@missdeer
Last active April 12, 2024 10:08
Generates a Corefile for CoreDNS that uses your ISP's DNS servers to resolve domain names in China and OpenDNS/Cloudflare/Google DNS servers to resolve domain names outside China. Change 119.29.29.29/223.5.5.5 to your ISP's DNS server address, or use a public DNS server such as 114/DNSPod directly.
```sh
#!/bin/sh
echo 'use "curl -sSL git.io/corefile | bash" to update Corefile'
echo "remember to change 119.29.29.29/223.5.5.5 to your ISP's DNS server address or use public DNS server such as 114/DNSPod etc. directly"

# Each accelerated/apple/google list line looks like "server=/domain/114.114.114.114".
# Drop comment lines, keep the domain (second '/'-separated field) and join with spaces.
base=https://raw.githubusercontent.com/felixonmars/dnsmasq-china-list/master
china=$(curl -sSL "$base/accelerated-domains.china.conf" | grep -v '^#' | awk -F '/' '/^server=/ {print $2}' | paste -sd ' ' -)
apple=$(curl -sSL "$base/apple.china.conf" | grep -v '^#' | awk -F '/' '/^server=/ {print $2}' | paste -sd ' ' -)
google=$(curl -sSL "$base/google.china.conf" | grep -v '^#' | awk -F '/' '/^server=/ {print $2}' | paste -sd ' ' -)
# bogus-nxdomain lines look like "bogus-nxdomain=1.2.3.4"; keep the address after '='.
bogus=$(curl -sSL "$base/bogus-nxdomain.china.conf" | grep -v '^#' | grep '=' | awk -F '=' '{print $2}' | paste -sd ' ' -)

# $china, $apple, $google and $bogus are expanded inside the unquoted heredoc.
cat > Corefile <<EOF
. {
    # comment below lines to disable ads plugin
    ads {
        blacklist https://anti-ad.net/domains.txt
        blacklist https://raw.githubusercontent.com/missdeer/blocklist/master/convert/AdguardMobileAds.txt
        blacklist https://raw.githubusercontent.com/missdeer/blocklist/master/convert/AdguardMobileSpyware.txt
        blacklist https://raw.githubusercontent.com/missdeer/blocklist/master/convert/AdguardTracking.txt
        blacklist https://raw.githubusercontent.com/missdeer/blocklist/master/convert/AdguardCNAMEAds.txt
        blacklist https://raw.githubusercontent.com/missdeer/blocklist/master/convert/AdguardCNAMEClickthroughs.txt
        blacklist https://raw.githubusercontent.com/missdeer/blocklist/master/convert/AdguardCNAMEMicrosites.txt
        blacklist https://raw.githubusercontent.com/missdeer/blocklist/master/convert/AdguardCNAME.txt
        blacklist https://raw.githubusercontent.com/missdeer/blocklist/master/convert/AdguardDNS.txt
        blacklist https://raw.githubusercontent.com/missdeer/blocklist/master/convert/EasyPrivacyCNAME.txt
        blacklist https://raw.githubusercontent.com/missdeer/blocklist/master/convert/EasyPrivacySpecific.txt
        blacklist https://raw.githubusercontent.com/missdeer/blocklist/master/convert/EasyPrivacy3rdParty.txt
        nxdomain
        log
        auto-update-interval 24h
        list-store ads-cache
    }
    hosts {
        fallthrough
    }
    # choose your favourite DNS servers below
    # everything not in the except list goes to the DoT upstreams on the local ports;
    # the excepted (China/Apple/Google) names fall through to proxy below
    forward . 127.0.0.1:5300 127.0.0.1:5301 127.0.0.1:5302 127.0.0.1:5303 127.0.0.1:5304 {
        except $china $apple $google dns.quad9.net cloudflare-dns.com dns.google dns.opendns.com
    }
    proxy . 119.29.29.29 223.5.5.5
    bogus $bogus
    log
    cache
    # uncomment lines below to enable redis plugin
    #redisc {
    #    endpoint 127.0.0.1:6379
    #}
    health
    reload
}
.:5300 {
    bind 127.0.0.1
    forward . tls://208.67.222.222 tls://208.67.220.220 {
        tls_servername dns.opendns.com
        health_check 60s
    }
    cache
}
.:5301 {
    bind 127.0.0.1
    forward . tls://9.9.9.9 tls://9.9.9.10 {
        tls_servername dns.quad9.net
        health_check 60s
    }
    cache
}
.:5302 {
    bind 127.0.0.1
    forward . tls://1.1.1.1 tls://1.0.0.1 {
        tls_servername cloudflare-dns.com
        health_check 60s
    }
    cache
}
.:5303 {
    bind 127.0.0.1
    forward . tls://8.8.8.8 tls://8.8.4.4 {
        tls_servername dns.google
        health_check 60s
    }
    cache
}
EOF
```
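As an added example (not code from the gist or from felixonmars' lists), this Python rewrite of the list parsing the script does can be checked offline, and it includes the rule the bogus plugin applies to an answer. The sample lines are constructed and the function names are my own.

```python
import re

# Constructed excerpts in the dnsmasq-china-list format that the script downloads
# (sample data for illustration, not the real list contents).
ACCELERATED_SAMPLE = """\
# accelerated-domains.china.conf (constructed excerpt)
server=/0-100.com/114.114.114.114
server=/taobao.com/114.114.114.114

server=/example.cn/114.114.114.114
"""
BOGUS_SAMPLE = """\
# bogus-nxdomain.china.conf (constructed excerpt)
bogus-nxdomain=203.0.113.7
bogus-nxdomain=198.51.100.9
"""

SERVER_RE = re.compile(r"^server=/([^/]+)/")
BOGUS_RE = re.compile(r"^bogus-nxdomain=(\S+)$")


def parse_domains(text):
    """Domains from server=/domain/ip lines; comments and blank lines are skipped."""
    domains = []
    for line in text.splitlines():
        m = SERVER_RE.match(line.strip())
        if m:
            domains.append(m.group(1))
    return domains


def parse_bogus_ips(text):
    """Hijack addresses from bogus-nxdomain=ip lines, as a set for fast lookup."""
    ips = set()
    for line in text.splitlines():
        m = BOGUS_RE.match(line.strip())
        if m:
            ips.add(m.group(1))
    return ips


def render_directives(domains, bogus_ips):
    """The two Corefile lines the script fills in: forward's except list and bogus."""
    return ("except " + " ".join(domains), "bogus " + " ".join(sorted(bogus_ips)))


def should_return_nxdomain(answer_ips, bogus_ips):
    """The bogus plugin's rule: a hijack address in the answer means the name has no
    real record, so reply NXDOMAIN instead of handing out the ISP landing-page IP."""
    return any(ip in bogus_ips for ip in answer_ips)
```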
@yangchuansheng

How do you use the ipset plugin?

@missdeer

missdeer commented Mar 7, 2020

> How do you use the ipset plugin?

It adds every IP resolved inside that server block to the ipset whose name you give the plugin, for example:

cisco.com, webexconnect.com, webex.com, wbx2.com, ciscospark.com {
    forward . 192.168.1.1
    ipset ciscolist
}

That puts the IPs resolved for all the Cisco-related domains into the ipset named ciscolist, and you can then set up a separate forwarding rule for it in iptables.

@yangchuansheng

yangchuansheng commented Mar 7, 2020 via email

@Bowser1704

When I run it, ad and bogus both give "Unknown directive". What's the problem?
I've also installed both plugins, block and proxy.

@missdeer

> When I run it, ad and bogus both give "Unknown directive". What's the problem?
> I've also installed both plugins, block and proxy.

Probably because you're not using the CoreDNS build that I modified and compiled.

@snakwu

snakwu commented Mar 31, 2020

> > When I run it, ad and bogus both give "Unknown directive". What's the problem?
> > I've also installed both plugins, block and proxy.
>
> Probably because you're not using the CoreDNS build that I modified and compiled.

What does bogus do? I see the bogus IP list hasn't been updated for two years.
Also, what does bind 127.0.0.1 mean? What effect does it have?
Thanks...

@missdeer

> What does bogus do? I see the bogus IP list hasn't been updated for two years.
> Also, what does bind 127.0.0.1 mean? What effect does it have?
> Thanks...

For bogus, see this issue: felixonmars/dnsmasq-china-list#2. Roughly, some ISP-provided DNS servers return a bogus IP when resolving a domain that has no record, redirecting you to some web page (114's, for instance). Some people don't want to see that page, and returning NXDOMAIN directly is better.

Without bind 127.0.0.1 it listens on 0.0.0.0; with it, it listens on 127.0.0.1.

@snakwu

snakwu commented Mar 31, 2020

> > What does bogus do? I see the bogus IP list hasn't been updated for two years.
> > Also, what does bind 127.0.0.1 mean? What effect does it have?
> > Thanks...
>
> For bogus, see this issue: felixonmars/dnsmasq-china-list#2. Roughly, some ISP-provided DNS servers return a bogus IP when resolving a domain that has no record, redirecting you to some web page (114's, for instance). Some people don't want to see that page, and returning NXDOMAIN directly is better.
>
> Without bind 127.0.0.1 it listens on 0.0.0.0; with it, it listens on 127.0.0.1.

But I see your first server block doesn't have bind 127.0.0.1. Wouldn't it be better to add it?

@missdeer

> > Without bind 127.0.0.1 it listens on 0.0.0.0; with it, it listens on 127.0.0.1.
>
> But I see your first server block doesn't have bind 127.0.0.1. Wouldn't it be better to add it?

Because I use it on a router, so it has to listen on 0.0.0.0.

@snakwu

snakwu commented Mar 31, 2020

> > > Without bind 127.0.0.1 it listens on 0.0.0.0; with it, it listens on 127.0.0.1.
> >
> > But I see your first server block doesn't have bind 127.0.0.1. Wouldn't it be better to add it?
>
> Because I use it on a router, so it has to listen on 0.0.0.0.

In theory, if it only listens on 127.0.0.1, access from other devices won't work, right?

@missdeer

missdeer commented Apr 1, 2020

> In theory, if it only listens on 127.0.0.1, access from other devices won't work, right?

Yes, that's why I listen on 0.0.0.0.

@snakwu

snakwu commented Apr 18, 2020

> > In theory, if it only listens on 127.0.0.1, access from other devices won't work, right?
>
> Yes, that's why I listen on 0.0.0.0.

After adding the ads plugin, the log shows it constantly re-reading the files, which makes DNS very slow. How do I fix this? Thanks
Apr 18 08:30:21 dns_server rc.local[1012]: [INFO] plugin/ads: Updating lists from Local files...
Apr 18 08:30:21 dns_server rc.local[1012]: [INFO] plugin/ads: [File Update] Loaded 0 entries into Blacklist and 1 entries into whitelist
Apr 18 08:31:21 dns_server rc.local[1012]: [INFO] plugin/ads: Updating lists from Local files...
Apr 18 08:31:21 dns_server rc.local[1012]: [INFO] plugin/ads: [File Update] Loaded 0 entries into Blacklist and 1 entries into whitelist

@missdeer

> After adding the ads plugin, the log shows it constantly re-reading the files, which makes DNS very slow. How do I fix this? Thanks
> Apr 18 08:30:21 dns_server rc.local[1012]: [INFO] plugin/ads: Updating lists from Local files...
> Apr 18 08:30:21 dns_server rc.local[1012]: [INFO] plugin/ads: [File Update] Loaded 0 entries into Blacklist and 1 entries into whitelist
> Apr 18 08:31:21 dns_server rc.local[1012]: [INFO] plugin/ads: Updating lists from Local files...
> Apr 18 08:31:21 dns_server rc.local[1012]: [INFO] plugin/ads: [File Update] Loaded 0 entries into Blacklist and 1 entries into whitelist

It seems the update interval is hard-coded to once a minute, unless you change the code. But it doesn't slow DNS down here; the slowness on your side may be caused by something else.

@snakwu

snakwu commented Apr 18, 2020

> > After adding the ads plugin, the log shows it constantly re-reading the files, which makes DNS very slow. How do I fix this? Thanks
> > Apr 18 08:30:21 dns_server rc.local[1012]: [INFO] plugin/ads: Updating lists from Local files...
> > Apr 18 08:30:21 dns_server rc.local[1012]: [INFO] plugin/ads: [File Update] Loaded 0 entries into Blacklist and 1 entries into whitelist
> > Apr 18 08:31:21 dns_server rc.local[1012]: [INFO] plugin/ads: Updating lists from Local files...
> > Apr 18 08:31:21 dns_server rc.local[1012]: [INFO] plugin/ads: [File Update] Loaded 0 entries into Blacklist and 1 entries into whitelist
>
> It seems the update interval is hard-coded to once a minute, unless you change the code. But it doesn't slow DNS down here; the slowness on your side may be caused by something else.

As soon as I remove ads it's back to normal, so I don't understand. My config is basically copied from yours, yet with ads it not only fails to block ads, web pages open very slowly.

@missdeer

> > It seems the update interval is hard-coded to once a minute, unless you change the code. But it doesn't slow DNS down here; the slowness on your side may be caused by something else.
>
> As soon as I remove ads it's back to normal, so I don't understand. My config is basically copied from yours, yet with ads it not only fails to block ads, web pages open very slowly.

First confirm whether DNS resolution is actually slow: on Windows run nslookup www.taobao.com, on other platforms dig www.taobao.com, and look at the latency.

@snakwu

snakwu commented Apr 18, 2020

> > > It seems the update interval is hard-coded to once a minute, unless you change the code. But it doesn't slow DNS down here; the slowness on your side may be caused by something else.
> >
> > As soon as I remove ads it's back to normal, so I don't understand. My config is basically copied from yours, yet with ads it not only fails to block ads, web pages open very slowly.
>
> First confirm whether DNS resolution is actually slow: on Windows run nslookup www.taobao.com, on other platforms dig www.taobao.com, and look at the latency.

The nslookup results are normal; it's just that opening web pages is very slow!

@snakwu

snakwu commented Apr 18, 2020

PS C:\WINDOWS\system32> ipconfig /flushdns

Windows IP 配置

已成功刷新 DNS 解析缓存。
PS C:\WINDOWS\system32> nslookup www.taobao.com
服务器: SnakWu-OpenWrt.lan
Address: fd00:100:100::1

非权威应答:
名称: www.taobao.com.danuoyi.tbcache.com
Addresses: 240e:ff:d800:500:3::3fa
240e:ff:d800:500:3::3f9
113.96.109.101
113.96.109.100
Aliases: www.taobao.com

PS C:\WINDOWS\system32>

snakwu@hassio-server:~/go-workspace/src/coredns$ dig www.taobao.com

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> www.taobao.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63926
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.taobao.com. IN A

;; ANSWER SECTION:
www.taobao.com. 562 IN CNAME www.taobao.com.danuoyi.tbcache.com.
www.taobao.com.danuoyi.tbcache.com. 554 IN A 113.96.109.101
www.taobao.com.danuoyi.tbcache.com. 554 IN A 113.96.109.100

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Apr 18 10:26:23 CST 2020
;; MSG SIZE rcvd: 120

@snakwu

snakwu commented Apr 18, 2020

[image]
The log looks perfectly normal, so why are web pages so slow to open?

@missdeer

> The nslookup results are normal; it's just that opening web pages is very slow!

Probably some CSS/JS links are being blocked, which stalls the whole page.

@missdeer

By the way, why do you have so many blocked resolution requests?

@snakwu

snakwu commented Apr 18, 2020

> By the way, why do you have so many blocked resolution requests?

The sources I added are the same as yours; I guess the pages I open just have more ads. How do I fix the pages stalling?

@missdeer

> The sources I added are the same as yours; I guess the pages I open just have more ads. How do I fix the pages stalling?

I think you could ask the authors of the lists.

@snakwu

snakwu commented Apr 18, 2020

> > The sources I added are the same as yours; I guess the pages I open just have more ads. How do I fix the pages stalling?
>
> I think you could ask the authors of the lists.

ok, thx!

@echowings

With coredns every resolution is very slow; I have to refresh several times before I get a correct DNS result. How do I fix this?

@recall704

Does this ipset need to be created beforehand, or is it created automatically?

@missdeer

> Does this ipset need to be created beforehand, or is it created automatically?

It has to be created manually beforehand.

@zone009

zone009 commented Dec 7, 2020

coredns has removed the proxy plugin, and adding it back no longer compiles. Is there a replacement plugin?

@missdeer

missdeer commented Dec 8, 2020

> coredns has removed the proxy plugin, and adding it back no longer compiles. Is there a replacement plugin?

See:
https://github.com/missdeer/coredns_custom_build

@ppproxy

ppproxy commented Feb 3, 2024

line 7, there is a duplicate letter "m" for "https://raw.githubusercontent.comm"

@missdeer

missdeer commented Feb 6, 2024

> line 7, there is a duplicate letter "m" for "https://raw.githubusercontent.comm"

Fixed. Thanks.
