CentOS 6.9 + ChinaDNS + Supervisor + DNSMasq + opening non-standard TCP/UDP ports: deployment experiment

Test environment:

OS: CentOS 6.9

Software: ChinaDNS 1.3.2 + Supervisor 3.3.4 + DNSMasq 2.79

1. Install make and gcc

yum -y install make gcc

2. Install wget

yum -y install wget

3. Install dig

yum -y install bind-utils

3. Download the ChinaDNS source, unpack it and build it

cd /root
wget --no-check-certificate  https://github.com/shadowsocks/ChinaDNS/releases/download/1.3.2/chinadns-1.3.2.tar.gz
tar -zxvf chinadns-1.3.2.tar.gz
mv chinadns-1.3.2 chinadns
cd chinadns
./configure && make

4. Update the chnroute list and the poisoned-IP list

# cd /root/chinadns
curl 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | grep ipv4 | grep CN | awk -F\| '{ printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > chnroute.txt
rm -f iplist.txt && wget --no-check-certificate  https://raw.githubusercontent.com/YKilin/ChinaDNS/master/iplist.txt
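The awk one-liner in step 4 turns every CN IPv4 row of the APNIC delegated file into a prefix by computing 32 - log2(count). As an added example (my code, not part of the original post), the same conversion written as a function that tests the country and type fields instead of grepping the whole line, and that goes beyond the one-liner in one respect: an address count that is not a power of two is split into the aligned prefixes that cover it, rather than producing a fractional prefix length. The function name apnic_to_cidr and the sample rows are constructed; the rows follow the real file's registry|cc|type|start|value|date|status layout but are not real data.

```shell
#!/bin/sh
# apnic_to_cidr: read delegated-apnic-latest lines on stdin and print the CN IPv4
# allocations as CIDR prefixes, i.e. the list step 4 writes to chnroute.txt.
# File field layout: registry|cc|type|start|value|date|status
# A count that is not a power of two is split into aligned prefixes instead of
# yielding a fractional prefix length as 32-log(count)/log(2) would.
apnic_to_cidr() {
  awk -F'|' '
    function ip2int(s,  a) { split(s, a, "[.]"); return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4] }
    function int2ip(n) { return int(n / 16777216) "." int(n / 65536) % 256 "." int(n / 256) % 256 "." n % 256 }
    $2 == "CN" && $3 == "ipv4" {
      start = ip2int($4)
      n = $5 + 0                         # number of addresses in the allocation
      while (n > 0) {
        size = 1; bits = 32
        # grow the block while it still fits the count and stays aligned to start
        while (size * 2 <= n && start % (size * 2) == 0) { size *= 2; bits-- }
        printf("%s/%d\n", int2ip(start), bits)
        start += size; n -= size
      }
    }'
}

# Constructed sample in the delegated-apnic-latest format (not real allocations).
SAMPLE_APNIC='2|apnic|20180101|4|19830101|20171231|+1000
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|CN|ipv4|1.0.32.0|8192|20110412|allocated
apnic|CN|ipv4|1.1.1.0|768|20110412|allocated
apnic|CN|ipv6|2001:250::|35|20000426|allocated
apnic|CN|asn|4134|1|19970630|allocated'

printf '%s\n' "$SAMPLE_APNIC" | apnic_to_cidr
# prints:
# 1.0.1.0/24
# 1.0.32.0/19
# 1.1.1.0/24
# 1.1.2.0/23
```

To produce the real list, feed the function the downloaded file instead of the sample: curl 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | apnic_to_cidr > chnroute.txt. The 768-address row shows the split: 1.1.1.0 is only /24-aligned, so the remainder becomes a separate /23 starting at 1.1.2.0.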

5. Install python-setuptools

yum install -y python-setuptools

6. Install supervisor

easy_install supervisor

7. Generate the initial configuration file and append the ChinaDNS program section

echo_supervisord_conf > /etc/supervisord.conf
echo "[program:chinadns]
command=/root/chinadns/src/chinadns -p 8053 -m -l /root/chinadns/iplist.txt -c /root/chinadns/chnroute.txt -s 119.29.29.29,208.67.222.222:443
user = root
autostart = true
autorestart = true" >> /etc/supervisord.conf

8. Make supervisor start at boot. Then check /etc/rc.local: if it contains an exit 0 line, move that line to the very end of the file, so that the command appended below stays above exit 0.

echo "supervisord -c /etc/supervisord.conf" >> /etc/rc.local

9. Start supervisor

supervisord -c /etc/supervisord.conf

   # Reload the supervisor configuration after changing it

supervisorctl reload 

10. Check the program status; if chinadns is reported as RUNNING, it worked

supervisorctl status

11. Use dig to check that ChinaDNS is answering queries

dig @127.0.0.1 -p 8053 www.google.com

12. Install DNSMasq

cd /root
wget http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.79.tar.gz
tar -zxvf dnsmasq-2.79.tar.gz

13. Build it from source (the source tree's make builds only the binary; it does not ship the etc files and so on)

cd dnsmasq-2.79
make V=s

14. Install DNSmasq with yum

yum -y install dnsmasq

15. Replace the packaged binary with the freshly built latest version

yes | cp -f /root/dnsmasq-2.79/src/dnsmasq /usr/sbin/dnsmasq

16. Check the DNSmasq version

dnsmasq -v

17. Configure ChinaDNS as the upstream DNS

echo "server=127.0.0.1#8053" > /etc/dnsmasq.d/chinadns.conf

18. Edit /etc/dnsmasq.conf so that it contains the following

# Where dnsmasq reads its upstream DNS servers from; the default is /etc/resolv.conf
#resolv-file=/etc/dnsmasq.d/chinadns.conf

# Query the servers listed in resolv-file strictly in order, top to bottom, until the first one answers
strict-order

# Number of cached entries
cache-size=150

# Stop DNSMasq from using resolv.conf
no-resolv
no-poll

# Listening addresses; replace x.x.x.x with the IP of your eth0 interface (check it with ifconfig)
listen-address=127.0.0.1,0.0.0.0

# Directory of additional configuration files
conf-dir=/etc/dnsmasq.d/

19. Restart DNSMasq

/etc/init.d/dnsmasq restart

20. Grant execute permission

chmod +x /etc/init.d/dnsmasq

21. Add the DNSMasq service to the boot services

chkconfig dnsmasq on

22. Test; a correct answer means success

dig @127.0.0.1 www.google.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.5 <<>> @127.0.0.1 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31676
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         48      IN      A       216.58.200.36 (a correct answer here means success)

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 18 17:02:21 2018
;; MSG SIZE  rcvd: 48
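"A correct answer" in steps 11 and 22 means two things in the dig output: the header says status: NOERROR and the ANSWER SECTION actually carries an A record; a NOERROR reply with ANSWER: 0 or a SERVFAIL both mean the chain is broken somewhere. As an added example (my code, not the post's), a function that reads dig output and applies exactly that check, so it can be scripted against port 8053 (ChinaDNS directly) and port 53 (dnsmasq) to see which hop fails. The first sample is the reply captured in step 22 above; the second is a constructed SERVFAIL reply; the function name dig_answer_ips is mine.

```shell
#!/bin/sh
# dig_answer_ips: read the output of `dig` on stdin. Exit 0 only when the reply
# status is NOERROR and the ANSWER SECTION holds at least one A record, printing
# those addresses one per line; any other reply exits 1.
dig_answer_ips() {
  awk '
    /^;; ->>HEADER<<-/ && /status: NOERROR/ { noerror = 1 }
    /^;; ANSWER SECTION:/ { in_answer = 1; next }
    /^;;/ || /^$/         { in_answer = 0 }     # next section or blank line ends the answer
    in_answer && $3 == "IN" && $4 == "A" { print $5; n++ }
    END { exit (noerror && n > 0) ? 0 : 1 }
  '
}

# Sample 1: the reply shown in step 22 of the post (annotation removed).
DIG_OK='; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.5 <<>> @127.0.0.1 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31676
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         48      IN      A       216.58.200.36

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 18 17:02:21 2018
;; MSG SIZE  rcvd: 48'

# Sample 2: a constructed SERVFAIL reply with no answer, which is what a dead
# upstream (ChinaDNS not running, or a wrong port in chinadns.conf) looks like.
DIG_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                        IN      A'

if printf '%s\n' "$DIG_OK" | dig_answer_ips; then
  echo "resolver OK"
else
  echo "resolver NOT answering"
fi
```

On the live system the same function is used as dig @127.0.0.1 -p 8053 www.google.com | dig_answer_ips for ChinaDNS and dig @127.0.0.1 www.google.com | dig_answer_ips for dnsmasq; if the first succeeds and the second fails, the problem is in the dnsmasq configuration from steps 17 and 18 rather than in ChinaDNS.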

23. Enable IPv4 forwarding

vi /etc/sysctl.conf

# Find the following setting and change 0 to 1

net.ipv4.ip_forward = 1

# sysctl -p (applies the change immediately)

The default value 0 disables IP forwarding; setting it to 1 enables it.

24. Check the forwarding state

service iptables status
# or:
iptables -t nat -nL

24. Local iptables port forwarding for a non-standard DNSMasq port (for special requirements)

If the local machine itself also needs access, the OUTPUT chain must be configured.

Reason: traffic from outside passes through the PREROUTING chain, but localhost traffic does not, so OUTPUT is needed.

Redirect all service requests to port 5353 to port 53:

iptables -t nat -A OUTPUT -d localhost -p tcp --dport 5353 -j REDIRECT --to-ports 53
iptables -t nat -A OUTPUT -d localhost -p udp --dport 5353 -j REDIRECT --to-ports 53

Open TCP and UDP port 53 in the firewall. Below is my local firewall configuration:

# Generated by iptables-save v1.4.7 on Tue Jun  5 19:50:50 2018
*nat
:PREROUTING ACCEPT [46:6268]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 5353 -j REDIRECT --to-ports 53
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 5353 -j REDIRECT --to-ports 53

-A OUTPUT -d 10.14.0.252/32 -p tcp -m tcp --dport 5353 -j REDIRECT --to-ports 53
-A OUTPUT -d 10.14.0.252/32 -p udp -m udp --dport 5353 -j REDIRECT --to-ports 53

COMMIT
# Completed on Tue Jun  5 19:50:50 2018
# Generated by iptables-save v1.4.7 on Tue Jun  5 19:50:50 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5396:588736]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Jun  5 19:50:50 2018


25. Save the firewall rules

/sbin/service iptables save
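The saved rule set above only does what step 24 intends if the two ACCEPT rules for port 53 sit before the catch-all REJECT in INPUT (iptables -A appends, so a rule added after the REJECT on an already-populated chain never matches) and both REDIRECT rules are present. As an added example (my code, not the post's), an audit function that reads an iptables-save dump and checks exactly those four conditions. The first sample is the dump shown in the post; the second is a constructed mis-ordered variant; the function name audit_dns_rules is mine. Two caveats worth keeping in mind while reading it: the audit covers only the OUTPUT redirects the post adds, and as the post itself notes, packets from other hosts traverse PREROUTING rather than OUTPUT; and the INPUT rules as written accept port 53 from any source, so a resolver meant only for the LAN is better restricted with -s and your subnet on those two rules.

```shell
#!/bin/sh
# audit_dns_rules: read an iptables-save dump on stdin and check that
#   1. filter/INPUT accepts 53/tcp before the catch-all REJECT,
#   2. filter/INPUT accepts 53/udp before the catch-all REJECT,
#   3. nat/OUTPUT redirects 5353/tcp to 53,
#   4. nat/OUTPUT redirects 5353/udp to 53.
# Prints one "missing:" line per unmet condition; exits 1 if any is missing.
audit_dns_rules() {
  awk '
    /^\*/ { table = substr($0, 2); next }        # "*nat" / "*filter" open a table
    table == "filter" && /^-A INPUT / {
      if ($0 ~ /-j REJECT/) { rejected = 1; next }
      if (rejected) next                         # rules after the REJECT are dead
      if ($0 ~ /-p tcp/ && $0 ~ /--dport 53( |$)/ && $0 ~ /-j ACCEPT/) tcp53 = 1
      if ($0 ~ /-p udp/ && $0 ~ /--dport 53( |$)/ && $0 ~ /-j ACCEPT/) udp53 = 1
    }
    table == "nat" && /^-A OUTPUT / && /--dport 5353/ && /-j REDIRECT --to-ports 53( |$)/ {
      if ($0 ~ /-p tcp/) rtcp = 1
      if ($0 ~ /-p udp/) rudp = 1
    }
    END {
      ok = 1
      if (!tcp53) { print "missing: filter INPUT ACCEPT 53/tcp before REJECT"; ok = 0 }
      if (!udp53) { print "missing: filter INPUT ACCEPT 53/udp before REJECT"; ok = 0 }
      if (!rtcp)  { print "missing: nat OUTPUT REDIRECT 5353/tcp -> 53"; ok = 0 }
      if (!rudp)  { print "missing: nat OUTPUT REDIRECT 5353/udp -> 53"; ok = 0 }
      exit (ok ? 0 : 1)
    }'
}

# Sample 1: the iptables-save output shown in step 24 of the post.
GOOD_RULES='*nat
:PREROUTING ACCEPT [46:6268]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 5353 -j REDIRECT --to-ports 53
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 5353 -j REDIRECT --to-ports 53
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5396:588736]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Sample 2 (constructed): the port-53 ACCEPTs were appended after the REJECT and
# the nat table was never saved, so all four checks fail.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
COMMIT'

printf '%s\n' "$GOOD_RULES" | audit_dns_rules && echo "saved rules: OK"
```

On the live system run iptables-save | audit_dns_rules after step 25, or audit the saved file directly with audit_dns_rules < /etc/sysconfig/iptables.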

26. Test from Linux

dig +tcp @10.14.0.252 -p 5353 www.google.com

27. Test from Windows

nslookup -vc www.google.com 10.14.0.252:5353

28. Common error:

checking how to run the C preprocessor... /lib/cpp
configure: error: in `/root/chinadns-1.3.2':
configure: error: C preprocessor "/lib/cpp" fails sanity check
See `config.log' for more details

Fix:

yum -y install glibc-kernheaders

 
