树莓派搭建无污染DNS服务器
- 修改
etc/bind/named.conf.options文件
+ tls dot-local-tls {
+ key-file "/etc/crt/dot.key";
+ cert-file "/etc/crt/dot.pem";
+ };
+ tls doh-local-tls {
+ key-file "/etc/crt/doh.key";
+ cert-file "/etc/crt/doh.pem";
+ };
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
- forward only;
forwarders { 127.0.0.1 port 54;
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation yes;
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
recursion yes;
- allow-query { 0.0.0.0/0; };
+ allow-query { any; };
- allow-recursion { any; };
+ listen-on port 853 tls dot-local-tls { any; };
+ listen-on port 443 tls doh-local-tls http default {any;};
};- 配置
/etc/apparmor.d/local/usr.sbin.named,允许证书访问
{% note modern info %}这里的路径是你自己证书放的地方{% endnote %}
/etc/crt/** r,- 重新加载apparmor配置文件
apparmor_parser -r /etc/apparmor.d/usr.sbin.named4.重启bind9的named服务
service.named restart{% endtimenode %}
{% timenode 2021-07-28 %}
增加bind9和dnsproxy,加上AdGuardHome实现三者内部分流。
{% endtimenode %}
{% timenode 2021-07-13 %}
完成AdGuardHome的搭建与配置。
{% endtimenode %}
{% endtimeline %}
{% endfolding %}
0x00 前言
前几天在树莓派上ubuntu server,没错我又又又又又换系统了,生命不息,折腾不止嘛(就是手痒),按照流程我先后撞上了docker和AdGuardHome,并作为家庭路由器的DNS私服使用,感觉还可以,但还是有时候会加载比较慢,后来我看到了@冷莫大大的文章,发现国内的DNS还好,国外有可能会污染,所以按照他的文章来整了一下活。别说,还针不戳。
0x01 介绍
{% note modern info %}
冷莫大大的教程是基于Debian 10来操作的,我树莓派是Ubuntu server 20.04LTS,其实别的系统都差不多,只是包管理器和需要用到的文件的路径有些许不一样。然后准好双爪和一颗敢于折腾的心就好。(冰阔落、卫龙、瓜子、薯片:那我们走?)
{% endnote %}
本项目是基于bind9和dnsproxy来进行防污染DNS,缓存根服务器。内部DOH,内部分流,内部缓存,并且实现分流加速的功能。
0x02 干!
1、准备工作
{% note modern warning %}
本流程是根据我自己的调整来改写了一部分内容,大家可以酌情对比
{% endnote %}
{% folding yellow, 首先准备好基础环境(如果没有权限请在最前面加上sudo) %}
apt-get -y install wget nano dnsutils bind9-host apt-transport-https lsb-release ca-certificates curl
wget -O /etc/apt/trusted.gpg.d/bind-dev.gpg https://packages.sury.org/bind-dev/apt.gpg
sh -c 'echo "deb https://packages.sury.org/bind-dev/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/bind-dev.list
apt-get update{% endfolding %}
2、bind9的安装与使用
以bind9 root身份安装 (端口:53)项目地址:https://www.isc.org/bind/
一、添加源
我们进入官网,找到BIND 9项目,点击Learn more进入详情:
上面的介绍大家有兴趣的可以自行查阅,然后我们向下翻,找到Installation框框,里面有几种linux发行版的下载方式,还有docker,我选择Unubtu:
进来之后找到Personal package archives这一栏,没错,这就是ubuntu大名鼎鼎的ppa源,把它整合到系统的软件源之后,更新列表就能找到这个软件有关的包了,这里我选的是开发版(BIND 9 Dev):
我们会看到加入ppa源有两种方式:
这里大家就可以凭喜好了,效果是一样的,都是把bind9-dev有关的软件加入软件仓库。
二、安装
好啦,这些步骤完成后就可以刷新我们的软件仓库并下载bind9啦:
sudo apt update
sudo apt install bind9三、配置
设置bind9的自身服务监听端口和端口转发:
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders { 127.0.0.1 port 54;
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//=======================================================================
dnssec-validation yes;
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
recursion yes;
allow-query { any; };
};设置bind9正解和反解zone的值(我不懂,别问我:x):
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
zone "in-addr.arpa" {
type master;
file "/etc/bind/in-addr.arpa";
};
zone "root.zone" {
type master;
file "/etc/bind/root.zone";
};3、dnsproxy的安装与使用
以dnsproxy root身份安装(端口:54 cpu型号arm64)项目地址 https://github.com/adguardTeam/dnsproxy
wget https://github.com/AdguardTeam/dnsproxy/releases/download/v0.39.0/dnsproxy-linux-arm64-v0.39.0.tar.gz
tar zxf dnsproxy-linux-arm64-v0.39.0.tar.gz
cd linux-arm64
mv linux-arm64 dnsproxy # 重命名文件夹
sudo chmod +x dnsproxy # 给予可执行权限设置dnsproxy服务开机启动,并读取domain_full.txt的分流规则,编辑文件 /etc/ec.local:
{% note modern info %}命令中的可执行文件dnsproxy和分流规则文件domain_full.txt的路径是我自己的,均可以自定义{% endnote %}
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
/home/ubuntu/dnsproxy/dnsproxy -l 0.0.0.0 -p 54 --upstream /home/ubuntu/dnsproxy/domain_full.txt --all-servers &
exit 04、DNS分流文件的安装和使用
编写一个更新规则的脚本autoupdate.sh:
#!/bin/bash
echo -e "in-addr.arpa"
rm /etc/bind/in-addr.arpa
curl -o /etc/bind/in-addr.arpa http://file.trli.club/dns/in-addr.arpa
echo -e "root.zone"
rm /etc/bind/root.zone
curl -o /etc/bind/root.zone http://file.trli.club/dns/root.zone
echo -e "update hosts"
rm /home/ubuntu/dnsproxy/domain_full.txt
curl -o /home/ubuntu/dnsproxy/domain_full.txt http://file.trli.club/dns/dns-txt/gfwlist2adguardhome/blacklist_domain_full.txt
exit 0;基于该文件可执行权限
chmod +x autoupdate.sh运行它,更新一下规则
sudo bash autoupdate.sh下载完分流规则文件后即可启动服务了:
{% note modern warning %}注意这里有坑(都是我的血泪史我们之前安装的bind9的服务名不叫bind或是bind9,而是named){% endnote %}
chmod +x /etc/rc.local
sudo systemctl start rc-local.service
sudo systemctl enable named.service
sudo systemctl start named.service重启系统,查看服务是否都启动了,没有的话手动运行开机自启
sudo systemctl status rc-local.service
sudo systemctl status named.service0x03 测试
最后我们来使用bind9和dnsproxy分别来测试域名查询的速度,第一次可能有点慢,但是后来就会很快乐:
{% tabs 域名查询 %}
<!-- tab bind9 -->
dig bing.com @127.0.0.1 -p 53<!-- endtab -->
<!-- tab dnsproxy -->
dig bing.com @127.0.0.1 -p 54<!-- endtab -->
{% endtabs %} {% folding yellow, 另一种思路 %} 本文的思路是让dnsproxy作为bind9的上游服务,所以在bind9的配置文件中有forwards dnsproxy的端口这一个字段,那么如果我们加上了大名鼎鼎的AdGuardHome并作为主DNS服务器呢,那么我们可以让AdGuardHome监听53端口,然后让bind9作为AdGuardHome的上游服务器即可,就能很好的把这三个服务有机的串联在了一起。 {% endfolding %}
感谢?冷莫大大的文章和思路,没有他的文章也就不会有我的这片微调和补充。当然大佬们有更好的项目欢迎滴滴我哦?
腾讯云开发者
