DNS leaks, and fixing them with cloudflared and DNSCrypt-Proxy

1. What is a DNS leak

A DNS leak, as the name suggests, means the domain names you look up are not resolved by the public DNS server you configured but are sent, in the clear, to your local ISP's resolver. Every plaintext query reveals which site you are about to visit, and in some countries the ISP's DNS logs that data and uses it for purposes you would rather not think about, or tampers with the answers.
DNS leak test sites:
https://dnsleaktest.com/
https://ipleak.net/

2. Causes of DNS leaks

2.1 The client does not support remote DNS resolution: a proxy client that resolves the hostname locally before connecting sends the query through the system resolver, which usually means the ISP.
2.2 A third-party DNS server is configured, but the plaintext UDP/53 queries are hijacked in transit, or the ISP answers first by injecting a forged reply that reaches you before the real one.

3. How to prevent DNS leaks

Encrypting DNS with DoH (DNS over HTTPS) or DoT (DNS over TLS) is an effective fix: the query travels inside a TLS connection to the resolver, so a device on the path can neither read the domain name nor inject a reply. Note that the resolver operator still sees every query, so choose one you trust.
Most browsers already support DoH, so for browsing it is enough to turn it on in the browser settings:
https://www.livelu.com/201910367.html
For other software you need a local encrypted-DNS client on the machine or on the router, as described below.
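To make concrete what a DoH client such as cloudflared or dnscrypt-proxy does on the wire, here is an added example (not code from the original post, nor from either project) of the pieces of an RFC 8484 lookup in Python: the query and the answer are ordinary DNS wire-format messages, and DoH only changes the transport to an HTTPS request. `SAMPLE_RESPONSE` is a hand-built answer (example.com resolving to the TEST-NET address 192.0.2.1, constructed for this example); `resolve_doh` performs a real lookup and is the only part that needs network access.

```python
# Added example: DNS wire-format query builder, response parser and RFC 8484 GET URL.
import base64
import struct
import urllib.request


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Build a DNS query with RD set. RFC 8484 recommends ID 0 for DoH so that
    identical queries produce identical, HTTP-cacheable requests."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def doh_get_url(endpoint, query):
    """RFC 8484 GET form: the wire query goes in ?dns= as unpadded base64url."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (endpoint, dns)


def read_name(msg, offset):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                        # name ends after the pointer
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg):
    """Parse the header, question and answer sections of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    pos, questions, answers = 12, [], []
    for _ in range(qd):
        qname, pos = read_name(msg, pos)
        qtype, _qclass = struct.unpack(">HH", msg[pos:pos + 4])
        pos += 4
        questions.append((qname, qtype))
    for _ in range(an):
        rname, pos = read_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:                   # A record -> dotted quad
            data = ".".join(str(b) for b in rdata)
        else:
            data = rdata.hex()
        answers.append({"name": rname, "type": rtype, "ttl": ttl, "data": data})
    return {"id": txid, "rcode": flags & 0xF, "questions": questions, "answers": answers}


def resolve_doh(name, endpoint="https://1.1.1.1/dns-query", qtype=1):
    """Run the lookup over HTTPS (needs network; endpoint is Cloudflare's public DoH URL)."""
    req = urllib.request.Request(doh_get_url(endpoint, build_query(name, qtype)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())


# Constructed response: example.com A 192.0.2.1; the answer name is a pointer to offset 12.
SAMPLE_RESPONSE = bytes.fromhex(
    "0000 8180 0001 0001 0000 0000"                 # id 0; QR,RD,RA; 1 question, 1 answer
    "07 6578616d706c65 03 636f6d 00 0001 0001"      # example.com, A, IN
    "c00c 0001 0001 00000e10 0004 c0000201"         # ptr->12, A, IN, TTL 3600, 192.0.2.1
)


if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
    # print(resolve_doh("cloudflare.com"))  # live DoH lookup, uncomment when online
```

Everything an on-path ISP sees of `resolve_doh` is a TLS connection to the resolver's IP; the `?dns=` parameter, and therefore the name, is inside the encrypted HTTP request. The same parser handles the plaintext UDP/53 answer, which is exactly what an injected reply from 2.2 would look like.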

4. Using the cloudflared DoH client on Windows

4.1 Download and install the cloudflared daemon

Default configuration file location (this is the file the service reads when it runs as a Windows service):
C:\Windows\system32\config\systemprofile\.cloudflared\config.yml
Before installing the service, put at least `proxy-dns: true` in that config.yml (the Cloudflare documentation also shows `proxy-dns-upstream` for choosing the upstream DoH URLs); the service only runs the DNS proxy if the config tells it to.

4.2 Check that cloudflared is installed

cloudflared --version

4.3 Start the cloudflared DNS proxy. By default it listens on 127.0.0.1 port 53 and forwards every query to Cloudflare over DoH; use --port if something else already occupies port 53:

cloudflared proxy-dns
cloudflared proxy-dns --port 5553

4.4 Install cloudflared as a Windows service so that it starts at boot

cloudflared service install
sc start cloudflared

4.5 Verify that the cloudflared proxy answers

nslookup cloudflare.com 127.0.0.1
If you started it with --port 5553, query that port instead: nslookup -port=5553 cloudflare.com 127.0.0.1. Once the lookup succeeds, set the network adapter's DNS server to 127.0.0.1 so that the system resolver uses the proxy; otherwise nothing has changed for the rest of the machine.

5. Using the DNSCrypt-Proxy client on a router (OpenWrt)

5.1 DNSCrypt-Proxy installation and configuration

Download the release that matches your router's CPU (linux_arm below; the release page also has linux_arm64, linux_mips, linux_mipsle and others). The commands below need to be run once only; the two sed inserts at the end are not idempotent.
# ghproxy.com is a third-party GitHub mirror, used because github.com is hard to reach.
# -k disables TLS certificate checking, so this download is unauthenticated: fetch the
# matching .minisig from the release and verify it with minisign before trusting the binary.
mkdir -p /tmp/tmp && cd /tmp/tmp
curl -k -o /tmp/tmp/dnscrypt-proxy-linux_arm-2.1.1.tar.gz https://ghproxy.com/https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.1/dnscrypt-proxy-linux_arm-2.1.1.tar.gz
tar zxvf dnscrypt-proxy-linux_arm-2.1.1.tar.gz
mv /tmp/tmp/linux-arm /etc/dnscrypt-proxy
cd /etc/dnscrypt-proxy
cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
# Pre-seed the resolver and relay lists. dnscrypt-proxy verifies these lists against the
# minisign key (minisig_key) in the config and fetches them itself when the .minisig next
# to the cached file is missing, which is why plain http is tolerable here.
curl -k -o /etc/dnscrypt-proxy/public-resolvers.md http://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md
curl -k -o /etc/dnscrypt-proxy/relays.md http://download.dnscrypt.info/resolvers-list/v3/relays.md
# Listen on 127.0.0.1:5335 so that dnsmasq keeps port 53
sed -i 's/127.0.0.1:53/127.0.0.1:5335/g' /etc/dnscrypt-proxy/dnscrypt-proxy.toml
# Replace the 9.9.9.9 bootstrap/netprobe address with OpenDNS (208.67.222.222)
sed -i 's/9.9.9.9/208.67.222.222/g' /etc/dnscrypt-proxy/dnscrypt-proxy.toml
# dnsmasq will do the caching, so turn off dnscrypt-proxy's own cache
sed -i 's/^cache = true/cache = false/' /etc/dnscrypt-proxy/dnscrypt-proxy.toml
# refresh_delay is in hours; a huge value stops the lists from being re-fetched
sed -i 's/refresh_delay =.*/refresh_delay = 99999/g' /etc/dnscrypt-proxy/dnscrypt-proxy.toml
# Use only the Cisco OpenDNS resolvers from the list
sed -i "s@# server_names =.*@server_names = ['cisco','cisco-doh','cisco-sandbox','cisco-familyshield']@g" /etc/dnscrypt-proxy/dnscrypt-proxy.toml
# Point the list sources at download.dnscrypt.info only (the GitHub URL is unreachable)
sed -i "s@.*/v3/public-resolvers.md.*@urls = ['http://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']@g" /etc/dnscrypt-proxy/dnscrypt-proxy.toml
sed -i "s@.*/v3/relays.md.*@urls = ['http://download.dnscrypt.info/resolvers-list/v3/relays.md']@g" /etc/dnscrypt-proxy/dnscrypt-proxy.toml
# Register dnscrypt-proxy as a service (this creates /etc/init.d/dnscrypt-proxy and should
# enable it at boot) and start it
/etc/dnscrypt-proxy/dnscrypt-proxy -service install
/etc/init.d/dnscrypt-proxy start
# Fallback in case the service does not come up by itself: start it from rc.local 60 s
# after boot. The sleep also delays everything after it in rc.local.
sed -i '1i\sleep 60\n/etc/init.d/dnscrypt-proxy start\n' /etc/rc.local

5.2 Configure dnsmasq to forward to dnscrypt-proxy

Prepend to /etc/dnsmasq.conf: forward everything to dnscrypt-proxy on port 5335, ignore /etc/resolv.conf (no-resolv, no-poll) so that the ISP resolver handed out by DHCP/PPPoE is never used, and cap cached TTLs at 10 minutes. no-resolv is the line that actually closes the leak: without it dnsmasq keeps the ISP servers as additional upstreams. Run the insert once only; it is not idempotent, and any upstream server set through UCI/LuCI stays in effect as well.
sed -i '1i\server=127.0.0.1#5335\nno-resolv\nno-poll\ncache-size=300\nmax-cache-ttl=600\nmax-ttl=600\n' /etc/dnsmasq.conf
/etc/init.d/dnsmasq restart

5.3 Checking and uninstalling dnscrypt-proxy (for reference)

# Diagnostics: list the usable servers, resolve a name through the running proxy, and run
# the configuration check. These are flags and take a single dash.
/etc/dnscrypt-proxy/dnscrypt-proxy -list
/etc/dnscrypt-proxy/dnscrypt-proxy -resolve google.com
/etc/dnscrypt-proxy/dnscrypt-proxy -check
# Uninstall: stop the service, remove the init script, kill any leftover process and delete
# the files. Also remove the server=127.0.0.1#5335 and no-resolv lines from /etc/dnsmasq.conf
# afterwards, or the router will have no working upstream resolver.
/etc/init.d/dnscrypt-proxy stop
/etc/dnscrypt-proxy/dnscrypt-proxy -service uninstall
killall dnscrypt-proxy
rm -rf /etc/dnscrypt-proxy

5.4 Custom DNS server entries (optional)

Static entries for Cloudflare's DoH service addressed by IP. Add them to dnscrypt-proxy.toml and then list their names (cf-doh-a, cf-doh-b) in server_names, otherwise they are never used. Each stamp encodes 162.159.36.1 or 162.159.46.1 both as the server address and as the hostname, with the path /dns-query, so the TLS handshake never mentions a Cloudflare domain name; this only works because Cloudflare's certificate for its DoH service lists those IP addresses as subject alternative names. The property bits (DNSSEC, no logs, no filter) are all zero in these hand-made stamps, so the entries advertise none of those guarantees.
[static.'cf-doh-a']
stamp = 'sdns://AgAAAAAAAAAADDE2Mi4xNTkuMzYuMQAMMTYyLjE1OS4zNi4xCi9kbnMtcXVlcnk'
[static.'cf-doh-b']
stamp = 'sdns://AgAAAAAAAAAADDE2Mi4xNTkuNDYuMQAMMTYyLjE1OS40Ni4xCi9kbnMtcXVlcnk'
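To see what those two stamp strings actually say, here is an added example (not from the original post or the dnscrypt-proxy project) of an encoder and decoder for DoH-type DNS stamps in Python, following the layout published at https://dnscrypt.info/stamps/: protocol byte 0x02, eight little-endian bytes of property flags, then length-prefixed address, certificate-hash vector, hostname and path, with an optional vector of bootstrap IPs. It decodes the page's two stamps, rebuilds them byte for byte, and also builds a name-based stamp for 1.0.0.1 / dns.cloudflare.com with all three property flags set, for contrast.

```python
# Added example: DNS stamp (sdns://) encoder/decoder for the DoH stamp type.
# LP(x) = one length byte followed by the bytes of x; VLP(items) = a sequence of
# LP items where bit 7 of the length byte means "another item follows".
import base64

PROTO_DOH = 0x02
PROP_DNSSEC, PROP_NO_LOGS, PROP_NO_FILTER = 1, 2, 4

# The two stamps from the page
CF_DOH_A = "sdns://AgAAAAAAAAAADDE2Mi4xNTkuMzYuMQAMMTYyLjE1OS4zNi4xCi9kbnMtcXVlcnk"
CF_DOH_B = "sdns://AgAAAAAAAAAADDE2Mi4xNTkuNDYuMQAMMTYyLjE1OS40Ni4xCi9kbnMtcXVlcnk"


def _lp(data):
    if len(data) > 255:
        raise ValueError("field too long for a one-byte length prefix")
    return bytes([len(data)]) + data


def _vlp(items):
    if not items:
        return b"\x00"                          # empty vector: a single zero length
    out = b""
    for i, item in enumerate(items):
        more = 0x80 if i < len(items) - 1 else 0
        out += bytes([len(item) | more]) + item
    return out


def _read_lp(buf, pos):
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n], pos + 1 + n


def _read_vlp(buf, pos):
    items = []
    while True:
        n = buf[pos]
        pos += 1
        item, more = buf[pos:pos + (n & 0x7F)], n & 0x80
        pos += n & 0x7F
        if item:
            items.append(item)
        if not more:
            return items, pos


def parse_doh_stamp(stamp):
    """Decode a DoH stamp into its fields."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    buf = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))   # restore padding
    if buf[0] != PROTO_DOH:
        raise ValueError("only DoH (0x02) stamps are handled, got 0x%02x" % buf[0])
    props = int.from_bytes(buf[1:9], "little")
    addr, pos = _read_lp(buf, 9)
    hashes, pos = _read_vlp(buf, pos)
    hostname, pos = _read_lp(buf, pos)
    path, pos = _read_lp(buf, pos)
    bootstrap = _read_vlp(buf, pos)[0] if pos < len(buf) else []
    return {
        "addr": addr.decode(), "hostname": hostname.decode(), "path": path.decode(),
        "hashes": [h.hex() for h in hashes],
        "bootstrap_ips": [ip.decode() for ip in bootstrap],
        "dnssec": bool(props & PROP_DNSSEC), "no_logs": bool(props & PROP_NO_LOGS),
        "no_filter": bool(props & PROP_NO_FILTER),
    }


def make_doh_stamp(addr, hostname, path="/dns-query", dnssec=False, no_logs=False,
                   no_filter=False, hashes=(), bootstrap_ips=()):
    """Encode a DoH stamp; hashes are hex strings of certificate hashes."""
    props = ((PROP_DNSSEC if dnssec else 0) | (PROP_NO_LOGS if no_logs else 0)
             | (PROP_NO_FILTER if no_filter else 0))
    body = (bytes([PROTO_DOH]) + props.to_bytes(8, "little") + _lp(addr.encode())
            + _vlp([bytes.fromhex(h) for h in hashes]) + _lp(hostname.encode())
            + _lp(path.encode()))
    if bootstrap_ips:
        body += _vlp([ip.encode() for ip in bootstrap_ips])
    return "sdns://" + base64.urlsafe_b64encode(body).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    for name, stamp in (("cf-doh-a", CF_DOH_A), ("cf-doh-b", CF_DOH_B)):
        print(name, parse_doh_stamp(stamp))
    print(make_doh_stamp("1.0.0.1", "dns.cloudflare.com", dnssec=True, no_logs=True, no_filter=True))
```

Decoding shows the hostname field of both page stamps is the bare IP, so the TLS connection is validated against the IP rather than a name; the name-based stamp built at the end is what a normal public-resolvers.md entry looks like, with the property flags a list entry advertises.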

5.5 Manual upgrade (optional)

# Fetch the newer release the same way (2.1.2 here, via the same mirror; verify its .minisig
# as in 5.1), stop the service, and replace only the binary. The stop is required: on Linux
# a running executable cannot be overwritten (cp fails with "Text file busy").
mkdir -p /tmp/tmp && cd /tmp/tmp
curl -k -o /tmp/tmp/dnscrypt-proxy-linux_arm-2.1.2.tar.gz https://ghproxy.com/https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.1.2/dnscrypt-proxy-linux_arm-2.1.2.tar.gz
tar zxvf dnscrypt-proxy-linux_arm-2.1.2.tar.gz
/etc/init.d/dnscrypt-proxy stop
cp -f /tmp/tmp/linux-arm/dnscrypt-proxy /etc/dnscrypt-proxy/dnscrypt-proxy
/etc/init.d/dnscrypt-proxy start

References:
https://developers.cloudflare.com/1.1.1.1/encrypted-dns/dns-over-https/dns-over-https-client
https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-on-OpenWrt
https://dnscrypt.info/stamps/
