電訊茶室's Archiver

moses posted on 2018-12-29 17:19

Building a clean DNS system with DNSMASQ

[i=s] This post was last edited by moses on 2018-12-29 19:31 [/i]

Just to get the ball rolling: this only covers a way of dealing with DNS pollution and leaves out anything tunnel-related (I expect everyone here has their own assorted solutions for that).

Requirements:
        1. Prevent DNS pollution
        2. Keep CDN acceleration
        3. Filter ads and privacy tracking
        4. Targeted resolution acceleration and optimization
        5. DNS resolution caching

Approach:
Use DNSMASQ to resolve different domains through different upstream servers, split by zone.
        1. If you are in mainland China, the list of DNS-polluted domains can roughly follow a "wall LIST": decode it from BASE64, pull out and merge the domains to produce the pollution list that needs extra care, have DNSMASQ resolve that list through a dedicated upstream DNS server, and keep the layer-3 traffic between DNSMASQ and that server encrypted or inside a tunnel, so that this part of the data can be neither snooped on nor polluted or tampered with.
        2. The second group of DNS servers DNSMASQ uses serves as the default recursive resolver for non-polluted domains, so the CDN advantage is preserved as far as possible; this can be the local ISP's DNS or a public DNS. In the mainland, 114 or Alibaba's servers can be used as public DNS.
        3. Using the same idea, pull the domains out of an ad-blocking list such as adblockplus or yoyo and point their resolution at 127.0.0.1, to counter ads and privacy tracking.
        4. For problems that ISP DNS does not handle well, such as slow access or downloads for the Apple App Store or Apple WWDC live video, point the related domains at a DNS server with an optimized resolution scheme, and at the same time disable the domain hijacking of those public servers.
        5. DNSMASQ has built-in caching, used to speed up local resolution.

Setup:
Later; my own configuration contains some things that do not fully match the requirements above, so I'll post it once I've had time to clean it up.

The basic DNSMASQ configuration covers part 2:[code]
# listen on an interface or on an address, either will do
#listen-address=127.0.0.1
interface=eth0
port=53
no-poll
no-resolv
all-servers
cache-size=5000
neg-ttl=3600

# local ISP DNS or public DNS; this is the default DNS for item 2
server=A.B.C.D
server=A.B.C.D

# the configuration for the remaining items 1, 3 and 4 goes in the directory below
conf-dir=/etc/dnsmasq.d
[/code]Part 1 handles resolution for the wall LIST (if you use ROS, the traffic between here and A.B.C.D needs a mangle rule to push it into a tun interface, or some other solution):
glist.conf[code]
server=/.DOMAINNAME.XXX/A.B.C.D
[/code]Part 3 blocks ad- and privacy-tracking-related domains:
adlist.conf[code]
address=/DOMAINNAME.XXX/127.0.0.1
[/code]Part 4: the special list and hijack handling
splist.conf[code]
server=/phobos-apple.com.akadns.net/114.114.114.114
[/code]Hijack handling; this list covers mainland ISPs. Those of you in Taiwan and Hong Kong, please submit a copy once you've looked yours up.
bogus-nxdomain.china.conf[code]
## Public DNS

# DNSPai
bogus-nxdomain=123.125.81.12
bogus-nxdomain=101.226.10.8

# Level3
bogus-nxdomain=198.105.254.11
bogus-nxdomain=104.239.213.7


## China Telecom

# Anhui Telecom
bogus-nxdomain=61.191.206.4

# Beijing Telecom
bogus-nxdomain=218.30.64.194

# Chengdu Telecom
bogus-nxdomain=61.139.8.101
bogus-nxdomain=61.139.8.102
bogus-nxdomain=61.139.8.103
bogus-nxdomain=61.139.8.104

# Fujian Telecom
bogus-nxdomain=42.123.125.237

# Gansu Telecom
bogus-nxdomain=202.100.68.117

# Guangxi Telecom
bogus-nxdomain=113.12.83.4
bogus-nxdomain=113.12.83.5

# Hainan Telecom
bogus-nxdomain=202.100.220.54

# Hangzhou Telecom
bogus-nxdomain=60.191.124.236
bogus-nxdomain=60.191.124.252

# Hebei Telecom
bogus-nxdomain=222.221.5.204

# Hunan Telecom
bogus-nxdomain=124.232.132.94

# Jiangsu Telecom
bogus-nxdomain=202.102.110.204

# Jiangxi Telecom
bogus-nxdomain=61.131.208.210
bogus-nxdomain=61.131.208.211

# Nanjing Telecom
bogus-nxdomain=202.102.110.203
bogus-nxdomain=202.102.110.205

# Shandong Telecom
bogus-nxdomain=219.146.13.36

# Shanghai Telecom
bogus-nxdomain=180.168.41.175
bogus-nxdomain=180.153.103.224

# Wuhan Telecom
bogus-nxdomain=111.175.221.58
bogus-nxdomain=61.183.1.186

# Xi'an Telecom
bogus-nxdomain=125.76.239.244
bogus-nxdomain=125.76.239.245

# Yunnan Telecom
bogus-nxdomain=222.221.5.252
bogus-nxdomain=222.221.5.253
bogus-nxdomain=220.165.8.172
bogus-nxdomain=220.165.8.174


## China Unicom

# Anhui Unicom
bogus-nxdomain=112.132.230.179

# Beijing Unicom (bjdnserror1.wo.com.cn ~ bjdnserror5.wo.com.cn)
bogus-nxdomain=202.106.199.34
bogus-nxdomain=202.106.199.35
bogus-nxdomain=202.106.199.36
bogus-nxdomain=202.106.199.37
bogus-nxdomain=202.106.199.38

# Hebei Unicom (hbdnserror1.wo.com.cn ~ hbdnserror7.wo.com.cn)
bogus-nxdomain=221.192.153.41
bogus-nxdomain=221.192.153.42
bogus-nxdomain=221.192.153.43
bogus-nxdomain=221.192.153.44
bogus-nxdomain=221.192.153.45
bogus-nxdomain=221.192.153.46
bogus-nxdomain=221.192.153.49

# Heilongjiang Unicom (hljdnserror1.wo.com.cn ~ hljdnserror5.wo.com.cn)
bogus-nxdomain=125.211.213.130
bogus-nxdomain=125.211.213.131
bogus-nxdomain=125.211.213.132
bogus-nxdomain=125.211.213.133
bogus-nxdomain=125.211.213.134

# Henan Unicom (hndnserror1.wo.com.cn ~ hndnserror7.wo.com.cn)
bogus-nxdomain=218.28.144.36
bogus-nxdomain=218.28.144.37
bogus-nxdomain=218.28.144.38
bogus-nxdomain=218.28.144.39
bogus-nxdomain=218.28.144.40
bogus-nxdomain=218.28.144.41
bogus-nxdomain=218.28.144.42

# Jilin Unicom (jldnserror1.wo.com.cn ~ jldnserror5.wo.com.cn)
bogus-nxdomain=202.98.24.121
bogus-nxdomain=202.98.24.122
bogus-nxdomain=202.98.24.123
bogus-nxdomain=202.98.24.124
bogus-nxdomain=202.98.24.125

# Liaoning Unicom (lndnserror1.wo.com.cn ~ lndnserror7.wo.com.cn)
bogus-nxdomain=60.19.29.21
bogus-nxdomain=60.19.29.22
bogus-nxdomain=60.19.29.23
bogus-nxdomain=60.19.29.24
bogus-nxdomain=60.19.29.25
bogus-nxdomain=60.19.29.26
bogus-nxdomain=60.19.29.27

# Nanfang Unicom (nfdnserror1.wo.com.cn ~ nfdnserror17.wo.com.cn)
bogus-nxdomain=220.250.64.18
bogus-nxdomain=220.250.64.19
bogus-nxdomain=220.250.64.20
bogus-nxdomain=220.250.64.21
bogus-nxdomain=220.250.64.22
bogus-nxdomain=220.250.64.23
bogus-nxdomain=220.250.64.24
bogus-nxdomain=220.250.64.25
bogus-nxdomain=220.250.64.26
bogus-nxdomain=220.250.64.27
bogus-nxdomain=220.250.64.28
bogus-nxdomain=220.250.64.29
bogus-nxdomain=220.250.64.30
bogus-nxdomain=220.250.64.225
bogus-nxdomain=220.250.64.226
bogus-nxdomain=220.250.64.227
bogus-nxdomain=220.250.64.228

# Neimenggu Unicom (nmdnserror2.wo.com.cn ~ nmdnserror4.wo.com.cn)
bogus-nxdomain=202.99.254.231
bogus-nxdomain=202.99.254.232
bogus-nxdomain=202.99.254.230

# Shandong Unicom (sddnserror1.wo.com.cn ~ sddnserror9.wo.com.cn)
bogus-nxdomain=123.129.254.11
bogus-nxdomain=123.129.254.12
bogus-nxdomain=123.129.254.13
bogus-nxdomain=123.129.254.14
bogus-nxdomain=123.129.254.15
bogus-nxdomain=123.129.254.16
bogus-nxdomain=123.129.254.17
bogus-nxdomain=123.129.254.18
bogus-nxdomain=123.129.254.19

# Shanxi Unicom (sxdnserror1.wo.com.cn ~ sxdnserror6.wo.com.cn)
bogus-nxdomain=221.204.244.36
bogus-nxdomain=221.204.244.37
bogus-nxdomain=221.204.244.38
bogus-nxdomain=221.204.244.39
bogus-nxdomain=221.204.244.40
bogus-nxdomain=221.204.244.41

# Tianjin Unicom (tjdnserror1.wo.com.cn ~ tjdnserror5.wo.com.cn)
bogus-nxdomain=218.68.250.117
bogus-nxdomain=218.68.250.118
bogus-nxdomain=218.68.250.119
bogus-nxdomain=218.68.250.120
bogus-nxdomain=218.68.250.121


## China Mobile

# Anhui Mobile
bogus-nxdomain=120.209.138.64

# Guangdong Mobile
bogus-nxdomain=211.139.136.73
bogus-nxdomain=221.179.46.190
bogus-nxdomain=221.179.46.194

# Jiangsu Mobile
bogus-nxdomain=183.207.232.253

# Jiangxi Mobile
bogus-nxdomain=223.82.248.117

# Qinghai Mobile
bogus-nxdomain=211.138.74.132

# Shaanxi Mobile
bogus-nxdomain=211.137.130.101

# Shanghai Mobile
bogus-nxdomain=211.136.113.1

# Shanxi Mobile
bogus-nxdomain=211.138.102.198

# Shandong Mobile
bogus-nxdomain=120.192.83.163

# Sichuan Mobile
bogus-nxdomain=183.221.242.172
bogus-nxdomain=183.221.250.11

# Xizang Mobile
bogus-nxdomain=111.11.208.2

# Yunnan Mobile
bogus-nxdomain=183.224.40.24


## China Tie Tong

# Shandong TieTong
bogus-nxdomain=211.98.70.226
bogus-nxdomain=211.98.70.227
bogus-nxdomain=211.98.71.195


## GWBN

# Wuhan GWBN
bogus-nxdomain=114.112.163.232
bogus-nxdomain=114.112.163.254

[/code]
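An added example (not from the original post) that models how dnsmasq picks an upstream for a query name from the combined rule files described above (default servers, glist.conf, adlist.conf, splist.conf), so you can predict which list wins for a given name before deploying. The sample config lines are constructed, and the tie-break between server= and address= on the same domain is an assumption of this model.

```python
import re

# Constructed excerpt of the rule files the post describes (default upstream,
# glist.conf, adlist.conf, splist.conf); sample input, not the generated lists.
SAMPLE_CONF = """
server=A.B.C.D
server=/.google.com/10.0.0.2#53
address=/ads.example.net/127.0.0.1
server=/itunes.apple.com/114.114.114.114
bogus-nxdomain=123.125.81.12
"""

# server=[/domain/]target[#port]  or  address=/domain/target
RULE_RE = re.compile(r'^(server|address)=(?:/([^/]+)/)?([^#\s]+)(?:#(\d+))?$')

def parse_rules(text):
    """Split config lines into default upstreams and per-domain rules."""
    defaults, rules = [], []
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if not line or line.startswith('#') or not m:
            continue  # comments, cache-size, bogus-nxdomain etc. do not steer queries
        kind, domain, target, port = m.groups()
        if port:
            target += '#' + port
        if domain is None:
            defaults.append(target)
        else:
            # dnsmasq matches whole labels; a leading dot is equivalent to none
            rules.append((kind, domain.lstrip('.').lower(), target))
    return defaults, rules

def route(qname, defaults, rules):
    """Return (kind, matched_domain, target) for one query name.
    Longest matching domain suffix wins, as in dnsmasq; on an exact tie between
    server= and address= this model prefers address= (an assumption)."""
    qname = qname.rstrip('.').lower()
    best = None
    for kind, domain, target in rules:
        if qname == domain or qname.endswith('.' + domain):
            key = (len(domain), kind == 'address')
            if best is None or key > best[0]:
                best = (key, kind, domain, target)
    if best is None:
        return ('server', None, defaults)  # falls through to the default upstreams
    return best[1:]
```

For a real check, feed parse_rules the concatenated contents of dnsmasq.conf and /etc/dnsmasq.d/*.conf and call route for the names you care about.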

moses posted on 2018-12-29 19:18

Fetching the list for part 1:[code]
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import base64
import datetime
import os
import re
import shutil
import urllib.request

# External clean DNS address and port; any unpolluted DNS in Hong Kong or Taiwan will do.
# Make sure the traffic to that server is encrypted or sent through the tunnel.
mydnsip = 'A.B.C.D'
mydnsport = '53'

# The wall LIST; fetching it may itself need the tunnel, as direct access from the mainland may not work
baseurl = 'https://raw.githubusercontent.com/gfwlist/gfwlist/master/gfwlist.txt'

# match comments/title/whitelist/ip address
comment_pattern = r'^!|\[|^@@|^\d+\.\d+\.\d+\.\d+'
domain_pattern = r'([\w\-]+\.[\w.\-]+)[/*]*'
tmpfile = 'glisttmp'

# do not write to router internal flash directly
outfile = 'glist.conf'
rulesfile = '/etc/dnsmasq.d/glist.conf'

fs = open(outfile, 'w')
fs.write('# glist ipset rules for dnsmasq\n')
fs.write('# updated on ' + datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S") + '\n')
fs.write('#\n')

print('fetching list...')
# the list is published BASE64-encoded; b64decode discards the line breaks in it
content = base64.b64decode(urllib.request.urlopen(baseurl, timeout=15).read()).decode('utf-8')

# write the decoded content to file then read line by line
tfs = open(tmpfile, 'w')
tfs.write(content)
tfs.close()
tfs = open(tmpfile, 'r')

print('page content fetched, analysis...')

# remember all blocked domains, in case of duplicate records
domainlist = set()

for line in tfs:
    line = line.rstrip('\n')
    if re.findall(comment_pattern, line):
        print('this is a comment line: ' + line)
        #fs.write('#' + line)
    else:
        domain = re.findall(domain_pattern, line)
        if domain:
            if domain[0] in domainlist:
                print(domain[0] + ' exists.')
            else:
                print('saving ' + domain[0])
                domainlist.add(domain[0])
                fs.write('server=/.%s/%s#%s\n' % (domain[0], mydnsip, mydnsport))
        else:
            print('no valid domain in this line: ' + line)

tfs.close()
fs.close()

print('moving generated file to dnsmasq directory')
shutil.move(outfile, rulesfile)

print('restart dnsmasq...')
print(os.popen('/etc/init.d/dnsmasq restart').read())

print('done!')

[/code]

moses posted on 2018-12-29 19:30

Apple-related service domain list for part 4:
splist.conf[code]
server=/a1.mzstatic.com/114.114.114.114
server=/a2.mzstatic.com/114.114.114.114
server=/a3.mzstatic.com/114.114.114.114
server=/a4.mzstatic.com/114.114.114.114
server=/a5.mzstatic.com/114.114.114.114
server=/adcdownload.apple.com/114.114.114.114
server=/appldnld.apple.com/114.114.114.114
server=/apps.mzstatic.com/114.114.114.114
server=/cdn-cn1.apple-mapkit.com/114.114.114.114
server=/cdn-cn2.apple-mapkit.com/114.114.114.114
server=/cdn-cn3.apple-mapkit.com/114.114.114.114
server=/cdn-cn4.apple-mapkit.com/114.114.114.114
server=/cdn.apple-mapkit.com/114.114.114.114
server=/cdn1.apple-mapkit.com/114.114.114.114
server=/cdn2.apple-mapkit.com/114.114.114.114
server=/cdn3.apple-mapkit.com/114.114.114.114
server=/cdn4.apple-mapkit.com/114.114.114.114
server=/cds.apple.com/114.114.114.114
server=/cl1.apple.com/114.114.114.114
server=/cl2.apple.com.edgekey.net.globalredir.akadns.net/114.114.114.114
server=/cl2.apple.com/114.114.114.114
server=/cl3.apple.com/114.114.114.114
server=/cl4-cn.apple.com/114.114.114.114
server=/cl4.apple.com/114.114.114.114
server=/cl5.apple.com/114.114.114.114
server=/configuration.apple.com/114.114.114.114
server=/gs-loc.apple.com/114.114.114.114
server=/gsp11-cn.ls.apple.com/114.114.114.114
server=/gsp12-cn.ls.apple.com/114.114.114.114
server=/gsp13-cn.ls.apple.com/114.114.114.114
server=/gsp4-cn.ls.apple.com.edgekey.net.globalredir.akadns.net/114.114.114.114
server=/gsp4-cn.ls.apple.com.edgekey.net/114.114.114.114
server=/gsp4-cn.ls.apple.com/114.114.114.114
server=/gsp5-cn.ls.apple.com/114.114.114.114
server=/gspe19-cn.ls-apple.com.akadns.net/114.114.114.114
server=/gspe19-cn.ls.apple.com/114.114.114.114
server=/gspe21-ssl.ls.apple.com/114.114.114.114
server=/gspe21.ls.apple.com/114.114.114.114
server=/gspe35-ssl.ls.apple.com/114.114.114.114
server=/icloud.cdn-apple.com/114.114.114.114
server=/images.apple.com/114.114.114.114
server=/init-p01md.apple.com/114.114.114.114
server=/init-p01st.push.apple.com/114.114.114.114
server=/iphone-ld.apple.com/114.114.114.114
server=/is1-ssl.mzstatic.com/114.114.114.114
server=/is1.mzstatic.com/114.114.114.114
server=/is2-ssl.mzstatic.com/114.114.114.114
server=/is2.mzstatic.com/114.114.114.114
server=/is3-ssl.mzstatic.com/114.114.114.114
server=/is3.mzstatic.com/114.114.114.114
server=/is4-ssl.mzstatic.com/114.114.114.114
server=/is4.mzstatic.com/114.114.114.114
server=/is5-ssl.mzstatic.com/114.114.114.114
server=/is5.mzstatic.com/114.114.114.114
server=/itunes-apple.com.akadns.net/114.114.114.114
server=/itunes.apple.com/114.114.114.114
server=/itunesconnect.apple.com/114.114.114.114
server=/mesu-cdn.apple.com.akadns.net/114.114.114.114
server=/mesu-china.apple.com.akadns.net/114.114.114.114
server=/mesu.apple.com/114.114.114.114
server=/s.mzstatic.com/114.114.114.114
server=/s2.mzstatic.com/114.114.114.114
server=/s3.mzstatic.com/114.114.114.114
server=/s4.mzstatic.com/114.114.114.114
server=/s5.mzstatic.com/114.114.114.114
server=/store.apple.com/114.114.114.114
server=/store.storeimages.cdn-apple.com/114.114.114.114
server=/support.apple.com/114.114.114.114
server=/swcdn.apple.com/114.114.114.114
server=/swdist.apple.com/114.114.114.114
server=/updates-http.cdn-apple.com.akadns.net/114.114.114.114
server=/updates-http.cdn-apple.com/114.114.114.114
server=/www.apple.com.edgekey.net/114.114.114.114
server=/www.apple.com/114.114.114.114
[/code]If some Microsoft cloud services cannot be accessed or synced normally from the mainland, they can be given special treatment here as well.

moses posted on 2018-12-29 19:46

Fetching the list for part 3:
adlist.conf[code]
#!/bin/bash

outlist='/etc/dnsmasq.d/adlist.conf'
tempoutlist="$outlist.tmp"

# start from an empty temp file, then append each list you want; ADP's easylist is used here
: > "$tempoutlist"
echo "Getting adblockplus easylistchina + easylist..."
# keep only plain "||domain^" rules, strip the "||" prefix and the trailing "^"
curl -s https://easylist-downloads.adblockplus.org/easylistchina+easylist.txt | grep '^||[^*]*\^$' | sed 's/^||//' | cut -d'^' -f1 >> "$tempoutlist"

echo "Removing duplicates and formatting the list of domains..."

# strip CR line endings, drop any domains you want to keep reachable, dedupe, then emit dnsmasq address= lines
sed 's/\r$//' "$tempoutlist" | sed '/thisisiafakedomain123\.com/d;/www\.anotherfakedomain123\.com/d' | sort -u | sed '/^$/d' | sed -e 's:^:address=/:' -e 's:$:/127.0.0.1:' > "$outlist"
rm "$tempoutlist"

numberOfAdsBlocked=$(wc -l < "$outlist" | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked ad domains blocked."
[/code]

moses posted on 2018-12-30 19:41

[i=s] This post was last edited by moses on 2018-12-31 09:19 [/i]

Results and follow-up:[code]
root@raspberrypi:~ $ dig google.com

; <<>> DiG 9.10.3-P4-Raspbian <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56412
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                        IN        A

;; ANSWER SECTION:
google.com.                106        IN        A        A.B.C.D

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 30 18:53:39 CST 2018
;; MSG SIZE  rcvd: 55
[/code]Confirm that the A.B.C.D here is the same address your specially designated DNS resolves to; that satisfies the unpolluted-DNS requirement.

If you use an RB, turn off automatic DNS acquisition from your ISP and point the RB's DNS queries at this DNSMASQ. I'm using several Raspberry Pis here, placed in different subnets. A crontab job in the background that refreshes the lists once a month is all it takes.

With that, the clean DNS system is complete. If you have several sites, run a tunnel between the RBs and let OSPF handle the inter-site subnet routing, then point the other sites' DNS resolution at this Pi too; if you can, set up several and have the RBs' DNS point at each other as backups, which works even better.
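The check described above (compare what dnsmasq hands back with what the trusted upstream returns for the same name), as an added Python example that is not part of the original post: it builds a raw A query, sends it straight to a chosen resolver instead of going through the system resolver, parses the answer, and compares the two address sets. `A.B.C.D` keeps the post's placeholder for the trusted upstream; the function names are mine.

```python
import random, socket, struct

def build_query(name, qid=None):
    # One standard recursive A/IN query; returns (transaction id, wire bytes).
    qid = random.randint(0, 0xFFFF) if qid is None else qid
    header = struct.pack('!HHHHHH', qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b''.join(bytes([len(l)]) + l.encode() for l in name.strip('.').split('.'))
    return qid, header + qname + b'\x00' + struct.pack('!HH', 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    # Offset just past a (possibly compressed) domain name.
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln

def parse_a_records(msg, qid):
    # Set of A addresses in a response; raises on id mismatch or error rcode.
    rid, flags, qd, an, _, _ = struct.unpack('!HHHHHH', msg[:12])
    if rid != qid or flags & 0x000F:
        raise ValueError('bad response: id %#x, rcode %d' % (rid, flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_a(name, server, port=53, timeout=3.0):
    # Query one resolver directly over UDP (bypassing /etc/resolv.conf).
    qid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, qid)

def check_clean(name, dnsmasq='127.0.0.1', trusted='A.B.C.D'):
    # True when dnsmasq's answer overlaps the trusted upstream's; A.B.C.D is a placeholder.
    local, clean = resolve_a(name, dnsmasq), resolve_a(name, trusted)
    return bool(local & clean), local, clean
```

Run check_clean for a few names from glist.conf after replacing the placeholder; a False result means dnsmasq is not handing that name to the clean upstream.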

角色 posted on 2019-1-20 22:20

I really need to digest CHing's scripts properly.


Powered by Discuz! Archiver 7.2  © 2001-2009 Comsenz Inc.