A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2, DNS-over-HTTPS, Anonymized DNSCrypt and ODoH (Oblivious DoH).
# dnscrypt-proxy 是用來透過它轉傳 dns 查詢給外面的解析器,如 8.8.8.8 或是 1.1.1.1 ,再回傳結果給我
# 而連線的過程是要加密的,以防被竊取或修改
# 安裝
dns install -y dnscrypt-proxy
# 啟動
systemctl start dnscrypt-proxy
# 預設 listen localhost 53 port
netstat -ntulp
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 24528/dnscrypt-prox udp 0 0 127.0.0.1:53 0.0.0.0:* 24528/dnscrypt-prox
# 所以查詢皆透過 localhost
# 或可透過設定檔 /etc/dnscrypt-proxy/dnscrypt-proxy.toml 作調整
listen_addresses = ['127.0.0.1:53']
# 驗證查詢
dig ssorc.tw @localhost
# 抓 lo 的封包
# tshark 是 wireshark-cli 套件
tshark -i lo port 53 or port 443
Running as user "root" and group "root". This could be dangerous. Capturing on 'Loopback: lo' 1 0.000000000 127.0.0.1 → 127.0.0.1 DNS 93 Standard query 0x7f7e A google.com OPT 2 0.022658737 127.0.0.1 → 127.0.0.1 DNS 97 Standard query response 0x7f7e A google.com A 172.217.163.46 OPT
# 抓 eth0 封包
tshark -i eth0 port 53 or port 443
Running as user "root" and group "root". This could be dangerous. Capturing on 'eth0' 1 0.000000000 10.10.10.137 → 45.90.30.0 TCP 74 55292 → 443 [SYN] Seq=0 Win=32120 Len=0 MSS=1460 SACK_PERM=1 TSval=659590153 TSecr=0 WS=128 2 0.006832121 45.90.30.0 → 10.10.10.137 TCP 74 443 → 55292 [SYN, ACK] Seq=0 Ack=1 Win=1448 Len=0 MSS=1460 SACK_PERM=1 TSval=2313303019 TSecr=659590153 WS=4 3 0.006855821 10.10.10.137 → 45.90.30.0 TCP 66 55292 → 443 [ACK] Seq=1 Ack=1 Win=32128 Len=0 TSval=659590160 TSecr=2313303019 4 0.007052918 10.10.10.137 → 45.90.30.0 TLSv1 354 Client Hello 5 0.010887074 45.90.30.0 → 10.10.10.137 TCP 66 443 → 55292 [ACK] Seq=1 Ack=289 Win=1160 Len=0 TSval=2313303024 TSecr=659590160 6 0.011880262 45.90.30.0 → 10.10.10.137 TLSv1.3 3712 Server Hello, Change Cipher Spec, Application Data, Application Data, Application Data, Application Data 7 0.011898762 10.10.10.137 → 45.90.30.0 TCP 66 55292 → 443 [ACK] Seq=289 Ack=3647 Win=31872 Len=0 TSval=659590165 TSecr=2313303024 8 0.023288430 10.10.10.137 → 45.90.30.0 TLSv1.3 130 Change Cipher Spec, Application Data 9 0.023373829 10.10.10.137 → 45.90.30.0 TLSv1.3 152 Application Data 10 0.023805524 10.10.10.137 → 45.90.30.0 TLSv1.3 342 Application Data, Application Data 11 0.029459558 45.90.30.0 → 10.10.10.137 TCP 66 443 → 55292 [ACK] Seq=3647 Ack=715 Win=1448 Len=0 TSval=2313303042 TSecr=659590177 12 0.029459758 45.90.30.0 → 10.10.10.137 TLSv1.3 127 Application Data 13 0.029459858 45.90.30.0 → 10.10.10.137 TLSv1.3 97 Application Data 14 0.029539557 10.10.10.137 → 45.90.30.0 TCP 66 55292 → 443 [ACK] Seq=715 Ack=3739 Win=31872 Len=0 TSval=659590183 TSecr=2313303042 15 0.029563657 10.10.10.137 → 45.90.30.0 TLSv1.3 97 Application Data 16 0.030033351 45.90.30.0 → 10.10.10.137 TLSv1.3 178 Application Data 17 0.030033551 45.90.30.0 → 10.10.10.137 TLSv1.3 152 Application Data 18 0.030083151 10.10.10.137 → 45.90.30.0 TCP 66 55292 → 443 [ACK] Seq=746 Ack=3937 Win=31872 Len=0 TSval=659590183 TSecr=2313303043 19 0.030813742 10.10.10.137 → 45.90.30.0 TLSv1.3 101 Application Data 20 0.036452177 45.90.30.0 → 10.10.10.137 TCP 66 443 → 55292 [ACK] Seq=3937 Ack=781 Win=1448 Len=0 TSval=2313303049 TSecr=659590183 20 packets captured
# 可以看到我的查詢,在 localhost 直接是 DNS 協定,而對外的是 TLS 加密在溝通
# 這 ip 45.90.30.0 是這裡 https://dnscrypt.info/public-servers/ 看到的清單中的其中一台 dns 解析器
# 也可以調整
# 來指定以上幾台來查詢就好
server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']
# 解析器可以有很多台,那保存這些清單的來源呢,是可以在 ↓ 裡定義不同的來源作備援
[sources.'public-resolvers']
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://download.dnscrypt.net/resolvers-list/v3/public-resolvers.md']
# dnscrypt-proxy 可以裝在 linux 也可以裝在 windows 上
# 可以每台 linux 或 windows 自架一套,自己指定 DNS 伺服器為 127.0.0.1 (linux 則是 /etc/resolv.conf)
# 也可以大家去指定其中一台作中央控管
留言