某套线下环境网络不稳定,有dns劫持的问题,对业务影响比较大,需要配置dns加密来对抗劫持,DNS加密方案有 DNS over HTTPS(DoH)以及DNS over TLS(DoT)两种,dnsmasq似乎是不支持这两种方式的,所以需要装一个dnscrypt-proxy,将查询请求通过DoH/DoT发出,将查询结果返回给dnsmasq。
1.安装
yum install dnscrypt-proxy2.配置
配置文件/etc/dnscrypt-proxy/dnscrypt-proxy.toml
修改dnscrypt-proxy监听的端口,因为53端口已经被dnsmasq占用,这里修改成5353
listen_addresses = ['127.0.0.1:5353']来到sources这一块,把自带的远程源全部注释掉,不然每次启动都要到远程源下载可用服务器列表,影响启动速度,自带源又都放在github上,下不到就会启动失败,用自己配的自定义服务器就行,下面会写
[sources]
## An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers
# [sources.'public-resolvers']
# urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://download.dnscrypt.net/resolvers-list/v3/public-resolvers.md']
# cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
# minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
# refresh_delay = 72
# prefix = ''
## Anonymized DNS relays
# [sources.'relays']
# urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/relays.md', 'https://download.dnscrypt.net/resolvers-list/v3/relays.md']
# cache_file = '/var/cache/dnscrypt-proxy/relays.md'
# minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
# refresh_delay = 72
# prefix = ''来到最底下,加上自定义服务器,可用的服务器可以在这里找到List
[static]
[static.'aliyun']
stamp = 'sdns://AgAAAAAAAAAACTIyMy41LjUuNSCY49XlNq8pWM0vfxT3BO9KJ20l4zzWXy5l9eTycnwTMA5kbnMuYWxpZG5zLmNvbQovZG5zLXF1ZXJ5'
[static.'txyun']
stamp = 'sdns://AgAAAAAAAAAACjEuMTIuMTIuMTIgj0tzmXxLBOpQ_q-pGiQx1CvKa1TCO8-du_VyJJOU4QwHZG9oLnB1YgovZG5zLXF1ZXJ5'来到这一块,配置使用自定义服务器
# server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
server_names = ['aliyun', 'txyun']修改初始的dns,这个初始dns是用来解析DoH服务器的ip地址的,解析后就不再使用,配置文件里的注释有详细说明,这里不赘述了
# bootstrap_resolvers = ['9.9.9.9:53', '8.8.8.8:53']
bootstrap_resolvers = ['223.5.5.5:53', '114.114.114.114:53']修改检测网络是否连通的地址,可以是任意ip的任意端口,哪怕没有响应,只要端口是打开的,就认为网络连通
# netprobe_address = '9.9.9.9:53'
netprobe_address = '223.5.5.5:53'因为集群环境没有ipv6,顺便禁用ipv6的AAAA查询
# block_ipv6 = false
block_ipv6 = true启用dns查询日志(可选)
[query_log]
file = '/var/log/dnscrypt-proxy/query.log'3.启动服务&测试
启动服务
systemctl start dnscrypt-proxy
systemctl enable dnscrypt-proxy测试
dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -resolve baidu.com打印出查询结果则服务正常
Resolving [baidu.com] using 127.0.0.1 port 5353
Resolver : 116.253.27.4
Canonical name: baidu.com.
IPv4 addresses: 39.156.66.10, 110.242.68.66
IPv6 addresses: -
Name servers : ns2.baidu.com., ns7.baidu.com., dns.baidu.com., ns3.baidu.com., ns4.baidu.com.
DNSSEC signed : no
Mail servers : 6 mail servers found也可以用nslookup查询,但nslookup似乎不能指定端口号,默认的53端口是dnsmasq占用,已经配置dnsmasq将dns查询转发给5353端口的dnscrypt-proxy
nslookup baidu.com 127.0.0.1查询结果可以看到ipv6的AAAA记录查询是被屏蔽的
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: baidu.com
Address: 110.242.68.66
Name: baidu.com
Address: 39.156.66.10
baidu.com hinfo = "AAAA queries have been locally blocked by dnscrypt-proxy" "Set block_ipv6 to false to disable that feature"补一个dnsmasq转发到5353端口的配置
server=127.0.0.1#5353