Dropbox stopped working recently, reportedly because of DNS hijacking, so I set up dnsmasq and dnscrypt-proxy on a FreeBSD server (192.168.1.168). The idea: dnsmasq answers the LAN on port 53 and forwards every query to dnscrypt-proxy on 127.0.0.1:5533, which encrypts the queries to the upstream resolver so that whoever is tampering with DNS on the path can neither read nor rewrite them.
> cat /etc/resolv.conf
nameserver 192.168.1.168
> cat /etc/rc.conf
……
dnsmasq_enable="YES"
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_flags="-a 127.0.0.1:5533 -d"
Download the two conf files from here and copy them into /etc/dnsmasq.d; if that directory does not exist, create it first.
> cat /usr/local/etc/dnsmasq.conf
……
server=127.0.0.1#5533
……
conf-dir=/etc/dnsmasq.d
Note that besides the server= line, dnsmasq also picks up upstream servers from /etc/resolv.conf (skipping addresses that are its own); add no-resolv to the config if you want to be certain that nothing but dnscrypt-proxy is ever used as upstream.
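The three files above set the chain up, but nothing yet confirms that queries really take the dnsmasq -> dnscrypt-proxy path. The script below is an added example, not part of the original post: on the FreeBSD box it checks with sockstat that dnsmasq is bound to port 53 and dnscrypt-proxy to 127.0.0.1:5533, then resolves a name directly through dnscrypt-proxy and again through dnsmasq (192.168.1.168:53) and requires the two answers to agree, an empty answer counting as failure. The test name www.dropbox.com and the file name dns-check.sh are assumptions.

```shell
#!/bin/sh
# dns-check.sh: confirm the dnsmasq -> dnscrypt-proxy chain is really in use.
# Added example, not part of the original post. Assumes the post's addresses
# (dnsmasq on 192.168.1.168:53, dnscrypt-proxy on 127.0.0.1:5533) and that
# sockstat(1) and drill(1) exist on the FreeBSD host.

DNSMASQ_ADDR="${DNSMASQ_ADDR:-192.168.1.168}"
DNSCRYPT_ADDR="${DNSCRYPT_ADDR:-127.0.0.1}"
DNSCRYPT_PORT="${DNSCRYPT_PORT:-5533}"

# check_listeners: reads "sockstat -4 -l" output on stdin (columns: USER
# COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS) and succeeds only if
# dnsmasq has a UDP socket on port 53 (wildcard or the LAN address) and
# dnscrypt-proxy one on DNSCRYPT_ADDR:DNSCRYPT_PORT.
check_listeners() {
    awk -v dm="${DNSMASQ_ADDR}:53" -v dc="${DNSCRYPT_ADDR}:${DNSCRYPT_PORT}" '
        $2 == "dnsmasq" && $5 == "udp4" && ($6 == dm || $6 == "*:53") { m = 1 }
        $2 ~ /^dnscrypt/ && $5 == "udp4" && $6 == dc                   { c = 1 }
        END { exit !(m && c) }'
}

# a_records: A records for name $1 from server $2 port $3, one address per line.
a_records() {
    drill -p "$3" "$1" @"$2" A | awk '$1 !~ /^;/ && $4 == "A" { print $5 }'
}

# compare_answers: succeed if two newline-separated address lists contain the
# same non-empty set; order does not matter, an empty answer is a failure.
compare_answers() {
    _a=$(printf '%s\n' "$1" | sort -u)
    _b=$(printf '%s\n' "$2" | sort -u)
    [ -n "$_a" ] && [ "$_a" = "$_b" ]
}

main() {
    name="${1:-www.dropbox.com}"   # assumed test name; pass another as $1
    if ! sockstat -4 -l | check_listeners; then
        echo "listeners missing: want dnsmasq on :53 and dnscrypt-proxy on ${DNSCRYPT_ADDR}:${DNSCRYPT_PORT}" >&2
        return 1
    fi
    direct=$(a_records "$name" "$DNSCRYPT_ADDR" "$DNSCRYPT_PORT")
    via=$(a_records "$name" "$DNSMASQ_ADDR" 53)
    if compare_answers "$direct" "$via"; then
        echo "OK: dnsmasq and dnscrypt-proxy agree on $name:"; echo "$direct"
    else
        echo "MISMATCH for $name" >&2
        echo "dnscrypt-proxy: $direct" >&2; echo "dnsmasq: $via" >&2
        return 1
    fi
}

# Run the live checks only when invoked as dns-check.sh, so the functions
# can also be sourced and exercised on their own.
case "${0##*/}" in dns-check.sh) main "$@" ;; esac
```

Run it as `sh dns-check.sh` (or with a domain you know is being hijacked as the first argument). If the direct and the dnsmasq answers differ, dnsmasq is still using some other upstream; if both are empty, dnscrypt-proxy cannot reach its resolver, which is usually the firewall.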
Also, DNS uses port 53 and DNSCrypt talks to its resolver on UDP port 443, so the firewall needs matching rules; I use ipfw:
# Allow DNSCrypt 443 udp
${fwcmd} add allow udp from any 443 to any
${fwcmd} add allow udp from me to any 443
# Allow inbound DNS and NTP replies. This is somewhat of a hole,
# since we're looking at the incoming port number, which can be
# faked, but that's just the way DNS and NTP work.
${fwcmd} add allow udp from any 53 to ${ip}
${fwcmd} add allow udp from any 53 to ${tunips}
${fwcmd} add allow udp from any 123 to ${ip}
# Allow inbound DNS queries.
${fwcmd} add allow udp from any to ${ip} 53 keep-state
${fwcmd} add allow udp from any to ${tunips} 53 keep-state
${fwcmd} add allow udp from me to any 53 keep-state
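A caveat on the rules above: `allow udp from any 443 to any` and the `from any 53 to ${ip}` lines are stateless and match only on the source port, which the comment itself admits anyone can fake; the first one in particular passes any UDP packet with source port 443 to any destination. Since the outbound rules already use keep-state, the dynamic rule lets the replies back in and the stateless reply rules can be dropped. Below is a tightened version as an added example, not the post's own rc.firewall fragment: it uses the stock rc.firewall variables ${fwcmd} and ${ip}, the post's ${tunips}, and an assumed ${dnscrypt_port}. Run on its own (fwcmd unset) it is a dry run that only prints the ipfw commands; inside rc.firewall, paste the function and call it where the old rules were.

```shell
#!/bin/sh
# Tightened DNS/DNSCrypt rules for rc.firewall on the dnsmasq host.
# Added example, not the original post's ruleset. Uses the stock rc.firewall
# variables ${fwcmd} and ${ip}, the post's ${tunips}, and an assumed
# ${dnscrypt_port}. Without fwcmd set it is a dry run that prints the rules.

fwcmd="${fwcmd:-echo ipfw}"             # dry run unless rc.firewall set it
ip="${ip:-192.168.1.168}"               # address the LAN talks to (from the post)
tunips="${tunips:-}"                    # extra (tunnel) addresses, may be empty
dnscrypt_port="${dnscrypt_port:-443}"   # UDP port of the DNSCrypt resolver

dns_rules() {
    # Dynamic (keep-state) rules are checked when a packet reaches a
    # check-state or keep-state rule; the stock rc.firewall has check-state
    # near the top, a second one is harmless.
    ${fwcmd} add check-state

    # dnscrypt-proxy -> resolver. keep-state admits the reply, so the old
    # stateless "allow udp from any 443 to any" is not needed: that rule
    # matched on the (spoofable) source port and applied to any destination.
    ${fwcmd} add allow udp from me to any ${dnscrypt_port} keep-state

    # LAN clients -> dnsmasq. Bind the rule to our own addresses instead of
    # "any" so the box is not reachable as a resolver on other interfaces,
    # and allow TCP too: answers over 512 bytes fall back to TCP.
    for a in ${ip} ${tunips}; do
        ${fwcmd} add allow udp from any to ${a} 53 keep-state
        ${fwcmd} add allow tcp from any to ${a} 53 setup keep-state
    done

    # NTP out; the reply comes back through the dynamic rule, so the
    # stateless "from any 123 to ${ip}" line goes as well.
    ${fwcmd} add allow udp from me to any 123 keep-state

    # Plain DNS out from this host. Once everything goes through dnsmasq
    # and dnscrypt-proxy nothing should need it; remove the line to force
    # that, or keep it if some local daemon still resolves directly.
    ${fwcmd} add allow udp from me to any 53 keep-state
}

# Everything not matched above should hit the ruleset's closing deny; no
# "from any 53/123/443" reply rules remain, so a forged source port no
# longer gets a packet through.
dns_rules
```

Make sure the ruleset really does end in a deny rule (the stock profiles do, unless the kernel was built to default to accept), otherwise tightening these lines changes nothing.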