标签归档:dnscrypt

openwrt上使用dnscrypt来处理dns污染

发表评论

现在dns污染真的很烦人,总是会莫名其妙地遇到然后导致访问失败,折腾了相当久都没有什么好办法。dnsmasq上加上了chinalist,可以搞定国内的大部分域名,大部分CDN也能用,但是国外的地址解析一直都不是很稳定。

试过直接经梯子用国外的dns服务器,但是由于梯子本身的不稳定,上网的体验太差了,动不动就解析不了ip地址。然后经过一番搜索,得知了dnscrypt已经移植到了openwrt上,于是果断已看,还真有。

root@Belkin ~ # opkg list | grep dnscrypt
dnscrypt-proxy - 1.4.3-1 - dnscrypt-proxy provides local service which can be used directly as your local resolver or as a DNS forwarder, encrypting and authenticating requests using the DNSCrypt protocol and passing them to an upstream server. The DNSCrypt protocol uses high-speed high-security elliptic-curve cryptography and is very similar to DNSCurve, but focuses on securing communications between a client and its first-level resolver.

结果装上之后一试,哎呦,速度还可以,也比较稳定,没出现什么经常性的抽风。

安装的过程非常简单,opkg install dnscrypt-proxy之后修改/etc/config/dnscrypt-proxy,只需要取消注释一行就可以用了

config dnscrypt-proxy
    option address '127.0.0.1'
    option port '5353'
    option resolver 'cisco'
    # option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
    # option ephemeral_keys '1'

至于可以用的公用解析器,可以参考public DNSCrypt resolvers。

dig了一下,查询时间大概在200-ms,效果良好~

root@Belkin /etc/config # dig youtube.com -p 5353 127.0.0.1

; <<>> DiG 9.9.8-P3 <<>> youtube.com -p 5353 127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40410
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;youtube.com.                   IN      A

;; ANSWER SECTION:
youtube.com.            300     IN      A       216.58.203.14

;; Query time: 194 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Thu Jun 30 23:51:44 CST 2016
;; MSG SIZE  rcvd: 56

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6494
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;127.0.0.1.                     IN      A

;; AUTHORITY SECTION:
.                       2158    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2016062901 1800 900 604800 86400

;; Query time: 188 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Thu Jun 30 23:51:44 CST 2016
;; MSG SIZE  rcvd: 113

然后配置dnsmasq,修改/etc/dnsmasq.conf,添加一行

conf-dir=/etc/dnsmasq.d

然后把https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/accelerated-domains.china.conf下载到/etc/dnsmasq.d/,再去修改dnsmasq的转发为127.0.0.1#5353

dnsmasq转发

或者直接修改/etc/config/dhcp

config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option localise_queries '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.auto'
    option rebind_protection '0'
    list server '127.0.0.1#5353'