47','2a09:bac0:572::/47','2a09:bac0:574::/48','2a09:bac0:581::/48','2a09:bac0:582::/47','2a09:bac0:594::/48','2a09:bac0:597::/48','2a09:bac0:598::/48','2a09:bac0:601::/48','2a09:bac0:612::/48','2a09:bac0:618::/47','2a09:bac0:626::/48','2a09:bac0:631::/48','2a09:bac0:632::/47','2a09:bac0:636::/47','2a09:bac0:641::/48','2a09:bac0:646::/48','2a09:bac0:649::/48','2a09:bac0:650::/48','2a09:bac0:658::/48','2a09:bac0:663::/48','2a09:bac0:670::/48','2a09:bac0:677::/48','2a09:bac0:679::/48','2a09:bac0:684::/48','2a09:bac0:694::/48','2a09:bac0:704::/48','2a09:bac0:711::/48','2a09:bac0:712::/48','2a09:bac0:719::/48','2a09:bac0:721::/48','2a09:bac0:724::/47','2a09:bac0:735::/48','2a09:bac0:745::/48','2a09:bac0:748::/48','2a09:bac0:920::/48','2a09:bac0:1000::/47','2a09:bac0:1008::/45','2a09:bac1::/32','2a09:bac2::/31','2a09:bac4::/30','2a0a:6c80::/29','2a0b:4144::/48','2a0b:85c7:ffff::/48','2a13:9500:3e::/48','2a14:7ac0::/48','2a14:a087::/47','2c0f:f248::/32'
];

export default {
  async fetch(request, env, ctx) {
    const url = new URL(request.url);
    if (url.pathname !== API_PATH) return new Response(null, { status: 404 });

    const config = {
      ip4: url.searchParams.get('ip4'),
      ip6: url.searchParams.get('ip6'),
      echDomain: url.searchParams.get('ech') || 'cloudflare-ech.com'
    };

    if (request.method === 'POST') {
      const rawBuffer = await request.arrayBuffer();
      return await handleDnsQuery(rawBuffer, config);
    }
    return new Response(null, { status: 404 });
  }
};

async function handleDnsQuery(rawBuffer, config) {
  const query = parseDnsPacket(rawBuffer);
  if (!query || query.questions.length === 0) return forwardQuery(rawBuffer);

  const { id, questions } = query;
  const qType = questions[0].type;
  const qName = questions[0].name.toLowerCase().replace(/\.$/, "");

  // --- 1. Twitter/X 域名短路逻辑 ---
  const isTwitter = TWITTER_DOMAINS.some(d => qName === d || qName.endsWith("." + d));
  
  if (isTwitter) {
    // HTTPS (65): 直接注入 CF ECH
    if (qType === 65) {
      const echRdata = await fetchCleanEchRdata(config);
      if (echRdata) {
        return dnsResponse(createMultiAnsResponse(id, qName, 65, [echRdata]));
      }
    }
    // A (1): 强制返回优选 IP
    if (qType === 1) {
      if (config.ip4) {
        const rds = config.ip4.split(',').map(ipToBytes);
        return dnsResponse(createMultiAnsResponse(id, qName, 1, rds));
      }
    }
    // AAAA (28): 强制返回空 (防止走非优选 IPv6)
    if (qType === 28) {
      return dnsResponse(createMultiAnsResponse(id, qName, 28, [], 3600)); // 只有 Question 没有 Answer 的标准空响应
    }
    // 其他记录 (如 TXT/MX) 转发上游
    return forwardQuery(rawBuffer);
  }

  // --- 2. Meta 及其他域名的 IP 判定逻辑 ---
  if (qType === 65) {
    const [originalHttpsBuf, owner, echRdataCf] = await Promise.all([
      forwardQuery(rawBuffer).then(res => res.arrayBuffer()),
      resolveAndCheckOwner(qName),
      fetchCleanEchRdata(config)
    ]);

    if (owner === 'META') {
      const echRdata = packHttpsParams(1, ".", [{ key: 'alpn', val: 'h3,h2,http/1.1' }, { key: 'ech', val: META_ECH_CONFIG }]);
      return dnsResponse(createMultiAnsResponse(id, qName, 65, [echRdata], 111));
    }
    if (owner === 'CF' && echRdataCf) {
      return dnsResponse(createMultiAnsResponse(id, qName, 65, [echRdataCf]));
    }
    return dnsResponse(originalHttpsBuf);
  }

  if (qType === 1 || qType === 28) {
    const upstreamRes = await forwardQuery(rawBuffer);
    const upstreamBuf = await upstreamRes.arrayBuffer();
    const ips = extractIpsFromPacket(upstreamBuf);
    
    let owner = null;
    for (const ip of ips) {
      if (ipInCidrs(ip, META_CIDRS)) { owner = 'META'; break; }
      if (ipInCidrs(ip, CF_CIDRS)) { owner = 'CF'; break; }
    }

    if (owner === 'META') {
      const rawIps = qType === 1 ? ips.filter(ip => !ip.includes(':')).map(ipToBytes) : ips.filter(ip => ip.includes(':')).map(ipv6ToBytes);
      if (rawIps.length > 0) return dnsResponse(createMultiAnsResponse(id, qName, qType, rawIps, 300));
    }

    if (owner === 'CF') {
      let replaceIps = (qType === 1 && config.ip4) ? config.ip4.split(',').map(ipToBytes) : (qType === 28 && config.ip6) ? config.ip6.split(',').map(ipv6ToBytes) : null;
      if (replaceIps) return dnsResponse(createMultiAnsResponse(id, qName, qType, replaceIps));
    }

    return dnsResponse(upstreamBuf);
  }

  return forwardQuery(rawBuffer);
}

// --- 封装响应 ---
function dnsResponse(buffer) {
  return new Response(buffer, { headers: { 'Content-Type': 'application/dns-message', 'Access-Control-Allow-Origin': '*' } });
}

// --- 并发检测函数 ---
async function resolveAndCheckOwner(name) {
  try {
    const [res4, res6] = await Promise.all([
      fetch(`${UPSTREAM_JSON}?name=${name}&type=1`).then(r => r.json()),
      fetch(`${UPSTREAM_JSON}?name=${name}&type=28`).then(r => r.json())
    ]);
    const ips = [...(res4.Answer || []), ...(res6.Answer || [])].map(a => a.data);
    for (const ip of ips) {
      if (ipInCidrs(ip, META_CIDRS)) return 'META';
      if (ipInCidrs(ip, CF_CIDRS)) return 'CF';
    }
  } catch (e) {}
  return null;
}

// --- 基础工具函数 (保持不变) ---
function ipInCidrs(ip, cidrList) {
  return cidrList.some(cidr => {
    try {
      const [range, bits] = cidr.split('/');
      const mask = parseInt(bits, 10);
      if (ip.includes(':')) {
        const iB = ipv6ToBigInt(ip), rB = ipv6ToBigInt(range);
        return (iB ^ rB) >> (128n - BigInt(mask)) === 0n;
      } else {
        const iL = ipToLong(ip), rL = ipToLong(range);
        return (iL ^ rL) >>> (32 - mask) === 0;
      }
    } catch(e) {}
    return false;
  });
}

function createMultiAnsResponse(id, qn, qt, rds, ttl = 3600) {
  const encodedName = encodeDnsName(qn);
  let totalLen = 12 + encodedName.length + 4;
  rds.forEach(r => totalLen += 12 + r.length); 
  const buf = new Uint8Array(totalLen); const v = new DataView(buf.buffer);
  v.setUint16(0, id); v.setUint16(2, 0x8180); v.setUint16(4, 1); v.setUint16(6, rds.length);
  let offset = 12; buf.set(encodedName, offset); offset += encodedName.length;
  v.setUint16(offset, qt); offset += 2; v.setUint16(offset, 1); offset += 2;
  rds.forEach(r => {
    v.setUint16(offset, 0xC00C); offset += 2; v.setUint16(offset, qt); offset += 2;
    v.setUint16(offset, 1); offset += 2; v.setUint32(offset, ttl); offset += 4;
    v.setUint16(offset, r.length); offset += 2; buf.set(r, offset); offset += r.length;
  });
  return buf.buffer;
}

function packHttpsParams(priority, target, params) {
  const targetBuf = target === "." ? new Uint8Array([0]) : encodeDnsName(target);
  const paramBufs = params.map(p => encodeSvcParam(p.key, p.val)).filter(b => b);
  paramBufs.sort((a, b) => new DataView(a.buffer).getUint16(0) - new DataView(b.buffer).getUint16(0));
  let totalLen = 2 + targetBuf.length; paramBufs.forEach(b => totalLen += b.length);
  const res = new Uint8Array(totalLen); const v = new DataView(res.buffer);
  v.setUint16(0, priority); res.set(targetBuf, 2);
  let offset = 2 + targetBuf.length; paramBufs.forEach(b => { res.set(b, offset); offset += b.length; });
  return res;
}

function encodeSvcParam(key, value) {
  const ids = { 'alpn': 1, 'ech': 5 }; const id = ids[key]; if (!id) return null;
  let valBuf;
  if (key === 'alpn') {
    const parts = value.split(','); valBuf = new Uint8Array(parts.reduce((a, b) => a + b.length + 1, 0));
    let o = 0; for (const p of parts) { valBuf[o++] = p.length; for (let i = 0; i < p.length; i++) valBuf[o++] = p.charCodeAt(i); }
  } else {
    const s = atob(value.replace(/-/g, '+').replace(/_/g, '/'));
    valBuf = new Uint8Array(s.length); for (let i = 0; i < s.length; i++) valBuf[i] = s.charCodeAt(i);
  }
  const res = new Uint8Array(4 + valBuf.length); const v = new DataView(res.buffer);
  v.setUint16(0, id); v.setUint16(2, valBuf.length); res.set(valBuf, 4); return res;
}

function encodeDnsName(domain) {
  const parts = domain.split('.'); const buf = new Uint8Array(domain.length + 2);
  let offset = 0; for (const part of parts) { buf[offset++] = part.length; for (let i = 0; i < part.length; i++) buf[offset++] = part.charCodeAt(i); }
  buf[offset++] = 0; return buf.slice(0, offset);
}

function parseDnsPacket(buf) {
  const v = new DataView(buf); if (buf.byteLength < 12) return null;
  let offset = 12; const labels = [];
  while (offset < buf.byteLength) {
    const len = v.getUint8(offset); if (len === 0) { offset++; break; }
    if ((len & 0xC0) === 0xC0) { offset += 2; break; }
    offset++; labels.push(new TextDecoder().decode(buf.slice(offset, offset + len))); offset += len;
  }
  const qt = v.getUint16(offset);
  return { id: v.getUint16(0), questions: [{ name: labels.join('.'), type: qt }] };
}

function extractIpsFromPacket(buffer) {
  const ips = []; const view = new DataView(buffer); if (buffer.byteLength < 12) return [];
  const ancount = view.getUint16(6); let offset = 12;
  try {
    for (let i = 0; i < view.getUint16(4); i++) {
      while (view.getUint8(offset) !== 0) { if ((view.getUint8(offset) & 0xC0) === 0xC0) { offset += 1; break; } offset += view.getUint8(offset) + 1; }
      offset += 5;
    }
    for (let i = 0; i < ancount; i++) {
      while (view.getUint8(offset) !== 0) { if ((view.getUint8(offset) & 0xC0) === 0xC0) { offset += 1; break; } offset += view.getUint8(offset) + 1; }
      offset += 1; const type = view.getUint16(offset); offset += 8; const rdlen = view.getUint16(offset); offset += 2;
      if (type === 1 && rdlen === 4) ips.push(Array.from(new Uint8Array(buffer.slice(offset, offset + 4))).join('.'));
      else if (type === 28 && rdlen === 16) {
        const v6 = new Uint8Array(buffer.slice(offset, offset + 16)); let s = "";
        for(let j=0; j<16; j+=2) s += ((v6[j]<<8)|v6[j+1]).toString(16) + (j===14?"":":");
        ips.push(s);
      }
      offset += rdlen;
    }
  } catch(e) {} return ips;
}

async function fetchCleanEchRdata(config) {
  try {
    const res = await fetch(`${UPSTREAM_JSON}?name=${config.echDomain}&type=65`);
    const data = await res.json();
    if (data.Status === 0 && data.Answer) {
      const ans = data.Answer.find(a => a.type === 65);
      if (!ans || ans.data.startsWith('\\#')) return null;
      const parts = ans.data.split(/\s+/); const params = [];
      for (let i = 2; i < parts.length; i++) { if (parts[i].includes('=')) { const [k, v] = parts[i].split('='); if (k === 'alpn' || k === 'ech') params.push({ key: k, val: v }); } }
      return packHttpsParams(parseInt(parts[0]), parts[1], params);
    }
  } catch (e) {} return null;
}

function forwardQuery(body) { return fetch(UPSTREAM_DNS, { method: 'POST', headers: { 'Content-Type': 'application/dns-message' }, body }); }
function ipToLong(ip) { return ip.split('.').reduce((a, b) => (a << 8) + parseInt(b, 10), 0) >>> 0; }
function ipv6ToBigInt(ip) {
  let p = ip.split(':'); if (ip.includes('::')) { const [f, s] = ip.split('::'), fP = f ? f.split(':') : [], sP = s ? s.split(':') : []; p = [...fP, ...Array(8 - fP.length - sP.length).fill('0'), ...sP]; }
  return p.reduce((a, b) => (a << 16n) + BigInt(parseInt(b || '0', 16)), 0n);
}
function ipToBytes(ip) { return new Uint8Array(ip.split('.').map(Number)); }
function ipv6ToBytes(ip) {
  let p = ip.split(':'); if (ip.includes('::')) { const [l, r] = ip.split('::'), lp = l ? l.split(':') : [], rp = r ? r.split(':') : []; p = [...lp, ...Array(8 - lp.length - rp.length).fill('0'), ...rp]; }
  const b = new Uint8Array(16); p.forEach((v, i) => { const val = parseInt(v, 16) || 0; b[i * 2] = val >> 8; b[i * 2 + 1] = val & 0xFF; });
  return b;
}

[Fangliding]

HelloRetryRequest 获取ECH Config我早就知道了 甚至去IETF讨论过 不过因为隐私问题被禁止 所以这事作罢了
cloudflare-ech.com 没被封因为CF绑架了一大堆CF网站都用它 这个ech-public.atmeta.com没理由不毙掉它 不过毕竟小众所以不知道能用多久

[RememberOurPromise]

风扇大佬🙇

[Kc2353]

@RememberOurPromise
大佬，请问有没有测试某个网站是否开启的方法？
能否提供一下测试脚本？
如果我想测国内有没有这种先遣服，应该如何修改？（假设我想测固定几个网址域名是否支持ECH）
如果有其他知道的也可以(在这里)回复一下，谢谢了！
edit：
（试了一下，无梯上X！（不过资源加载异常，悲，直接用是没法用，登录可以正常保持），个人只是把edge浏览器的DoH 和 ECH打开了)

[RememberOurPromise]

直连适合冲塔爱好者，确定知晓风险再去尝试噢..
而且直连是中国IP，什么都解锁不了噢..
用代理也是可以用ECH的

测试某个网站是否开启的方法

简单的方法就是看DNS HTTPS记录有没有ech=
但是存在例外，上述facebook测试阶段就不在DNS发布ech，方法这里有描述，直接AI写一个工具就行
不想整工具也可以给浏览器请求目标站点HTTPS记录时提供无效的ech值然后访问目标站点wireshark抓包再导入SSLKEY过滤一下tls.handshake.extension.type == 65037
openssl有专门测试ech的分支

国内站不用试了，在墙内连墙内站，ECH毫无意义，并不能保证隐私
国内真的会部署吗？ech.bilibili.com有什么意义.. 还是说大家outerSNI都用gov.cn？XD

资源加载异常

浏览器上没法强制ECH，修改HTTPS记录是欺骗浏览器去开启ECH，但如果HTTPS记录返回延迟或异常，它就直接不ECH
清除浏览器DNS再试试，应该是api.x.com和twimg.com
chrome://net-internals/#dns

这个方法才能强制ECH

---

更新:
噢..原来openssl有ECH分支

mkdir -p $HOME/code
cd $HOME/code
git clone https://github.com/openssl/openssl --branch feature/ech
cd openssl
./config --libdir=lib --prefix=$HOME/code/openssl-local-inst
make
make install_sw

命令:
openssl s_client -connect domain.com:443 -ech_grease -trace

    EncryptedExtensions, Length=77
      extensions, length = 75
        extension_type=encrypted_client_hello(65037), length=71
          0000 - 00 45 fe 0d 00 41 47 00-20 00 20 ad 9e 49 24   .E...AG. . ..I$
          000f - 1f 68 1a 69 3c 8c 8c 4e-bd 01 31 e9 c4 97 1a   .h.i<..N..1....
          001e - 64 ac 9e 9b 40 a4 c5 36-5a 33 9e ec 59 00 04   d...@..6Z3..Y..
          002d - 00 01 00 01 00 12 63 6c-6f 75 64 66 6c 61 72   ......cloudflar
          003c - 65 2d 65 63 68 2e 63 6f-6d 00 00               e-ech.com..

[Kc2353]

谢谢，我不是这种爱好者，只要单纯的收听敌台不发言没问题那就应该没太大问题
另外可能是上面意思没表达太清楚我，我的意思是国内也不是完全铁板一块，至少防一下地区的运营商不是吗？
我不相信每一座城市的所有运营商都会有中国所有网址的监听能力。之前还有访问国家的某些网址会被地区运营商阻断的。
推进加密clienthello常态化建设
不过谢谢你提供的测试建议

[RememberOurPromise]

有更简单的方法，你可以自己编译openssl的ECH分支，尝试一下扫描国内的网站有没有偷开

盲猜一个都没有

[maoxikun]

直连太复杂，客户端配置ech为doh就完事了，又增加了一点延迟

[Fangliding]

ray里这个ech已经尽可能优化过了 除了启动的第一次请求或者晾太久再用要花时间查DNS其他都是零延迟的

[maoxikun]

日常使用是没啥感觉，国外的doh要么没法用要么延迟太高，用ali的好像哪里有点不对，如果自建（国外服务器）那不是又额外把ip暴露了，套cdn貌似没必要开ech？

[RememberOurPromise]

国外的doh要么没法用要么延迟太高

为什么不在CF自建一个DOH呢，这篇文章就是这个方法，如果不需要强制ECH，直接用现成的CF workers DoH项目搭一个即可，而且CF ZeroTrust的DoH到现在还能用的

[maoxikun]

为什么不在CF自建一个DOH呢，而且CF ZeroTrust的DoH到现在还能用的

好像是哦，我一直考虑到服务器在美西的情况，实际上用workers不需要考虑服务端，感觉像翻版域前置

[RememberOurPromise]

cloudflare-ech.com又存活一个月

搭一个给大伙儿用用看
https://api1.eu.cc/doh-ech-test?&ip4=104.18.10.118&ip6=2606:4700::6812:a76

ip4 / ip6 可替换为优选IP

[6c67b9]

为什么不能把 Cloudflare DoH 走代理访问，而是要这么折腾？
然后只按 IP 分流，用透明代理（不懂轻喷）

[RememberOurPromise]

为什么不能把 Cloudflare DoH 走代理访问，而是要这么折腾？ 然后只按 IP 分流，用透明代理（不懂轻喷）

跟你讲的完全没关系

CF的部分网站以及Meta的ECHconfig不在HTTPS记录里，而它们全CDN其实都支持ECH，这个方法是自己修改记录，让CF CDN和Meta CDN强制ECH，顺便还能指定优选IP

不懂就算了直接用就行，用它就能直连，或者让你的代理提供方看不到真实SNI