[dnscrypt-proxy][1] is a flexible DNS proxy that supports encrypted DNS protocols, providing both encryption and authentication of DNS traffic.
Encrypting DNS on Linux
Download the [Linux 64-bit package][2] and extract it into the directory of your choice:
```shell
wget https://github.com/jedisct1/dnscrypt-proxy/releases/download/2.0.16/dnscrypt-proxy-linux_x86_64-2.0.16.tar.gz
tar zxf dnscrypt-proxy-linux_x86_64-2.0.16.tar.gz -C <your-services-dir>
mv linux_x86_64 dnscrypt_proxy
```
Configure dnscrypt-proxy.toml:
```toml
ipv4_servers = true
ipv6_servers = false
require_dnssec = true
require_nolog = true
require_nofilter = true
cache = true
block_ipv6 = true
force_tcp = false
listen_addresses = ["127.0.0.1:53", "[::1]:53"]
max_clients = 250
dnscrypt_servers = true
doh_servers = true
daemonize = false
timeout = 2500
keepalive = 30
netprobe_timeout = 45
log_level = 0
use_syslog = false
cert_refresh_delay = 240
fallback_resolver = "114.114.114.114:53"
ignore_system_dns = false
log_files_max_size = 10
log_files_max_age = 7
log_files_max_backups = 1
cache_size = 256
cache_min_ttl = 600
cache_max_ttl = 86400
cache_neg_ttl = 60

[query_log]
format = "ltsv"
file = "query.log"

[nx_log]
format = "ltsv"

[blacklist]
blacklist_file = "blacklist.txt"
log_file = "blocked.log"
log_format = "ltsv"

[ip_blacklist]

[sources]

[sources.public-resolvers]
urls = ["https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md", "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md"]
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"
cache_file = "public-resolvers.md"
refresh_delay = 72
prefix = ""
```
Install and start the service:
```shell
./dnscrypt-proxy -service install
./dnscrypt-proxy -service start
```
Custom systemd service
/etc/systemd/system/dnscrypt-proxy.service
```ini
[Unit]
Description=Encrypted/authenticated DNS proxy
ConditionFileIsExecutable=/opt/dnscrypt-proxy/dnscrypt-proxy

[Service]
StartLimitInterval=5
StartLimitBurst=10
ExecStart=/opt/dnscrypt-proxy/dnscrypt-proxy
WorkingDirectory=/opt/dnscrypt-proxy
Restart=always
RestartSec=120
EnvironmentFile=-/etc/sysconfig/dnscrypt-proxy

[Install]
WantedBy=multi-user.target
```
Turn off system-assigned DNS:
```shell
systemctl disable NetworkManager.service
```
Change the system DNS address in /etc/resolv.conf.
Test:
```shell
yum install bind-utils
dig @127.0.0.1 www.google.com
```
DoH
```shell
git clone https://github.com/m13253/dns-over-https.git
cd dns-over-https/
make && make install

cat << EOM > /etc/dns-over-https/doh-server.conf
listen = [
    "127.0.0.1:8053",
    "[::1]:8053",
]
cert = ""
key = ""
path = "/dns-query"
upstream = [
    "127.0.0.1:53"
]
timeout = 10
tries = 3
tcp_only = false
verbose = false
log_guessed_client_ip = false
EOM

# Unquoted heredoc: nginx variables are escaped as \$... so the shell leaves them alone.
cat << EOM > /etc/nginx/conf.d/doh.conf
upstream dns-backend {
    server 127.0.0.1:8053;
    keepalive 30;
}
server {
    listen 80;
    server_name dns.bentasker.co.uk;
    root /tmp/NOEXIST;
    location /dns-query {
        # "doh_limit" must be declared with limit_req_zone in the http {} block.
        limit_req zone=doh_limit burst=50 nodelay;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header Host \$http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "";
        proxy_redirect off;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_read_timeout 86400;
        proxy_pass http://dns-backend/dns-query;
    }
    location / {
        return 404;
    }
}
EOM
```
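The DoH endpoint set up above speaks RFC 8484 wire-format DNS over HTTP. As an added example (not code from the original post or from the dns-over-https project), the following standard-library Python helpers build the GET-form query such an endpoint accepts and parse the response, including the AD bit that shows whether the answer was DNSSEC-validated, which is what `require_dnssec = true` in the proxy config is meant to guarantee. The host `dns.example` and the sample response are constructed for the example.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query: ID 0 (RFC 8484 recommends it for cacheability), RD set."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(base: str, query: bytes) -> str:
    """GET form of RFC 8484: ?dns=<base64url of the message, '=' padding stripped>."""
    return base + "?dns=" + base64.urlsafe_b64encode(query).decode().rstrip("=")

def _read_name(msg: bytes, off: int):
    # Decode a possibly compressed name; return (name, offset just past it).
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, keep the return offset
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_response(msg: bytes) -> dict:
    """Return rcode, the AD (authenticated data) bit and A/AAAA answers."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1:
            answers.append((name, "A", ttl, ".".join(map(str, rdata))))
        elif rtype == 28:
            answers.append((name, "AAAA", ttl, rdata.hex()))
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x0020), "answers": answers}

# Constructed sample response (not captured from a resolver): QR|RD|RA|AD flags,
# one A record for www.example.com whose owner name is a compression pointer.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0) + build_query("www.example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))
```

Against the real endpoint, fetch `doh_get_url("http://dns.bentasker.co.uk/dns-query", build_query("www.google.com"))` with an `Accept: application/dns-message` header and pass the body to `parse_response`; an answer with `ad` false means the proxy did not validate it.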
Encrypting DNS on Windows
Download [Simple DNSCrypt][3], install it, and then change the system DNS address.
Changing DNS on Ubuntu
```shell
sudo vi /etc/resolvconf/resolv.conf.d/base
sudo resolvconf -u
cat /etc/resolv.conf
```
References