Open xukecheng opened 1 year ago
Thanks for sharing, but I think there is an error in the v5 config:
```yaml
- tag: "primary_forward"
  type: sequence
  args:
    - exec: $forward_local
    - exec: ttl 60-3600
    - matches:
        - "!resp_ip $geoip-cn"
        - "!has_resp"
      exec: drop_resp
```
Written this way it does not seem to drop a polluted DNS response. `!has_resp` should not be negated: when `matches` has several conditions they are ANDed, so for a polluted response this evaluates to (true AND false), the final result is false, and the response is not dropped.
This condition together with the negation is really convoluted; it took me a good while to work out.
@antonchen
Yes, that part was indeed written wrong, thanks.
When I added ad blocking in the same format I ran into another problem: the sequence section needs the following:
```yaml
- matches: has_resp
  exec: accept
```
Otherwise execution keeps going all the way to `- exec: $final_forward`, so the whole series of checks before it has no effect. Here is what I use myself:
```yaml
- exec: $hosts
- matches: has_resp
  exec: accept
- exec: $reverse_lookup
- matches: has_resp
  exec: accept
- exec: $cache
- matches: has_resp
  exec: accept
- matches: qtype 65
  exec: black_hole 127.0.0.1 ::1 0.0.0.0
- matches: has_resp
  exec: accept
- matches: qname $adlist
  exec: black_hole 127.0.0.1 ::1 0.0.0.0
- matches: has_resp
  exec: accept
- matches: qname $force-cn
  exec: $forward_local
- matches: has_resp
  exec: accept
- matches: qname $force-nocn
  exec: $forward_remote
- exec: prefer_ipv4
- matches: has_resp
  exec: accept
```
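As an added illustration (not mosdns code, and not from the post or either commenter), the Python model below evaluates rules the way the two comments above describe a v5 `sequence`: rules run in order, every entry under `matches` must hold (AND), a leading `!` negates a matcher, and `accept` ends the sequence. The upstream answers, the `$geoip-cn` range, the `$adlist` names and the hosts entries are constructed sample data, and `qname` matching is simplified to an exact-name lookup. It shows both points raised so far: the `!has_resp` spelling leaves a non-CN answer in place while `has_resp` drops it, and a hosts hit is overwritten by `$final_forward` unless an `accept` follows it.

```python
"""Toy evaluator for mosdns v5 style `sequence` rules (added example, not mosdns code).

Matcher/executor names are the v5 vocabulary used in the thread; all data
below is constructed, and `qname` matching is an exact-name lookup.
"""
import ipaddress

# Constructed stand-ins for the thread's $geoip-cn / $adlist sets.
IP_SETS = {"$geoip-cn": [ipaddress.ip_network("223.5.5.0/24")]}
DOMAIN_SETS = {"$adlist": {"ads.example.com."}}
# Constructed answers "returned" by every forward plugin in this model: the
# non-CN youtube address stands in for a polluted reply from a local upstream,
# the taobao address lies inside $geoip-cn.
FAKE_UPSTREAM = {
    "www.youtube.com.": ["108.160.169.37"],
    "www.taobao.com.": ["223.5.5.10"],
}
HOSTS = {"router.lan.": ["192.168.1.1"]}


class Ctx:
    """Per-query state: the question plus whatever response is attached."""

    def __init__(self, qname, qtype=1):
        self.qname, self.qtype = qname, qtype
        self.has_resp, self.answers, self.trace = False, [], []

    def set_resp(self, answers):
        self.has_resp, self.answers = True, list(answers)


def match(cond, ctx):
    """Evaluate one matcher; a leading '!' negates it, as in v5."""
    neg = cond.startswith("!")
    name, *args = cond.lstrip("!").split()
    if name == "has_resp":
        hit = ctx.has_resp
    elif name == "has_wanted_ans":  # response that actually carries answers
        hit = ctx.has_resp and bool(ctx.answers)
    elif name == "resp_ip":
        hit = ctx.has_resp and any(
            ipaddress.ip_address(a) in net
            for a in ctx.answers for net in IP_SETS[args[0]]
        )
    elif name == "qtype":
        hit = ctx.qtype == int(args[0])
    elif name == "qname":
        hit = ctx.qname in DOMAIN_SETS[args[0]]
    else:
        raise ValueError("unknown matcher: " + name)
    return (not hit) if neg else hit


def execute(action, ctx):
    """Run one executor; returns True when the sequence must stop (accept)."""
    ctx.trace.append(action)
    if action == "accept":
        return True
    if action == "drop_resp":
        ctx.has_resp, ctx.answers = False, []
    elif action == "$hosts":
        if ctx.qname in HOSTS:
            ctx.set_resp(HOSTS[ctx.qname])
    elif action in ("$forward_local", "$forward_remote", "$final_forward"):
        ctx.set_resp(FAKE_UPSTREAM.get(ctx.qname, []))
    elif action.startswith("black_hole"):
        ctx.set_resp(action.split()[1:])
    elif action.startswith("reject"):
        ctx.set_resp([])  # empty answer with the given rcode
    # ttl / prefer_ipv4 / query_summary change nothing this model tracks
    return False


def run_sequence(rules, ctx):
    """Rules run in order; every entry under `matches` must hold (AND)."""
    for rule in rules:
        conds = rule.get("matches", [])
        if isinstance(conds, str):
            conds = [conds]
        if all(match(c, ctx) for c in conds) and execute(rule["exec"], ctx):
            break
    return ctx


def primary_forward(has_resp_cond):
    """The thread's primary_forward with the has_resp matcher parameterised."""
    return [
        {"exec": "$forward_local"},
        {"exec": "ttl 60-3600"},
        {"matches": ["!resp_ip $geoip-cn", has_resp_cond], "exec": "drop_resp"},
    ]


def resolve_with_filter(qname, has_resp_cond):
    """True if a response survives the non-CN filter for this matcher spelling."""
    return run_sequence(primary_forward(has_resp_cond), Ctx(qname)).has_resp


def main_sequence(with_accept):
    """hosts lookup, optionally followed by accept, then the final forward."""
    rules = [{"exec": "$hosts"}]
    if with_accept:
        rules.append({"matches": "has_resp", "exec": "accept"})
    rules.append({"exec": "$final_forward"})
    return rules


def resolve_hosts_entry(with_accept):
    """Answers for a hosts name; without accept the later forward overwrites them."""
    return run_sequence(main_sequence(with_accept), Ctx("router.lan."), ).answers
```

`resolve_with_filter("www.youtube.com.", "!has_resp")` returns True (the polluted answer is kept) while the `has_resp` spelling returns False, and `resolve_hosts_entry(False)` comes back empty because `$final_forward` replaced the hosts answer. Real mosdns matches `qname` against domain-set rules (suffix, keyword, regexp) rather than exact names, so treat this only as a model of the control flow.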
@antonchen
Yes. Earlier I mainly did CDN lookups with dig and saw that domains were resolved according to whether they are CN or not, so I never printed logs to check the execution order. I just tested it and it is indeed as you say; I have changed it now, with the result as follows:
Also, I feel `has_wanted_ans` may be more accurate:
```yaml
- matches: has_wanted_ans
  exec: accept
```
At the same time, now that the v5 config controls the jumps manually, `black_hole` may no longer be suitable for qtype 65, because execution continues afterwards. Is `reject` perhaps better?
```yaml
- exec: query_summary qtype65
- matches:
    - qtype 65
  # exec: black_hole 127.0.0.1 ::1 0.0.0.0
  exec: reject 0
```
Could I ask what ideas you have for implementing an SLA? I don't know how to set up relays and so on.
SLA? That mainly depends on the server it runs on.
How do I create the two files force-nocn.txt and force-cn.txt?
See the script above, which mentions how they are created. One file forces domains to use domestic DNS, the other foreign DNS. For the file format see: https://irine-sistiana.gitbook.io/mosdns-wiki/mosdns-v5/ru-he-pei-zhi-mosdns/yu-ming-pi-pei-gui-ze
@xukecheng
Thanks for clearing that up. I saw above how the files are created, but the actual contents of the files are giving me a headache!
@JunShine
The line `- exec: query_summary qtype65` doesn't look right; it logs every query type. Shouldn't there be a condition, like `{matches: qtype 65, exec: query_summary qtype65}`?
That is something I use to print logs and watch where the traffic goes; I wrote it off the cuff at the time without thinking much about it. It does not affect functionality, though. If it looks odd you can delete it.
The v5 config does have a bug. After switching to UDP servers, www.youtube.com gets DNS-polluted:
```yaml
log:
  level: debug
  production: true

# API entry settings
api:
  http: "0.0.0.0:9080" # start the API endpoint on this address

# Load plugin settings from other config files.
# Included plugins are initialised before the plugins in this file.
include: []

plugins:
  - tag: "geosite-cn"
    type: domain_set
    args:
      files:
        - "./direct-list.txt"
        - "./apple-cn.txt"
        - "./google-cn.txt"
  - tag: "geosite-nocn"
    type: domain_set
    args:
      files:
        - "./proxy-list.txt"
        - "./gfw.txt"
  - tag: "geoip-cn"
    type: ip_set
    args:
      files: "./CN-ip-cidr.txt"
  - tag: "force-cn"
    type: domain_set
    args:
      files: "./force-cn.txt"
  - tag: "force-nocn"
    type: domain_set
    args:
      files: "./force-nocn.txt"
  - tag: "hosts"
    type: hosts
    args:
      files: "./hosts.txt"
  - tag: "cache"
    type: "cache"
    args:
      size: 1024
      lazy_cache_ttl: 0
      dump_file: ./cache.dump
      dump_interval: 600

  # plugin that forwards to local (domestic) servers
  - tag: forward_local
    type: forward
    args:
      concurrent: 3
      upstreams:
        - addr: "udp://223.5.5.5:53"
        - addr: "udp://223.6.6.6:53"
        - addr: "udp://1.12.12.12:53"
        - addr: "udp://120.53.53.53:53"

  # plugin that forwards to remote servers
  - tag: forward_remote
    type: forward
    args:
      concurrent: 3
      upstreams:
        - addr: "udp://1.1.1.1:53"
        - addr: "udp://1.0.0.1:53"
        - addr: "udp://8.8.8.8:53"
        - addr: "udp://8.8.4.4:53"

  - tag: "primary_forward"
    type: sequence
    args:
      - exec: $forward_local
      - exec: ttl 60-3600
      - matches:
          - "!resp_ip $geoip-cn"
          - "has_resp"
        exec: drop_resp

  - tag: "secondary_forward"
    type: sequence
    args:
      - exec: prefer_ipv4
      - exec: $forward_remote
      - matches:
          - rcode 2
        exec: $forward_local
      - exec: ttl 300-3600

  - tag: "final_forward"
    type: fallback
    args:
      primary: primary_forward
      secondary: secondary_forward
      threshold: 150
      always_standby: true

  - tag: main_sequence
    type: sequence
    args:
      - exec: $hosts
      - exec: query_summary hosts
      - matches: has_wanted_ans
        exec: accept
      - exec: $cache
      - exec: query_summary cache
      - matches: has_wanted_ans
        exec: accept
      - exec: query_summary qtype65
      - matches:
          - qtype 65
        # exec: black_hole 127.0.0.1 ::1 0.0.0.0
        exec: reject 0
      - matches:
          - qname $geosite-cn
        exec: $forward_local
      - exec: query_summary geosite-cn
      - matches: has_wanted_ans
        exec: accept
      - matches:
          - qname $force-cn
        exec: $forward_local
      - exec: query_summary force-cn
      - matches: has_wanted_ans
        exec: accept
      - matches:
          - qname $geosite-nocn
        exec: $forward_remote
      - exec: query_summary geosite-nocn
      - matches: has_wanted_ans
        exec: accept
      - matches:
          - qname $force-nocn
        exec: $forward_remote
      - exec: query_summary force-nocn
      - matches: has_wanted_ans
        exec: accept
      - exec: $final_forward

  - tag: "udp_server"
    type: "udp_server"
    args:
      entry: main_sequence
      listen: 0.0.0.0:53
  - tag: "tcp_server"
    type: "tcp_server"
    args:
      entry: main_sequence
      listen: 0.0.0.0:53
```
```
/etc # nslookup www.youtube.com
Server:         127.28.0.2
Address:        127.28.0.2:53

Non-authoritative answer:
Name:   www.youtube.com
Address: ::ffff:108.160.169.37

Non-authoritative answer:
Name:   www.youtube.com
Address: 108.160.169.37
```
I can only vouch for the setup in my own config working correctly, and using foreign UDP DNS places fairly high demands on the network environment. Are your UDP queries sent from the local machine or from the router? And do the UDP DNS queries go straight to the DNS server or through a proxy? Also, the scenario I set up in this article is a Hong Kong server with a good route back to China (that is, building a publicly reachable DNS test server). Besides, a UDP server is itself unencrypted, so I suggest looking more closely at whether this is pollution or hijacking. If latency is not that important to you, I recommend using HTTPS, TLS, QUIC or similar protocols.
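As an added example (not from the post or from the replies), here is the `forward_remote` plugin from the config above with its plaintext UDP upstreams placed next to an encrypted variant using the DoT and DoH transports the reply recommends. The `tls://` and `https://` address forms and the `dial_addr` option are written from the mosdns v5 `forward` plugin's options as I understand them; the resolver hostnames and IPs are assumptions for this example and should be checked against your own provider.

```yaml
# Weak: plaintext UDP to foreign resolvers. Anything on the path can read and
# rewrite the reply, so a bogus A record is indistinguishable from a real one.
- tag: forward_remote_udp
  type: forward
  args:
    concurrent: 3
    upstreams:
      - addr: "udp://1.1.1.1:53"
      - addr: "udp://8.8.8.8:53"

# Better: encrypted transports. The hostname in `addr` is what the server
# certificate is checked against, and `dial_addr` pins the IP so the name
# itself never has to be resolved over plaintext DNS first.
# (hostnames and IPs below are assumptions for this example)
- tag: forward_remote_encrypted
  type: forward
  args:
    concurrent: 3
    upstreams:
      - addr: "tls://one.one.one.one"
        dial_addr: "1.1.1.1:853"
      - addr: "https://dns.google/dns-query"
        dial_addr: "8.8.8.8:443"
```

With the encrypted plugin swapped in for `forward_remote`, a wrong answer for a name routed to `$forward_remote` can only come from the resolver itself (or from a proxy terminating the TLS session), which is the distinction between pollution and hijacking the reply asks you to investigate.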
https://www.xukecheng.tech/use-mosdns-and-adguardhome-to-build-your-own-dns
Domestic DNS is generally provided by two kinds of parties: the network operators and some commercial companies. For various reasons these DNS services all have problems of one kind or another, which I will not go into here. To avoid some of those problems as far as possible, some users inevitably end up needing to run their own DNS service.