=== INSTALL SQUID ===
sudo apt install squid
sudo systemctl status squid
sudo cp /etc/squid/squid.conf{,.orginal}
sudo ufw allow 'Squid'
# this opens the proxy port to every source address; consider limiting the rule to the LAN, as the port-53 rule for BIND does below
printf "user:$(openssl passwd -crypt 'password')\n" | sudo tee -a /etc/squid/htpasswd
# -crypt is legacy DES crypt (password truncated to 8 characters); openssl passwd -apr1 is accepted by basic_ncsa_auth and is stronger
# the plaintext password also ends up in shell history and ps output; htpasswd (apache2-utils) prompts for it instead
sudo nano /etc/squid/squid.conf
# ...
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/htpasswd
# if this path does not exist, newer packages install the helper as /usr/lib/squid/basic_ncsa_auth
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
# ...
#http_access allow localnet
http_access allow localhost
http_access allow authenticated
# And finally deny all other access to this proxy
http_access deny all
sudo systemctl restart squid
==== INSTALL BIND 9 ===
sudo apt install bind9 bind9utils bind9-dnsutils bind9-doc bind9-host
sudo systemctl enable named
sudo nano /etc/bind/named.conf.options
// hide version number from clients for security reasons.
version "not currently available";
// optional - BIND default behavior is recursion
recursion yes;
// provide recursion service to trusted clients only
allow-recursion { 127.0.0.1; 192.168.0.0/24; 10.10.10.0/24; };
// enable the query log
querylog yes;
// note: this records every client address and queried name; plan for disk usage and log retention
# run named-checkconf before restarting; a syntax error here stops named from starting
sudo systemctl restart named
sudo ufw allow in from 192.168.0.0/24 to any port 53
# without a proto this rule covers both tcp and udp; 10.10.10.0/24 is in allow-recursion above but is not opened here
dig A google.com @192.168.0.199
sudo nano /etc/systemd/resolved.conf
DNS=127.0.0.1
systemd-resolve --status
sudo nano /etc/bind/named.conf
include "/etc/bind/named.conf.log";
/etc/bind/named.conf.log
logging {
channel bind_log {
file "/var/log/named/bind.log" versions 3 size 5m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default { bind_log; };
category update { bind_log; };
category update-security { bind_log; };
category security { bind_log; };
category queries { bind_log; };
// queries logs every lookup together with the client address; rotate and limit retention accordingly
category lame-servers { null; };
};
sudo mkdir /var/log/named/
# named runs as the bind user on Debian/Ubuntu, so the directory must be writable by that user (sudo chown bind:bind /var/log/named) or named fails to open the log file
sudo nano /etc/bind/named.conf
# run named-checkconf first; a broken include stops named from starting
sudo systemctl restart named
=== INSTALL DNSDIST ===
sudo apt install dnsdist
sudo nano /etc/dnsdist/dnsdist.conf
setLocal("127.0.0.1:5353")
-- plain DNS stays on loopback here; BIND keeps port 53 and is used as the downstream resolver below
sudo systemctl restart dnsdist
sudo apt install certbot
=== INSTALL APACHE 2 ===
sudo apt-get install apache2
sudo nano /etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
ServerName example.com
DocumentRoot /var/www/dnsdist
</VirtualHost>
sudo mkdir /var/www/dnsdist
sudo chown www-data:www-data /var/www/dnsdist -R
sudo a2ensite example.com
sudo systemctl reload apache2
sudo certbot certonly --webroot --agree-tos --email user@example.com -d example.com -w /var/www/dnsdist
# port 80 must be reachable from the internet for the HTTP-01 challenge; Apache only serves :80 here, dnsdist takes :443 below
=== CONFIGURE DNSDIST ===
sudo nano /etc/dnsdist/dnsdist.conf
-- allow query from all IP addresses
addACL('0.0.0.0/0')
-- this makes the DoH listener an open resolver; qps=5 below only caps what reaches BIND, so consider a per-client limit (MaxQPSIPRule) and monitor the listener
-- add a DoH resolver listening on port 443 of all interfaces
addDOHLocal("0.0.0.0:443", "/etc/letsencrypt/live/example.com/fullchain.pem", "/etc/letsencrypt/live/example.com/privkey.pem", { "/" }, { doTCP=true, reusePort=true, tcpFastOpenSize=0 })
-- if ufw is enabled, 443/tcp has to be allowed as well (not shown here)
-- downstream resolver
newServer({address="127.0.0.1:53",qps=5, name="resolver1"})
sudo apt install acl
sudo setfacl -R -m u:_dnsdist:rx /etc/letsencrypt/
# this grants _dnsdist read access to every key under /etc/letsencrypt; scoping it to live/example.com and archive/example.com is the least-privilege option
# certbot renewals write new key files that will not carry this ACL unless a default ACL (-d) or a --deploy-hook re-applies it and tells dnsdist to reload its certificates
sudo dnsdist --check-config
sudo systemctl restart dnsdist
=== RUN CHROME ===
"C:\Program Files\Google\Chrome\Application\chrome.exe" --proxy-server="http://192.168.0.199:3128" --user-data-dir="%LOCALAPPDATA%\Google\Chrome-proxy01\User Data"
REM the proxy is plain HTTP with Basic auth, so the user:password pair crosses the LAN unencrypted on every request
Go to Security and Privacy, Security, Use secure DNS: https://192.168.0.199
Note: the certificate issued above is for example.com, so a bare-IP URL will not validate against it; the endpoint as configured is https://example.com/ (the "/" path given to addDOHLocal).