-
|
请问有好的办法避免dns泄露吗?paopaodns自建递归dns都是先经过dns查询国内然后抛弃不属于国内的ip,再发到国外请求。这样一来https://browserleaks.com/dns/ 能清晰的看见公网IP,有办法改下mosdns的配置吗,就像https://apad.pro/dns-leak/ 这篇文章讲的。已知的本地域名或CDN域名用本地服务器解析,然后已知的污染域名用远程服务器解析,最后剩下的未知域名用IP分流,先用远程服务器,应答是本地IP就丢弃,再从本地服务器解析 |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 7 replies
-
|
可以的,你可以参考文档说明,如下配置:
#cnfall - exec: cache 1024
#cnfall - matches: has_wanted_ans
#cnfall exec: accept
#ipv6ok - exec: prefer_ipv4
#autoforward-no - exec: $forward_unbound
- matches:
- "!qtype 1 28"
- has_wanted_ans
exec: accept
- matches: !resp_ip_mmdb $cnip CN
exec: accept
- exec: drop_resp
#nofall - exec: $local_unbound
#cnfall - exec: $cn_test
#autoforward-no - matches: has_wanted_ans
#autoforward-no exec: accept
- exec: reject 0请注意yaml文件要求缩进对齐,如果你复制代码请仔细检查。修改配置后需要重启容器生效。需要注意如果配置文件缩进出错将无法正常启动。此外该方案由于先查询远程服务器,可能会降低你的延迟体验。 |
Beta Was this translation helpful? Give feedback.
-
|
就是比如匹配到akamaiedge.net这个CNAME,就用local处理 |
Beta Was this translation helpful? Give feedback.
-
|
你可以为/data/mosdns.yaml添加如下配置(在qname后新增两行cname): 然后你把需要“CNAME直连”的域名填在force_cn_list.txt即可。 |
Beta Was this translation helpful? Give feedback.
-
试了下。加了!后dns查询没回应了。其他都没修改 |
Beta Was this translation helpful? Give feedback.
-
|
你也可以这么修改: #cnfall - exec: cache 1024
#cnfall - matches: has_wanted_ans
#cnfall exec: accept
#ipv6ok - exec: prefer_ipv4
#autoforward-no - exec: $forward_unbound
- matches:
- "!qtype 1 28"
- has_wanted_ans
exec: accept
- matches: resp_ip_mmdb $cnip CN
exec: drop_resp
- matches: has_wanted_ans
exec: accept
#nofall - exec: $local_unbound
#cnfall - exec: $cn_test
#autoforward-no - matches: has_wanted_ans
#autoforward-no exec: accept
- exec: reject 0 |
Beta Was this translation helpful? Give feedback.
-
忽略了一个细节,取反需要使用双引号包起来: - matches: "!resp_ip_mmdb $cnip CN" |
Beta Was this translation helpful? Give feedback.
-
|
新版本已经发布,使用 |
Beta Was this translation helpful? Give feedback.
你也可以这么修改: