
Building a clean DNS setup with DNSMASQ

Last edited by moses on 2018-12-29 19:31

To get the discussion going: this post only covers a way to deal with DNS poisoning. Tunnel-related matters are out of scope (I assume everyone here already has their own solutions for that).

Requirements:
        1. Prevent DNS poisoning
        2. Keep CDN acceleration
        3. Filter ads and privacy tracking
        4. Targeted resolution acceleration and optimization
        5. DNS resolution caching

Approach:
Use DNSMASQ to send different domains to different upstream servers by region.
        1. If you are in the mainland, the set of poisoned domains can roughly be taken from a "wall LIST". Decode it from BASE64, extract and merge the domains to produce the list of poisoned domains that need extra care, and have DNSMASQ resolve that list through a dedicated upstream DNS server. Keep the layer-3 path between DNSMASQ and that server encrypted or inside a tunnel, so this traffic can neither be observed nor poisoned or tampered with.
        2. The second group of DNS servers DNSMASQ uses acts as the default recursive resolver for non-poisoned domains, which preserves the CDN benefits as far as possible. This can be your local ISP's DNS or a public DNS; in the mainland, 114 or Alibaba's public servers work.
        3. Apply the same idea to the domains in an adblocking list such as adblockplus or yoyo, and point those domains at 127.0.0.1 to counter ads and privacy tracking.
        4. Some problems are not solved well by ISP DNS, such as slow access or downloads for the Apple App Store or Apple WWDC live video. Point the related domains at a DNS server with an optimized resolution scheme, and also disable the domain hijacking done by those public servers.
        5. DNSMASQ has its own cache, which speeds up local resolution.

Setup:
Later. My own configuration contains some things that do not quite match the requirements above; I will post it once I have had time to clean it up.

The base DNSMASQ configuration covers item 2 above:
```
# listen on an interface or on an address, either works
#listen-address=127.0.0.1
interface=eth0
port=53
no-poll
no-resolv
all-servers
cache-size=5000
neg-ttl=3600

# local ISP DNS or public DNS; these are the default servers for item 2
server=A.B.C.D
server=A.B.C.D

# the configuration for items 1, 3 and 4 goes in this directory
conf-dir=/etc/dnsmasq.d
```
Part 1 handles resolution for the wall LIST (if you use ROS, the traffic between here and A.B.C.D needs a mangle rule that sends it into a tun interface, or some other solution):
glist.conf
```
server=/.DOMAINNAME.XXX/A.B.C.D
```
Part 3 blocks ad and privacy-tracking domains:
adlist.conf
```
address=/DOMAINNAME.XXX/127.0.0.1
```
Part 4: special lists and hijack handling
splist.conf
```
server=/phobos-apple.com.akadns.net/114.114.114.114
```
Hijack handling. This list is for mainland ISPs; if those of you in Taiwan and Hong Kong have found yours, please submit a copy too.
bogus-nxdomain.china.conf
```
## Public DNS

# DNSPai
bogus-nxdomain=123.125.81.12
bogus-nxdomain=101.226.10.8

# Level3
bogus-nxdomain=198.105.254.11
bogus-nxdomain=104.239.213.7


## China Telecom

# Anhui Telecom
bogus-nxdomain=61.191.206.4

# Beijing Telecom
bogus-nxdomain=218.30.64.194

# Chengdu Telecom
bogus-nxdomain=61.139.8.101
bogus-nxdomain=61.139.8.102
bogus-nxdomain=61.139.8.103
bogus-nxdomain=61.139.8.104

# Fujian Telecom
bogus-nxdomain=42.123.125.237

# Gansu Telecom
bogus-nxdomain=202.100.68.117

# Guangxi Telecom
bogus-nxdomain=113.12.83.4
bogus-nxdomain=113.12.83.5

# Hainan Telecom
bogus-nxdomain=202.100.220.54

# Hangzhou Telecom
bogus-nxdomain=60.191.124.236
bogus-nxdomain=60.191.124.252

# Hebei Telecom
bogus-nxdomain=222.221.5.204

# Hunan Telecom
bogus-nxdomain=124.232.132.94

# Jiangsu Telecom
bogus-nxdomain=202.102.110.204

# Jiangxi Telecom
bogus-nxdomain=61.131.208.210
bogus-nxdomain=61.131.208.211

# Nanjing Telecom
bogus-nxdomain=202.102.110.203
bogus-nxdomain=202.102.110.205

# Shandong Telecom
bogus-nxdomain=219.146.13.36

# Shanghai Telecom
bogus-nxdomain=180.168.41.175
bogus-nxdomain=180.153.103.224

# Wuhan Telecom
bogus-nxdomain=111.175.221.58
bogus-nxdomain=61.183.1.186

# Xi'an Telecom
bogus-nxdomain=125.76.239.244
bogus-nxdomain=125.76.239.245

# Yunnan Telecom
bogus-nxdomain=222.221.5.252
bogus-nxdomain=222.221.5.253
bogus-nxdomain=220.165.8.172
bogus-nxdomain=220.165.8.174


## China Unicom

# Anhui Unicom
bogus-nxdomain=112.132.230.179

# Beijing Unicom (bjdnserror1.wo.com.cn ~ bjdnserror5.wo.com.cn)
bogus-nxdomain=202.106.199.34
bogus-nxdomain=202.106.199.35
bogus-nxdomain=202.106.199.36
bogus-nxdomain=202.106.199.37
bogus-nxdomain=202.106.199.38

# Hebei Unicom (hbdnserror1.wo.com.cn ~ hbdnserror7.wo.com.cn)
bogus-nxdomain=221.192.153.41
bogus-nxdomain=221.192.153.42
bogus-nxdomain=221.192.153.43
bogus-nxdomain=221.192.153.44
bogus-nxdomain=221.192.153.45
bogus-nxdomain=221.192.153.46
bogus-nxdomain=221.192.153.49

# Heilongjiang Unicom (hljdnserror1.wo.com.cn ~ hljdnserror5.wo.com.cn)
bogus-nxdomain=125.211.213.130
bogus-nxdomain=125.211.213.131
bogus-nxdomain=125.211.213.132
bogus-nxdomain=125.211.213.133
bogus-nxdomain=125.211.213.134

# Henan Unicom (hndnserror1.wo.com.cn ~ hndnserror7.wo.com.cn)
bogus-nxdomain=218.28.144.36
bogus-nxdomain=218.28.144.37
bogus-nxdomain=218.28.144.38
bogus-nxdomain=218.28.144.39
bogus-nxdomain=218.28.144.40
bogus-nxdomain=218.28.144.41
bogus-nxdomain=218.28.144.42

# Jilin Unicom (jldnserror1.wo.com.cn ~ jldnserror5.wo.com.cn)
bogus-nxdomain=202.98.24.121
bogus-nxdomain=202.98.24.122
bogus-nxdomain=202.98.24.123
bogus-nxdomain=202.98.24.124
bogus-nxdomain=202.98.24.125

# Liaoning Unicom (lndnserror1.wo.com.cn ~ lndnserror7.wo.com.cn)
bogus-nxdomain=60.19.29.21
bogus-nxdomain=60.19.29.22
bogus-nxdomain=60.19.29.23
bogus-nxdomain=60.19.29.24
bogus-nxdomain=60.19.29.25
bogus-nxdomain=60.19.29.26
bogus-nxdomain=60.19.29.27

# Nanfang Unicom (nfdnserror1.wo.com.cn ~ nfdnserror17.wo.com.cn)
bogus-nxdomain=220.250.64.18
bogus-nxdomain=220.250.64.19
bogus-nxdomain=220.250.64.20
bogus-nxdomain=220.250.64.21
bogus-nxdomain=220.250.64.22
bogus-nxdomain=220.250.64.23
bogus-nxdomain=220.250.64.24
bogus-nxdomain=220.250.64.25
bogus-nxdomain=220.250.64.26
bogus-nxdomain=220.250.64.27
bogus-nxdomain=220.250.64.28
bogus-nxdomain=220.250.64.29
bogus-nxdomain=220.250.64.30
bogus-nxdomain=220.250.64.225
bogus-nxdomain=220.250.64.226
bogus-nxdomain=220.250.64.227
bogus-nxdomain=220.250.64.228

# Neimenggu Unicom (nmdnserror2.wo.com.cn ~ nmdnserror4.wo.com.cn)
bogus-nxdomain=202.99.254.231
bogus-nxdomain=202.99.254.232
bogus-nxdomain=202.99.254.230

# Shandong Unicom (sddnserror1.wo.com.cn ~ sddnserror9.wo.com.cn)
bogus-nxdomain=123.129.254.11
bogus-nxdomain=123.129.254.12
bogus-nxdomain=123.129.254.13
bogus-nxdomain=123.129.254.14
bogus-nxdomain=123.129.254.15
bogus-nxdomain=123.129.254.16
bogus-nxdomain=123.129.254.17
bogus-nxdomain=123.129.254.18
bogus-nxdomain=123.129.254.19

# Shanxi Unicom (sxdnserror1.wo.com.cn ~ sxdnserror6.wo.com.cn)
bogus-nxdomain=221.204.244.36
bogus-nxdomain=221.204.244.37
bogus-nxdomain=221.204.244.38
bogus-nxdomain=221.204.244.39
bogus-nxdomain=221.204.244.40
bogus-nxdomain=221.204.244.41

# Tianjin Unicom (tjdnserror1.wo.com.cn ~ tjdnserror5.wo.com.cn)
bogus-nxdomain=218.68.250.117
bogus-nxdomain=218.68.250.118
bogus-nxdomain=218.68.250.119
bogus-nxdomain=218.68.250.120
bogus-nxdomain=218.68.250.121


## China Mobile

# Anhui Mobile
bogus-nxdomain=120.209.138.64

# Guangdong Mobile
bogus-nxdomain=211.139.136.73
bogus-nxdomain=221.179.46.190
bogus-nxdomain=221.179.46.194

# Jiangsu Mobile
bogus-nxdomain=183.207.232.253

# Jiangxi Mobile
bogus-nxdomain=223.82.248.117

# Qinghai Mobile
bogus-nxdomain=211.138.74.132

# Shaanxi Mobile
bogus-nxdomain=211.137.130.101

# Shanghai Mobile
bogus-nxdomain=211.136.113.1

# Shanxi Mobile
bogus-nxdomain=211.138.102.198

# Shandong Mobile
bogus-nxdomain=120.192.83.163

# Sichuan Mobile
bogus-nxdomain=183.221.242.172
bogus-nxdomain=183.221.250.11

# Xizang Mobile
bogus-nxdomain=111.11.208.2

# Yunnan Mobile
bogus-nxdomain=183.224.40.24


## China Tie Tong

# Shandong TieTong
bogus-nxdomain=211.98.70.226
bogus-nxdomain=211.98.70.227
bogus-nxdomain=211.98.71.195


## GWBN

# Wuhan GWBN
bogus-nxdomain=114.112.163.232
bogus-nxdomain=114.112.163.254
```

Fetching the list for part 1:
```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Python 3 port of the original Python 2 script (urllib2 / print statements replaced).

import base64
import datetime
import os
import re
import shutil
import urllib.request

# External clean DNS address and port. Any unpolluted DNS in Hong Kong or Taiwan
# will do; make sure traffic to that server is encrypted or sent through the tunnel.
mydnsip = 'A.B.C.D'
mydnsport = '53'

# The wall LIST. Fetching it may have to go through the tunnel; direct access
# from the mainland may not work.
baseurl = 'https://raw.githubusercontent.com/gfwlist/gfwlist/master/gfwlist.txt'

# match comments/title/whitelist/ip address
comment_pattern = r'^\!|\[|^@@|^\d+\.\d+\.\d+\.\d+'
domain_pattern = r'([\w\-\_]+\.[\w\.\-\_]+)[\/\*]*'
tmpfile = 'glisttmp'

# do not write to router internal flash directly
outfile = 'glist.conf'
rulesfile = '/etc/dnsmasq.d/glist.conf'

fs = open(outfile, 'w')
fs.write('# glist ipset rules for dnsmasq\n')
fs.write('# updated on ' + datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S") + '\n')
fs.write('#\n')

print('fetching list...')
raw = urllib.request.urlopen(baseurl, timeout=15).read()
content = base64.b64decode(raw).decode('utf-8', 'replace')

# write the decoded content to file then read line by line
tfs = open(tmpfile, 'w')
tfs.write(content)
tfs.close()
tfs = open(tmpfile, 'r')

print('page content fetched, analysis...')

# remember all blocked domains, in case of duplicate records
domainlist = set()

for line in tfs.readlines():
    if re.findall(comment_pattern, line):
        print('this is a comment line: ' + line)
        #fs.write('#' + line)
    else:
        domain = re.findall(domain_pattern, line)
        if domain:
            if domain[0] in domainlist:
                print(domain[0] + ' exists.')
            else:
                print('saving ' + domain[0])
                domainlist.add(domain[0])
                fs.write('server=/.%s/%s#%s\n' % (domain[0], mydnsip, mydnsport))
        else:
            print('no valid domain in this line: ' + line)

tfs.close()
fs.close()

print('moving generated file to dnsmasq directory')
shutil.move(outfile, rulesfile)

print('restart dnsmasq...')
print(os.popen('/etc/init.d/dnsmasq restart').read())

print('done!')
```


Part 4: list of Apple-related service domains:
splist.conf
```
server=/a1.mzstatic.com/114.114.114.114
server=/a2.mzstatic.com/114.114.114.114
server=/a3.mzstatic.com/114.114.114.114
server=/a4.mzstatic.com/114.114.114.114
server=/a5.mzstatic.com/114.114.114.114
server=/adcdownload.apple.com/114.114.114.114
server=/appldnld.apple.com/114.114.114.114
server=/apps.mzstatic.com/114.114.114.114
server=/cdn-cn1.apple-mapkit.com/114.114.114.114
server=/cdn-cn2.apple-mapkit.com/114.114.114.114
server=/cdn-cn3.apple-mapkit.com/114.114.114.114
server=/cdn-cn4.apple-mapkit.com/114.114.114.114
server=/cdn.apple-mapkit.com/114.114.114.114
server=/cdn1.apple-mapkit.com/114.114.114.114
server=/cdn2.apple-mapkit.com/114.114.114.114
server=/cdn3.apple-mapkit.com/114.114.114.114
server=/cdn4.apple-mapkit.com/114.114.114.114
server=/cds.apple.com/114.114.114.114
server=/cl1.apple.com/114.114.114.114
server=/cl2.apple.com.edgekey.net.globalredir.akadns.net/114.114.114.114
server=/cl2.apple.com/114.114.114.114
server=/cl3.apple.com/114.114.114.114
server=/cl4-cn.apple.com/114.114.114.114
server=/cl4.apple.com/114.114.114.114
server=/cl5.apple.com/114.114.114.114
server=/configuration.apple.com/114.114.114.114
server=/gs-loc.apple.com/114.114.114.114
server=/gsp11-cn.ls.apple.com/114.114.114.114
server=/gsp12-cn.ls.apple.com/114.114.114.114
server=/gsp13-cn.ls.apple.com/114.114.114.114
server=/gsp4-cn.ls.apple.com.edgekey.net.globalredir.akadns.net/114.114.114.114
server=/gsp4-cn.ls.apple.com.edgekey.net/114.114.114.114
server=/gsp4-cn.ls.apple.com/114.114.114.114
server=/gsp5-cn.ls.apple.com/114.114.114.114
server=/gspe19-cn.ls-apple.com.akadns.net/114.114.114.114
server=/gspe19-cn.ls.apple.com/114.114.114.114
server=/gspe21-ssl.ls.apple.com/114.114.114.114
server=/gspe21.ls.apple.com/114.114.114.114
server=/gspe35-ssl.ls.apple.com/114.114.114.114
server=/icloud.cdn-apple.com/114.114.114.114
server=/images.apple.com/114.114.114.114
server=/init-p01md.apple.com/114.114.114.114
server=/init-p01st.push.apple.com/114.114.114.114
server=/iphone-ld.apple.com/114.114.114.114
server=/is1-ssl.mzstatic.com/114.114.114.114
server=/is1.mzstatic.com/114.114.114.114
server=/is2-ssl.mzstatic.com/114.114.114.114
server=/is2.mzstatic.com/114.114.114.114
server=/is3-ssl.mzstatic.com/114.114.114.114
server=/is3.mzstatic.com/114.114.114.114
server=/is4-ssl.mzstatic.com/114.114.114.114
server=/is4.mzstatic.com/114.114.114.114
server=/is5-ssl.mzstatic.com/114.114.114.114
server=/is5.mzstatic.com/114.114.114.114
server=/itunes-apple.com.akadns.net/114.114.114.114
server=/itunes.apple.com/114.114.114.114
server=/itunesconnect.apple.com/114.114.114.114
server=/mesu-cdn.apple.com.akadns.net/114.114.114.114
server=/mesu-china.apple.com.akadns.net/114.114.114.114
server=/mesu.apple.com/114.114.114.114
server=/s.mzstatic.com/114.114.114.114
server=/s2.mzstatic.com/114.114.114.114
server=/s3.mzstatic.com/114.114.114.114
server=/s4.mzstatic.com/114.114.114.114
server=/s5.mzstatic.com/114.114.114.114
server=/store.apple.com/114.114.114.114
server=/store.storeimages.cdn-apple.com/114.114.114.114
server=/support.apple.com/114.114.114.114
server=/swcdn.apple.com/114.114.114.114
server=/swdist.apple.com/114.114.114.114
server=/updates-http.cdn-apple.com.akadns.net/114.114.114.114
server=/updates-http.cdn-apple.com/114.114.114.114
server=/www.apple.com.edgekey.net/114.114.114.114
server=/www.apple.com/114.114.114.114
```
If some Microsoft cloud services are hard to reach or fail to sync from the mainland, they can be given the same special treatment here.


Fetching the list for part 3:
adlist.conf
```bash
#!/bin/bash

outlist='/etc/dnsmasq.d/adlist.conf'
tempoutlist="$outlist.tmp"

# Add the lists you want here; this uses ADP's easylist
echo "Getting adblockplus easylistchina + easylist..."
# keep only rules of the exact form ||domain^ and strip the || and ^ markers
curl -s https://easylist-downloads.adblockplus.org/easylistchina+easylist.txt | grep '^||[^*]*\^$' | sed 's/^||//' | cut -d'^' -f-1 > "$tempoutlist"

echo "Removing duplicates and formatting the list of domains..."

# strip CR, drop the placeholder domains, dedupe, drop empty lines, then wrap each domain as address=/domain/127.0.0.1
sed 's/\r$//' "$tempoutlist" | sed '/thisisiafakedomain123\.com/d;/www\.anotherfakedomain123\.com/d' | sort -u | sed '/^$/d' | sed -e 's:^:address\=\/:' -e 's:$:/127\.0\.0\.1:' > "$outlist"
rm "$tempoutlist"

numberOfAdsBlocked=$(wc -l < "$outlist" | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked ad domains blocked."
```
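As an added example (not the post's own scripts), the two list-conversion steps for part 1 and part 3 written as pure Python 3 functions that run offline: gfwlist lines are base64-decoded and reduced to domains for the server= rules, and Adblock Plus ||domain^ rules become the address= rules. The list contents below are constructed samples, not the real lists.

```python
import base64
import re

# Constructed sample inputs (not real list contents): a few lines in gfwlist's
# AutoProxy syntax (base64-encoded, as the real file is) and in Adblock Plus syntax.
GFWLIST_SAMPLE = base64.b64encode(b"""[AutoProxy 0.2.9]
! Checksum: constructed
||example.org
|http://blocked.example.net/path
.cdn.example.com/
@@||allowed.example.org
/^https?:\\/\\/[^\\/]+tracker/
||example.org
""")
EASYLIST_SAMPLE = """[Adblock Plus 2.0]
! Title: constructed sample
||ads.example.com^
||ads.example.com^
||tracker.example.net^$third-party
@@||ads.example.com^
"""

# Same categories the post's comment_pattern skips (comments, the [header] line,
# @@ exception rules, bare IP addresses), plus /regex/ rules, which carry no domain.
SKIP_RE = re.compile(r'^(!|\[|@@|/|\d+\.\d+\.\d+\.\d+)')
DOMAIN_RE = re.compile(r'([\w-]+\.[\w.-]+)')
# Only rules of the exact form ||domain^ (what the post's grep selects).
EASYLIST_RE = re.compile(r'^\|\|([^*/^$]+)\^$')

def gfwlist_domains(b64text):
    """Decode the base64 list and return unique domains in order of first appearance."""
    seen, out = set(), []
    for line in base64.b64decode(b64text).decode('utf-8', 'replace').splitlines():
        m = None if SKIP_RE.match(line.strip()) else DOMAIN_RE.search(line)
        if m and m.group(1) not in seen:
            seen.add(m.group(1)); out.append(m.group(1))
    return out

def easylist_domains(text):
    """Return the sorted, de-duplicated domains from ||domain^ rules."""
    return sorted({m.group(1) for m in map(EASYLIST_RE.match, text.splitlines()) if m})

def server_lines(domains, dns_ip, port=53):
    """Part 1: send each domain (dnsmasq includes its subdomains) to the clean upstream."""
    return ['server=/%s/%s#%d' % (d, dns_ip, port) for d in domains]

def address_lines(domains, sink='127.0.0.1'):
    """Part 3: answer each ad/tracker domain with the sink address."""
    return ['address=/%s/%s' % (d, sink) for d in domains]
```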


Last edited by moses on 2018-12-31 09:19

Results and follow-up:
```
root@raspberrypi:~ $ dig google.com

; <<>> DiG 9.10.3-P4-Raspbian <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56412
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                        IN        A

;; ANSWER SECTION:
google.com.                106        IN        A        A.B.C.D

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 30 18:53:39 CST 2018
;; MSG SIZE  rcvd: 55
```
Confirm that the A.B.C.D here matches the address you get when querying the DNS server you designated directly; if it does, the unpolluted-DNS requirement is met.

If you use an RB, disable automatic DNS from your ISP and point the RB's DNS queries at this DNSMASQ. I use several Raspberry Pis, each in a different subnet. A crontab job in the background that refreshes the lists once a month is enough.

That completes the clean DNS setup. If you have multiple sites, run a tunnel between the RBs and let OSPF handle the inter-site subnet routing, then point the other sites' DNS at this Pi as well. If you can, build more than one and have the RBs point at each other's DNS as a backup; that works even better.


I really need to take the time to digest CHing's scripts.
