As everyone knows, resolving overseas domain names from inside the LAN will run into keyword-based DNS pollution. To get around this, some people use a non-standard port, for example 5353 instead of the dedicated DNS port 53, because the "Girl Friend Wall" (GFW) only pollutes port 53. Others use TCP for the query: the DNS response mechanism (compare DHCP) means the client accepts the first response that comes back and discards the later ones, whereas TCP forces the selected packets to be accepted. Some people even collect the IP addresses returned in polluted packets and filter them at the client with a blacklist, so that the correct response packet is the one finally accepted.
In short, none of these is a long-term solution. dnscrypt from OpenDNS is a good choice: it adds an encryption option on top of DNS, so your DNS requests can be encrypted much like SSL requests to a server, which eliminates the DNS pollution problem at the root.
So the question is: even if you use dnscrypt, what if the server IP has already been "certified"? The answer is that this is exactly why dnscrypt has been less and less effective recently. Apart from that, although OpenDNS came up with such a capable tool, they did not release the server side, which means you have to use a limited number of overseas servers, and the speed is never going to be good.
So an expert wrote an impressive server to match the dnscrypt client: dnscrypt-wrapper!
Now we can build our own dnscrypt server abroad and simply connect to it locally; you can choose a VPS with better speed.
Start Tutorial
For this demonstration, my server runs Ubuntu 14.04.
Compile and install the dependency libraries
dnscrypt-wrapper depends on libsodium and libevent2. The former is generally not available in the package sources, and for the latter the default is generally the older version 1 rather than version 2, so we have to compile both libraries manually.
We download the latest version of libsodium; as of this writing, the latest version is 1.0.10:
    cd ~
    wget https://download.libsodium.org/libsodium/releases/libsodium-1.0.10.tar.gz
    tar xf libsodium-1.0.10.tar.gz
    cd libsodium-1.0.10
    CFLAGS="-O3 -fPIC" ./configure
    make
    make install
    ldconfig
Then we download libevent2; here we choose the 2.0.22 stable version:
    cd ~
    wget https://github.com/libevent/libevent/releases/download/release-2.0.22-stable/libevent-2.0.22-stable.tar.gz
    tar xf libevent-2.0.22-stable.tar.gz
    cd libevent-2.0.22-stable
    ./configure --prefix=/usr
    make
    make install
    echo /usr/local/lib > /etc/ld.so.conf.d/usr_local_lib.conf
    ldconfig
Compile dnscrypt-wrapper
With the two dependency libraries in place, you can now compile dnscrypt-wrapper:
    apt-get update && apt-get upgrade
    apt-get install git
    cd ~
    # Clone over https://; the git:// protocol is unauthenticated and GitHub no longer serves it
    git clone --recursive https://github.com/Cofyc/dnscrypt-wrapper.git
    cd dnscrypt-wrapper
    make configure
    ./configure
If make configure fails at this step, you may need to install autoconf:

    apt-get install autoconf
If there are no problems, you can go ahead and build and install:
    make
    make install

    # When the installation finishes, you will see output like this:
    # make install
    install -d -m 755 '/usr/local/bin'
    install -p dnscrypt-wrapper '/usr/local/bin'
Compilation is now complete.
Configuration and use of dnscrypt-wrapper
    cd ~
    # Create a new directory to hold the certificates
    mkdir dnskey
    cd dnskey
    # Generate the provider key pair
    dnscrypt-wrapper --gen-provider-keypair
The command prints a fingerprint. This is the "provider_public_key" that is needed when configuring the client, so be sure to keep it.
It looks similar to this:
    4298:5F65:C295:DFAE:2BFB:20AD:5C47:F565:78EB:2404:EF83:198C:85DB:68F1:3E33:E952
Then we generate a time-limited encryption key pair and a pre-signed certificate:
    dnscrypt-wrapper --gen-crypt-keypair --crypt-secretkey-file=1.key
    dnscrypt-wrapper --gen-cert-file --crypt-secretkey-file=1.key --provider-cert-file=1.cert
With that, dnscrypt-wrapper is ready.
Run dnscrypt-wrapper with the following command; use "-VV" to display more detailed debug information:
    cd ~/dnskey
    dnscrypt-wrapper --resolver-address=114.114.114.114:53 --listen-address=0.0.0.0:443 \
        --provider-name=2.dnscrypt-cert.logcg.com \
        --crypt-secretkey-file=1.key --provider-cert-file=1.cert -VV
The value of --provider-name= is not important and you can fill in whatever you like, but note that it must begin with 2.dnscrypt-cert. :)
Then go back to the domestic VPS and install the client:
    apt-get install python-software-properties
    # Add the PPA that carries the dnscrypt client
    add-apt-repository ppa:anton+/dnscrypt
    apt-get update
    apt-get install dnscrypt-proxy
After installation, configure it:
    vi /etc/default/dnscrypt-proxy

    # Only the following settings need to be changed; other comments and settings are omitted.
    # Local listening address and port
    local-address=127.0.0.1:5301
    # Remote server address and port (the port must match the server's --listen-address)
    resolver-address=128.199.131.196:5353
    provider-name=2.dnscrypt-cert.logcg.com
    # The fingerprint printed earlier by dnscrypt-wrapper --gen-provider-keypair
    provider-key=4298:5F65:C295:DFAE:2BFB:20AD:5C47:F565:78EB:2404:EF83:198C:85DB:68F1:3E33:E952
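A pre-flight check for these settings, added here as an example and not part of the original post or of dnscrypt-proxy: it checks the 2.dnscrypt-cert. prefix, the fingerprint format printed by --gen-provider-keypair, and that the resolver-address port equals the port the server was started on. The function names and SAMPLE_CONF are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are illustrative.

# Constructed sample: the values from the tutorial's client configuration.
SAMPLE_CONF='local-address=127.0.0.1:5301
resolver-address=128.199.131.196:5353
provider-name=2.dnscrypt-cert.logcg.com
provider-key=4298:5F65:C295:DFAE:2BFB:20AD:5C47:F565:78EB:2404:EF83:198C:85DB:68F1:3E33:E952'

# conf_value TEXT KEY: print the value of KEY, ignoring any trailing comment.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=\([^ #]*\).*/\1/p" | head -n 1
}

# The provider name must begin with "2.dnscrypt-cert." and carry a suffix.
valid_provider_name() {
    case "$1" in
        2.dnscrypt-cert.?*) return 0 ;;
        *) return 1 ;;
    esac
}

# The fingerprint form shown in the tutorial: 16 groups of 4 hex digits.
valid_provider_key() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{4}(:[0-9A-Fa-f]{4}){15}$'
}

# lint_client_conf TEXT SERVER_PORT: print one line per problem found and
# return 1 if there is any, 0 if the settings are consistent.
lint_client_conf() {
    rc=0
    name=$(conf_value "$1" provider-name)
    key=$(conf_value "$1" provider-key)
    addr=$(conf_value "$1" resolver-address)
    valid_provider_name "$name" || { echo "provider-name lacks the 2.dnscrypt-cert. prefix"; rc=1; }
    valid_provider_key "$key" || { echo "provider-key is not a 16-group fingerprint"; rc=1; }
    # The client must dial the port the server passed to --listen-address.
    [ "${addr##*:}" = "$2" ] || { echo "resolver-address port ${addr##*:} != server port $2"; rc=1; }
    return $rc
}
```

Calling lint_client_conf "$SAMPLE_CONF" 5353 passes, while the same settings checked against a server started with --listen-address=0.0.0.0:443 report a port mismatch.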
After saving, restart the client service with the following command. If your ports and firewall are set up correctly, the server side should show debug information indicating that a client has connected.
    service dnscrypt-proxy restart
Test it with this command:
    root@MyServer:~# dig -p 5301 twitter.com @127.0.0.1

    ; <<>> DiG 9.8.1-P1 <<>> -p 5301 twitter.com @127.0.0.1
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45379
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;twitter.com.            IN    A

    ;; ANSWER SECTION:
    twitter.com.        5    IN    A    199.16.158.179
    twitter.com.        5    IN    A    199.16.158.168

    ;; Query time: 273 msec
    ;; SERVER: 127.0.0.1#5301(127.0.0.1)
    ;; WHEN: Wed May 6 19:51:42 2015
    ;; MSG SIZE rcvd: 72
Run the command repeatedly. If it always returns the same IPs and they are the genuinely correct addresses, your service is working.
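The repeated check described above can be scripted. The following is an added example, not part of the original post: it extracts the A records from several dig outputs and succeeds only if every run returned the same non-empty address set. The function names and the three sample outputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Function and variable names are
# illustrative; the sample outputs below are constructed for the demo.

# Two clean runs (record order rotated) and one run with a forged answer.
RUN1=';; ANSWER SECTION:
twitter.com. 5 IN A 199.16.158.179
twitter.com. 5 IN A 199.16.158.168

;; Query time: 273 msec'
RUN2=';; ANSWER SECTION:
twitter.com. 5 IN A 199.16.158.168
twitter.com. 5 IN A 199.16.158.179

;; Query time: 12 msec'
FORGED=';; ANSWER SECTION:
twitter.com. 5 IN A 203.0.113.7

;; Query time: 3 msec'

# extract_a_records: read dig output on stdin and print the sorted, unique
# addresses of the A records found in the ANSWER SECTION.
extract_a_records() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^$/ || /^;/          { in_answer = 0 }
        in_answer && $3 == "IN" && $4 == "A" { print $5 }
    ' | sort -u
}

# same_answers OUT...: succeed only if every dig output given as an argument
# yields the same non-empty address set. Sorting makes round-robin rotation
# of the records harmless; an empty or differing set fails the check.
same_answers() {
    first=$(printf '%s\n' "$1" | extract_a_records)
    [ -n "$first" ] || return 1
    for out in "$@"; do
        cur=$(printf '%s\n' "$out" | extract_a_records)
        [ "$cur" = "$first" ] || return 1
    done
    return 0
}
```

On a live setup, capture "$(dig -p 5301 twitter.com @127.0.0.1)" several times and pass the results as arguments. Agreement between runs does not by itself show the addresses are correct, so include one output taken through a resolver you already trust.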
Create a script
Typing the command directly every time is somewhat inconvenient, and even with "-d" to send it to the background it still feels awkward, so we create a shell script for dnscrypt-wrapper.
    cd ~/dnskey
    vi start-dnscrypt-wrapper.sh

    # Add the following content:

    #!/bin/bash

    dnscrypt-wrapper --resolver-address=127.0.0.1:5333 --listen-address=0.0.0.0:5355 \
        --provider-name=2.dnscrypt-cert.logcg.com \
        --crypt-secretkey-file=1.key --provider-cert-file=1.cert -d \
        --logfile=/var/log/dnscrypt-wraper.log
After that, you only need to run sh start-dnscrypt-wrapper.sh to start it.
- To stop it, use the command "killall dnscrypt-wrapper".
Further reading:
https://github.com/Cofyc/dnscrypt-wrapper
http://03k.org/dnscrypt-wrapper-usage.html
Original article written by LogStudio: R0uter's Blog » Compile and install dnscrypt-wrapper to build an anti-pollution DNS server
When reproducing, please keep the source and this link: https://www.logcg.com/archives/981.html
What does "install the client on the domestic VPS" mean? Do you need a domestic VPS? Isn't the client installed on the local machine?
A domestic VPS really is needed as the DNS server on port 53. I do this mainly to serve any device (especially mobile ones). If you only use one computer of your own, then install the client locally and set the DNS address to the loopback address. In fact, you can refer to my latest articles: besides DNSCrypt there are DoT and DoH, and you can also learn more about DNS encryption schemes. These are all good solutions for DNS, and any device can use them (or, depending on your needs, follow the architecture described here and run the client directly on the local computer, which is convenient ~)