archlinux集成dnscrypt-proxy+dnsmasq

安装 dnscrypt-proxy

# Install the proxy; after this the unit file /usr/lib/systemd/system/dnscrypt-proxy.service
# (listed in full at the end of the page) is what the two services below are based on.
sudo pacman -S dnscrypt-proxy

创建两个服务

国内

国内配置文件: /etc/dnscrypt-proxy/dnscrypt-proxy.toml

服务器地址从https://dnscrypt.info/map获取
增加以下内容

# Upstream resolvers for the domestic instance; the names come from the public list
# at https://dnscrypt.info/map.
server_names = ['tuna-doh-ipv6', 'alidns-doh', 'dnscry.pt-hongkong-ipv4']
# Loopback only, so no other host can use this listener. Port 5533 is the port the
# dnsmasq China list is rewritten to further down.
listen_addresses = ['127.0.0.1:5533', '[::1]:5533']

ipv4_servers = true # default is true
ipv6_servers = true # changed to true

国内服务文件:/usr/lib/systemd/system/dnscrypt-proxy.service
注意此处
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

国外

国外配置文件: /etc/dnscrypt-proxy/dnscrypt-proxy-foreign.toml
增加以下内容

# Upstream resolvers for the foreign instance (same public list as above).
server_names = ['cloudflare', 'cloudflare-ipv6', 'scaleway-fr', 'google']
# Loopback only; port 5534 is the default `server=` target in dnsmasq.conf below.
listen_addresses = ['127.0.0.1:5534', '[::1]:5534']

ipv4_servers = true # default is true
ipv6_servers = true # changed to true

国外服务文件:/usr/lib/systemd/system/dnscrypt-proxy-foreign.service
注意此处
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy-foreign.toml

启动服务

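# `enable --now` both enables and starts a unit, so a separate `start` is not needed.
sudo systemctl enable --now dnscrypt-proxy.service
sudo systemctl enable --now dnscrypt-proxy-foreign.service
# Confirm both listeners are up before pointing dnsmasq at them.
systemctl is-active dnscrypt-proxy.service dnscrypt-proxy-foreign.service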

测试

# Domestic path: a Chinese site resolved directly through the 5533 listener.
dig bilibili.com @127.0.0.1 -p 5533 +short
# Foreign path: replace 测试地址.com with a real foreign domain; 5534 is the foreign listener.
dig 测试地址.com @127.0.0.1 -p 5534 +short

安装dnsmasq

# dnsmasq is the front resolver: it splits queries between the two dnscrypt-proxy listeners.
sudo pacman -S dnsmasq

下载dnsmasq-china-list项目

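# Clone the community-maintained China domain list.
cd ~/Document/Files || exit 1
git clone https://github.com/felixonmars/dnsmasq-china-list
cd dnsmasq-china-list || exit 1
# Work on a copy so a later `git pull` never conflicts with the local edit.
cp -- accelerated-domains.china.conf accelerated-domains.china-5533.conf
# Link the lists into dnsmasq's conf-dir. /etc/dnsmasq.d is root-owned, so the
# links need sudo as well, and the link targets must be absolute: a relative
# target is resolved against /etc/dnsmasq.d/, not against this checkout.
sudo mkdir -p /etc/dnsmasq.d
for f in accelerated-domains.china-5533.conf google.china.conf apple.china.conf bogus-nxdomain.china.conf; do
  sudo ln -sf -- "$PWD/$f" "/etc/dnsmasq.d/$f"
done
# NOTE(review): dnsmasq loads these files from a user-writable checkout, so anyone
# who can write to this directory can change where the resolver forwards queries.
# Copying the files into /etc/dnsmasq.d (root-owned) instead of symlinking avoids
# that; if the symlinks are kept, confirm the checkout's ownership and permissions.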

修改accelerated-domains.china-5533.conf文件。5533为国内服务端口

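# Point every entry at the domestic dnscrypt-proxy listener (port 5533, see the
# TOML above). The dots are escaped so only the literal address is rewritten.
sed -i 's|114\.114\.114\.114|127.0.0.1#5533|g' accelerated-domains.china-5533.conf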

修改配置文件/etc/dnsmasq.conf

默认不在accelerated-domains.china-5533.conf文件中的域名就是国外域名,
在dnsmasq配置文件中添加一个server 127.0.0.1#5534,处理国外域名

增加以下内容

# Query logging writes every looked-up name to this file: useful while verifying
# the split, noisy and privacy-sensitive afterwards. Consider turning it off once
# things work, and keep the log file readable by root only.
log-queries
log-facility=/var/log/dnsmasq.log
# Do not take upstreams from /etc/resolv.conf: that file points back at dnsmasq
# itself (see below), which would loop.
no-resolv
# Default upstream for any name not matched by a conf-dir list: the foreign
# dnscrypt-proxy listener on 5534.
server=::1#5534
server=127.0.0.1#5534
# Serve loopback only; no other host on the network can use this resolver.
listen-address=::1,127.0.0.1

# Load every *.conf in /etc/dnsmasq.d (the linked China lists).
conf-dir=/etc/dnsmasq.d/,*.conf

启动服务

# `enable --now` already starts the unit; the restart makes sure the config edited
# above is picked up if dnsmasq was running before.
sudo systemctl enable --now dnsmasq.service
sudo systemctl restart dnsmasq.service

修改系统配置

# `less` only displays the file; edit it (with sudo) so its content matches the lines below.
# NOTE(review): if a network manager rewrites /etc/resolv.conf on this host, the edit
# will not persist — confirm what manages the file.
less /etc/resolv.conf

# Both loopback addresses are where dnsmasq listens (listen-address above).
nameserver ::1
nameserver 127.0.0.1
options edns0 single-request-reopen

# Public resolvers left commented out; presumably kept as a fallback to re-enable
# if the local stack is down.
#nameserver 223.5.5.5
#nameserver 223.6.6.6
#nameserver 8.8.8.8
#nameserver 8.8.4.4
#nameserver 2001:4860:4860::8888
#nameserver 2001:4860:4860::8844

查看日志

浏览器访问网站,打开日志查看是否正确

# Follow the query log; a "forwarded ... to 127.0.0.1#5533" line (as in the sample
# below) shows a domestic name taking the domestic path.
sudo tail -10f /var/log/dnsmasq.log
query[HTTPS] api.bilibili.com from ::1
Sep 16 10:41:41 dnsmasq[10275]: forwarded api.bilibili.com to 127.0.0.1#5533

维护

以后只需要更新dnsmasq-china-list,替换一下accelerated-domains.china-5533.conf文件即可

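cd ~/Document/Files/dnsmasq-china-list || exit 1
# --ff-only: a read-only checkout should only ever fast-forward.
git pull --ff-only
# NOTE(review): these files become resolver forwarding rules; look at the update
# (e.g. `git log -p`) before copying it into place.
cp -- accelerated-domains.china.conf accelerated-domains.china-5533.conf
# Dots escaped so only the literal 114.114.114.114 is rewritten.
sed -i 's|114\.114\.114\.114|127.0.0.1#5533|g' accelerated-domains.china-5533.conf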

参考

配置dnsmasq使用DoH
dnscrypt-proxy + dnsmasq的高级应用 - 智能分流DoH/DoT

完整文件如下:

/usr/lib/systemd/system/dnscrypt-proxy.service

# Unit for the domestic instance (see --config in ExecStart). The [Service]
# section is a sandbox: a transient user, one capability, and write access
# limited to the directories named below.
[Unit]
Description=DNSCrypt-proxy client
Documentation=https://github.com/DNSCrypt/dnscrypt-proxy/wiki
Wants=network-online.target nss-lookup.target
Before=nss-lookup.target

[Service]
# CAP_NET_BIND_SERVICE only permits binding ports below 1024; the config above
# listens on 5533, so both capability lines could be dropped for this setup.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CacheDirectory=dnscrypt-proxy
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Transient UID/GID allocated for the service's lifetime.
DynamicUser=yes
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
LockPersonality=yes
LogsDirectory=dnscrypt-proxy
MemoryDenyWriteExecute=true
NonBlocking=true
NoNewPrivileges=true
PrivateDevices=true
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# Filesystem read-only except the Cache/Logs/Runtime/State directories above.
ProtectSystem=strict
# Only IPv4/IPv6 sockets can be created.
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RuntimeDirectory=dnscrypt-proxy
StateDirectory=dnscrypt-proxy
SystemCallArchitectures=native
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target

/usr/lib/systemd/system/dnscrypt-proxy-foreign.service

# Unit for the foreign instance: identical to the domestic one except for
# the --config path in ExecStart.
[Unit]
Description=DNSCrypt-proxy client
Documentation=https://github.com/DNSCrypt/dnscrypt-proxy/wiki
Wants=network-online.target nss-lookup.target
Before=nss-lookup.target

[Service]
# CAP_NET_BIND_SERVICE only permits binding ports below 1024; the config above
# listens on 5534, so both capability lines could be dropped for this setup.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# NOTE(review): this unit reuses the same Cache/Logs/Runtime/State directory
# names as dnscrypt-proxy.service while each service gets its own DynamicUser;
# the two may contend over ownership of those directories. Consider a distinct
# name (e.g. dnscrypt-proxy-foreign) for these four directives — confirm.
CacheDirectory=dnscrypt-proxy
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Transient UID/GID allocated for the service's lifetime.
DynamicUser=yes
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy-foreign.toml
LockPersonality=yes
LogsDirectory=dnscrypt-proxy
MemoryDenyWriteExecute=true
NonBlocking=true
NoNewPrivileges=true
PrivateDevices=true
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
# Filesystem read-only except the Cache/Logs/Runtime/State directories above.
ProtectSystem=strict
# Only IPv4/IPv6 sockets can be created.
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RuntimeDirectory=dnscrypt-proxy
StateDirectory=dnscrypt-proxy
SystemCallArchitectures=native
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
