
esir build of OpenWrt: the complete upstream and downstream DNS resolution chain (after enabling PassWall)

cosmosbreak
2022-05-12

Firmware

esir R22.1.1 SPP Winter[2022] https://www.youtube.com/c/eSirPlayGround


DNS chain

A DNS query starts at port 53 on the router itself and travels dnsmasq -> chinadns-ng -> pdnsd.
chinadns-ng splits domestic and foreign domains: domestic ones are handed straight to the configured domestic DNS and resolved there, foreign ones are passed to the upstream pdnsd.
pdnsd is responsible for resolving foreign domains.

DNS processes on the router

There are two dnsmasq processes with identical configuration; the only difference is the user they run as, one as dnsmasq and one as root. That is a duplicate and not needed.

root@OpenWrt:~# ps | grep dns
 3411 root      1332 S    /tmp/etc/passwall/bin/pdnsd --daemon -c /tmp/etc/passwall/pdnsd/pdnsd.conf -d
 3459 root      7600 S    /tmp/etc/passwall/bin/chinadns-ng -v -b 0.0.0.0 -l 7914 -c 192.168.5.202,192.168.5.202 -m /tmp/etc/passwall/chinadns_chnlist -M -t 127.0.0.1#7913 -g /tmp/etc/passwall/chinadns_gfwlist -f
 4475 dnsmasq  11484 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
 4576 root     11472 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
 7747 root      1104 R    grep dns

dnsmasq

/usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid

Its config file is /var/etc/dnsmasq.conf.cfg01411c, and it listens on port 53.

# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
localise-queries
read-ethers
enable-ubus=dnsmasq
expand-hosts
bind-dynamic
local-service
filter-aaaa
port=53
domain=lan
local=/lan/
addn-hosts=/tmp/hosts
dhcp-leasefile=/tmp/dhcp.leases
dhcp-script=/usr/lib/dnsmasq/dhcp-script.sh
script-arp
resolv-file=/tmp/resolv.conf.d/resolv.conf.auto
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq


dhcp-ignore-names=tag:dhcp_bogus_hostname
conf-file=/usr/share/dnsmasq/dhcpbogushostname.conf

srv-host=_vlmcs._tcp,OpenWrt,1688,0,100

bogus-priv
conf-file=/usr/share/dnsmasq/rfc6761.conf
no-dhcp-interface=br-lan

It points at the config directory /tmp/dnsmasq.d, which holds several config files:

root@OpenWrt:~# ls /tmp/dnsmasq.d
dnsmasq-passwall.conf  dnsmasq-ssrplus.conf   dnsmasq-ssrplus.d      passwall

The dnsmasq-passwall.conf in that directory sets the upstream to port 7914:

root@OpenWrt:/tmp/dnsmasq.d# cat dnsmasq-passwall.conf
conf-dir=/tmp/dnsmasq.d/passwall
server=127.0.0.1#7914
all-servers
no-poll
no-resolv

chinadns-ng

chinadns-ng listens on port 7914:

/tmp/etc/passwall/bin/chinadns-ng -v -b 0.0.0.0 -l 7914 -c 192.168.5.202,192.168.5.202 -m /tmp/etc/passwall/chinadns_chnlist -M -t 127.0.0.1#7913 -g /tmp/etc/passwall/chinadns_gfwlist -f

Parameter details:

$ chinadns-ng --help
usage: chinadns-ng <options...>. the existing options are as follows:
 -b, --bind-addr <ip-address>         listen address, default: 127.0.0.1
 -l, --bind-port <port-number>        listen port number, default: 65353
 -c, --china-dns <ip[#port],...>      china dns server, default: <114DNS>
 -t, --trust-dns <ip[#port],...>      trust dns server, default: <GoogleDNS>
 -4, --ipset-name4 <ipv4-setname>     ipset ipv4 set name, default: chnroute
 -6, --ipset-name6 <ipv6-setname>     ipset ipv6 set name, default: chnroute6
 -g, --gfwlist-file <file-path>       filepath of gfwlist, '-' indicate stdin
 -m, --chnlist-file <file-path>       filepath of chnlist, '-' indicate stdin
 -o, --timeout-sec <query-timeout>    timeout of the upstream dns, default: 5
 -p, --repeat-times <repeat-times>    it is only used for trustdns, default: 1
 -M, --chnlist-first                  match chnlist first, default: <disabled>
 -N, --no-ipv6                        disable ipv6-address query (qtype: AAAA)
 -f, --fair-mode                      enable `fair` mode, default: <fast-mode>
 -r, --reuse-port                     enable SO_REUSEPORT, default: <disabled>
 -n, --noip-as-chnip                  accept reply without ipaddr (A/AAAA query)
 -v, --verbose                        print the verbose log, default: <disabled>
 -V, --version                        print `chinadns-ng` version number and exit
 -h, --help                           print `chinadns-ng` help information and exit
bug report: https://github.com/zfl9/chinadns-ng. email: zfl9.com@gmail.com (Otokaze)

-m /tmp/etc/passwall/chinadns_chnlist -M picks out domestic domains, which are resolved only by the domestic DNS.
-g /tmp/etc/passwall/chinadns_gfwlist: domains in this list go to the foreign DNS.

-c 192.168.5.202,192.168.5.202 specifies the domestic DNS. Because my setup is iKuai + OpenWrt, these two are the DNS servers handed out by iKuai's DHCP, and I set both the primary and the secondary to 192.168.5.202.
If no DNS server is handed out by DHCP, the domestic DNS here is the custom DNS server configured when the LAN interface is set to a static address.

-t 127.0.0.1#7913 sets pdnsd on port 7913 as the trusted upstream, which resolves foreign domains.
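To make the -m / -g / -M split concrete, here is an added example (my own code, not chinadns-ng's) that models how a query name is routed to the domestic or the trusted upstream and how a reply from the domestic DNS is accepted or discarded. It assumes a few things the post does not state: a list entry matches the domain itself and all of its subdomains, with -M the chnlist is consulted before the gfwlist, and a name on neither list is asked of both upstreams with the domestic answer kept only if its address lies in the chnroute set. The domain lists and the chnroute prefixes are constructed samples, not the router's real files.

```python
# Added example, not chinadns-ng's own code: a simplified model of how the
# -m / -g / -M options decide which upstream answers a query.
# Assumptions not stated in the post: a list entry matches the domain and all of
# its subdomains; with -M the chnlist is checked before the gfwlist; a name on
# neither list is sent to both upstreams and the domestic answer is kept only if
# its address is inside the chnroute set. All inputs below are constructed samples.
import ipaddress

CHNLIST_SAMPLE = """\
# constructed stand-in for /tmp/etc/passwall/chinadns_chnlist
baidu.com
qq.com
"""

GFWLIST_SAMPLE = """\
# constructed stand-in for /tmp/etc/passwall/chinadns_gfwlist
google.com
youtube.com
"""

# Constructed stand-in for the chnroute ipset (documentation prefixes, not real routes).
CHNROUTE_SAMPLE = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]


def load_domain_list(text):
    """Parse a chinadns-ng style domain list: one domain per line, '#' comments."""
    domains = set()
    for line in text.splitlines():
        line = line.strip().lower().rstrip(".")
        if line and not line.startswith("#"):
            domains.add(line)
    return domains


def in_list(domain, domains):
    """True if the domain or any of its parent domains is an entry of the list."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def choose_upstream(domain, chnlist, gfwlist, chnlist_first=True):
    """Return 'china', 'trust' or 'both' for a query name (mirrors -m / -g / -M)."""
    order = [("china", chnlist), ("trust", gfwlist)]
    if not chnlist_first:
        order.reverse()
    for upstream, domains in order:
        if in_list(domain, domains):
            return upstream
    return "both"


def select_answer(domain, china_answer, trust_answer, chnlist, gfwlist, chnroute,
                  chnlist_first=True):
    """Decide which upstream's A record is handed back to dnsmasq.

    china_answer / trust_answer are IPv4 strings, or None when that upstream
    was not asked or did not reply.
    """
    route = choose_upstream(domain, chnlist, gfwlist, chnlist_first)
    if route == "china":
        return china_answer
    if route == "trust":
        return trust_answer
    # Neither list matched: accept the domestic reply only if it carries a
    # domestic address; anything else is treated as tampered and discarded.
    if china_answer is not None:
        addr = ipaddress.ip_address(china_answer)
        if any(addr in net for net in chnroute):
            return china_answer
    return trust_answer


if __name__ == "__main__":
    chn = load_domain_list(CHNLIST_SAMPLE)
    gfw = load_domain_list(GFWLIST_SAMPLE)
    for name in ("www.baidu.com", "mail.google.com", "example.org"):
        print(name, "->", choose_upstream(name, chn, gfw))
```

The last branch of select_answer is the part worth understanding: for names on neither list, a domestic reply that points outside the chnroute set is thrown away in favour of the trusted upstream's answer, which is what protects the chain against a tampered domestic reply.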

pdnsd config file

Port 7913:

global {
perm_cache = 2048;
cache_dir = "/tmp/etc/passwall/pdnsd";
run_as = "root";
server_ip = 127.0.0.1;
server_port = 7913;
status_ctl = on;
query_method = tcp_only;
min_ttl = 1h;
max_ttl = 1w;
timeout = 10;
par_queries = 2;
neg_domain_pol = on;
udpbufsize = 1024;
proc_limit = 2;
procq_limit = 8;
}

server {
label = "node-8.8.8.8_53";
ip = 8.8.8.8;
edns_query = on;
port = 53;
timeout = 4;
interval = 10m;
uptest = none;
purge_cache = off;
proxy_only = on;
caching = on;
reject = ::/0;
reject_policy = negate;
}
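Since the whole chain hangs on three port numbers agreeing with each other (dnsmasq's server= line, chinadns-ng's -l and -t, pdnsd's server_port), here is an added example (my own code, not from the post or from PassWall) that parses the three artefacts shown above and checks that each hop really points at the next one. It also flags a dnsmasq fragment that lacks no-resolv, because dnsmasq would then also query the resolv-file upstreams from the main config and bypass chinadns-ng. The three inputs are constructed copies of what the post prints; on the router you would read the live files and ps output instead.

```python
# Added example, not part of the original post: reconstruct the
# dnsmasq -> chinadns-ng -> pdnsd chain from the three artefacts shown above and
# check that each hop really points at the next one. The three inputs are
# constructed copies of what the post prints; on the router you would read the
# live files and `ps` output instead.
import re
import shlex

DNSMASQ_PASSWALL_CONF = """\
conf-dir=/tmp/dnsmasq.d/passwall
server=127.0.0.1#7914
all-servers
no-poll
no-resolv
"""

CHINADNS_CMDLINE = (
    "/tmp/etc/passwall/bin/chinadns-ng -v -b 0.0.0.0 -l 7914 "
    "-c 192.168.5.202,192.168.5.202 -m /tmp/etc/passwall/chinadns_chnlist -M "
    "-t 127.0.0.1#7913 -g /tmp/etc/passwall/chinadns_gfwlist -f"
)

PDNSD_CONF = """\
global {
server_ip = 127.0.0.1;
server_port = 7913;
query_method = tcp_only;
}
server {
label = "node-8.8.8.8_53";
ip = 8.8.8.8;
port = 53;
proxy_only = on;
}
"""

# chinadns-ng options that take a value (taken from the --help text above)
_CHINADNS_VALUE_OPTS = {"-b", "-l", "-c", "-t", "-4", "-6", "-g", "-m", "-o", "-p"}


def _servers(spec):
    """'ip[#port],...' -> [(ip, port)], with the port defaulting to 53."""
    out = []
    for item in spec.split(","):
        ip, _, port = item.partition("#")
        out.append((ip, int(port) if port else 53))
    return out


def parse_dnsmasq(text):
    """Return (upstreams, flags): server= lines plus bare keywords such as no-resolv."""
    upstreams, flags = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if key == "server":
            upstreams.extend(_servers(value))
        elif not sep:
            flags.add(key)
    return upstreams, flags


def parse_chinadns(cmdline):
    """Pull the listen port, china/trust upstreams and mode flags out of the argv."""
    argv = shlex.split(cmdline)[1:]  # drop the binary path
    opts, i = {}, 0
    while i < len(argv):
        if argv[i] in _CHINADNS_VALUE_OPTS:
            opts[argv[i]] = argv[i + 1]
            i += 2
        else:
            opts[argv[i]] = True
            i += 1
    return {
        "listen_port": int(opts.get("-l", 65353)),  # 65353 is the --help default
        "china": _servers(opts["-c"]),
        "trust": _servers(opts["-t"]),
        "chnlist_first": "-M" in opts,
        "fair_mode": "-f" in opts,
    }


def parse_pdnsd(text):
    """Minimal pdnsd.conf reader: the global block plus every server block."""
    result = {"servers": []}
    for name, body in re.findall(r"(\w+)\s*\{([^}]*)\}", text):
        kv = {m.group(1): m.group(2).strip().strip('"')
              for m in re.finditer(r"(\w+)\s*=\s*([^;]+);", body)}
        if name == "global":
            result["listen_port"] = int(kv["server_port"])
            result["query_method"] = kv.get("query_method")
        elif name == "server":
            result["servers"].append((kv["ip"], int(kv.get("port", 53))))
    return result


def check_chain(dnsmasq_conf, chinadns_cmdline, pdnsd_conf):
    """Return a list of wiring problems; an empty list means every hop lines up."""
    problems = []
    upstreams, flags = parse_dnsmasq(dnsmasq_conf)
    cdns = parse_chinadns(chinadns_cmdline)
    pdnsd = parse_pdnsd(pdnsd_conf)
    if ("127.0.0.1", cdns["listen_port"]) not in upstreams:
        problems.append("dnsmasq does not forward to chinadns-ng's listen port")
    if "no-resolv" not in flags:
        problems.append("dnsmasq lacks no-resolv: resolv-file upstreams would bypass the chain")
    if ("127.0.0.1", pdnsd["listen_port"]) not in cdns["trust"]:
        problems.append("chinadns-ng --trust-dns does not point at pdnsd's server_port")
    if not pdnsd["servers"]:
        problems.append("pdnsd has no upstream server block")
    return problems


if __name__ == "__main__":
    print(check_chain(DNSMASQ_PASSWALL_CONF, CHINADNS_CMDLINE, PDNSD_CONF) or "chain is consistent")
```

With the post's own values the check returns an empty list; removing the no-resolv line or changing the -t port produces exactly one reported problem, which is the kind of silent misconfiguration that would otherwise only show up as queries leaking to the wrong resolver.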