实验环境:
系统:CentOS6.9
软件:ChinaDNS 1.3.2 + Supervisor 3.3.4 + DNSMasq 2.79
1.#安装make 和 gcc
yum -y install make gcc
2.# 安装wget
yum -y install wget
3.#安装DIG
yum -y install bind-utils
3.# 下载 ChinaDNS 源码并解压编译
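# Fetch and build the ChinaDNS 1.3.2 release.
# TLS verification is kept on: the archive is compiled and later run as root,
# so a tampered download would hand over this host. If wget rejects GitHub's
# certificate on CentOS 6, refresh the CA bundle (done here) instead of
# passing --no-check-certificate. Each step is checked so a failed download
# or unpack does not silently continue into the next step.
yum install -y ca-certificates
cd /root || exit 1
wget https://github.com/shadowsocks/ChinaDNS/releases/download/1.3.2/chinadns-1.3.2.tar.gz || exit 1
tar -zxvf chinadns-1.3.2.tar.gz || exit 1
mv chinadns-1.3.2 chinadns
cd chinadns || exit 1
./configure && make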
4.#更新 chnrouter 和污染 ip 列表
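# Refresh the China route list and the poisoned-IP list used by chinadns.
# Run from /root/chinadns (the previous step already changed into it).
# Both lists are fetched over HTTPS into a temporary file and only moved into
# place when non-empty, so a failed download cannot leave an empty or
# truncated list behind (the original `> chnroute.txt` clobbered the file
# even when curl failed, and no-check-certificate disabled TLS checks).
# Note: iplist.txt comes from a third-party fork (YKilin), not the upstream
# shadowsocks project; review its contents before relying on it.
curl -fsSL 'https://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' \
  | grep ipv4 | grep CN \
  | awk -F'|' '{ printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > chnroute.txt.new \
  && [ -s chnroute.txt.new ] && mv -f chnroute.txt.new chnroute.txt
wget -O iplist.txt.new https://raw.githubusercontent.com/YKilin/ChinaDNS/master/iplist.txt \
  && [ -s iplist.txt.new ] && mv -f iplist.txt.new iplist.txt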
5.#安装python-setuptools
yum install -y python-setuptools
6.#安装 supervisor
easy_install supervisor
7.#初始化并修改配置文件
# Write a default supervisord.conf, then append a program section that keeps
# chinadns running: listen on 8053, use the route/IP lists built above, and
# forward to 119.29.29.29 and 208.67.222.222:443. The quoted heredoc keeps the
# text literal, exactly as the original echo did.
# Note: chinadns runs as root here although it only binds an unprivileged
# port; a dedicated user would first need the tree moved out of /root.
echo_supervisord_conf > /etc/supervisord.conf
cat >> /etc/supervisord.conf <<'EOF'
[program:chinadns]
command=/root/chinadns/src/chinadns -p 8053 -m -l /root/chinadns/iplist.txt -c /root/chinadns/chnroute.txt -s 119.29.29.29,208.67.222.222:443
user = root
autostart = true
autorestart = true
EOF
8.#添加 supervisor 开机自启并检查/etc/rc.local文件,如果有exit 0这行,就把它移动到文件的最后一行,即保证我们上面添加的这句在exit 0前面
echo "supervisord -c /etc/supervisord.conf" >> /etc/rc.local
9.#启动 supervisor
# Launch supervisord with the config written above, then reload so the
# chinadns program section is picked up.
supervisord --configuration /etc/supervisord.conf
supervisorctl reload
10.#查看程序运行状态,如果有输出 chinadns 的运行状态RUNNING就说明成功了
supervisorctl status
11.#用 dig 命令检查一下,看 ChinaDNS 是否正常运作
dig @127.0.0.1 -p 8053 www.google.com
12.安装DNSMasq
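# Fetch the dnsmasq 2.79 source. The tarball is served over plain HTTP, and
# the resulting binary replaces /usr/sbin/dnsmasq and runs as a system
# service, so verify the project's detached signature before building.
# Import the dnsmasq release-signing key from the project site first, or the
# gpg step fails. Every step is checked so a failed download cannot be unpacked
# or built by the following steps.
cd /root || exit 1
wget http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.79.tar.gz || exit 1
wget http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.79.tar.gz.asc || exit 1
gpg --verify dnsmasq-2.79.tar.gz.asc dnsmasq-2.79.tar.gz || exit 1
tar -zxvf dnsmasq-2.79.tar.gz || exit 1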
13.#编译,源码 make 不带 etc 等
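# Build only the binary (no install). The cd is checked: the original would
# have run make in /root if the unpack had failed.
cd dnsmasq-2.79 || exit 1
make V=s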
14.#用 yum 安装 DNSmasq
yum -y install dnsmasq
15.#编译好的最新版本替换
yes | cp -f /root/dnsmasq-2.79/src/dnsmasq /usr/sbin/dnsmasq
16.# DNSmasq版本检验
dnsmasq -v
17.#配置将 ChinaDNS 作为上游 DNS
echo "server=127.0.0.1#8053" > /etc/dnsmasq.d/chinadns.conf
18.#编辑配置/etc/dnsmasq.conf文件
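# Where dnsmasq would learn its upstream servers; by default /etc/resolv.conf.
# Left commented: the upstream (127.0.0.1#8053) is supplied via conf-dir below.
#resolv-file=/etc/dnsmasq.d/chinadns.conf
# Try upstream servers strictly in listed order until one answers
# (with a single upstream this is moot).
strict-order
# Number of cached entries
cache-size=150
# Do not read resolv.conf, and do not re-read it on change
no-resolv
no-poll
# Listen only on loopback and the LAN address: replace x.x.x.x with the eth0
# address (see ifconfig). The original 0.0.0.0 bound every interface, which
# makes this host an open resolver on any network it is attached to.
listen-address=127.0.0.1,x.x.x.x
# Bind those addresses only, instead of the wildcard address with filtering
bind-interfaces
# Directory of extra configuration files (chinadns.conf lives here)
conf-dir=/etc/dnsmasq.d/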
19.#重启 DNSMasq
/etc/init.d/dnsmasq restart
20.#赋予执行的权限
chmod +x /etc/init.d/dnsmasq
21.#将DNSMasq 服务加入启动项
chkconfig dnsmasq on
22.#测试-返回正确值表示成功
dig @127.0.0.1 www.google.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.5 <<>> @127.0.0.1 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31676
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 48 IN A 216.58.200.36 (返回正确值表示成功)
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 18 17:02:21 2018
;; MSG SIZE rcvd: 48
23.#开启IPV4转发
vi /etc/sysctl.conf
# 找到下面的值并将0改成1
net.ipv4.ip_forward = 1
# sysctl -p(使之立即生效)
默认值0是禁止ip转发,修改为1即开启ip转发功能。注意:只有本机需要为其他主机转发流量时才需要这一步;下面的 iptables 规则只在 OUTPUT 链做 REDIRECT,并不依赖 ip_forward。
24.#查询转发状态
service iptables status 或 iptables -t nat -nL
24.#DNSMasq 非标准端口 iptables本机端口转发(针对特殊需求)
如果需要本机也可以访问,则需要配置OUTPUT链.
原因:外网访问需要经过PREROUTING链,但是localhost不经过该链,因此需要用OUTPUT。
把到5353端口的服务请求都转到53端口上
# Redirect local (OUTPUT-chain) requests to port 5353 onto dnsmasq's port 53,
# for TCP and UDP alike.
for proto in tcp udp; do
  iptables -t nat -A OUTPUT -d localhost -p "$proto" --dport 5353 -j REDIRECT --to-ports 53
done
开放防火墙TCP+UDP的53端口,以下为我本地防火墙配置情况。注意:下面的 INPUT 规则没有用 -s 限制来源,53端口会对所有能访问到本机的网络开放;只给内网用的话,请加上 -s <内网网段>。
# Generated by iptables-save v1.4.7 on Tue Jun 5 19:50:50 2018
*nat
:PREROUTING ACCEPT [46:6268]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 5353 -j REDIRECT --to-ports 53
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 5353 -j REDIRECT --to-ports 53
-A OUTPUT -d 10.14.0.252/32 -p tcp -m tcp --dport 5353 -j REDIRECT --to-ports 53
-A OUTPUT -d 10.14.0.252/32 -p udp -m udp --dport 5353 -j REDIRECT --to-ports 53
COMMIT
# Completed on Tue Jun 5 19:50:50 2018
# Generated by iptables-save v1.4.7 on Tue Jun 5 19:50:50 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5396:588736]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Jun 5 19:50:50 2018
"iptables" 32L, 1129C
25.保存防火墙策略
/sbin/service iptables save
26.Linux端测试
dig +tcp @10.14.0.252 -p 5353 www.google.com
27.Windows端测试
nslookup -vc www.google.com 10.14.0.252:5353
28.常见报错:
checking how to run the C preprocessor... /lib/cpp
configure: error: in `/root/chinadns-1.3.2':
configure: error: C preprocessor "/lib/cpp" fails sanity check
See `config.log' for more details
解决方案:
yum -y install glibc-kernheaders