使用DNSMASQ搭建清澈DNS系统 DNSMASQ, DNS污染, 对抗

moses

抛砖引玉, 这里仅仅说下针对DNS污染的解决方法, 其中不包括隧道相关的问题(关于这点我想在座的各位都有自己的各种解决方案).

需求:
        1. 防止DNS污染
        2. 保留CDN加速
        3. 过滤广告与隐私追踪
        4. 针对性解析加速和优化
        5. DNS解析缓存
       
思路:
使用DNSMASQ分区域使用不同的上游服务器解析不同的域名.
        1. 如你身处大陆, 那么DNS污染的清单大致上可以参照一张"墙LIST", 使用BASE64解码后抓出合并域名生成需要额外照顾的污染清单, 让DNSMASQ对这份清单使用特别的上游DNS服务器做解析, DNSMASQ与这个服务器在第三层的封装保持加密或送入隧道, 保证此部分数据不被窥探且不被污染或篡改.
        2. DNSMASQ调用的第二组DNS服务器作为默认递归查询服务器用以查询非污染域名从而最大限度保证CDN优势, 可以采用本地运营商提供的DNS或公共DNS, 公共DNS大陆可以使用114或阿里的服务器.
        3. 使用相同的思路抓取adblockplus或yoyo之类的adblocking清单中的域名, 将其域名解析引导至127.0.0.1, 用以对抗广告或隐私跟踪.
        4. 对于一些使用运营商DNS并不能很好的解决问题, 如apple sppstore或apple wwdc视频直播之类访问下载速度慢的问题, 将其相关域名引导至具有优化解析方案的DNS服务器, 同时禁止掉这些公共服务器的域名劫持.
        5. DNSMASQ本身具有缓存能力, 用以本地解析加速.
       
搭建:
稍后吧, 我自己的配置有一些和上面需求并不完全符合的内容, 等我有空清理掉再码上来.

DNSMASQ基本配置包含第二部分:

1. #接口侦听或者地址侦听任选
   
2. #listen-address=127.0.0.1
   
3. interface=eth0
   
4. port=53
   
5. no-poll
   
6. no-resolv
   
7. all-servers
   
8. cache-size=5000
   
9. neg-ttl=3600
   
10. 
    
11. # 本地运营商DNS或者公共DNS, 这里为第二条对应的默认DNS
    
12. server=A.B.C.D
    
13. server=A.B.C.D
    
14. 
    
15. #其余1, 3, 4的配置丢在下面的目录中
    
16. conf-dir=/etc/dnsmasq.d

複製代碼

第一部分针对墙LIST解析(这里与A.B.C.D之间的流量如果使用ROS需要做mangle送进tun或其他解决方案):
glist.conf

1. server=/.DOMAINNAME.XXX/A.B.C.D

複製代碼

第三部分针对广告或隐私追踪相关域名进行屏蔽:
adlist.conf

1. address=/DOMAINNAME.XXX/127.0.0.1

複製代碼

第四部分特别清单与劫持处理
splist.conf

1. server=/phobos-apple.com.akadns.net/114.114.114.114

複製代碼

劫持部分处理, 列表为大陆运营商的, 台湾与香港你们查到了也提交一份吧
bogus-nxdomain.china.conf

1. ## Public DNS
   
2. 
   
3. # DNSPai
   
4. bogus-nxdomain=123.125.81.12
   
5. bogus-nxdomain=101.226.10.8
   
6. 
   
7. # Level3
   
8. bogus-nxdomain=198.105.254.11
   
9. bogus-nxdomain=104.239.213.7
   
10. 
    
11. 
    
12. ## China Telecom
    
13. 
    
14. # Anhui Telecom
    
15. bogus-nxdomain=61.191.206.4
    
16. 
    
17. # Beijing Telecom
    
18. bogus-nxdomain=218.30.64.194
    
19. 
    
20. # Chengdu Telecom
    
21. bogus-nxdomain=61.139.8.101
    
22. bogus-nxdomain=61.139.8.102
    
23. bogus-nxdomain=61.139.8.103
    
24. bogus-nxdomain=61.139.8.104
    
25. 
    
26. # Fujian Telecom
    
27. bogus-nxdomain=42.123.125.237
    
28. 
    
29. # Gansu Telecom
    
30. bogus-nxdomain=202.100.68.117
    
31. 
    
32. # Guangxi Telecom
    
33. bogus-nxdomain=113.12.83.4
    
34. bogus-nxdomain=113.12.83.5
    
35. 
    
36. # Hainan Telecom
    
37. bogus-nxdomain=202.100.220.54
    
38. 
    
39. # Hangzhou Telecom
    
40. bogus-nxdomain=60.191.124.236
    
41. bogus-nxdomain=60.191.124.252
    
42. 
    
43. # Hebei Telecom
    
44. bogus-nxdomain=222.221.5.204
    
45. 
    
46. # Hunan Telecom
    
47. bogus-nxdomain=124.232.132.94
    
48. 
    
49. # Jiangsu Telecom
    
50. bogus-nxdomain=202.102.110.204
    
51. 
    
52. # Jiangxi Telecom
    
53. bogus-nxdomain=61.131.208.210
    
54. bogus-nxdomain=61.131.208.211
    
55. 
    
56. # Nanjing Telecom
    
57. bogus-nxdomain=202.102.110.203
    
58. bogus-nxdomain=202.102.110.205
    
59. 
    
60. # Shandong Telecom
    
61. bogus-nxdomain=219.146.13.36
    
62. 
    
63. # Shanghai Telecom
    
64. bogus-nxdomain=180.168.41.175
    
65. bogus-nxdomain=180.153.103.224
    
66. 
    
67. # Wuhan Telecom
    
68. bogus-nxdomain=111.175.221.58
    
69. bogus-nxdomain=61.183.1.186
    
70. 
    
71. # Xi'an Telecom
    
72. bogus-nxdomain=125.76.239.244
    
73. bogus-nxdomain=125.76.239.245
    
74. 
    
75. # Yunnan Telecom
    
76. bogus-nxdomain=222.221.5.252
    
77. bogus-nxdomain=222.221.5.253
    
78. bogus-nxdomain=220.165.8.172
    
79. bogus-nxdomain=220.165.8.174
    
80. 
    
81. 
    
82. ## China Unicom
    
83. 
    
84. # Anhui Unicom
    
85. bogus-nxdomain=112.132.230.179
    
86. 
    
87. # Beijing Unicom (bjdnserror1.wo.com.cn ~ bjdnserror5.wo.com.cn)
    
88. bogus-nxdomain=202.106.199.34
    
89. bogus-nxdomain=202.106.199.35
    
90. bogus-nxdomain=202.106.199.36
    
91. bogus-nxdomain=202.106.199.37
    
92. bogus-nxdomain=202.106.199.38
    
93. 
    
94. # Hebei Unicom (hbdnserror1.wo.com.cn ~ hbdnserror7.wo.com.cn)
    
95. bogus-nxdomain=221.192.153.41
    
96. bogus-nxdomain=221.192.153.42
    
97. bogus-nxdomain=221.192.153.43
    
98. bogus-nxdomain=221.192.153.44
    
99. bogus-nxdomain=221.192.153.45
    
100. bogus-nxdomain=221.192.153.46
     
101. bogus-nxdomain=221.192.153.49
     
102. 
     
103. # Heilongjiang Unicom (hljdnserror1.wo.com.cn ~ hljdnserror5.wo.com.cn)
     
104. bogus-nxdomain=125.211.213.130
     
105. bogus-nxdomain=125.211.213.131
     
106. bogus-nxdomain=125.211.213.132
     
107. bogus-nxdomain=125.211.213.133
     
108. bogus-nxdomain=125.211.213.134
     
109. 
     
110. # Henan Unicom (hndnserror1.wo.com.cn ~ hndnserror7.wo.com.cn)
     
111. bogus-nxdomain=218.28.144.36
     
112. bogus-nxdomain=218.28.144.37
     
113. bogus-nxdomain=218.28.144.38
     
114. bogus-nxdomain=218.28.144.39
     
115. bogus-nxdomain=218.28.144.40
     
116. bogus-nxdomain=218.28.144.41
     
117. bogus-nxdomain=218.28.144.42
     
118. 
     
119. # Jilin Unicom (jldnserror1.wo.com.cn ~ jldnserror5.wo.com.cn)
     
120. bogus-nxdomain=202.98.24.121
     
121. bogus-nxdomain=202.98.24.122
     
122. bogus-nxdomain=202.98.24.123
     
123. bogus-nxdomain=202.98.24.124
     
124. bogus-nxdomain=202.98.24.125
     
125. 
     
126. # Liaoning Unicom (lndnserror1.wo.com.cn ~ lndnserror7.wo.com.cn)
     
127. bogus-nxdomain=60.19.29.21
     
128. bogus-nxdomain=60.19.29.22
     
129. bogus-nxdomain=60.19.29.23
     
130. bogus-nxdomain=60.19.29.24
     
131. bogus-nxdomain=60.19.29.25
     
132. bogus-nxdomain=60.19.29.26
     
133. bogus-nxdomain=60.19.29.27
     
134. 
     
135. # Nanfang Unicom (nfdnserror1.wo.com.cn ~ nfdnserror17.wo.com.cn)
     
136. bogus-nxdomain=220.250.64.18
     
137. bogus-nxdomain=220.250.64.19
     
138. bogus-nxdomain=220.250.64.20
     
139. bogus-nxdomain=220.250.64.21
     
140. bogus-nxdomain=220.250.64.22
     
141. bogus-nxdomain=220.250.64.23
     
142. bogus-nxdomain=220.250.64.24
     
143. bogus-nxdomain=220.250.64.25
     
144. bogus-nxdomain=220.250.64.26
     
145. bogus-nxdomain=220.250.64.27
     
146. bogus-nxdomain=220.250.64.28
     
147. bogus-nxdomain=220.250.64.29
     
148. bogus-nxdomain=220.250.64.30
     
149. bogus-nxdomain=220.250.64.225
     
150. bogus-nxdomain=220.250.64.226
     
151. bogus-nxdomain=220.250.64.227
     
152. bogus-nxdomain=220.250.64.228
     
153. 
     
154. # Neimenggu Unicom (nmdnserror2.wo.com.cn ~ nmdnserror4.wo.com.cn)
     
155. bogus-nxdomain=202.99.254.231
     
156. bogus-nxdomain=202.99.254.232
     
157. bogus-nxdomain=202.99.254.230
     
158. 
     
159. # Shandong Unicom (sddnserror1.wo.com.cn ~ sddnserror9.wo.com.cn)
     
160. bogus-nxdomain=123.129.254.11
     
161. bogus-nxdomain=123.129.254.12
     
162. bogus-nxdomain=123.129.254.13
     
163. bogus-nxdomain=123.129.254.14
     
164. bogus-nxdomain=123.129.254.15
     
165. bogus-nxdomain=123.129.254.16
     
166. bogus-nxdomain=123.129.254.17
     
167. bogus-nxdomain=123.129.254.18
     
168. bogus-nxdomain=123.129.254.19
     
169. 
     
170. # Shanxi Unicom (sxdnserror1.wo.com.cn ~ sxdnserror6.wo.com.cn)
     
171. bogus-nxdomain=221.204.244.36
     
172. bogus-nxdomain=221.204.244.37
     
173. bogus-nxdomain=221.204.244.38
     
174. bogus-nxdomain=221.204.244.39
     
175. bogus-nxdomain=221.204.244.40
     
176. bogus-nxdomain=221.204.244.41
     
177. 
     
178. # Tianjin Unicom (tjdnserror1.wo.com.cn ~ tjdnserror5.wo.com.cn)
     
179. bogus-nxdomain=218.68.250.117
     
180. bogus-nxdomain=218.68.250.118
     
181. bogus-nxdomain=218.68.250.119
     
182. bogus-nxdomain=218.68.250.120
     
183. bogus-nxdomain=218.68.250.121
     
184. 
     
185. 
     
186. ## China Mobile
     
187. 
     
188. # Anhui Mobile
     
189. bogus-nxdomain=120.209.138.64
     
190. 
     
191. # Guangdong Mobile
     
192. bogus-nxdomain=211.139.136.73
     
193. bogus-nxdomain=221.179.46.190
     
194. bogus-nxdomain=221.179.46.194
     
195. 
     
196. # Jiangsu Mobile
     
197. bogus-nxdomain=183.207.232.253
     
198. 
     
199. # Jiangxi Mobile
     
200. bogus-nxdomain=223.82.248.117
     
201. 
     
202. # Qinghai Mobile
     
203. bogus-nxdomain=211.138.74.132
     
204. 
     
205. # Shaanxi Mobile
     
206. bogus-nxdomain=211.137.130.101
     
207. 
     
208. # Shanghai Mobile
     
209. bogus-nxdomain=211.136.113.1
     
210. 
     
211. # Shanxi Mobile
     
212. bogus-nxdomain=211.138.102.198
     
213. 
     
214. # Shandong Mobile
     
215. bogus-nxdomain=120.192.83.163
     
216. 
     
217. # Sichuan Mobile
     
218. bogus-nxdomain=183.221.242.172
     
219. bogus-nxdomain=183.221.250.11
     
220. 
     
221. # Xizang Mobile
     
222. bogus-nxdomain=111.11.208.2
     
223. 
     
224. # Yunnan Mobile
     
225. bogus-nxdomain=183.224.40.24
     
226. 
     
227. 
     
228. ## China Tie Tong
     
229. 
     
230. # Shandong TieTong
     
231. bogus-nxdomain=211.98.70.226
     
232. bogus-nxdomain=211.98.70.227
     
233. bogus-nxdomain=211.98.71.195
     
234. 
     
235. 
     
236. ## GWBN
     
237. 
     
238. # Wuhan GWBN
     
239. bogus-nxdomain=114.112.163.232
     
240. bogus-nxdomain=114.112.163.254

複製代碼

moses

第一部分的列表获取:

1. #!/usr/bin/env python  
   
2. #coding=utf-8
   
3. 
   
4. import urllib2
   
5. import re
   
6. import os
   
7. import datetime
   
8. import base64
   
9. import shutil
   
10. 
    
11. # 指定外部纯净DNS地址与端口, 此地址用香港或台湾任意无污染DNS即可, 与服务器之间通信确保加密或送入隧道
    
12. mydnsip = 'A.B.C.D'
    
13. mydnsport = '53'
    
14. 
    
15. #墙LIST, 获取可能需要送入隧道, 大陆有可能访问不正常
    
16. baseurl = 'https://raw.githubusercontent.com/gfwlist/gfwlist/master/gfwlist.txt'
    
17. 
    
18. # match comments/title/whitelist/ip address
    
19. comment_pattern = '^\!|\[|^@@|^\d+\.\d+\.\d+\.\d+'
    
20. domain_pattern = '([\w\-\_]+\.[\w\.\-\_]+)[\/\*]*'
    
21. tmpfile = 'glisttmp'
    
22. 
    
23. # do not write to router internal flash directly
    
24. outfile = 'glist.conf'
    
25. rulesfile = '/etc/dnsmasq.d/glist.conf'
    
26. 
    
27. fs =  file(outfile, 'w')
    
28. fs.write('# glist ipset rules for dnsmasq\n')
    
29. fs.write('# updated on ' + datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S") + '\n')
    
30. fs.write('#\n')
    
31. 
    
32. print 'fetching list...'
    
33. content = urllib2.urlopen(baseurl, timeout=15).read().decode('base64')
    
34. 
    
35. # write the decoded content to file then read line by line
    
36. tfs = open(tmpfile, 'w')
    
37. tfs.write(content)
    
38. tfs.close()
    
39. tfs = open(tmpfile, 'r')
    
40. 
    
41. print 'page content fetched, analysis...'
    
42. 
    
43. # remember all blocked domains, in case of duplicate records
    
44. domainlist = []
    
45. 
    
46. for line in tfs.readlines():       
    
47.         if re.findall(comment_pattern, line):
    
48.                 print 'this is a comment line: ' + line
    
49.                 #fs.write('#' + line)
    
50.         else:
    
51.                 domain = re.findall(domain_pattern, line)
    
52.                 if domain:
    
53.                         try:
    
54.                                 found = domainlist.index(domain[0])
    
55.                                 print domain[0] + ' exists.'
    
56.                         except ValueError:
    
57.                                 print 'saving ' + domain[0]
    
58.                                 domainlist.append(domain[0])
    
59.                                 fs.write('server=/.%s/%s#%s\n'%(domain[0],mydnsip,mydnsport))
    
60.                 else:
    
61.                         print 'no valid domain in this line: ' + line
    
62.                                        
    
63. tfs.close()       
    
64. fs.close();
    
65. 
    
66. print 'moving generated file to dnsmasg directory'
    
67. shutil.move(outfile, rulesfile)
    
68. 
    
69. print 'restart dnsmasq...'
    
70. print os.popen('/etc/init.d/dnsmasq restart').read()
    
71. 
    
72. print 'done!'

複製代碼

moses

第四部分苹果相关服务域名列表:
splist.conf

1. server=/a1.mzstatic.com/114.114.114.114
   
2. server=/a2.mzstatic.com/114.114.114.114
   
3. server=/a3.mzstatic.com/114.114.114.114
   
4. server=/a4.mzstatic.com/114.114.114.114
   
5. server=/a5.mzstatic.com/114.114.114.114
   
6. server=/adcdownload.apple.com/114.114.114.114
   
7. server=/appldnld.apple.com/114.114.114.114
   
8. server=/apps.mzstatic.com/114.114.114.114
   
9. server=/cdn-cn1.apple-mapkit.com/114.114.114.114
   
10. server=/cdn-cn2.apple-mapkit.com/114.114.114.114
    
11. server=/cdn-cn3.apple-mapkit.com/114.114.114.114
    
12. server=/cdn-cn4.apple-mapkit.com/114.114.114.114
    
13. server=/cdn.apple-mapkit.com/114.114.114.114
    
14. server=/cdn1.apple-mapkit.com/114.114.114.114
    
15. server=/cdn2.apple-mapkit.com/114.114.114.114
    
16. server=/cdn3.apple-mapkit.com/114.114.114.114
    
17. server=/cdn4.apple-mapkit.com/114.114.114.114
    
18. server=/cds.apple.com/114.114.114.114
    
19. server=/cl1.apple.com/114.114.114.114
    
20. server=/cl2.apple.com.edgekey.net.globalredir.akadns.net/114.114.114.114
    
21. server=/cl2.apple.com/114.114.114.114
    
22. server=/cl3.apple.com/114.114.114.114
    
23. server=/cl4-cn.apple.com/114.114.114.114
    
24. server=/cl4.apple.com/114.114.114.114
    
25. server=/cl5.apple.com/114.114.114.114
    
26. server=/configuration.apple.com/114.114.114.114
    
27. server=/gs-loc.apple.com/114.114.114.114
    
28. server=/gsp11-cn.ls.apple.com/114.114.114.114
    
29. server=/gsp12-cn.ls.apple.com/114.114.114.114
    
30. server=/gsp13-cn.ls.apple.com/114.114.114.114
    
31. server=/gsp4-cn.ls.apple.com.edgekey.net.globalredir.akadns.net/114.114.114.114
    
32. server=/gsp4-cn.ls.apple.com.edgekey.net/114.114.114.114
    
33. server=/gsp4-cn.ls.apple.com/114.114.114.114
    
34. server=/gsp5-cn.ls.apple.com/114.114.114.114
    
35. server=/gspe19-cn.ls-apple.com.akadns.net/114.114.114.114
    
36. server=/gspe19-cn.ls.apple.com/114.114.114.114
    
37. server=/gspe21-ssl.ls.apple.com/114.114.114.114
    
38. server=/gspe21.ls.apple.com/114.114.114.114
    
39. server=/gspe35-ssl.ls.apple.com/114.114.114.114
    
40. server=/icloud.cdn-apple.com/114.114.114.114
    
41. server=/images.apple.com/114.114.114.114
    
42. server=/init-p01md.apple.com/114.114.114.114
    
43. server=/init-p01st.push.apple.com/114.114.114.114
    
44. server=/iphone-ld.apple.com/114.114.114.114
    
45. server=/is1-ssl.mzstatic.com/114.114.114.114
    
46. server=/is1.mzstatic.com/114.114.114.114
    
47. server=/is2-ssl.mzstatic.com/114.114.114.114
    
48. server=/is2.mzstatic.com/114.114.114.114
    
49. server=/is3-ssl.mzstatic.com/114.114.114.114
    
50. server=/is3.mzstatic.com/114.114.114.114
    
51. server=/is4-ssl.mzstatic.com/114.114.114.114
    
52. server=/is4.mzstatic.com/114.114.114.114
    
53. server=/is5-ssl.mzstatic.com/114.114.114.114
    
54. server=/is5.mzstatic.com/114.114.114.114
    
55. server=/itunes-apple.com.akadns.net/114.114.114.114
    
56. server=/itunes.apple.com/114.114.114.114
    
57. server=/itunesconnect.apple.com/114.114.114.114
    
58. server=/mesu-cdn.apple.com.akadns.net/114.114.114.114
    
59. server=/mesu-china.apple.com.akadns.net/114.114.114.114
    
60. server=/mesu.apple.com/114.114.114.114
    
61. server=/s.mzstatic.com/114.114.114.114
    
62. server=/s2.mzstatic.com/114.114.114.114
    
63. server=/s3.mzstatic.com/114.114.114.114
    
64. server=/s4.mzstatic.com/114.114.114.114
    
65. server=/s5.mzstatic.com/114.114.114.114
    
66. server=/store.apple.com/114.114.114.114
    
67. server=/store.storeimages.cdn-apple.com/114.114.114.114
    
68. server=/support.apple.com/114.114.114.114
    
69. server=/swcdn.apple.com/114.114.114.114
    
70. server=/swdist.apple.com/114.114.114.114
    
71. server=/updates-http.cdn-apple.com.akadns.net/114.114.114.114
    
72. server=/updates-http.cdn-apple.com/114.114.114.114
    
73. server=/www.apple.com.edgekey.net/114.114.114.114
    
74. server=/www.apple.com/114.114.114.114

複製代碼

如果微软的某些云服务在大陆访问或同步不正常, 那么也可以在这里进行特殊照顾.

moses

第三部的列表获取:
adlist.conf

1. #!/bin/bash
   
2. 
   
3. outlist='/etc/dnsmasq.d/adlist.conf'
   
4. tempoutlist="$outlist.tmp"
   
5. 
   
6. # 这里列表自行添加, 这里用了ADP的easylist
   
7. echo "Getting adblockplus easylistchina + easylist..."
   
8. curl -s https://easylist-downloads.adblockplus.org/easylistchina+easylist.txt | grep ^\|\|[^\*]*\^$ | sed 's/^||//' | cut -d'^' -f-1 >> $tempoutlist
   
9. 
   
10. echo "Removing duplicates and formatting the list of domains..."
    
11. 
    
12. cat $tempoutlist | sed s/\r$//' | sed '/thisisiafakedomain123\.com/d;/www\.anotherfakedomain123\.com/d' | sort -u | sed '/^$/d' | sed -e 's:^:address\=\/:' -e 's:$:/127\.0\.0\.1:'  > $outlist
    
13. rm $tempoutlist
    
14. 
    
15. numberOfAdsBlocked=$(cat $outlist | wc -l | sed 's/^[ \t]*//')
    
16. echo "$numberOfAdsBlocked ad domains blocked."

複製代碼

moses

效果与后期处理:

1. root@raspberrypi:~ $ dig google.com
   
2. 
   
3. ; <<>> DiG 9.10.3-P4-Raspbian <<>> google.com
   
4. ;; global options: +cmd
   
5. ;; Got answer:
   
6. ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56412
   
7. ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
   
8. 
   
9. ;; OPT PSEUDOSECTION:
   
10. ; EDNS: version: 0, flags:; udp: 4096
    
11. ;; QUESTION SECTION:
    
12. ;google.com.                        IN        A
    
13. 
    
14. ;; ANSWER SECTION:
    
15. google.com.                106        IN        A        A.B.C.D
    
16. 
    
17. ;; Query time: 0 msec
    
18. ;; SERVER: 127.0.0.1#53(127.0.0.1)
    
19. ;; WHEN: Sun Dec 30 18:53:39 CST 2018
    
20. ;; MSG SIZE  rcvd: 55

複製代碼

确认这里的A.B.C.D与你特殊指定的DNS解析得到的地址相同, 也就满足了无污染DNS的需求.

如果你使用RB, 那么取消自动从你的运营商获取DNS, 将RB的查询DNS指向这台DNSMASQ, 我这里是用了几台raspberrypi, 分别放在不同的子网. 后台用crontab每个月更新一次列表也就ok了.

至此纯净DNS系统搭建完毕, 如果你有多区域, 那么RB之间跑个隧道用OSPF处理下站点间子网路由, 将其他站点的DNS解析也指向这台PI, 有条件的话可以搭建多个, RB的DNS互指一下做个备份, 效果更棒.

角色

真的要好好消化CHing的scripts。