
基于mosdns搭建DOH

下载mosdns

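# Fetch the pinned mosdns release, unpack it and install the binary.
# This file is later run as root by the systemd unit, so every step aborts on
# failure instead of silently installing a truncated or missing binary, and the
# work happens in a private mktemp directory rather than a fixed /tmp path.
mosdns_version="v5.3.3"
mosdns_tmp=$(mktemp -d) || exit 1
wget -q "https://github.com/IrineSistiana/mosdns/releases/download/${mosdns_version}/mosdns-linux-amd64.zip" \
  -O "${mosdns_tmp}/mosdns.zip" || exit 1
# TODO(review): compare the archive against the value published with the
# release before installing it; replace <EXPECTED_SHA256> with that value.
# echo "<EXPECTED_SHA256>  ${mosdns_tmp}/mosdns.zip" | sha256sum -c - || exit 1
unzip -q "${mosdns_tmp}/mosdns.zip" -d "${mosdns_tmp}/mosdns/" || exit 1
# install(1) copies and sets 0755 in one step (the original used a bare mv)
install -m 0755 "${mosdns_tmp}/mosdns/mosdns" /usr/local/bin/mosdns || exit 1
rm -rf -- "${mosdns_tmp}"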

创建及下载相关分流规则

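# Create the rules directory and fetch the split-routing lists mosdns loads.
# `curl -f` turns an HTTP error (e.g. a 404) into a failure instead of saving
# the HTML error page as a rule list, and each list is written to a temp name
# first so an interrupted transfer never leaves a truncated list in place.
mosdns_rules_dir="/usr/local/etc/mosdns/rules"
rules_base_url="https://raw.githubusercontent.com/pmkol/easymosdns/refs/heads/rules"
mkdir -p "${mosdns_rules_dir}" || exit 1

echo "localhost 127.0.0.1" > "${mosdns_rules_dir}/hosts"

for rule_file in china_domain_list.txt china_ip_list.txt ad_domain_list.txt; do
  curl -fsSL --retry 3 "${rules_base_url}/${rule_file}" \
    -o "${mosdns_rules_dir}/${rule_file}.tmp" || exit 1
  # refuse an empty list; mosdns would load it as an empty set without complaint
  [[ -s "${mosdns_rules_dir}/${rule_file}.tmp" ]] || exit 1
  mv -f -- "${mosdns_rules_dir}/${rule_file}.tmp" "${mosdns_rules_dir}/${rule_file}"
done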

创建配置文件

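# Write the mosdns configuration.
# - `>` (not `>>`): re-running the step replaces the file instead of appending
#   a second copy of every plugin, which would produce duplicate tags.
# - quoted 'EOF': the body is written literally, so plugin references such as
#   `$cn_DNS` need no `\$` escapes and none can be missed by accident.
# - YAML is indentation-sensitive; the nesting below is what mosdns expects
#   (plugins → tag/type/args → plugin-specific keys).
cat > /usr/local/etc/mosdns/config.yaml << 'EOF'
log:
  level: error
  file: "./mosdns.log"

plugins:
  # 国内域名列表
  # https://raw.githubusercontent.com/pmkol/easymosdns/refs/heads/rules/china_domain_list.txt
  - tag: cn_domainList
    type: "domain_set"
    args:
      files:
        - "./rules/china_domain_list.txt"

  # 国内IP列表
  # https://raw.githubusercontent.com/pmkol/easymosdns/refs/heads/rules/china_ip_list.txt
  - tag: cn_ipList
    type: "ip_set"
    args:
      files:
        - "./rules/china_ip_list.txt"

  # 广告域名列表
  # https://raw.githubusercontent.com/pmkol/easymosdns/refs/heads/rules/ad_domain_list.txt
  - tag: block_domains
    type: "domain_set"
    args:
      files:
        - "./rules/ad_domain_list.txt"

  # hosts
  - tag: custom_hosts
    type: "hosts"
    args:
      files:
        - "./rules/hosts"

  # cache
  - tag: cache
    type: "cache"
    args:
      size: 65535
      dump_file: "./cache.dump"
      lazy_cache_ttl: 86400
      dump_interval: 600

  # 国内DNS
  # insecure_skip_verify stays false: the upstream certificates are validated.
  - tag: cn_DNS
    type: "forward"
    args:
      concurrent: 2
      upstreams:
        - tag: ali_doh
          addr: "https://223.5.5.5/dns-query"
          enable_pipeline: true
          insecure_skip_verify: false

        - tag: dnspod_doh
          addr: "https://1.12.12.12/dns-query"
          enable_pipeline: true
          insecure_skip_verify: false

  # 国外DNS
  - tag: global_DNS
    type: "forward"
    args:
      concurrent: 2
      upstreams:
        - tag: google_doh
          addr: "https://8.8.8.8/dns-query"
          #socks5: "127.0.0.1:7890"
          enable_pipeline: true
          insecure_skip_verify: false

        - tag: google_dot
          addr: "tls://8.8.4.4"
          #socks5: "127.0.0.1:7890"
          enable_pipeline: true
          insecure_skip_verify: false

  # 修改TTL
  - tag: modify_ttl
    type: "sequence"
    args:
      - exec: ttl 60-300

  - tag: modify_black_ttl
    type: "sequence"
    args:
      - exec: ttl 600-3600

  - tag: modify_resp_ttl
    type: "sequence"
    args:
      - matches: "qname $block_domains"
        exec: mark 1
      - matches: "mark 1"
        exec: jump modify_black_ttl
      - matches: "!mark 1"
        exec: jump modify_ttl

  - tag: custom_hosts_resp
    type: "sequence"
    args:
      - exec: jump modify_resp_ttl
      - matches: "has_resp"
        exec: query_summary hit_custom_hosts
      - matches: "has_resp"
        exec: accept

  - tag: hit_cache_resp
    type: "sequence"
    args:
      - exec: jump modify_resp_ttl
      - matches: "has_resp"
        exec: query_summary hit_cache
      - matches: "has_resp"
        exec: accept

  # 拒绝解析
  - tag: query_is_reject
    type: "sequence"
    args:
      - exec: black_hole 127.0.0.1 ::1 0.0.0.0
      - exec: query_summary hit_block_domains
      - matches: "qtype 65"
        exec: reject 3
      - matches: "has_resp"
        exec: accept

  # 国内解析
  # NOTE(review): `ecs 211.100.0.0` attaches a fixed EDNS client-subnet value to
  # upstream queries rather than the real client address — confirm this is the
  # intended subnet.
  - tag: cn_resolve
    type: "sequence"
    args:
      - exec: ecs 211.100.0.0
      - exec: $cn_DNS
      - exec: jump modify_resp_ttl
      - exec: query_summary hit_cn_DNS

  # 国外解析
  - tag: global_resolve
    type: "sequence"
    args:
      - exec: ecs 211.100.0.0
      - exec: $global_DNS
      - exec: jump modify_resp_ttl
      - exec: query_summary hit_global_DNS
      - matches: "has_resp"
        exec: accept

  - tag: cn_resolve_sequence
    type: "sequence"
    args:
      - exec: $cn_resolve
      - matches: "resp_ip $cn_ipList"
        exec: accept

  - tag: global_resolve_sequence
    type: "sequence"
    args:
      - exec: $global_resolve
      - matches: "has_resp"
        exec: accept

  # 解析流程
  - tag: resolve_process
    type: "sequence"
    args:
      - exec: prefer_ipv4

      - exec: $custom_hosts
      - matches: "has_resp"
        exec: goto custom_hosts_resp

      - exec: $cache
      - matches: "has_resp"
        exec: goto hit_cache_resp

      - matches: "qname $block_domains"
        exec: jump query_is_reject

      - matches: "qname $cn_domainList"
        exec: jump cn_resolve_sequence

      - exec: goto global_resolve_sequence

  # DNS服务
  # - tag: udp_server
  #   type: "udp_server"
  #   args:
  #     entry: resolve_process # 可执行插件的 tag。
  #     listen: "127.0.0.1:53" # 监听地址。

  # - tag: tcp_server
  #   type: "tcp_server"
  #   args:
  #     entry: resolve_process # 可执行插件的 tag。
  #     listen: "127.0.0.1:53" # 监听地址。
  #     cert: "" # 配置 cert 和 key 后会启用 TLS (DoT),别忘记修改为853端口。
  #     key: ""
  #     idle_timeout: 10 # 空连接超时。单位秒。默认 10。

  # - tag: quic_server
  #   type: "quic_server"
  #   args:
  #     entry: resolve_process # 可执行插件的 tag。
  #     listen: "0.0.0.0:443" # 监听地址。
  #     cert: ""
  #     key: ""
  #     idle_timeout: 30 # 空连接超时。单位秒。默认 30。

  - tag: server_http
    type: "http_server"
    args:
      entries: # []extry
        - path: /dns-query # 本路径执行
          exec: resolve_process # 可执行插件的 tag。
      # The client IP is taken from this header as-is. That is only safe because
      # the listener is loopback-only and the reverse proxy in front of it is
      # expected to overwrite the header; never expose this port directly.
      src_ip_header: "X-Real-IP" # 从 HTTP 头获取用户 IP。
      listen: 127.0.0.1:8443 # 监听地址。
      cert: "" # 留空 cert 和 key 后会禁用 TLS。
      key: ""
      idle_timeout: 10 # 空连接超时。单位秒。默认 30。
EOF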

测试运行mosdns

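# Foreground test run (stop with Ctrl-C). Uses the `start` subcommand so the
# invocation matches the ExecStart line of the systemd unit created below;
# without it the binary is not asked to run the server.
/usr/local/bin/mosdns start -c /usr/local/etc/mosdns/config.yaml -d /usr/local/etc/mosdns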

创建Systemd服务

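# Install the systemd unit.
# - `>` instead of `>>` so re-running the step is idempotent.
# - `WantedBy=multi-user.target` spelled out in full: with the truncated
#   `multi-user.targe` the unit is linked under a target that does not exist
#   and is not started at boot.
# - `Wants=` pairs with `After=network-online.target`; `After=` alone only
#   orders the unit, it does not pull the target in.
# - The daemon parses queries arriving from the internet (through nginx), so
#   the sandboxing directives limit what a compromised process can touch; it
#   only needs to write its log and cache dump inside the working directory.
cat > /etc/systemd/system/mosdns.service << 'EOF'
[Unit]
Description=mosdns daemon, DNS server.
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
WorkingDirectory=/usr/local/etc/mosdns
ExecStart=/usr/local/bin/mosdns start -c /usr/local/etc/mosdns/config.yaml -d /usr/local/etc/mosdns
Restart=on-failure
RestartSec=3s
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ReadWritePaths=/usr/local/etc/mosdns

[Install]
WantedBy=multi-user.target
EOF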

启动mosdns服务

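# Load the new unit, enable it at boot and start it now, then confirm it is
# actually running instead of assuming success: a configuration error only
# shows up in the journal, so print the last lines of it on failure.
systemctl daemon-reload || exit 1
systemctl enable --now mosdns.service || exit 1
if ! systemctl is-active --quiet mosdns.service; then
  journalctl -u mosdns.service -n 20 --no-pager >&2
  exit 1
fi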

分流规则升级脚本

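# Write the rule-update script that cron runs as root.
# Quoted 'EOF' writes the body literally (no `\$` escapes needed) and `>` keeps
# the step idempotent. Compared with the first version the script:
# - downloads into a private mktemp directory instead of the fixed, shared
#   /tmp/mosdns path, which another local user could pre-create;
# - treats an HTTP error or an empty download as a failure and stops before
#   touching the live lists, so a broken list never replaces a good one;
# - restarts the service through systemd, matching the unit created above
#   (`mosdns service restart` goes through mosdns's own service wrapper).
cat > /usr/local/etc/mosdns/rules/update_rules.sh << 'EOF'
#!/usr/bin/env bash
set -euo pipefail

mosdns_working_dir="/usr/local/etc/mosdns"
rules_base_url="https://raw.githubusercontent.com/pmkol/easymosdns/refs/heads/rules"

tmpdir=$(mktemp -d) || exit 1
cleanup() { rm -rf -- "${tmpdir}"; }
trap cleanup EXIT

for rule_file in china_domain_list.txt china_ip_list.txt ad_domain_list.txt; do
  # -f: an HTTP error is a failure, not an error page saved as a rule list
  curl -fsSL --retry 3 "${rules_base_url}/${rule_file}" -o "${tmpdir}/${rule_file}"
  [[ -s "${tmpdir}/${rule_file}" ]] || { echo "empty download: ${rule_file}" >&2; exit 1; }
done

# Only replace the live lists once every download succeeded.
cp -f -- "${tmpdir}"/*.txt "${mosdns_working_dir}/rules/"
echo "Update successful!"
systemctl restart mosdns.service
EOF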

设置分流规则每天自动升级

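# Schedule the daily rule update. cron executes entries with /bin/sh, where the
# bash-only `&>` redirection is not supported (dash reads `cmd &> /dev/null` as
# a background job followed by a separate, empty redirection), so the POSIX
# form is used. Output goes to a log file (any path works) rather than being
# discarded, so a failed update is visible afterwards.
crontab -e

0 12 * * * bash /usr/local/etc/mosdns/rules/update_rules.sh >> /var/log/mosdns-rules-update.log 2>&1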

Nginx反代配置

...
# DoH endpoint. nginx is the TLS terminator here: the mosdns http_server above
# has an empty cert/key, so the loopback backend speaks plain HTTP.
location /dns-query {
proxy_pass http://127.0.0.1:8443/dns-query;
proxy_set_header Host $host;
# NOTE(review): $proxy_protocol_addr is only populated when the `listen`
# directive enables `proxy_protocol` (a PROXY-protocol load balancer in front
# of nginx). Otherwise the header is empty and mosdns, which reads the client
# IP from X-Real-IP (src_ip_header), sees no address. When nginx faces clients
# directly, $remote_addr is the right source — confirm against the listen line.
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
proxy_set_header REMOTE-HOST $proxy_protocol_addr;

# Every DoH request (client IP and, for GET queries, the encoded query) lands
# in this log; keep it readable only by the nginx/admin users and rotate it.
access_log /path/dns-query.log;
}
...