Private DNS && DNS over HTTPS && DNS over TLS Setup Tutorial

admin 4 months ago 2615

The tutorial I wrote earlier is somewhat outdated, so here is an updated version.

Install dependencies

CentOS 7
yum install -y wget gcc tar zip redhat-lsb gawk unzip net-tools psmisc glibc-static expect telnet
yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel 
yum install -y automake autoconf libtool make curl curl-devel zlib-devel perl perl-devel cpio expat-devel gettext-devel git asciidoc xmlto
yum -y install epel-release
yum -y install bind-utils libevent libevent-devel
yum install perl-core zlib-devel -y
yum group install 'Development Tools' -y
Ubuntu
apt-get install libevent-dev libexpat1-dev libexpat1 expat openssl cmake make gcc git curl libssl-dev libunbound-dev

Install the cryptography library

If you are not going to enable DNSCrypt, this step can be skipped.

cd /root
wget -N https://github.com/jedisct1/libsodium/releases/download/1.0.18-RELEASE/libsodium-1.0.18.tar.gz
tar xf libsodium-1.0.18.tar.gz && cd libsodium-1.0.18
./configure && make -j2 && make install
echo /usr/local/lib > /etc/ld.so.conf.d/usr_local_lib.conf
ldconfig
cd /root
rm -rf /root/libsodium-1.0.18*

Install Go

wget https://studygolang.com/dl/golang/go1.12.1.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.12.1.linux-amd64.tar.gz
mkdir -p /root/go

Configure the Go environment

echo 'export GOROOT=/usr/local/go
export PATH=$PATH:$GOROOT/bin
export GOPATH=/root/go' >> /etc/profile
source /etc/profile

Once that is done, run go version to confirm the installed Go version.

Install the DoH server

cd /root
git clone https://github.com/m13253/dns-over-https.git
cd dns-over-https
make
sudo make install
sudo systemctl start doh-server.service
sudo systemctl enable doh-server.service

The configuration file is /etc/dns-over-https/doh-server.conf

Install Unbound

wget https://nlnetlabs.nl/downloads/unbound/unbound-1.9.4.tar.gz
tar -zxvf unbound-1.9.4.tar.gz
cd unbound-1.9.4
./configure --enable-subnet --with-libevent --with-pthreads
make && sudo make install
cd /usr/local/etc/unbound
wget -O root.hints ftp://ftp.internic.net/domain/named.cache

Parameter            Description
--enable-subnet      enables EDNS Client Subnet (ECS)
--with-ssl           needed to enable DoT; not required here because dnsdist serves as the DoT endpoint
--enable-dnscrypt    enables DNSCrypt; not required here because dnsdist handles it

Generate the key needed for DNSSEC [enabling DNSSEC is not recommended]

unbound-anchor

At this point the command fails with:
error while loading shared libraries: libunbound.so.8: cannot open shared object file: No such file or directory
Solution:

sudo /sbin/ldconfig -v

Run the command again and it will succeed; the generated file is /usr/local/etc/unbound/root.key.

Configure Unbound

Remove the old configuration file

rm -rf /usr/local/etc/unbound/unbound.conf

Edit the configuration file so that it reads as follows

vi /usr/local/etc/unbound/unbound.conf
server:
    verbosity: 1
    interface: 0.0.0.0@50
    interface: ::0@50
    username: "root"
    access-control: 0.0.0.0/0 allow
    access-control: ::1 allow
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    num-threads: 1
    msg-cache-slabs: 1
    rrset-cache-slabs: 1
    key-cache-slabs: 1
    infra-cache-slabs: 1

    log-servfail: yes
    aggressive-nsec: yes
    hide-trustanchor: yes
    hide-version: yes
    hide-identity: yes
    qname-minimisation: yes
    qname-minimisation-strict: no
    minimal-responses: yes
    rrset-roundrobin: yes

    do-not-query-localhost: yes
    infra-cache-numhosts: 50000

    so-rcvbuf: 8m
    so-sndbuf: 8m
    msg-cache-size: 64m
    key-cache-size: 64m
    neg-cache-size: 32m
    rrset-cache-size: 128m

    outgoing-range: 8192
    num-queries-per-thread: 4096
    outgoing-num-tcp: 200
    incoming-num-tcp: 200
    jostle-timeout: 300

    cache-min-ttl: 120
    cache-max-ttl: 86400
    infra-host-ttl: 3600
    serve-expired-ttl: 86400
    cache-max-negative-ttl: 360

    serve-expired: yes
    prefetch: yes
    prefetch-key: yes
    max-udp-size: 4096

    edns-buffer-size: 4096
    edns-tcp-keepalive: yes
    edns-tcp-keepalive-timeout: 120000

    send-client-subnet: 0.0.0.0/0
    send-client-subnet: ::0/64
    max-client-subnet-ipv6: 56
    max-client-subnet-ipv4: 24

    module-config: "subnetcache validator iterator"
    root-hints: "root.hints"
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    unwanted-reply-threshold: 10000000
    include: "/etc/unbound/domain.conf"

The configuration above is for Ubuntu; on CentOS 7 the only change needed is the CA bundle path in tls-cert-bundle:
CentOS 7: /etc/pki/tls/certs/ca-bundle.crt
Ubuntu: /etc/ssl/certs/ca-certificates.crt

Install dnsdist

CentOS 7
yum install epel-release yum-plugin-priorities &&
curl -o /etc/yum.repos.d/powerdns-dnsdist-14.repo https://repo.powerdns.com/repo-files/centos-dnsdist-14.repo &&
yum install dnsdist
Ubuntu

Ubuntu 16.04 "Xenial Xerus"

echo 'deb [arch=amd64] http://repo.powerdns.com/ubuntu xenial-dnsdist-14 main' > /etc/apt/sources.list.d/pdns.list
echo 'Package: dnsdist*
Pin: origin repo.powerdns.com
Pin-Priority: 600' > /etc/apt/preferences.d/dnsdist
curl https://repo.powerdns.com/FD380FBB-pub.asc | sudo apt-key add - &&
sudo apt-get update &&
sudo apt-get install dnsdist

Ubuntu 18.04 "Bionic Beaver"

echo 'deb [arch=amd64] http://repo.powerdns.com/ubuntu bionic-dnsdist-14 main' > /etc/apt/sources.list.d/pdns.list
echo 'Package: dnsdist*
Pin: origin repo.powerdns.com
Pin-Priority: 600' > /etc/apt/preferences.d/dnsdist
curl https://repo.powerdns.com/FD380FBB-pub.asc | sudo apt-key add - &&
sudo apt-get update &&
sudo apt-get install dnsdist

Configuration file: /etc/dnsdist/dnsdist.conf
Edit the dnsdist configuration as follows:

newServer({address="127.0.0.1:50", useClientSubnet=true, checkType="A", checkClass=DNSClass.CHAOS, checkName="www.baidu.com", mustResolve=false})

addDNSCryptBind("0.0.0.0:22", "2.dnscrypt-cert.233py.com", "/usr/local/etc/unbound/dns.cert", "/usr/local/etc/unbound/dns.key")
addDNSCryptBind("[::]:22", "2.dnscrypt-cert.233py.com", "/usr/local/etc/unbound/dns.cert", "/usr/local/etc/unbound/dns.key")

addLocal('0.0.0.0:53', { doTCP=true, reusePort=true})
addLocal('[::]:53', { doTCP=true, reusePort=true})

addTLSLocal('0.0.0.0', '/etc/letsencrypt/live/dns.233py.com/fullchain.pem', '/etc/letsencrypt/live/dns.233py.com/privkey.pem')
addTLSLocal('[::]', '/etc/letsencrypt/live/dns.233py.com/fullchain.pem', '/etc/letsencrypt/live/dns.233py.com/privkey.pem')

addLocal('0.0.0.0:9090', { doTCP=true, reusePort=true})
addLocal('[::]:9090', { doTCP=true, reusePort=true})

setACL({'0.0.0.0/0', '::/0' })

setServerPolicy(firstAvailable)
setECSSourcePrefixV4(24)
setECSSourcePrefixV6(56)

Be sure to adjust the values above to match your own setup.

Parameter         Description
newServer         upstream resolver address; useClientSubnet enables ECS
addDNSCryptBind   optional, for DNSCrypt; requires the certificate and key paths and the provider name
addLocal          listens for plain UDP DNS queries
addTLSLocal       the DNS over TLS service
setACL            '0.0.0.0/0', '::/0' allows queries from any client

For other options, refer to the dnsdist documentation.

Set up process supervision

pip install supervisor
rm -rf /etc/supervisord.conf
echo '[unix_http_server]
file=/tmp/supervisor.sock   ; the path to the socket file
[supervisord]
logfile=/tmp/supervisord.log ; main log file; default $CWD/supervisord.log
logfile_maxbytes=50MB        ; max main logfile bytes b4 rotation; default 50MB
logfile_backups=10           ; # of main logfile backups; 0 means none, default 10
loglevel=info                ; log level; default info; others: debug,warn,trace
pidfile=/tmp/supervisord.pid ; supervisord pidfile; default supervisord.pid
nodaemon=false               ; start in foreground if true; default false
minfds=1024                  ; min. avail startup file descriptors; default 1024
minprocs=200                 ; min. avail process descriptors;default 200
[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
[supervisorctl]
serverurl=unix:///tmp/supervisor.sock ; use a unix:// URL  for a unix socket
[program:dnsdist]
command=dnsdist --supervised -C /etc/dnsdist/dnsdist.conf
autorestart=true
user=root' > /etc/supervisord.conf

Open the firewall ports

CentOS 7
firewall-cmd --permanent --zone=public --add-port=853/tcp
firewall-cmd --permanent --zone=public --add-port=22/tcp
firewall-cmd --permanent --zone=public --add-port=22/udp
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --permanent --zone=public --add-port=9090/udp
firewall-cmd --reload
Ubuntu
sudo ufw allow 853
sudo ufw allow 22
sudo ufw allow 443
sudo ufw allow 80

Configure DNS over HTTPS

Edit the configuration file with vi /etc/dns-over-https/doh-server.conf and set its contents to

listen = [
    "127.0.0.1:8053"
]

local_addr = ""
cert = ""
key = ""
path = "/dns-query"
upstream = [
    "127.0.0.1:50"
]
timeout = 10
tries = 3
tcp_only = false
verbose = false
log_guessed_client_ip = true

Configure Nginx

Add the following to the site's server block

location /dns-query {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_redirect off;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 86400;
    proxy_pass http://127.0.0.1:8053/dns-query;
}

Make sure SSL/TLS is enabled on the site; without it DNS over HTTPS is pointless.
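To exercise the DoH path end to end from a client, here is an added Python 3 example (not part of the original post or of the dns-over-https project). It builds an RFC 8484 query for the /dns-query path in both the GET form (base64url in dns=) and the POST form (application/dns-message body), and parses the A records out of the reply; the base URL passed to resolve_a is yours to supply, and sample_response() is a constructed reply used for offline checking.

```python
import base64
import struct
import urllib.request

def build_query(name, qtype=1):
    """Minimal RFC 1035 query: RD set, ID 0 (RFC 8484 suggests ID 0 so GET URLs cache well)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_get_url(base_url, query):
    """GET form (RFC 8484 4.1): base64url of the message, '=' padding stripped, in dns=."""
    return base_url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def _skip_name(msg, pos):
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:   # compression pointer: two bytes end the name
            return pos + 2
        pos += msg[pos] + 1
    return pos + 1

def parse_a_records(msg):
    """Return (rcode, [IPv4 strings]) from a wire-format DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos, addrs = 12, []
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4          # skip QTYPE and QCLASS
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, addrs

def resolve_a(base_url, name):
    """Live POST lookup (RFC 8484 4.1) via nginx's /dns-query proxy; TLS verification stays on."""
    req = urllib.request.Request(base_url, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_a_records(resp.read())

def sample_response():
    """Constructed reply to build_query('www.example.com'): NOERROR, one A record, TTL 3600."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34])
    return header + build_query("www.example.com")[12:] + answer
```

A call such as resolve_a("https://your.doh.host/dns-query", "www.example.com") goes through nginx to doh-server and on to Unbound, so it checks the whole chain, including the certificate the site presents.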

Restart the services

sudo systemctl restart doh-server.service
unbound-checkconf /usr/local/etc/unbound/unbound.conf
killall unbound; unbound -v
killall supervisord
supervisord -c /etc/supervisord.conf

Python script to update the China-specific configuration files

#!/usr/bin/env python
# coding=utf-8
# Fetch the China-specific Unbound include fragments and write them to /etc/unbound.
# Works under Python 2.7 and 3. TLS certificate verification is left enabled so that
# a tampered download cannot inject forward zones into the resolver.
import os
import sys

try:
    from urllib.request import urlopen   # Python 3
except ImportError:
    from urllib2 import urlopen          # Python 2

baseurl = 'https://api.nextrt.com'

targets = [
    ('/api/dns/forward',  '/etc/unbound/forward.conf'),
    ('/api/dns/domestic', '/etc/unbound/domestic.conf'),
    ('/api/dns/insecure', '/etc/unbound/insecure.conf'),
]

for path, outfile in targets:
    content = urlopen(baseurl + path, timeout=35).read()
    if not content.strip():
        # An empty body would wipe the fragment; keep the previous file instead.
        sys.stderr.write('empty response for %s, keeping %s\n' % (path, outfile))
        continue
    # Write to a temporary file and rename so Unbound never reads a half-written fragment.
    tmpfile = outfile + '.tmp'
    with open(tmpfile, 'wb') as fh:
        fh.write(content)
    os.rename(tmpfile, outfile)
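Because these fragments are downloaded from a remote API and then loaded into the resolver through include:, it is worth validating them before they replace the live files. The following is an added example, not part of the original script or of the API; it assumes (an assumption about the API output) that the fragments contain only forward-zone blocks and domain-insecure lines, and reports anything else. GOOD_FRAGMENT and BAD_FRAGMENT are constructed samples.

```python
import ipaddress
import re

# Assumption about the API output: fragments hold forward-zone blocks and domain-insecure
# lines only, so anything else (include:, server:, control settings, ...) is refused.
ALLOWED = {"forward-zone", "name", "forward-addr", "forward-first", "domain-insecure"}
_DOMAIN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.?$", re.IGNORECASE)

def _unquote(value):
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value

def validate_fragment(text):
    """Return the problems found in an Unbound include fragment; an empty list means
    the fragment only contains the directives we expect, with well-formed values."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key not in ALLOWED:
            problems.append("line %d: directive %r is not allowed" % (lineno, key))
        elif key == "forward-zone" and value:
            problems.append("line %d: forward-zone takes no value" % lineno)
        elif key in ("name", "domain-insecure") and not _DOMAIN.match(_unquote(value)):
            problems.append("line %d: bad domain %r" % (lineno, value))
        elif key == "forward-addr":
            try:
                ipaddress.ip_address(value.split("@", 1)[0])   # Unbound allows addr@port
            except ValueError:
                problems.append("line %d: bad address %r" % (lineno, value))
        elif key == "forward-first" and value not in ("yes", "no"):
            problems.append("line %d: forward-first must be yes or no" % lineno)
    return problems

# Constructed samples: a fragment as expected from the API, and one carrying content
# that must not reach the resolver (a non-IP forwarder and an include: directive).
GOOD_FRAGMENT = """forward-zone:
    name: "example.cn"
    forward-addr: 114.114.114.114
    forward-addr: 223.5.5.5@53
domain-insecure: "example.cn"
"""
BAD_FRAGMENT = """forward-zone:
    name: "example.cn"
    forward-addr: resolver.invalid
include: "/etc/unbound/unbound.conf"
"""
```

Run validate_fragment on the downloaded body before the rename step in the update script and keep the previous file whenever it returns a non-empty list.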

To be continued

Last edited 2 months ago by admin