Fan Zhen Coder & Teacher

dnscrypt + dnsmasq to prevent DNS hijacking

2014-06-30

Dropbox has recently become unusable, reportedly because of DNS hijacking, so I set up dnsmasq and dnscrypt-proxy on a FreeBSD server (192.168.1.168). dnsmasq answers the LAN on port 53 and forwards every query to dnscrypt-proxy, which authenticates and encrypts the exchange with the upstream resolver, so a forged plaintext reply injected on the path (what hijacking of UDP/53 relies on) no longer passes. The upstream resolver itself still has to be one you trust, since dnscrypt only protects the path to it.

> cat /etc/resolv.conf
nameserver  192.168.1.168


> cat /etc/rc.conf
……
dnsmasq_enable="YES"
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_flags="-a 127.0.0.1:5533 -d"

Download the two conf files (linked here) and copy them into /etc/dnsmasq.d; if that directory does not exist, create it first.

> cat /usr/local/etc/dnsmasq.conf
……
server=127.0.0.1#5533
……
conf-dir=/etc/dnsmasq.d
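As an added example (not from the original post), here is a fuller version of the same dnsmasq.conf that closes two gaps the fragment above leaves open. Without `no-resolv`, dnsmasq also reads /etc/resolv.conf for upstream servers; it skips addresses that belong to its own interfaces, but any other nameserver listed there would be used as a plaintext fallback. Without `listen-address` and `bind-interfaces` it answers on every interface, which on a host with a public address makes it an open resolver. The addresses are the ones used in the post.

```ini
# /usr/local/etc/dnsmasq.conf (FreeBSD port location) -- added example

# Use only the upstream servers listed here; never fall back to /etc/resolv.conf
no-resolv

# Forward every query to dnscrypt-proxy on the local port set in rc.conf
server=127.0.0.1#5533

# Answer only on localhost and the LAN address, and bind to those addresses only
listen-address=127.0.0.1,192.168.1.168
bind-interfaces

# Do not send plain hostnames or private reverse lookups to the upstream
domain-needed
bogus-priv

# Per-domain overrides (the two downloaded files) live here
conf-dir=/etc/dnsmasq.d
```

After editing, restart with `service dnsmasq restart` and confirm with `sockstat -4l` that only dnsmasq is on port 53 and dnscrypt-proxy is on 127.0.0.1:5533.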

DNS itself uses port 53 and dnscrypt-proxy talks to its upstream on UDP port 443, so the firewall needs matching rules. I use ipfw; the rules below are written for the ${fwcmd} and ${ip} variables of the FreeBSD rc.firewall script (${tunips} is not a standard rc.firewall variable and is defined elsewhere in the firewall script):

    # Allow DNSCrypt traffic to the upstream resolver on UDP 443.
    # The first rule is stateless, like the DNS reply rule below: any UDP
    # packet whose source port is 443 is let in, to any destination.  A
    # single stateful rule,
    #   ${fwcmd} add allow udp from me to any 443 keep-state
    # would admit only replies to queries this host actually sent.
    ${fwcmd} add allow udp from any 443 to any
    ${fwcmd} add allow udp from me to any 443

    # Allow inbound DNS and NTP replies.  This is somewhat of a hole,
    # since we're looking at the incoming port number, which can be
    # faked, but that's just the way DNS and NTP work.
    ${fwcmd} add allow udp from any 53 to ${ip}
    ${fwcmd} add allow udp from any 53 to ${tunips}
    ${fwcmd} add allow udp from any 123 to ${ip}

    # Allow inbound DNS queries (LAN clients asking dnsmasq).  Anyone who
    # can reach ${ip} can use the resolver; if ${ip} is reachable from
    # outside, replace "any" with the LAN prefix.  keep-state needs a
    # check-state rule earlier in the ruleset, as rc.firewall provides.
    ${fwcmd} add allow udp from any to ${ip} 53 keep-state
    ${fwcmd} add allow udp from any to ${tunips} 53 keep-state
    ${fwcmd} add allow udp from me to any 53 keep-state
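Once everything is in place, the useful check is whether the answer that dnsmasq hands out matches what dnscrypt-proxy gets from the upstream: if the two disagree, something between the client and dnsmasq, or dnsmasq's own fallback, is still answering in the clear. The script below is an added example, not code from the post; it builds raw DNS queries itself so it can enforce the transaction-id and source-address checks rather than trusting a library, and it assumes the addresses from the post (dnsmasq on 192.168.1.168:53, dnscrypt-proxy on 127.0.0.1:5533). The sample reply at the bottom is constructed with TEST-NET addresses, not captured traffic.

```python
"""Compare answers from the dnsmasq front end and the dnscrypt-proxy back end.
Added example for this post, not the author's code.  Addresses are the ones
from the post (assumption); SAMPLE_RESPONSE is constructed, not captured."""
import secrets
import socket
import struct

DNSMASQ = ("192.168.1.168", 53)    # LAN resolver from the post (assumption)
DNSCRYPT = ("127.0.0.1", 5533)     # -a 127.0.0.1:5533 from rc.conf


def build_query(name, qid):
    """Minimal DNS query: one A/IN question, RD set, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            hops += 1
            if hops > 16:                          # pointer loop in a crafted reply
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg, expected_id=None):
    """Return (rcode, [A-record IPs]); reject a reply whose id does not match."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_id is not None and qid != expected_id:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, ips


def resolve(name, server, timeout=3.0):
    """Query one server directly, accepting only a reply from that address
    that carries our random transaction id (the usual anti-spoofing checks)."""
    qid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), server)
        while True:                                # socket.timeout ends this
            data, addr = sock.recvfrom(4096)
            if addr[0] != server[0]:
                continue                           # not from the server we asked
            try:
                return parse_response(data, expected_id=qid)
            except ValueError:
                continue                           # stale or forged reply


def answers_agree(a, b):
    """Round-robin can legitimately vary answers, so overlapping sets count as
    agreement; disjoint sets are a mismatch worth investigating."""
    return bool(set(a) & set(b)) or (not a and not b)


def compare(name):
    """Resolve through dnsmasq and straight through dnscrypt-proxy."""
    front = resolve(name, DNSMASQ)
    back = resolve(name, DNSCRYPT)
    return {"dnsmasq": front, "dnscrypt": back,
            "agree": answers_agree(front[1], back[1])}


# Constructed reply for dropbox.com with two TEST-NET addresses (not real data).
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"   # id, flags, counts
    b"\x07dropbox\x03com\x00\x00\x01\x00\x01"             # question
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x0a"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x0b"
)

if __name__ == "__main__":
    import sys
    print(compare(sys.argv[1] if len(sys.argv) > 1 else "dropbox.com"))
```

Run it on the server as `python3 dnscheck.py dropbox.com`; `agree: False` means the two paths disagree, and a `socket.timeout` on the dnscrypt leg usually means the UDP 443 firewall rules above are not in effect. The source-address and transaction-id checks matter because an injected reply that arrives before the real one is exactly how plaintext DNS is hijacked.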
