Arch Linux: combining dnscrypt-proxy + dnsmasq

Posted by jokerpoker on 2024-09-16

Install dnscrypt-proxy

sudo pacman -S dnscrypt-proxy

Create two services

Domestic

Domestic configuration file: /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Server names are taken from https://dnscrypt.info/map
Add the following:

server_names = ['tuna-doh-ipv6', 'alidns-doh', 'dnscry.pt-hongkong-ipv4']
listen_addresses = ['127.0.0.1:5533', '[::1]:5533']

Domestic service file: /usr/lib/systemd/system/dnscrypt-proxy.service
Note this line:
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml

Foreign

Foreign configuration file: /etc/dnscrypt-proxy/dnscrypt-proxy-foreign.toml
Add the following:

server_names = ['google', 'cloudflare']
listen_addresses = ['127.0.0.1:5534', '[::1]:5534']

Foreign service file: /usr/lib/systemd/system/dnscrypt-proxy-foreign.service
Note this line:
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy-foreign.toml

Start the services

sudo systemctl enable --now dnscrypt-proxy.service
sudo systemctl enable --now dnscrypt-proxy-foreign.service
sudo systemctl start dnscrypt-proxy.service
sudo systemctl start dnscrypt-proxy-foreign.service

Install dnsmasq

sudo pacman -S dnsmasq

Download the dnsmasq-china-list project

cd ~/Document/Files
git clone https://github.com/felixonmars/dnsmasq-china-list
sudo mkdir -p /etc/dnsmasq.d
# ln stores the target path exactly as written and resolves a relative one
# against /etc/dnsmasq.d, so the targets must be absolute or the links dangle
sudo ln -sf "$PWD/dnsmasq-china-list/accelerated-domains.china.conf" /etc/dnsmasq.d/accelerated-domains.china.conf
sudo ln -sf "$PWD/dnsmasq-china-list/google.china.conf" /etc/dnsmasq.d/google.china.conf
sudo ln -sf "$PWD/dnsmasq-china-list/apple.china.conf" /etc/dnsmasq.d/apple.china.conf
sudo ln -sf "$PWD/dnsmasq-china-list/bogus-nxdomain.china.conf" /etc/dnsmasq.d/bogus-nxdomain.china.conf

Edit accelerated-domains.china.conf so its entries point at the domestic service port, 5533

# still in ~/Document/Files, so the file lives under the cloned directory; dots are escaped so only the literal address matches
sed -i 's|114\.114\.114\.114|127.0.0.1#5533|g' dnsmasq-china-list/accelerated-domains.china.conf

Edit the configuration file /etc/dnsmasq.conf

By default, any domain not listed in accelerated-domains.china.conf is treated as a foreign domain,
so add a global server entry 127.0.0.1#5534 to the dnsmasq configuration to handle those foreign domains.

Add the following:

log-queries
log-facility=/var/log/dnsmasq.log
no-resolv
server=::1#5534
server=127.0.0.1#5534
listen-address=::1,127.0.0.1

Start the service

sudo systemctl enable --now dnsmasq.service
sudo systemctl restart dnsmasq.service
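A way to check the split before touching the live system. The script below is an added example, not part of the original post or of the dnsmasq-china-list project: it writes a small constructed stand-in for accelerated-domains.china.conf into a temporary directory, applies the same 114.114.114.114 -> 127.0.0.1#5533 rewrite as the sed above, confirms no entry still points at the plaintext upstream, and then reports which upstream dnsmasq would choose for a given name by walking the name's parent domains the way dnsmasq's server=/domain/ matching does (most specific entry wins, anything unmatched falls through to the global server= line). The domains in the sample list are constructed, and the helper names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original post or of dnsmasq-china-list.
# Builds a constructed stand-in for accelerated-domains.china.conf in a temp
# directory, applies the 114.114.114.114 -> 127.0.0.1#5533 rewrite, checks the
# rewrite is complete, and answers "which upstream would dnsmasq pick for this
# name?" using dnsmasq's most-specific server=/domain/ rule.

DOMESTIC_UPSTREAM="127.0.0.1#5533"   # domestic dnscrypt-proxy listener (from the post)
FOREIGN_UPSTREAM="127.0.0.1#5534"    # foreign dnscrypt-proxy listener, dnsmasq's global server=
PLAINTEXT_UPSTREAM="114.114.114.114" # upstream hard-coded in the list files

# Write a constructed sample in the list's own format: server=/domain/upstream.
write_sample_list() {
    cat > "$1" <<'EOF'
server=/taobao.com/114.114.114.114
server=/tuna.tsinghua.edu.cn/114.114.114.114
server=/bilibili.com/114.114.114.114
EOF
}

# Escape dots so an address or domain matches literally inside a sed regex.
regex_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Point every entry at NEW instead of OLD. Same effect as the post's sed -i,
# written without -i so it also works with non-GNU sed.
redirect_upstream() {
    file="$1"; old="$2"; new="$3"
    sed "s|$(regex_escape "$old")|$new|g" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Count entries still pointing at the plaintext upstream; 0 means the rewrite
# covered the whole file (grep exits 1 on zero matches, hence the || true).
count_plaintext_entries() {
    grep -c "$(regex_escape "$PLAINTEXT_UPSTREAM")" "$1" || true
}

# Print the upstream dnsmasq would use for NAME: try the full name, then each
# parent domain; a name with no match goes to the global (foreign) server.
upstream_for() {
    list="$1"; name="$2"
    n="$name"
    while [ -n "$n" ]; do
        up=$(sed -n "s|^server=/$(regex_escape "$n")/||p" "$list" | head -n 1)
        if [ -n "$up" ]; then
            printf '%s\n' "$up"
            return 0
        fi
        case "$n" in
            *.*) n="${n#*.}" ;;   # drop the leftmost label and try the parent
            *)   n="" ;;
        esac
    done
    printf '%s\n' "$FOREIGN_UPSTREAM"
}

WORK=$(mktemp -d)
LIST="$WORK/accelerated-domains.china.conf"
write_sample_list "$LIST"
redirect_upstream "$LIST" "$PLAINTEXT_UPSTREAM" "$DOMESTIC_UPSTREAM"

echo "entries still on $PLAINTEXT_UPSTREAM: $(count_plaintext_entries "$LIST")"
for host in www.taobao.com mirrors.tuna.tsinghua.edu.cn www.google.com; do
    printf '%-32s -> %s\n' "$host" "$(upstream_for "$LIST" "$host")"
done
```

Point LIST at the real /etc/dnsmasq.d/accelerated-domains.china.conf to run the same checks against the installed list. One thing worth confirming at the same time: dnsmasq only reads the files in /etc/dnsmasq.d when /etc/dnsmasq.conf contains an active conf-dir line pointing at that directory (the upstream example configuration ships it commented out), so if every name comes back as the foreign upstream on the live system, that line is the first thing to look for.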

Modify the system configuration

less /etc/resolv.conf

nameserver ::1
nameserver 127.0.0.1
options edns0 single-request-reopen

#nameserver 223.5.5.5
#nameserver 223.6.6.6
#nameserver 8.8.8.8
#nameserver 8.8.4.4
#nameserver 2001:4860:4860::8888
#nameserver 2001:4860:4860::8844

References

Configuring dnsmasq to use DoH
Advanced use of dnscrypt-proxy + dnsmasq: smart DoH/DoT routing

The complete files are as follows:

/usr/lib/systemd/system/dnscrypt-proxy.service

[Unit]
Description=DNSCrypt-proxy client
Documentation=https://github.com/DNSCrypt/dnscrypt-proxy/wiki
Wants=network-online.target nss-lookup.target
Before=nss-lookup.target

[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
CacheDirectory=dnscrypt-proxy
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DynamicUser=yes
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
LockPersonality=yes
LogsDirectory=dnscrypt-proxy
MemoryDenyWriteExecute=true
NonBlocking=true
NoNewPrivileges=true
PrivateDevices=true
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RuntimeDirectory=dnscrypt-proxy
StateDirectory=dnscrypt-proxy
SystemCallArchitectures=native
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target

/usr/lib/systemd/system/dnscrypt-proxy-foreign.service

[Unit]
Description=DNSCrypt-proxy client
Documentation=https://github.com/DNSCrypt/dnscrypt-proxy/wiki
Wants=network-online.target nss-lookup.target
Before=nss-lookup.target

[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
CacheDirectory=dnscrypt-proxy
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DynamicUser=yes
ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy-foreign.toml
LockPersonality=yes
LogsDirectory=dnscrypt-proxy
MemoryDenyWriteExecute=true
NonBlocking=true
NoNewPrivileges=true
PrivateDevices=true
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RuntimeDirectory=dnscrypt-proxy
StateDirectory=dnscrypt-proxy
SystemCallArchitectures=native
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
