dnscrypt-proxy

A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2, DNS-over-HTTPS, Anonymized DNSCrypt and ODoH (Oblivious DoH).

# dnscrypt-proxy 是一個本機的 DNS 代理,負責把 dns 查詢轉傳給外面的解析器,如 8.8.8.8 或是 1.1.1.1 ,再把結果回傳給我
# 而它對外的連線是加密的,以防查詢內容在途中被竊聽或竄改

# 安裝

dnf install -y dnscrypt-proxy

# 啟動

systemctl start dnscrypt-proxy

# 預設 listen localhost 53 port

netstat -ntulp
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 24528/dnscrypt-prox 
udp 0 0 127.0.0.1:53 0.0.0.0:* 24528/dnscrypt-prox

# 所以本機的查詢都會送到 localhost 的 53 port
# 監聽的位址可以透過設定檔 /etc/dnscrypt-proxy/dnscrypt-proxy.toml 調整

listen_addresses = ['127.0.0.1:53']

# 驗證查詢

dig ssorc.tw @localhost

# 抓 lo 的封包

# tshark 是 wireshark-cli 套件

tshark -i lo port 53 or port 443
Running as user "root" and group "root". This could be dangerous.
Capturing on 'Loopback: lo'
1 0.000000000 127.0.0.1 → 127.0.0.1 DNS 93 Standard query 0x7f7e A google.com OPT
2 0.022658737 127.0.0.1 → 127.0.0.1 DNS 97 Standard query response 0x7f7e A google.com A 172.217.163.46 OPT

# 抓 eth0 封包

tshark -i eth0 port 53 or port 443
Running as user "root" and group "root". This could be dangerous.
Capturing on 'eth0'
1 0.000000000 10.10.10.137 → 45.90.30.0 TCP 74 55292 → 443 [SYN] Seq=0 Win=32120 Len=0 MSS=1460 SACK_PERM=1 TSval=659590153 TSecr=0 WS=128
2 0.006832121 45.90.30.0 → 10.10.10.137 TCP 74 443 → 55292 [SYN, ACK] Seq=0 Ack=1 Win=1448 Len=0 MSS=1460 SACK_PERM=1 TSval=2313303019 TSecr=659590153 WS=4
3 0.006855821 10.10.10.137 → 45.90.30.0 TCP 66 55292 → 443 [ACK] Seq=1 Ack=1 Win=32128 Len=0 TSval=659590160 TSecr=2313303019
4 0.007052918 10.10.10.137 → 45.90.30.0 TLSv1 354 Client Hello
5 0.010887074 45.90.30.0 → 10.10.10.137 TCP 66 443 → 55292 [ACK] Seq=1 Ack=289 Win=1160 Len=0 TSval=2313303024 TSecr=659590160
6 0.011880262 45.90.30.0 → 10.10.10.137 TLSv1.3 3712 Server Hello, Change Cipher Spec, Application Data, Application Data, Application Data, Application Data
7 0.011898762 10.10.10.137 → 45.90.30.0 TCP 66 55292 → 443 [ACK] Seq=289 Ack=3647 Win=31872 Len=0 TSval=659590165 TSecr=2313303024
8 0.023288430 10.10.10.137 → 45.90.30.0 TLSv1.3 130 Change Cipher Spec, Application Data
9 0.023373829 10.10.10.137 → 45.90.30.0 TLSv1.3 152 Application Data
10 0.023805524 10.10.10.137 → 45.90.30.0 TLSv1.3 342 Application Data, Application Data
11 0.029459558 45.90.30.0 → 10.10.10.137 TCP 66 443 → 55292 [ACK] Seq=3647 Ack=715 Win=1448 Len=0 TSval=2313303042 TSecr=659590177
12 0.029459758 45.90.30.0 → 10.10.10.137 TLSv1.3 127 Application Data
13 0.029459858 45.90.30.0 → 10.10.10.137 TLSv1.3 97 Application Data
14 0.029539557 10.10.10.137 → 45.90.30.0 TCP 66 55292 → 443 [ACK] Seq=715 Ack=3739 Win=31872 Len=0 TSval=659590183 TSecr=2313303042
15 0.029563657 10.10.10.137 → 45.90.30.0 TLSv1.3 97 Application Data
16 0.030033351 45.90.30.0 → 10.10.10.137 TLSv1.3 178 Application Data
17 0.030033551 45.90.30.0 → 10.10.10.137 TLSv1.3 152 Application Data
18 0.030083151 10.10.10.137 → 45.90.30.0 TCP 66 55292 → 443 [ACK] Seq=746 Ack=3937 Win=31872 Len=0 TSval=659590183 TSecr=2313303043
19 0.030813742 10.10.10.137 → 45.90.30.0 TLSv1.3 101 Application Data
20 0.036452177 45.90.30.0 → 10.10.10.137 TCP 66 443 → 55292 [ACK] Seq=3937 Ack=781 Win=1448 Len=0 TSval=2313303049 TSecr=659590183
20 packets captured

# 可以看到我的查詢在 localhost 上是明文的 DNS 協定,而對外到 45.90.30.0 的 443 port 則全部是 TLS 加密的連線;eth0 雖然同時抓了 port 53,卻沒有出現任何明文 DNS 封包

# 這 ip 45.90.30.0 是這裡 https://dnscrypt.info/public-servers/ 看到的清單中的其中一台 dns 解析器

# 也可以調整設定檔中的 server_names
# 來指定只用以下這幾台解析器查詢

server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare']

# 解析器可以有很多台,而這些解析器清單的來源,則是在 ↓ 這個區段裡定義,可以列多個網址互為備援;預設設定中同一區段還有 minisign_key ,用來驗證下載回來的清單簽章,避免清單在來源端被竄改

[sources.'public-resolvers']
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://ipv6.download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 'https://download.dnscrypt.net/resolvers-list/v3/public-resolvers.md']

 

# dnscrypt-proxy 可以裝在 linux 也可以裝在 windows 上

# 可以每台 linux 或 windows 都自架一套,把自己的 DNS 伺服器指向 127.0.0.1 (linux 是在 /etc/resolv.conf 設定)

# 也可以大家去指定其中一台作中央控管