Can installing dnscrypt speed up access to foreign websites?

bind + DNSCrypt: secure encrypted forwarding that avoids DNS pollution
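First, two screenshots to show the symptom. I resolve a sensitive domain name.
Funny: does every random foreign address I guess at really turn out to be a DNS server? Of course not. It is because a set of high-end equipment stands at our country's network exit... enough said, that's sensitive!

The basic idea of this method is to avoid DNS pollution and DNS hijacking. (Skip this paragraph if you don't care about the principle.) As is well known, one of the GFW's main weapons is tampering with DNS. For the difference between DNS pollution and DNS hijacking, see this article. In short, DNS hijacking works by having the DNS server return a false IP address, and to deal with it we only need to change the DNS server this machine uses to a foreign one such as 8.8.8.8. But that does not avoid DNS pollution, because DNS queries use UDP by default and the wall can interfere with our communication with the DNS server. dnscrypt-proxy, introduced today, runs a local DNS server, encrypts DNS requests (the wall cannot interfere with encrypted requests), obtains the correct IP address from a foreign DNS server and passes it back. That is the basic principle of the DNS proxy. This also means the method cannot become a general way over the wall, because the GFW blocks some sites directly by IP address.

Platform: RHEL 6.6 x64 (CentOS)
DNS server: Bind Server

The yum repositories do not carry dnscrypt-proxy, so it has to be compiled and installed from source.
First download dnscrypt-proxy. Download address: (as it happens, this is blocked too)
You also need to install the libsodium dependency (I chose libsodium-0.5.0-mingw.tar.gz here). Download address:

wget <libsodium download URL>
tar xf libsodium-0.5.0-mingw.tar.gz
cd libsodium-0.5.0
CFLAGS="-O3 -fPIC" ./configure
make && make install
ldconfig

The dependency is installed; now install dnscrypt. Upload dnscrypt-proxy-1.4.0.tar.gz to the server.

tar xf dnscrypt-proxy-1.4.0.tar.gz
cd dnscrypt-proxy-1.4.0
cd src/libevent-modified/
CFLAGS="-O3 -fPIC" ./configure
make && make install
cd ../..   // back to the dnscrypt-proxy-1.4.0 top-level directory
./configure
make -j 2 && make install

Installation is done.

dnscrypt-proxy -h   // show help

Available options:
 -a --local-address=...   // local address[:port] to listen on (port 53 if no port is given)
 -d --daemonize           // run in the background (error messages are not shown)
 -R --resolver-name=...   // the foreign encrypted resolver to use
 -T --tcp-only            // use TCP only (by default it listens on both UDP and TCP)
 -k                       // specify the key string manually
 -V --version             // version information

These are the commonly used options. For more detail, see man dnscrypt-proxy.

Running dnscrypt-proxy prints an error, but note this line. This file contains the default public DNS servers that already support dnscrypt queries, and OpenDNS is among them. Let's look at the file, dnscrypt-resolvers.csv.
The first line defines the column headings, the fields are separated by commas, and every line begins with the resolver_name. Usage is as follows:

dnscrypt-proxy --resolver-name=resolver_name --local-address=127.0.0.1:40 --daemonize
dnscrypt-proxy -R resolver_name -a 127.0.0.1:40 -d   // short form: listen on local UDP and TCP port 40, use resolver_name as the remote encrypted DNS

Without the -d option it runs in the foreground by default.
If machines on the LAN need encrypted lookups as well, remember to open the corresponding port in iptables.
Finally, run a query from another computer to check that it works:

dig @*.*.*.* -p 3535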
; <<>> DiG 9.10-P2 <<>> @*.*.*.* -p 3535
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32356
;; flags: qr rd; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;               IN      A
;; ANSWER SECTION:
        86400   IN      CNAME   youtube-ui..
youtube-ui..    900     IN      CNAME   youtube-ui-china..
youtube-ui-china..      180     IN      A       173.194.72.138
youtube-ui-china..      180     IN      A       173.194.72.102
youtube-ui-china..      180     IN      A       173.194.72.100
youtube-ui-china..      180     IN      A       173.194.72.113
youtube-ui-china..      180     IN      A       173.194.72.101
youtube-ui-china..      180     IN      A       173.194.72.139
;; Query time: 872 msec
;; SERVER: *.*.*.*#.7.250)
;; WHEN: Sun Jan 11 99:29:00 中国标准时间 2015
;; MSG SIZE  rcvd: 205

The resolution is now correct, but that does not mean you are over the wall (FQ). This is mainly meant to be combined with other tools to achieve FQ.
This article comes from the "Professor哥" blog. Reposting is declined!
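The check the post ends with (query through the dnscrypt-proxy listener and look at the answer) can be turned into a tamper check by sending the same A query over the plaintext path and over the encrypted path and comparing the answers. The following is an added example, not code from the original post; example.com and the 192.0.2.x / 198.51.100.x addresses are constructed sample values.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Minimal DNS query for the A record of `name`, recursion desired."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def _skip_name(msg, off):
    """Offset just past a name, which may end in a compression pointer."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_a_records(msg):
    """Set of IPv4 addresses in the answer section of a DNS response."""
    _qid, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                  # QTYPE + QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # IN A; CNAMEs are skipped
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve(server, port, name, timeout=3.0):
    """Ask one resolver over UDP and return its A records."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        return parse_a_records(s.recvfrom(4096)[0])

def compare(plain, encrypted):
    """Classify the plaintext-path answer against the dnscrypt-proxy answer."""
    if plain == encrypted:
        return "match"
    return "overlap" if plain & encrypted else "mismatch"

def constructed_response(addr):
    """Constructed sample: a reply to build_query('example.com') with one A record."""
    q = build_query("example.com")
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 180, 4) + socket.inet_aton(addr)
    return q[:2] + struct.pack("!5H", 0x8180, 1, 1, 0, 0) + q[12:] + rr
```

With the setup from the post, compare(resolve("8.8.8.8", 53, name), resolve("127.0.0.1", 40, name)) puts the two paths side by side. A "mismatch" is a lead rather than proof, because CDNs legitimately hand different addresses to different resolvers.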
DNS Security with DNSCrypt | OpenDNS
OpenDNS is now part of Cisco
Introducing DNSCrypt
Background: The need for a better DNS security
DNS is one of the fundamental building blocks of the Internet.
It’s used any time you visit a website, send an email, have an IM conversation or do anything else online.
While OpenDNS has provided world-class security using DNS for years, and OpenDNS is the most secure DNS service available, the underlying DNS protocol has not been secure enough for our comfort.
Many will remember the Kaminsky Vulnerability, which impacted nearly every DNS implementation in the world (though not OpenDNS).
That said, the class of problems that the Kaminsky Vulnerability related to were a result of some of the underlying foundations of the DNS protocol that are inherently weak
— particularly in the “last mile.”
The “last mile” is the portion of your Internet connection between your computer and your ISP.
DNSCrypt is our way of securing the “last mile” of DNS traffic and resolving (no pun intended) an entire class of serious security concerns with the DNS protocol. As the world’s Internet connectivity becomes increasingly mobile and more and more people are connecting to several different WiFi networks in a single day, the need for a solution is mounting.
There have been numerous examples of tampering, or man-in-the-middle attacks, and snooping of DNS traffic at the last mile and it represents a serious security risk that we’ve always wanted to fix. Today we can.
Why DNSCrypt is so significant
In the same way the SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks.
It doesn’t require any changes to domain names or how they work, it simply provides a method for securely encrypting communication between our customers and our DNS servers in our data centers.
We know that claims alone don’t work in the security world, however, so we’ve opened up the source to our DNSCrypt code base and it’s available on GitHub.
DNSCrypt has the potential to be the most impactful advancement in Internet security since SSL, significantly improving every single Internet user’s online security and privacy.
Frequently Asked Questions (FAQ):
1. In plain English, what is DNSCrypt?
DNSCrypt is a piece of lightweight software that everyone should use to boost online privacy and security.
It works by encrypting all DNS traffic between the user and OpenDNS, preventing any spying, spoofing or man-in-the-middle attacks.
2. How can I use DNSCrypt today?
We’ve opened up the source to our DNSCrypt code base and it’s available on GitHub. The graphical interfaces are no l however, the open source community is still providing unofficial updates to the technical preview.
If you have a firewall or other middleware mangling your packets, you should try enabling DNSCrypt with TCP over port 443.
This will make most firewalls think it’s HTTPS traffic and leave it alone.
If you prefer reliability over security, enable fallback to insecure DNS.
If you can’t reach us, we’ll try using your DHCP-assigned or previously configured DNS servers.
This is a security risk though.
3. What about DNSSEC? Does this eliminate the need for DNSCrypt?
No. DNSCrypt and DNSSEC are complementary.
DNSSEC does a number of things.
First, it provides authentication. (Is the DNS record I’m getting a response for coming from the owner of the domain name I’m asking about or has it been tampered with?)
Second, DNSSEC provides a chain of trust to help establish confidence that the answers you’re getting are verifiable.
But unfortunately, DNSSEC doesn’t actually provide encryption for DNS records, even those signed by DNSSEC.
Even if everyone in the world used DNSSEC, the need to encrypt all DNS traffic would not go away. Moreover, DNSSEC today represents a near-zero percentage of overall domain names and an increasingly smaller percentage of DNS records each day as the Internet grows.
That said, DNSSEC and DNSCrypt can work perfectly together.
They aren’t conflicting in any way.
Think of DNSCrypt as a wrapper around all DNS traffic and DNSSEC as a way of signing and providing validation for a subset of those records.
There are benefits to DNSSEC that DNSCrypt isn’t trying to address. In fact, we hope DNSSEC adoption grows so that people can have more confidence in the entire DNS infrastructure, not just the link between our customers and OpenDNS.
4. Is this using SSL? What’s the crypto and what’s the design?
We are not using SSL.
While we make the analogy that DNSCrypt is like SSL in that it wraps all DNS traffic with encryption the same way SSL wraps all HTTP traffic, it’s not the crypto library being used.
We’re using elliptic-curve cryptography, in particular the
elliptic curve.
The design goals are similar to those described in the
Category: Android platform
First download it from http://download.dnscrypt.org/dnscrypt-proxy/. The bz2 file is the source package and has to be compiled yourself (see /jedisct1/dnscrypt-proxy/blob/master/README.markdown and http://dnscrypt.org/):
$ ./configure && make -j2
# make install
The gz package is precompiled. After extracting it, copy hostip, dnscrypt-proxy and dnscrypt-resolvers.csv to /system/xbin and run:
dnscrypt-proxy --daemonize --resolver-name=<dnsservername>
Pick dnsservername from the list in dnscrypt-resolvers.csv, then edit /etc/resolv.conf and add:
nameserver 127.0.0.1
To start it at boot, install com.kislay.bootshellcommand, which lets you define a custom boot script or command.
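Using DNSCrypt to encrypt the traffic between you and OpenDNS
Just as SSL turns HTTP traffic into encrypted HTTPS traffic, DNSCrypt, as its name suggests, is a handy little tool that encrypts the traffic between your computer and OpenDNS.
When it first appeared it was officially announced as a Mac-only tool, but according to a recent OpenDNS post, although there is no user interface yet, the source code was in fact already on GitHub when the Mac version of DNSCrypt was released, so Linux users can install and use it too! (LCTT translator's note: third-party graphical clients have since appeared.)
Why use DNSCrypt?
DNSCrypt encrypts all traffic between your computer and the OpenDNS servers. Encryption protects against man-in-the-middle attacks, snooping and DNS hijacking. It can also prevent network providers from blocking certain websites.
This is the world's first tool for encrypting DNS traffic. Tor can encrypt DNS requests, but only as far as the exit node.
The tool requires no changes to domain names or to how they work. It simply provides a way to encrypt the traffic between its users and the DNS servers in the data center.
You can read more about it on the page.
How to use DNSCrypt on Linux
First download and install it (LCTT translator's note: the installation is not described in detail here, please refer to the official site), then enter this command in a terminal:
sudo /usr/sbin/dnscrypt-proxy --daemonize
Then set your DNS server to 127.0.0.1. Under GNOME, go to Network Connections, choose Edit and enter 127.0.0.1 under DNS servers. If you use DHCP, choose "Automatic (DHCP) addresses only" so that a DNS server can be entered. Then simply reconnect to the network.
You can visit this link to test whether you are connected to OpenDNS.
If you want DNSCrypt to start at boot, you can write your own init script. If you use Ubuntu, see below.
Arch Linux users can install the DNSCrypt-proxy package (an rc.d script is included).
DNSCrypt on Ubuntu
If you want it to start at boot on Ubuntu, you can use this script.
Note: on Ubuntu 12.04 a local DNS cache server (dnsmasq) is already running on 127.0.0.1, so the script has been changed to make DNSCrypt use 127.0.0.2. When following the instructions above, replace 127.0.0.1 with 127.0.0.2.
To install the script, use the following commands (extract the downloaded archive first):
sudo cp dnscrypt.conf /etc/init/
sudo ln -s /lib/init/upstart-job /etc/init.d/dnscrypt
Then start it with:
sudo start dnscrypt
DNSCrypt should now start at boot. To stop it, use:
sudo stop dnscrypt
(.deb, .rpm and source packages are all available for download!)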
via: http://www.webupd8.org/2012/02/encrypt-dns-traffic-in-linux-with.html
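These days everyone just edits the hosts file directly
Still gets blocked…
#2: tony.li
These days everyone just edits the hosts file directly
Still gets blocked…
#3: 久永
Looks like it's only a matter of time before the IPs get blocked~
Many websites still won't open
#5: SupNatural
Fine, from now on we will only be able to reach whitelisted IPs inside the LAN.
#6: MarvinGuo
Aren't IP addresses nearly used up? When will IPv6 arrive? I refuse to believe IPv6 addresses can be blocked as well
#7: SeeleScheider
On encrypted transmission over UDP… this news is too old, LinuxCN had it long ago…
#8: DarkAngel
It can probably withstand DNS pollution, but the problem is that the IP is blocked, so even with the correct IP you still can't use it...
#9: JettyKoo
Good stuff, I hope it can break through the Great Firewall
#10: 霸气千秋
Already using it, win+mac
#11: topper
Quoting the comment from "MarvinGuo": Aren't IP addresses nearly used up? When will IPv6 arrive? I refuse to believe IPv6 addresses can be blocked as well
The Celestial Empire has no knack for innovation, but its wall technology is first-rate
#12: 樱散零乱
There has been a version with a Windows interface for a long time, I have been using it for over a year
#13: 哇哈哈123
#14: 哇哈哈123
#15: 墙上的蜗牛
14:25 (non-member)
I currently use this together with DNSmasq to get the LAN over the wall. It is not very stable: sometimes blocked websites fail to open, and it is a bit slow.
#17: jay_
"It can also prevent network providers from blocking certain websites." Does this one actually work or not? I want the truth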