- Enable IPv4 forwarding
vi /etc/sysctl.conf
# change net.ipv4.ip_forward=0 to net.ipv4.ip_forward=1
sysctl -p
- Install dnsmasq and pdnsd to work around DNS pollution
The resolution chain is resolv.conf ==> dnsmasq ==> pdnsd. dnsmasq forwards only the polluted domains to pdnsd; for every other name dnsmasq does not forward the request, so those names fall through to the other domestic DNS servers listed in resolv.conf.
- Install
pacman -S dnsmasq pdnsd
- pdnsd configuration
# vi /etc/pdnsd.conf
# change the port and point it at Google's DNS
global {
perm_cache=1024;
cache_dir="/var/cache";
# pid_file = /var/run/pdnsd.pid;
# run_as="lance";
server_port=1053;
server_ip = 127.0.0.1; # Use eth0 here if you want to allow other
# machines on your network to query pdnsd.
status_ctl = on;
# paranoid=on; # This option reduces the chance of cache poisoning
# but may make pdnsd less efficient, unfortunately.
query_method=tcp_only;
min_ttl=15m; # Retain cached entries at least 15 minutes.
max_ttl=1w; # One week.
timeout=10; # Global timeout option (10 seconds).
neg_domain_pol=on;
udpbufsize=1024; # Upper limit on the size of UDP messages.
}
server {
label="google-dns";
ip=8.8.8.8;
root_server=on;
uptest=none;
}
server {
label="korea";
ip=49.238.213.1;
root_server=on;
uptest=none;
}
After configuring, start pdnsd from the command line with pdnsd --debug to enter debug mode, then test with nslookup -port=1053 twitter.com 127.0.0.1 to check that resolution succeeds.
- dnsmasq configuration
vi /etc/dnsmasq.conf
# append these two lines at the end of the file (without the leading #)
# listen-address=127.0.0.1
# conf-dir=/etc/dnsmasq.d/,*.conf
# The last line points dnsmasq at its rule directory; only the blocked domains are resolved through the rules there.
# Use the script at https://gist.github.com/lanceliao/85cd3fcf1303dba2498c to generate a list of polluted domains and put it in that directory; the list already contains the ipset rules.
- resolv.conf configuration
vi /etc/resolv.conf
Change the contents to the following. Because dnsmasq listens on 127.0.0.1 port 53, polluted domains are resolved through dnsmasq first; domains not covered by the rules are resolved by 114.
# Generated by resolvconf
domain lan
nameserver 127.0.0.1
nameserver 114.114.114.114
nameserver 114.114.115.115
nameserver 8.8.8.8
nameserver 8.8.4.4
This file may be overwritten by dhcpcd, so protect it:
vi /etc/dhcpcd.conf
# append this line at the very end
nohook resolv.conf
Make it read-only just in case: chattr +i /etc/resolv.conf
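The following is an added example, not part of the original notes: a small POSIX sh script that checks a resolv.conf and dhcpcd.conf pair against the setup described above (dnsmasq on 127.0.0.1 listed first, dhcpcd told not to rewrite the file, and the immutable bit set). It assumes only awk, grep, sed, tail and optionally lsattr, and takes the file paths as arguments so it can be run against copies as well as the live files. It also reports nameserver lines beyond the third, because the glibc stub resolver reads at most MAXNS (3) nameserver entries from resolv.conf and silently ignores the rest.

```shell
#!/bin/sh
# Added example, not part of the original notes: sanity checks for the
# dnsmasq-first resolv.conf and the dhcpcd protection described above.
# Assumes POSIX sh plus awk/grep/sed/tail; lsattr is optional.

# Print the nameserver addresses of a resolv.conf in file order.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeed only if 127.0.0.1 (dnsmasq) is the first nameserver, which is
# what sends the polluted domains through dnsmasq before any public resolver.
resolv_first_is_local() {
    [ "$(resolv_nameservers "$1" | head -n 1)" = "127.0.0.1" ]
}

# Number of nameserver lines the glibc stub resolver will actually use:
# resolv.h caps this at MAXNS (3); any further lines are ignored.
resolv_used_count() {
    awk '$1 == "nameserver" { n++ } END { if (n > 3) n = 3; print n + 0 }' "$1"
}

# Print the nameservers beyond the third, which are never queried.
resolv_ignored() {
    resolv_nameservers "$1" | tail -n +4
}

# Succeed if dhcpcd.conf tells dhcpcd not to rewrite resolv.conf.
dhcpcd_nohook_set() {
    grep -q '^[[:space:]]*nohook[[:space:]].*resolv\.conf' "$1"
}

# Succeed if the file carries the immutable attribute set by chattr +i.
# lsattr prints the attribute flags in its first column; 'i' is immutable.
resolv_is_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 1
    lsattr -d "$1" 2>/dev/null | awk '{ print $1 }' | grep -q 'i'
}

# Run every check and print a report; the return value is the number of
# failed checks, so the function can gate a deployment script.
resolv_report() {
    resolv=$1 dhcpcd=$2 fails=0
    if resolv_first_is_local "$resolv"; then
        echo "ok: 127.0.0.1 (dnsmasq) is the first nameserver"
    else
        echo "FAIL: the first nameserver is not 127.0.0.1"; fails=$((fails + 1))
    fi
    ignored=$(resolv_ignored "$resolv")
    if [ -n "$ignored" ]; then
        echo "WARN: glibc uses only the first 3 nameservers; these are ignored:"
        echo "$ignored" | sed 's/^/  /'
        fails=$((fails + 1))
    fi
    if dhcpcd_nohook_set "$dhcpcd"; then
        echo "ok: dhcpcd has 'nohook resolv.conf'"
    else
        echo "FAIL: dhcpcd may overwrite $resolv (add 'nohook resolv.conf')"
        fails=$((fails + 1))
    fi
    if resolv_is_immutable "$resolv"; then
        echo "ok: $resolv is immutable (chattr +i)"
    else
        echo "WARN: $resolv is not immutable (or lsattr is unavailable)"
    fi
    return "$fails"
}

# Usage: sh resolv_check.sh /etc/resolv.conf /etc/dhcpcd.conf
if [ $# -eq 2 ]; then
    resolv_report "$1" "$2"
fi
```

Run against the resolv.conf shown above, the script flags 8.8.8.8 and 8.8.4.4 as never queried: with 127.0.0.1 and the two 114 servers ahead of them, the fourth and fifth entries are beyond what the resolver reads.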
- Overall DNS test
systemctl start dnsmasq
systemctl start pdnsd
ping facebook (this exercises dnsmasq on its standard port 53) and check the IP in the result; if it is a normal address, everything works.
- Write the shadowsocks start/stop script shadowsocks.sh; this script forwards the domains on the gfwlist through shadowsocks. The dnsmasq configuration lives in the /etc/dnsmasq.d directory. Because the gfwlist does not contain Google's domains, add another config file with:
server=/.google.com.hk/127.0.0.1#1053
ipset=/.google.com.hk/gfwlist
server=/.google.com/127.0.0.1#1053
ipset=/.google.com/gfwlist
server=/.google.jp/127.0.0.1#1053
ipset=/.google.jp/gfwlist
server=/.google.co.jp/127.0.0.1#1053
ipset=/.google.co.jp/gfwlist
server=/.google.co.uk/127.0.0.1#1053
ipset=/.google.co.uk/gfwlist
server=/.amazonaws.com/127.0.0.1#1053
ipset=/.amazonaws.com/gfwlist
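The extra config file above follows a fixed pattern: for each domain, one server= line that hands the query for the domain and all of its subdomains to pdnsd on 127.0.0.1#1053, and one ipset= line that adds every answered address to the gfwlist ipset. As an added example (not part of the original notes or the linked gist), this POSIX sh script generates such a fragment from a plain list of domains, normalising case and stray dots and dropping blanks, comments and duplicates. It assumes only sed, sort and tr; the upstream 127.0.0.1#1053 and the ipset name gfwlist are the values used in the notes.

```shell
#!/bin/sh
# Added example, not part of the original notes: generate a dnsmasq
# split-DNS fragment in the same form as the google/amazonaws file above,
# one server= and one ipset= line per domain, from a plain domain list.
# Assumes POSIX sh with sed/sort/tr; the upstream (pdnsd on 127.0.0.1#1053)
# and the ipset name (gfwlist) are taken from the notes.

UPSTREAM="127.0.0.1#1053"
IPSET="gfwlist"

# Normalise one domain: trim whitespace, strip leading and trailing dots,
# lowercase, so "Google.com." and ".google.com" yield the same rule.
normalize_domain() {
    printf '%s\n' "$1" \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^\.*//; s/\.*$//' \
        | tr 'A-Z' 'a-z'
}

# Emit the two dnsmasq lines for one domain. server= sends queries for the
# domain and all its subdomains to pdnsd; ipset= adds every address in the
# answers to the gfwlist ipset that the routing rules match on.
dnsmasq_rules_for() {
    d=$(normalize_domain "$1")
    [ -n "$d" ] || return 1
    printf 'server=/.%s/%s\n' "$d" "$UPSTREAM"
    printf 'ipset=/.%s/%s\n' "$d" "$IPSET"
}

# Read domains from stdin (one per line; blank lines and # comments are
# skipped, duplicates collapsed) and write the config fragment to stdout.
gen_dnsmasq_conf() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        normalize_domain "$line"
    done | grep -v '^$' | LC_ALL=C sort -u | while IFS= read -r d; do
        dnsmasq_rules_for "$d"
    done
}

# Usage: sh gen_gfw_dnsmasq.sh domains.txt > /etc/dnsmasq.d/extra.conf
if [ $# -gt 0 ]; then
    cat "$@" | gen_dnsmasq_conf
fi
```

After writing the fragment into /etc/dnsmasq.d, restart dnsmasq so it reads the new conf-dir file; the ipset named on the ipset= lines must already exist, otherwise dnsmasq logs an error for each answer it tries to add.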
- Write and start the shadowsocks service, shadowsocks.service
- Reference
For /etc/resolv.conf, dnsmasq seems to honour only 3 records.