Building your own pollution-free local DNS server based on DNS over HTTPS
Anti-pollution DNS, ad blocking, caching, root servers
Internal DoH, internal traffic splitting, internal caching
System: Debian 10 local server (installed with the SSH server option selected)
Software: dnscrypt-proxy, ChinaDNS-ng, unbound, cloudflared, AdGuardHome, supervisord, git
Make sure your local server meets the minimum requirements, then install the packages:
sudo apt-get install wget sudo nano dnsutils bind9-host supervisor git dnscrypt-proxy unbound
First give the Debian 10 server a static IP address.
(There is no root login on the local server by default; run sudo su before making these changes.)
nano /etc/network/interfaces
iface ens33 inet static
    address *.*.*.*
    netmask 255.255.255.0
    gateway *.*.*.*          (your local gateway)
    dns-nameservers 127.0.0.1 (the local DNS server)
Disable the DNS servers handed out by DHCP:
nano /etc/dhcp/dhclient.conf
supersede domain-name-servers 127.0.0.1;
Then reboot the local server:
sudo reboot
Installing and using AdGuardHome:
Install AdGuardHome as root (port: 53)
Project page: https://github.com/AdguardTeam/AdGuardHome/
To download AdGuard Home and unpack it, run the following commands:
wget https://static.adguard.com/adguardhome/beta/AdGuardHome_linux_amd64.tar.gz
tar xvf AdGuardHome_linux_amd64.tar.gz
Run the following to install AdGuard Home as a system service:
sudo ./AdGuardHome -s install
Other commands for controlling the service:
./AdGuardHome -s uninstall   - uninstall the AdGuard Home service
./AdGuardHome -s start       - start the service
./AdGuardHome -s stop        - stop the service
./AdGuardHome -s restart     - restart the service
./AdGuardHome -s status      - show the current service status
Installing and using cloudflared:
Install cloudflared as root (port: 54)
Project page: https://developers.cloudflare.com/argo-tunnel/downloads/
wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb
sudo apt-get install ./cloudflared-stable-linux-amd64.deb
cloudflared -v
Next, create the configuration file config.yml for cloudflared in /etc/cloudflared:
sudo mkdir /etc/cloudflared/
sudo nano /etc/cloudflared/config.yml
Copy in the following configuration:
proxy-dns: true
proxy-dns-port: 54
proxy-dns-upstream:
  - https://1dot1dot1dot1.cloudflare-dns.com/dns-query
  - https://dns.google/dns-query
Now install the service with cloudflared's service command:
sudo cloudflared service install
Start the systemd service and check its status:
sudo systemctl start cloudflared
sudo systemctl status cloudflared
Installing and using unbound:
Install unbound as root (port: 55)
Set up as a recursive DNS resolver
We will use unbound, a secure open-source recursive DNS server developed mainly by NLnet Labs, VeriSign Inc., Nominet and Kirei.
Important: download the current root hints file (the list of primary root servers that serve the root domain "."). It is updated roughly every six months; note that this file rarely changes.
wget -O root.hints https://www.internic.net/domain/named.root
sudo mv root.hints /var/lib/unbound/
Configure unbound
Key points:
Listen only for queries from the local installation (port 55)
Listen for both UDP and TCP requests
Validate DNSSEC signatures and discard BOGUS domains
Apply a few security and privacy tweaks
nano /etc/unbound/unbound.conf.d/unbound.conf
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 55
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones; if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization, as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close-to-expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient; it can be increased on beefy machines. In reality, for most users
    # running on small networks or on a single machine, there is no need to raise num-threads above 1.
    num-threads: 1

    # Ensure the kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges: answers for public names that point into these
    # ranges are dropped (protection against DNS rebinding)
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
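The private-address lines above are unbound's DNS-rebinding protection: the resolver refuses to return answers for public names that point into the listed private or link-local ranges. The script below is an added example (not from the original post or from unbound) that reproduces that decision offline over a few constructed answers, so you can check what the configuration on this page will and will not hand back to AdGuardHome. The config text, the domain names and the addresses in it are all constructed for the example.

```python
"""Reproduce unbound's private-address filtering for a set of constructed answers.

Added example; not code from the original post or from unbound. It parses the
private-address directives out of unbound.conf text and applies the same rule
unbound applies: an answer whose address falls in one of those ranges is dropped.
"""
import ipaddress

# Constructed excerpt of the unbound.conf shown on this page.
UNBOUND_CONF = """\
server:
    interface: 127.0.0.1
    port: 55
    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
"""

# Constructed answers: (query name, address the upstream returned).
CONSTRUCTED_ANSWERS = [
    ("www.example.com", "93.184.216.34"),    # public address: kept
    ("lan.example.net", "192.168.1.1"),      # public name pointing at a LAN address: dropped
    ("lan.example.net", "10.0.0.5"),         # RFC 1918 range: dropped
    ("v6.example.net", "fe80::1"),           # IPv6 link-local: dropped
    ("ok6.example.net", "2606:4700::1111"),  # public IPv6: kept
]


def load_private_ranges(conf_text):
    """Collect every private-address value from unbound.conf text, ignoring comments."""
    ranges = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("private-address:"):
            # split on the first colon only, so IPv6 prefixes such as fd00::/8 survive
            value = line.split(":", 1)[1].strip()
            ranges.append(ipaddress.ip_network(value, strict=False))
    return ranges


def would_be_dropped(ip_text, ranges):
    """True if unbound's private-address rule would discard this address."""
    ip = ipaddress.ip_address(ip_text)
    # membership across IPv4/IPv6 versions is simply False, so mixed lists are safe
    return any(ip in net for net in ranges)


def filter_answers(answers, ranges):
    """Split (name, ip) answers into (kept, dropped) the way unbound would."""
    kept, dropped = [], []
    for name, ip in answers:
        (dropped if would_be_dropped(ip, ranges) else kept).append((name, ip))
    return kept, dropped


if __name__ == "__main__":
    ranges = load_private_ranges(UNBOUND_CONF)
    kept, dropped = filter_answers(CONSTRUCTED_ANSWERS, ranges)
    for name, ip in kept:
        print("KEEP   %-18s %s" % (name, ip))
    for name, ip in dropped:
        print("DROP   %-18s %s" % (name, ip))
```

If you legitimately host internal names that resolve to private addresses, unbound's private-domain directive exempts a zone from this rule; the script deliberately leaves that out to show the default behaviour of the page's config.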
Start the local recursive server:
sudo service unbound start
Installing and using dnscrypt-proxy:
Project page: https://github.com/dnscrypt/dnscrypt-proxy
The example configuration file is example-dnscrypt-proxy.toml. Copy this file and rename the copy dnscrypt-proxy.toml. Below is a sample of how the first part of the configuration file is modified.
nano /etc/dnscrypt-proxy/dnscrypt-proxy.toml
# This list specifies which servers will be used. If you have IPv6 connectivity, prefer IPv6 servers.
# Server names can be found at https://dnscrypt.info/public-servers
# server_names = ['dnswarden-doh2-ipv6','cloudflare-ipv6','gridns-jp-ipv6','jp.tiar.app-doh-ipv6']
server_names = ['dnswarden-doh2','cloudflare','doh-jp-blahdns','jp.tiarap.org']

# Addresses the program listens on. To serve all addresses, listen on '0.0.0.0:53' or '[::]:53'.
# Several addresses can be listened on, e.g. listen_addresses = ['127.0.0.1:53', '192.168.1.2:53']
# Note: on this page ports 53, 54 and 55 are also used by AdGuardHome, cloudflared and unbound;
# only one process can bind each port, so pick free ports if dnscrypt-proxy runs alongside them.
listen_addresses = ['127.0.0.1:53','127.0.0.1:54','127.0.0.1:55']

max_clients = 250

# Use servers reachable over IPv4
ipv4_servers = true
# Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity
ipv6_servers = false
# Use servers implementing the DNSCrypt protocol
dnscrypt_servers = true
# Use servers implementing the DNS-over-HTTPS protocol
doh_servers = true

## Require servers defined by remote sources to satisfy specific properties
# Server must support DNS security extensions (DNSSEC)
require_dnssec = true
# Server must not log user queries (declarative)
require_nolog = true
# Server must not enforce its own blacklist (for parental control, ads blocking...)
require_nofilter = true
# Server names to avoid even if they match all criteria
disabled_server_names = []
dnscrypt-proxy service commands (run as administrator):
dnscrypt-proxy -service install     # install the dnscrypt-proxy service
dnscrypt-proxy -service start       # start the dnscrypt-proxy service
dnscrypt-proxy -service stop        # stop the dnscrypt-proxy service
dnscrypt-proxy -service restart     # restart the dnscrypt-proxy service
dnscrypt-proxy -service uninstall   # uninstall the dnscrypt-proxy service
The dnscrypt-proxy.socket file (for example, to change the local port)
The package from the PPA accepts connections through systemd sockets, which is not a supported setup. To change the local port, you therefore edit the dnscrypt-proxy.socket file instead of the usual dnscrypt-proxy.toml:
nano /lib/systemd/system/dnscrypt-proxy.socket
[Unit]
Description=dnscrypt-proxy listening socket
Documentation=https://github.com/DNSCrypt/dnscrypt-proxy/wiki
Before=nss-lookup.target
Wants=nss-lookup.target
Wants=dnscrypt-proxy-resolvconf.service

[Socket]
# 127.0.0.1:53 is also AdGuardHome's port on this page; change it if both services run
ListenStream=127.0.0.1:53
ListenDatagram=127.0.0.1:53
NoDelay=true
DeferAcceptSec=1

[Install]
WantedBy=sockets.target
Once everything is configured, reboot the local server:
sudo reboot
In AdGuardHome, set both unbound and cloudflared (127.0.0.1:55 and 127.0.0.1:54) as the upstream DNS servers.
The first query may be slow, but subsequent queries (and queries for other domains under the same TLD) should be fast. Test that each piece is running:
AdGuardHome:
lsof -i:53
dig baidu.com @127.0.0.1 -p 53
cloudflared:
lsof -i:54
dig baidu.com @127.0.0.1 -p 54
unbound:
lsof -i:55
dig baidu.com @127.0.0.1 -p 55
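The dig checks above only show that something answers on each port. The following added example (not code from the original post, nor from cloudflared, dnscrypt-proxy, unbound or AdGuardHome) goes one step further and shows what the DoH forwarder on port 54 does on the wire, which is the technique this whole page is built on: a DNS query is packed into wire format, POSTed to the resolver with content type application/dns-message (RFC 8484), and the answer is unpacked. The same encoder and decoder then probe the three local UDP listeners and report the response code and whether the AD (authenticated data) bit is set, which is how you confirm that unbound is actually validating DNSSEC. The DoH URL is the one from the cloudflared config; the sample response bytes are constructed for the offline check.

```python
"""Minimal DNS wire-format encoder/decoder, a DoH POST client, and a UDP probe.

Added example; not code from the original post or from any project it installs.
"""
import os
import socket
import struct
import urllib.request

FLAG_RD = 0x0100   # recursion desired
FLAG_AD = 0x0020   # authenticated data: the resolver validated DNSSEC for this answer
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
DOH_URL = "https://1dot1dot1dot1.cloudflare-dns.com/dns-query"   # from the cloudflared config


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Standard query with RD set, one question, and an EDNS0 OPT record with the DO bit.
    DO asks the resolver to include DNSSEC records; the payload size mirrors the page's 1472."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, class = UDP payload size, TTL field = ext-rcode/version/DO
    opt = b"\x00" + struct.pack("!HHIH", 41, 1472, 0x00008000, 0)
    return header + question + opt


def decode_name(msg, off):
    """Follow labels and compression pointers; return (name, offset just past the name)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 2-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("idna"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return rcode name, AD flag and the answer RRs as (name, type, ttl, rdata)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:                  # A record
            rdata = socket.inet_ntoa(rdata)
        elif rtype == 28 and rdlen == 16:              # AAAA record
            rdata = socket.inet_ntop(socket.AF_INET6, rdata)
        off += rdlen
        answers.append((name, rtype, ttl, rdata))
    rcode = flags & 0x000F
    return {"id": txid, "rcode": RCODES.get(rcode, str(rcode)),
            "ad": bool(flags & FLAG_AD), "answers": answers}


def doh_query(name, url=DOH_URL, qtype=1):
    """POST a wire-format query to a DoH resolver: what cloudflared does for port 54."""
    req = urllib.request.Request(url, data=build_query(name, qtype),
                                 headers={"Content-Type": "application/dns-message",
                                          "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_response(resp.read())


def udp_query(name, port, host="127.0.0.1", qtype=1):
    """Send the same query over plain UDP to one of the local listeners (53/54/55)."""
    txid = int.from_bytes(os.urandom(2), "big")        # random id, checked on the way back
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5)
        s.sendto(build_query(name, qtype, txid), (host, port))
        data, _ = s.recvfrom(4096)
    result = parse_response(data)
    if result["id"] != txid:
        raise ValueError("transaction id mismatch")
    return result


# Constructed response for offline parsing: id 0x1234, flags QR|RD|RA|AD, one question,
# one A answer whose name is a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))

if __name__ == "__main__":
    print("offline sample:", parse_response(SAMPLE_RESPONSE))
    for port in (53, 54, 55):                          # AdGuardHome, cloudflared, unbound
        try:
            r = udp_query("baidu.com", port)
            print("port %d: %s ad=%s %s" % (port, r["rcode"], r["ad"], r["answers"]))
        except (OSError, ValueError) as exc:
            print("port %d: no usable answer (%s)" % (port, exc))
```

Only port 55 (unbound, which validates itself) is expected to set AD for a signed zone; AdGuardHome and cloudflared pass through whatever their upstreams return. A response of SERVFAIL from port 55 for a zone whose signatures are deliberately broken is the positive sign that validation is on.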