install DoH only on Raspberry 1 model B+
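#!/usr/bin/env bash
# Install Go (the armv6l build, which is what a Raspberry Pi 1 B+ runs) and
# m13253/dns-over-https, write /etc/dns-over-https/doh-client.conf, and start
# doh-client as the Pi's plain-DNS front end (port 53 -> DNS-over-HTTPS upstreams).
# Run it as a normal user with sudo rights: every privileged step carries its
# own sudo, so the whole script does not need to run as root.
set -eu

#install golang
# The tarball name is scraped from the download page. The pattern only matches
# stable release names (beta/rc names contain letters after the version), and
# the page lists the newest release first, so head -1 is the latest stable build.
GOLANG="$(curl -fsSL https://golang.org/dl/ | grep -o 'go[0-9.]*\.linux-armv6l\.tar\.gz' | head -1)"
[ -n "$GOLANG" ] || { echo "no linux-armv6l Go release found on golang.org/dl" >&2; exit 1; }
wget "https://golang.org/dl/$GOLANG"
# Check the tarball against the SHA-256 published next to each release before
# it is unpacked into /usr/local as root; a mismatch aborts the script.
echo "$(curl -fsSL "https://golang.org/dl/$GOLANG.sha256")  $GOLANG" | sha256sum -c -
sudo tar -C /usr/local -xzf "$GOLANG"
rm "$GOLANG"
unset GOLANG
# /usr/local/go/bin is not on PATH by default; without it `make` below cannot find go.
export PATH="$PATH:/usr/local/go/bin"

#install DoH
git clone https://github.com/m13253/dns-over-https.git
cd dns-over-https
make
# install writes below /etc and /usr/local, so it needs root like the tar step above.
sudo make install

# `make install` ships a default doh-client.conf. Appending to it with >> (as the
# first version of this script did) leaves two `listen` arrays and two [upstream]
# tables in one TOML file, which is a redefinition error; keep a copy of the
# shipped file and replace it instead.
if [ -f /etc/dns-over-https/doh-client.conf ]; then
    sudo cp -n /etc/dns-over-https/doh-client.conf /etc/dns-over-https/doh-client.conf.dist
fi
# listen on 0.0.0.0 answers DNS on every interface of the Pi. That is the point
# on a LAN-only box; if any interface is reachable from the Internet, bind the
# LAN address instead (or filter 53/udp and 53/tcp) so the Pi is not an open resolver.
# verbose = true logs every query to syslog. Handy for the debug step at the end,
# but it records each client's lookups and wears the SD card, so switch it off
# once the setup works.
# The heredoc delimiter is quoted so nothing inside is expanded by the shell.
sudo tee /etc/dns-over-https/doh-client.conf >/dev/null <<'EOF'
# DNS listen port
listen = [
    "0.0.0.0:53",
    "0.0.0.0:5380",
    # "[::1]:53",
    # "[::1]:5380",
    ## To listen on both 0.0.0.0:53 and [::]:53, use the following line
    # ":53",
]

# HTTP path for upstream resolver
[upstream]
# available selector: random or weighted_round_robin or lvs_weighted_round_robin
upstream_selector = "weighted_round_robin"

# weight should in (0, 100], if upstream_selector is random, weight will be ignored

#adguard
# Google's resolver, good ECS, good DNSSEC
#[[upstream.upstream_ietf]]
# url = "https://dns.adguard.com/dns-query"
# weight = 100

# Google's resolver, good ECS, good DNSSEC
[[upstream.upstream_ietf]]
url = "https://dns.google/dns-query"
weight = 50

## CloudFlare's resolver, bad ECS, good DNSSEC
## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
[[upstream.upstream_ietf]]
url = "https://cloudflare-dns.com/dns-query"
weight = 70

## CloudFlare's resolver, bad ECS, good DNSSEC
## ECS is disabled for privacy by design: https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/#edns-client-subnet
## Note that some ISPs have problems connecting to 1.1.1.1, try 1.0.0.1 if problems happen.
#[[upstream.upstream_ietf]]
# url = "https://1.1.1.1/dns-query"
# weight = 50

## DNS.SB's resolver, good ECS, good DNSSEC
## The provider claims no logging: https://dns.sb/doh/
#[[upstream.upstream_ietf]]
# url = "https://doh.dns.sb/dns-query"
# weight = 50

## Quad9's resolver, bad ECS, good DNSSEC
## ECS is disabled for privacy by design: https://www.quad9.net/faq/#What_is_EDNS_Client-Subnet
#[[upstream.upstream_ietf]]
# url = "https://9.9.9.9/dns-query"
# weight = 50

## CloudFlare's resolver for Tor, available only with Tor
## Remember to disable ECS below when using Tor!
## Blog: https://blog.cloudflare.com/welcome-hidden-resolver/
#[[upstream.upstream_ietf]]
# url = "https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query"
# weight = 50

[others]
# Bootstrap DNS server to resolve the address of the upstream resolver
# If multiple servers are specified, a random one will be chosen each time.
# If empty, use the system DNS settings.
# If you want to preload IP addresses in /etc/hosts instead of using a
# bootstrap server, please make this list empty.
bootstrap = [
    # Google's resolver, bad ECS, good DNSSEC
    "8.8.8.8:53",
    "8.8.4.4:53",
    # CloudFlare's resolver, bad ECS, good DNSSEC
    #"1.1.1.1:53",
    #"1.0.0.1:53",
]

# The domain names here are directly passed to bootstrap servers listed above,
# allowing captive portal detection and systems without RTC to work.
# Only effective if at least one bootstrap server is configured.
passthrough = [
    "captive.apple.com",
    "connectivitycheck.gstatic.com",
    "detectportal.firefox.com",
    "msftconnecttest.com",
    "nmcheck.gnome.org",
    "pool.ntp.org",
    "time.apple.com",
    "time.asia.apple.com",
    "time.euro.apple.com",
    "time.nist.gov",
    "time.windows.com",
    "time.google.com",
]

# Timeout for upstream request in seconds
timeout = 30

# Disable HTTP Cookies
#
# Cookies may be useful if your upstream resolver is protected by some
# anti-DDoS services to identify clients.
# Note that DNS Cookies (an DNS protocol extension to DNS) also has the ability
# to track uesrs and is not controlled by doh-client.
no_cookies = true

# Disable EDNS0-Client-Subnet (ECS)
#
# DNS-over-HTTPS supports EDNS0-Client-Subnet protocol, which submits part of
# the client's IP address (/24 for IPv4, /56 for IPv6 by default) to the
# upstream server. This is useful for GeoDNS and CDNs to work, and is exactly
# the same configuration as most public DNS servers.
no_ecs = false

# Disable IPv6 when querying upstream
#
# Only enable this if you really have trouble connecting.
# Doh-client uses both IPv4 and IPv6 by default and should not have problems
# with an IPv4-only environment.
# Note that DNS listening and bootstrapping is not controlled by this option.
no_ipv6 = true

# Disable submitting User-Agent
#
# It is generally not recommended to disable submitting User-Agent because it
# is still possible to probe client version according to behavior differences,
# such as TLS handshaking, handling of malformed packets, and specific bugs.
# Additionally, User-Agent is an important way for the server to distinguish
# buggy, old, or insecure clients, and to workaround specific bugs.
# (e.g. doh-server can detect and workaround certain issues of DNSCrypt-Proxy
# and older Firefox.)
no_user_agent = false

# Enable logging
verbose = true
EOF

#enable startup and restart service
# systemd-resolved's stub listener holds 127.0.0.53:53, so it must be stopped
# before doh-client can bind 0.0.0.0:53. Raspberry Pi OS may not ship the unit
# at all; tolerate a missing unit instead of aborting under set -e.
sudo systemctl stop systemd-resolved || true
sudo systemctl disable systemd-resolved || true
sudo systemctl enable doh-client
sudo systemctl start doh-client
# NOTE(review): if /etc/resolv.conf was a symlink to resolved's stub file, the Pi
# itself has no working resolver from here on - point it at 127.0.0.1.

#check port 53
# ':53 ' (trailing space) matches only the port column, not every line containing 53;
# -p needs root to show the owning process.
sudo netstat -plntu | grep ':53 ' || { echo "nothing is listening on port 53" >&2; exit 1; }

#final
# change dns server to your raspberry ip address - done on the router / DHCP
# server (or in each client's network settings); it is not a shell command.

#for debug
# tail -f never returns, so run journalctl -af in a second shell instead of after it.
tail -f /var/log/syslog
# journalctl -af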