Integrating dnscrypt-proxy + dnsmasq on Arch Linux

Install dnscrypt-proxy

sudo pacman -S dnscrypt-proxy

Create two services

Domestic

Domestic configuration file: /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Get the server names from https://dnscrypt.info/map
Add the following

server_names = ['tuna-doh-ipv6', 'alidns-doh', 'dnscry.pt-hongkong-ipv4']
listen_addresses = ['127.0.0.1:5533', '[::1]:5533']

Domestic service file: /usr/lib/systemd/system/dnscrypt-proxy.service
Note this line
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Foreign

Foreign configuration file: /etc/dnscrypt-proxy/dnscrypt-proxy-foreign.toml
Add the following

server_names = ['google', 'cloudflare']
listen_addresses = ['127.0.0.1:5534', '[::1]:5534']

Foreign service file: /usr/lib/systemd/system/dnscrypt-proxy-foreign.service
Note this line
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy-foreign.toml

Start the services
sudo systemctl enable --now dnscrypt-proxy.service
sudo systemctl enable --now dnscrypt-proxy-foreign.service
sudo systemctl start dnscrypt-proxy.service
sudo systemctl start dnscrypt-proxy-foreign.service
Test
dig bilibili.com @127.0.0.1 -p 5533 +short
dig 测试地址.com @127.0.0.1 -p 5534 +short

Install dnsmasq

sudo pacman -S dnsmasq
Download the dnsmasq-china-list project
cd ~/Document/Files
git clone https://github.com/felixonmars/dnsmasq-china-list
sudo mkdir -p /etc/dnsmasq.d
# Use absolute targets: a relative target would be resolved relative to /etc/dnsmasq.d
sudo ln -sf "$PWD/dnsmasq-china-list/accelerated-domains.china.conf" /etc/dnsmasq.d/accelerated-domains.china.conf
sudo ln -sf "$PWD/dnsmasq-china-list/google.china.conf" /etc/dnsmasq.d/google.china.conf
sudo ln -sf "$PWD/dnsmasq-china-list/apple.china.conf" /etc/dnsmasq.d/apple.china.conf
sudo ln -sf "$PWD/dnsmasq-china-list/bogus-nxdomain.china.conf" /etc/dnsmasq.d/bogus-nxdomain.china.conf

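Modify accelerated-domains.china.conf; 5533 is the port of the domestic service

sed -i 's|114\.114\.114\.114|127.0.0.1#5533|g' dnsmasq-china-list/accelerated-domains.china.conf
Edit the configuration file /etc/dnsmasq.conf

By default, any domain not listed in accelerated-domains.china.conf is treated as a foreign domain.
Add a server entry for 127.0.0.1#5534 to the dnsmasq configuration file to handle foreign domains.

Add the following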

log-queries
log-facility=/var/log/dnsmasq.log
no-resolv
server=::1#5534
server=127.0.0.1#5534
listen-address=::1,127.0.0.1

conf-dir=/etc/dnsmasq.d/,*.conf
Start the service
sudo systemctl enable --now dnsmasq.service
sudo systemctl restart dnsmasq.service

Modify the system configuration

less /etc/resolv.conf

nameserver ::1
nameserver 127.0.0.1
options edns0 single-request-reopen

#nameserver 223.5.5.5
#nameserver 223.6.6.6
#nameserver 8.8.8.8
#nameserver 8.8.4.4
#nameserver 2001:4860:4860::8888
#nameserver 2001:4860:4860::8844

View the logs

Visit a website in the browser, then open the log to check that queries are routed correctly

sudo tail -n 10 -f /var/log/dnsmasq.log
query[HTTPS] api.bilibili.com from ::1
Sep 16 10:41:41 dnsmasq[10275]: forwarded api.bilibili.com to 127.0.0.1#5533
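The sed step rewrote only accelerated-domains.china.conf, and the log check above looks at a single domain. The script below is an added example, not part of the original post: it lists every server= entry that does not point at the two local dnscrypt-proxy listeners, and applies the same test to "forwarded" lines in the dnsmasq log. The function names, other-list.conf, example-cdn.test and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that dnsmasq only
# forwards to the local dnscrypt-proxy listeners on ports 5533 and 5534.
LOCAL_RE='^(127[.]0[.]0[.]1|::1)#(5533|5534)$'

# Print every server= entry in the given files whose upstream is not local.
plaintext_upstreams() {
    awk -v ok="$LOCAL_RE" '
        /^[ \t]*server=/ {
            val = $0; sub(/^[ \t]*server=/, "", val)
            n = split(val, part, "/")
            up = part[n]                      # upstream is the last field
            if (up == "") next                # server=/domain/ never forwards
            dom = (n >= 3) ? part[2] : "(default)"
            if (up !~ ok) print FILENAME ": " dom " -> " up
        }' "$@"
}

# Read dnsmasq log lines on stdin; print "name upstream" for each query that
# was forwarded somewhere other than a local listener.
leaked_queries() {
    awk -v ok="$LOCAL_RE" '
        NF >= 4 && $(NF-3) == "forwarded" && $(NF-1) == "to" && $NF !~ ok {
            print $(NF-2), $NF
        }'
}

# Constructed sample data (file names, domains and log lines are made up).
write_sample() {
    dir=$(mktemp -d) || return 1
    echo 'server=/bilibili.com/127.0.0.1#5533' > "$dir/accelerated-domains.china.conf"
    echo 'server=/example-cdn.test/114.114.114.114' > "$dir/other-list.conf"
    printf '%s\n' 'no-resolv' 'server=::1#5534' 'server=127.0.0.1#5534' > "$dir/dnsmasq.conf"
    echo "$dir"
}
sample_log() {
    cat <<'EOF'
Sep 16 10:41:41 dnsmasq[10275]: forwarded api.bilibili.com to 127.0.0.1#5533
Sep 16 10:41:42 dnsmasq[10275]: forwarded example-cdn.test to 114.114.114.114#53
EOF
}

if [ "${1:-}" = "--demo" ]; then
    d=$(write_sample)
    plaintext_upstreams "$d"/*.conf
    sample_log | leaked_queries
    rm -rf "$d"
fi
```

On the real system, source the script and run plaintext_upstreams /etc/dnsmasq.conf /etc/dnsmasq.d/*.conf, then pipe /var/log/dnsmasq.log into leaked_queries. Any line printed is a query path that leaves the machine without going through dnscrypt-proxy.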

The complete files are as follows:

/usr/lib/systemd/system/dnscrypt-proxy.service

[Unit]
Description=DNSCrypt-proxy client
Documentation=https://github.com/DNSCrypt/dnscrypt-proxy/wiki
Wants=network-online.target nss-lookup.target
Before=nss-lookup.target

[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
CacheDirectory=dnscrypt-proxy
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DynamicUser=yes
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
LockPersonality=yes
LogsDirectory=dnscrypt-proxy
MemoryDenyWriteExecute=true
NonBlocking=true
NoNewPrivileges=true
PrivateDevices=true
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RuntimeDirectory=dnscrypt-proxy
StateDirectory=dnscrypt-proxy
SystemCallArchitectures=native
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target

/usr/lib/systemd/system/dnscrypt-proxy-foreign.service

[Unit]
Description=DNSCrypt-proxy client
Documentation=https://github.com/DNSCrypt/dnscrypt-proxy/wiki
Wants=network-online.target nss-lookup.target
Before=nss-lookup.target

[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
CacheDirectory=dnscrypt-proxy
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DynamicUser=yes
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy-foreign.toml
LockPersonality=yes
LogsDirectory=dnscrypt-proxy
MemoryDenyWriteExecute=true
NonBlocking=true
NoNewPrivileges=true
PrivateDevices=true
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RuntimeDirectory=dnscrypt-proxy
StateDirectory=dnscrypt-proxy
SystemCallArchitectures=native
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
