openwrt上使用dnscrypt来处理dns污染
现在dns污染真的很烦人,总是会莫名其妙地遇到然后导致访问失败,折腾了相当久都没有什么好办法。dnsmasq上加上了chinalist,可以搞定国内的大部分域名,大部分CDN也能用,但是国外的地址解析一直都不是很稳定。
试过直接经梯子用国外的dns服务器,但是由于梯子本身的不稳定,上网的体验太差了,动不动就解析不了ip地址。然后经过一番搜索,得知了dnscrypt已经移植到了openwrt上,于是果断已看,还真有。
[email protected] ~ # opkg list | grep dnscrypt dnscrypt-proxy - 1.4.3-1 - dnscrypt-proxy provides local service which can be used directly as your local resolver or as a DNS forwarder, encrypting and authenticating requests using the DNSCrypt protocol and passing them to an upstream server. The DNSCrypt protocol uses high-speed high-security elliptic-curve cryptography and is very similar to DNSCurve, but focuses on securing communications between a client and its first-level resolver.
结果装上之后一试,哎呦,速度还可以,也比较稳定,没出现什么经常性的抽风。
安装的过程非常简单,opkg install dnscrypt-proxy之后修改/etc/config/dnscrypt-proxy,只需要取消注释一行就可以用了
config dnscrypt-proxy
option address '127.0.0.1'
option port '5353'
option resolver 'cisco'
# option resolvers_list '/usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv'
# option ephemeral_keys '1'至于可以用的公用解析器,可以参考public DNSCrypt resolvers。
dig了一下,查询时间大概在200-ms,效果良好~
[email protected] /etc/config # dig youtube.com -p 5353 127.0.0.1 ; <<>> DiG 9.9.8-P3 <<>> youtube.com -p 5353 127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40410 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;youtube.com. IN A ;; ANSWER SECTION: youtube.com. 300 IN A 216.58.203.14 ;; Query time: 194 msec ;; SERVER: 127.0.0.1#5353(127.0.0.1) ;; WHEN: Thu Jun 30 23:51:44 CST 2016 ;; MSG SIZE rcvd: 56 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6494 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;127.0.0.1. IN A ;; AUTHORITY SECTION: . 2158 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2016062901 1800 900 604800 86400 ;; Query time: 188 msec ;; SERVER: 127.0.0.1#5353(127.0.0.1) ;; WHEN: Thu Jun 30 23:51:44 CST 2016 ;; MSG SIZE rcvd: 113
然后配置dnsmasq,修改/etc/dnsmasq.conf,添加一行
conf-dir=/etc/dnsmasq.d
然后把https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master/accelerated-domains.china.conf下载到/etc/dnsmasq.d/,再去修改dnsmasq的转发为127.0.0.1#5353
或者直接修改/etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option rebind_protection '0'
list server '127.0.0.1#5353'