Based on the FooTech video tutorial; this is purely a repost of its steps.
Installation
opkg update && opkg install luci-app-dnscrypt-proxy
Configuration
Only LuCI operations are needed; see the video for details.
Testing
On the OpenWrt host itself
dig @127.0.0.1 -p 5353 medium.com
; <<>> DiG 9.11.2-P1 <<>> @127.0.0.1 -p 5353 medium.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26072
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;medium.com. IN A
;; ANSWER SECTION:
medium.com. 150 IN A 104.16.124.127
medium.com. 150 IN A 104.16.122.127
medium.com. 150 IN A 104.16.120.127
medium.com. 150 IN A 104.16.123.127
medium.com. 150 IN A 104.16.121.127
;; Query time: 32 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Wed Oct 10 22:20:49 CST 2018
;; MSG SIZE rcvd: 119
dnsmasq_gfwlist
To proxy DNS queries only for blocked domains, use the following commands.
# install dnsmasq-full
opkg update
opkg remove dnsmasq
opkg install dnsmasq-full
# install curl
opkg install ca-bundle curl
curl https://cokebar.github.io/gfwlist2dnsmasq/dnsmasq_gfwlist.conf -o /tmp/dnsmasq.d/dnsmasq_gfwlist_ipset.conf
# then restart dnsmasq
/etc/init.d/dnsmasq restart
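The step above drops a file fetched from a third-party site straight into /tmp/dnsmasq.d, where dnsmasq will load any directive it finds. The following script is an added example, not part of the original post or of the gfwlist2dnsmasq project: it validates the downloaded fragment before installing it, accepting only the two directive shapes that list is assumed to contain (server=/domain/ip#port and ipset=/domain/setname). The URL and destination path are the ones used in the post; the sample files at the bottom are constructed for offline demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: validate a third-party dnsmasq
# fragment such as the gfwlist file curl'ed above BEFORE it is placed in
# /tmp/dnsmasq.d. dnsmasq loads any directive found in that directory, so a
# tampered or truncated download could redirect upstreams or alter DHCP.

# Accept only the two directive shapes gfwlist2dnsmasq is assumed to emit
# (adjust the patterns if your list differs):
#   server=/<domain>/<ipv4>#<port>
#   ipset=/<domain>/<setname>
# Blank lines and '#' comments are ignored. Returns 0 when clean, 1 otherwise,
# printing the rejected lines on stderr.
validate_gfwlist_conf() {
    bad=$(grep -v -E '^[[:space:]]*(#|$)' "$1" \
        | grep -v -E '^server=/[A-Za-z0-9._-]+/[0-9]{1,3}(\.[0-9]{1,3}){3}#[0-9]{1,5}$' \
        | grep -v -E '^ipset=/[A-Za-z0-9._-]+/[A-Za-z0-9_]+$' || true)
    if [ -n "$bad" ]; then
        printf 'validate_gfwlist_conf: rejected lines in %s:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# Download to a temp file, validate, and only then install and restart dnsmasq.
# URL and destination are the ones used in the post.
install_gfwlist() {
    url='https://cokebar.github.io/gfwlist2dnsmasq/dnsmasq_gfwlist.conf'
    dest='/tmp/dnsmasq.d/dnsmasq_gfwlist_ipset.conf'
    tmp=$(mktemp) || return 1
    curl -fsS "$url" -o "$tmp" && validate_gfwlist_conf "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$dest" && /etc/init.d/dnsmasq restart
}

# Constructed sample inputs for offline demonstration (not real list content).
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
# gfwlist sample (constructed)
server=/medium.com/127.0.0.1#5353
ipset=/medium.com/gfwlist
EOF

# The second and third lines would change DHCP options and add a plain port-53
# upstream; both must be rejected.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
server=/medium.com/127.0.0.1#5353
dhcp-option=6,203.0.113.53
server=198.51.100.1
EOF
```

Run install_gfwlist on the router instead of the bare curl command; if validation fails, the old list stays in place and dnsmasq is not restarted.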
Install libustream-openssl
To update the resolver list you must install libustream-openssl rather than libustream-ssl; the hint shown in LuCI is not quite accurate!
opkg install libustream-openssl
Change the listen address to 0.0.0.0
To run dig from a terminal on a device behind the router, the address to query is the router's LAN IP, and the dnscrypt-proxy listen address must be changed to 0.0.0.0.
dig test from a downstream client
dig @192.168.1.1 -p 5353 medium.com
; <<>> DiG 9.10.3-P4-Debian <<>> @192.168.1.1 -p 5353 medium.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11346
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;medium.com. IN A
;; ANSWER SECTION:
medium.com. 185 IN A 104.16.124.127
medium.com. 185 IN A 104.16.123.127
medium.com. 185 IN A 104.16.120.127
medium.com. 185 IN A 104.16.122.127
medium.com. 185 IN A 104.16.121.127
;; Query time: 19 msec
;; SERVER: 192.168.1.1#5353(192.168.1.1)
;; WHEN: Wed Oct 10 22:48:51 CST 2018
;; MSG SIZE rcvd: 119
Notes
After changing the listen address to 0.0.0.0, if you use global mode, the DNS forwarding entry under DHCP/DNS must still be 127.0.0.1#5353, not 0.0.0.0; otherwise resolution fails.
dnsmasq all-servers
Add multiple dnscrypt-proxy instances, listening on 5353, 5354, 5355, ...
Configure dnsmasq's --all-servers option so that every query is sent to all servers at once and the fastest reply is used. This avoids the problems caused by a single server being unstable or down.
--all-servers
By default, when dnsmasq has more than one upstream server available, it will send queries to just one server. Setting this flag forces dnsmasq to send all queries to all available servers. The reply from the server which answers first will be returned to the original requester.
LuCI: DHCP and DNS - Advanced Settings - tick "All Servers"
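The same multi-instance setup can be done from the shell instead of LuCI. The script below is an added example, not from the original post or the luci-app-dnscrypt-proxy project: it prints the UCI commands that point dnsmasq at N local dnscrypt-proxy instances on consecutive ports starting at 5353 and enable --all-servers, and it checks a forwarder list against the pitfall from the Notes section (forwarders must be 127.0.0.1#port, never 0.0.0.0). It assumes the OpenWrt dhcp UCI options server, noresolv and allservers, and that the instances listen on 5353, 5354, ... as described above.

```shell
#!/bin/sh
# Added example, not part of the original post: emit the UCI commands for the
# multi-instance all-servers setup, and check forwarder entries against the
# pitfall noted above. Assumes the OpenWrt dhcp UCI options server, noresolv
# and allservers, and dnscrypt-proxy instances on consecutive ports from 5353.

# Print the uci commands that point dnsmasq at N local dnscrypt-proxy instances
# (127.0.0.1#5353 .. 127.0.0.1#5353+N-1) and enable --all-servers.
gen_allservers_uci() {
    n="$1"; port=5353; i=0
    echo "uci -q delete dhcp.@dnsmasq[0].server"   # drop previous forwarders; harmless if none
    while [ "$i" -lt "$n" ]; do
        echo "uci add_list dhcp.@dnsmasq[0].server='127.0.0.1#$((port + i))'"
        i=$((i + 1))
    done
    echo "uci set dhcp.@dnsmasq[0].noresolv='1'"     # ignore ISP resolvers learned via WAN DHCP
    echo "uci set dhcp.@dnsmasq[0].allservers='1'"   # dnsmasq --all-servers
    echo "uci commit dhcp && /etc/init.d/dnsmasq restart"
}

# Given space-separated forwarder entries, return 0 only if every entry is the
# loopback address with an explicit port. 0.0.0.0 is a bind address, not a
# forwarding target; an entry without '#port' would be sent to port 53 and
# bypass dnscrypt-proxy entirely.
check_forwarders() {
    for s in $1; do
        case "$s" in
            127.0.0.1#[0-9]*) ;;
            *) echo "bad forwarder: $s" >&2; return 1 ;;
        esac
    done
    return 0
}

# Stand-alone demonstration with three instances (constructed values).
gen_allservers_uci 3
check_forwarders "127.0.0.1#5353 127.0.0.1#5354 127.0.0.1#5355" && echo "forwarders ok"
```

Pipe the output of gen_allservers_uci into sh on the router after creating the extra dnscrypt-proxy instances. Binding dnscrypt-proxy to 0.0.0.0 makes it listen on every interface, so confirm the firewall does not expose port 5353 (or the additional ports) on the WAN side; only LAN clients should be able to reach it.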