Lantern (蓝灯): an open-source, cross-platform circumvention proxy

Contents

★ What is "Lantern"?
★ Why recommend it only now?
★ How to get it
★ How to install it
★ How to use it
★ Other related links

At the start of this month (August 7) I posted a "Circumvention Bulletin". After it went out, several keen readers reminded me in the blog comments that Lantern 2.0 had just been released and worked well. Over the past two weeks I tried it out and decided to write a post introducing it to everyone.
A reminder while I'm at it:
The Party-state is busily preparing for its big military parade. As usual, network blocking is tightened whenever a sensitive period comes around. Keep a few extra circumvention tools on hand, just in case.

★ What is "Lantern"?

As the title says, "Lantern" is an open-source, cross-platform circumvention tool. "蓝灯" is its Chinese name.
As for "cross-platform": it currently supports Windows, Linux and Mac OS X.
As for "open source": its official GitHub account is "here".
Note in passing: this open-source project is funded by the US government.
For more background, see the Wikipedia entry ("here").

★ Why recommend it only now?

Lantern's first version came out two years ago (2013), so why am I only writing a post recommending it now?
The main reason: early Lantern was not easy to use, not "foolproof" enough. Many people complained about its "invitation mechanism"; early versions depended on the Chrome browser; early versions often failed to log in.
By contrast, the newly released 2.0 is simple and easy to use, which is why I decided to recommend it.

★ How to get it

◇ Official site

Its official site is https://GetLantern.org/; a prominent download button appears as soon as you open it. Note: the site relies on JavaScript, so your browser must have JS enabled.

◇ Lantern's official GitHub account (no circumvention needed)

Circumvention tools' official sites generally receive special attention from the GFW, and Lantern's is no exception. So here is a download page that needs no circumvention:
https://github.com/getlantern/lantern-binaries
This page belongs to Lantern's official GitHub account (so far the whole of GitHub is reachable without circumvention) and offers installers for the three major desktop operating systems (Windows, Linux, Mac).

◇ My BT Sync automatic sync (no circumvention needed)

If you cannot get past the blocking for now, you can also obtain it via BT Sync.
First install BT Sync, then use the following key to automatically sync the collection of circumvention tools I share.

Sync key for assorted circumvention tools: BTLZ4A4UD3PEWKPLLWEOKH3W7OQJKFPLG

Official download pages for the BT Sync client: version 1.4, version 2.0 (these two links are page links; do not use "Save as" on them directly).
If you have never used BT Sync, first read "BT Sync primer: not just a sync tool but a distributed cloud drive".
Although my blog has been completely blocked by the GFW, you can still read that tutorial through an RSS reader.

★ How to install it

(Since most readers use Windows, this section covers only the Windows platform.)
Lantern's installer carries a digital signature. To be safe, check as usual that the signature is valid before running it (if you don't know how to verify a digital signature, read "this post" first).
Installation is simple: just double-click the exe ("one-click" install).
Because the installer never asks for an install directory, some of you may wonder where Lantern ends up. Easy: type %APPDATA% into the Explorer address bar and press Enter to open the current user's APPDATA directory; there you will find a subdirectory named lantern, which is the install directory.
Since installing Lantern does not require administrator rights, my habit is to install it as a normal user. Once again: whenever you can avoid using an administrator account, do so; it reduces some security risk.

★ How to use it

◇ Start / stop

After installation you can start Lantern from the Start menu or the desktop icon.
A Lantern icon then appears in the taskbar tray; at the same time it opens the system's default browser and displays its main interface there. The main interface is simple enough that you will understand it at a glance.
To quit, right-click the tray icon; the context menu has an exit option.

◇ Lantern's configuration options

In the lower right of the main interface there is a settings button; clicking it opens Lantern's settings panel, which is equally simple: currently just three checkboxes (options).
One of them is "Proxy all traffic", which deserves a word:
If you tick it, every HTTP request goes through Lantern's circumvention tunnel; if you leave it unticked, only blocked sites go through Lantern. Lantern has a built-in list of blocked sites that it uses to decide which names count as blocked.

◇ Configuring network software to use Lantern's proxy

("Network software" in this section means browsers, IM tools, download tools, and so on.)
By default Lantern opens an HTTP proxy port on the local address; the port number is 8787.
If your network software runs in the same operating system, just set an HTTP proxy in its proxy settings: address 127.0.0.1, port 8787.
(Note: 127.0.0.1 is the local loopback address.)
If you want to share Lantern's tunnel across operating systems, see my other post "How multiple computers can share one circumvention tunnel".
Added after publication, at a reader's prompting:
Lantern can serve as a front proxy for Tor. Readers who value anonymity should consider chaining "Lantern + Tor" as a double proxy. For how double proxies work and what they gain you, see one of the posts in the "How to hide your tracks and avoid cross-province arrest" series.

Free and Public DNS Servers

Your ISP automatically assigns DNS servers when your router or computer connects to the Internet via DHCP… but you don’t have to use those.

Below are free DNS servers you can use instead of the ones your ISP assigns, including the best and most reliable ones from the likes of Google and OpenDNS:

See How Do I Change DNS Servers? for help. More help is below the table.

Free & Public DNS Servers (Valid February 2016)

Provider                 Primary DNS Server   Secondary DNS Server
Level3 [1]               209.244.0.3          209.244.0.4
Verisign [2]             64.6.64.6            64.6.65.6
Google [3]               8.8.8.8              8.8.4.4
DNS.WATCH [4]            84.200.69.80         84.200.70.40
Comodo Secure DNS        8.26.56.26           8.20.247.20
OpenDNS Home [5]         208.67.222.222       208.67.220.220
DNS Advantage            156.154.70.1         156.154.71.1
Norton ConnectSafe [6]   199.85.126.10        199.85.127.10
GreenTeamDNS [7]         81.218.119.11        209.88.198.133
SafeDNS [8]              195.46.39.39         195.46.39.40
OpenNIC [9]              50.116.23.211        192.99.240.129
SmartViper               208.76.50.50         208.76.51.51
Dyn                      216.146.35.35        216.146.36.36
FreeDNS [10]             37.235.1.174         37.235.1.177
Alternate DNS [11]       198.101.242.72       23.253.163.53
Yandex.DNS [12]          77.88.8.8            77.88.8.1
censurfridns.dk [13]     89.233.43.71         91.239.100.100
Hurricane Electric [14]  74.82.42.42          -
puntCAT [15]             109.69.8.51          -

Note: Primary DNS servers are sometimes called preferred DNS servers and secondary DNS servers are sometimes called alternate DNS servers. Primary and secondary DNS servers can be “mixed and matched” to provide another layer of redundancy.

Why Use Different DNS Servers?

One reason you might want to change from the DNS servers assigned by your ISP is if you suspect there’s a problem with the ones you’re using now.

An easy way to test for a DNS server issue is by typing a website’s IP address into the browser. If you can reach the website with the IP address, but not the name, then the DNS server is likely having issues.

Another reason to change DNS servers is if you’re looking for a better performing service. Many people complain that their ISP-maintained DNS servers are sluggish and contribute to a slower overall browsing experience.

Yet another, increasingly common reason to use DNS servers from a third party is to prevent logging of your web activity and to circumvent the blocking of certain websites.

The Small Print

Don’t worry, this is good small print!

Many of the DNS providers listed above have varying levels of services (OpenDNS, Norton ConnectSafe, etc.), IPv6 DNS servers (Google, DNS.WATCH, etc.), and location specific servers you might prefer (OpenNIC).

While you don’t need to know anything beyond what I included in the table above, this bonus information might be helpful for some of you, depending on your needs:

[1] The free DNS servers listed above as Level3 will automatically route to the nearest DNS server operated by Level3 Communications, the company that provides most of the ISPs in the US their access to the Internet backbone.

[2] Verisign says this about their free DNS servers: “We will not sell your public DNS data to third parties nor redirect your queries to serve you any ads.” Verisign offers IPv6 public DNS servers as well: 2620:74:1b::1:1 and 2620:74:1c::2:2.

[3] Google also offers IPv6 public DNS servers: 2001:4860:4860::8888 and 2001:4860:4860::8844.

[4] DNS.WATCH also has IPv6 DNS servers at 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b. In an uncommon but much appreciated move, DNS.WATCH publishes live statistics for both of their free DNS servers. Both servers are located in Germany which could impact performance if used from the US or other remote locations.

[5] OpenDNS also offers DNS servers that block adult content, called OpenDNS FamilyShield. Those DNS servers are 208.67.222.123 and 208.67.220.123. A premium DNS offering is also available, called OpenDNS Home VIP.

[6] The Norton ConnectSafe free DNS servers listed above block sites hosting malware, phishing schemes, and scams; this is called Policy 1. Use Policy 2 (199.85.126.20 and 199.85.127.20) to block those sites plus those with pornographic content. Use Policy 3 (199.85.126.30 and 199.85.127.30) to block all previously mentioned site categories plus those Norton deems "non-family friendly." Be sure to check out the list of things blocked in Policy 3; there are several controversial topics in there that you may find perfectly acceptable.

[7] GreenTeamDNS "blocks tens of thousands of dangerous websites which include malware, botnets, adult related content, aggressive/violent sites as well as advertisements and drug-related websites" according to their FAQ page. Premium accounts have more control.

[8] Register here with SafeDNS for content filtering options in several areas.

[9] The DNS servers listed here for OpenNIC are just two of many in the US and across the globe. Instead of using the OpenNIC DNS servers listed above, see their complete list of public DNS servers here and use two that are close to you or, better yet, let them tell you that automatically here. OpenNIC also offers some IPv6 public DNS servers.

[10] FreeDNS says that they “never log DNS queries.” Their free DNS servers are located in Austria.

[11] Alternate DNS says that their DNS servers “block unwanted ads” and that they engage in “no query logging.”

[12] Yandex's Basic free DNS servers, listed above, are also available in IPv6 at 2a02:6b8::feed:0ff and 2a02:6b8:0:1::feed:0ff. Two more free tiers of DNS are available as well. The first is Safe, at 77.88.8.88 and 77.88.8.2, or 2a02:6b8::feed:bad and 2a02:6b8:0:1::feed:bad, which blocks "infected sites, fraudulent sites, and bots." The second is Family, at 77.88.8.7 and 77.88.8.3, or 2a02:6b8::feed:a11 and 2a02:6b8:0:1::feed:a11, which blocks everything that Safe does, plus "adult sites and adult advertising."

[13] The censurfridns.dk DNS servers are uncensored, operated by a privately funded individual, and are physically located in Denmark. You can read more about them here. IPv6 DNS servers are also available at 2002:d596:2a92:1:71:53:: and 2001:67c:28a4::.

[14] Hurricane Electric also has an IPv6 public DNS server available: 2001:470:20::2.

[15] puntCAT is physically located near Barcelona, Spain. The IPv6 version of their free DNS server is 2a00:1508:0:4::9.

Best Free Public DNS Servers

Looking to switch from your ISP DNS to another provider? I was surprised to find out that using a free public DNS server from a reputable company was far better than using my local ISP DNS, especially when travelling in foreign countries.

I was recently in India and was getting very frustrated with the constant "Webpage cannot load" errors followed by the website loading 5 seconds later. I kept seeing the "DNS lookup failed" message, so I figured let me try another DNS provider, and that made an absolute world of difference.

There are a bunch of public DNS servers you can use, but I won’t bother mentioning them all as the top 5 to 10 will cover the needs for pretty much everyone. Some DNS servers provide additional benefits like filtering out phishing scams, blocking porn sites, etc. and I’ll be sure to mention the features for each service.

Also, be sure to read my post on finding the fastest public DNS server from your location using free utilities. Once you have chosen a DNS service, read my post on how to change your DNS servers in Windows.

1. Google Public DNS

Google being Google, they have massive scale, load-balancing, redundancy and DNS servers distributed all over the world. They also support the latest technologies and security mechanisms like IPv6 DNS servers and DNSSEC. Their DNS servers are also well protected against DoS attacks and cache poisoning attacks.

It’s worth noting that Google Public DNS does not perform any blocking or filtering on the DNS requests, as some of the other services do. They state that only under extraordinary circumstances would they block anything. For me, this is a good option because I use other tools to filter out malware sites, etc and don’t necessarily want my DNS service to be involved.

The main benefit for using Google is their global data center and the fact that they have DNS servers located around the world. Some other services only have DNS servers located in one part of the world, so the performance will suffer considerably.

The main downside to using Google is that they are all about tracking and logging everything anyone does on the Internet and this is no exception. If you are leery of Google having too much information, I would suggest using a different DNS server.

Google Public DNS IPv4 Addresses:

  • 8.8.8.8
  • 8.8.4.4

Google Public DNS IPv6 Addresses:

  • 2001:4860:4860::8888
  • 2001:4860:4860::8844

2. Level 3 DNS

Level 3 is the company that provides a lot of ISPs their connection to the Internet backbone, so they are huge, reliable and secure. There is no filtering with Level 3, just like Google DNS, so it’s mostly used for performance and reliability.

Depending on your location in the world, any of the public DNS servers I mention here could be the fastest, so that’s why it’s necessary to read the link above on finding the fastest DNS server for your connection.

Level 3 Public DNS Server Addresses:

  • 209.244.0.3
  • 209.244.0.4
  • 4.2.2.1
  • 4.2.2.2
  • 4.2.2.3
  • 4.2.2.4

3. OpenDNS

OpenDNS has been around for a very long time and they are a reputable company. OpenDNS provides several services including Enhanced DNS and Parental Controls, both of which are free.

OpenDNS is also the first public DNS that I have mentioned that does automatic blocking and filtering against phishing attacks and identity theft. This is a great option if you have kids and want to prevent them from landing on malware-infested sites or if you have older family members who sometimes click on spam links in emails.

They also have a VIP service for $20 a month that gives you a bunch of Internet usage statistics for all the devices on your network.

OpenDNS IP Addresses:

  • 208.67.222.222
  • 208.67.220.220

4. Norton ConnectSafe DNS

Norton ConnectSafe is the public DNS service provided by Norton. Like OpenDNS, Norton also has automatic filtering and blocking based on their database of sites. Using the free DNS speed tools I mentioned, it’s also one of the fastest public DNS servers.

Norton DNS has a couple of different DNS servers, depending on the type of protection you want. They have three options:

A – Protection against malware, phishing sites and scam sites

B – A + Pornography

C – A + Pornography + Other

Other will basically block sites related to mature content, gambling, hate, suicide, tobacco, drugs, alcohol, etc. Obviously, that could block a lot of sites, so use that option as you see fit.

Norton DNS IP Addresses:

Option A:

  • 199.85.126.10
  • 199.85.127.10

Option B:

  • 199.85.126.20
  • 199.85.127.20

Option C:

  • 199.85.126.30
  • 199.85.127.30

5. OpenNIC DNS

Lastly, another one I like to use is OpenNIC. They have servers all over the world run by their own members and exist to provide a democratic, non-national network that protects your privacy. The link above will show you a list of all of their Tier 2 DNS servers around the world, but you can go to the homepage and it will tell you the closest servers to your IP automatically at the top right.

When looking at the list of servers, you can choose one that fits your privacy needs. A lot of them keep no logs, have logs completely disabled or keep anonymous logs.

So those are my top recommendations for public DNS servers that are reliable, fast, and provide extra security and filtering for those that need it. Even though most people use their ISP for DNS, it’s really much better to use a third-party. If you have any questions, let us know in the comments. Enjoy!

Using dnsmasq for automatic circumvention and against DNS hijacking

First, what is dnsmasq?
It is a caching DNS forwarder: it caches DNS records, so the next time we need them we hit the entries cached in the router directly instead of resolving all over again, which saves time.
For example, when we visit g.cn, the domain is currently redirected first to google.cn and then to google.com.hk, so resolving it takes ten-odd seconds each time; with dnsmasq that wait disappears.
Of course the first visit still has to resolve; after that it's fine (what happens when the cache fills up and entries get evicted is another matter).
Lately all sorts of hosts files have appeared online; they can be put directly on a computer or phone, but using the router is more convenient.
OK, on to circumvention.
Switch DD-WRT to the Services tab and you will see an empty box under dnsmasq waiting to be filled in; that is the key part of today's post.

address=/.youtube.com/203.208.46.30
address=/.ytimg.com/203.208.46.30
address=/.googlevideo.com/203.208.46.30
address=/.2mdn.net/203.208.46.30
Paste the lines above into that box.
Open a browser and try YouTube; it should work.
The meaning is simple: the domain after address is resolved to the IP that follows it, much like a hosts file entry.
But unlike hosts you don't need to paste a long list, because this behaves somewhat like a wildcard: every *.youtube.com name goes to 203.208.46.30.

I also tried adding IPv6 addresses, but unfortunately the router crashed and I had to plug in a cable and give the PC a static IP to revert it:
address=/.blogger.com/2001:4860:8006::bf
address=/.blogspot.com/2001:4860:8006::62
address=/.appspot.com/2001:4860:8006::8d
Those interested can give it a try.
According to http://www.linuxidc.com/Linux/2011-03/33072.htm this IPv6 syntax is supported; perhaps the dnsmasq build in DD-WRT doesn't support it.

dnsmasq does of course support hosts files; by default it reads /etc/hosts.
But there is a problem: the hosts file is reset after a reboot, and you can't upload it again every time.
You could of course host the hosts file somewhere online and fetch it with wget (set it as a startup command under Administration: cd /tmp; wget http://xxx.xxx/host; /tmp is the better place to keep it).
Right, dnsmasq also lets you specify an additional hosts file:
addn-hosts=/tmp/dnsmasq.hosts
Still enter this in the same box; that box is effectively editing dnsmasq's config file, which on Linux is /etc/dnsmasq.conf, though on DD-WRT I can't find where it lives.

Normally DNS answers come from your ISP's DNS servers, but that can be changed too.
Settings:
# do not read /etc/resolv.conf
no-resolv
# do not watch /etc/resolv.conf and /etc/dnsmasq.conf for changes; after editing, just restart dnsmasq
no-poll
# upstream DNS servers
server=8.8.8.8
server=8.8.4.4 # Google's DNS; you can use OpenDNS's servers instead
After this, answers will be fetched and cached from Google's DNS.

As for DNS hijacking, one common form is that a mistyped address lands on the ISP's ad page, such as http://nfdnserror8.wo.com.cn:8080/?HOST=fuck.U&R=/&
That is more or less tolerable; a serious case is this one: http://www.cnbeta.com/articles/23851.htm
Mine hijacks some sites it doesn't want me to reach, such as some Google services.
First find the IPs of those hijack pages,
then, in the same box as before, enter:
bogus-nxdomain=123.129.254.11
bogus-nxdomain=123.129.254.12
bogus-nxdomain=123.129.254.13
bogus-nxdomain=123.129.254.14
bogus-nxdomain=123.129.254.15
bogus-nxdomain=123.129.254.16
bogus-nxdomain=123.129.254.17
bogus-nxdomain=123.129.254.18
replacing the IPs with yours; there can be several.

Update: on this topic there is also http://blog.kangkang.org/index.php/archives/141. It does not concern us, since the above already achieves it; that one is for OpenWrt (where you can also just edit the config file). Kept for reference.

Earlier I wrote server=8.8.8.8, which applies to everything.
You can also let only some sites resolve through the custom DNS,
using server=/google.com/8.8.8.8
See here for details: http://bbs.pku6.edu.cn/bbs/bbstc … p;threadid=12826958

References, besides those above:
http://server.blog.163.com/blog/static/1076358201162424629295/

On OpenWrt the config file is /etc/dnsmasq.conf; just edit it directly.

Google IP address ranges

When you configure mail handling for your domain and want to keep Google mail from being marked as spam, you may need to know the IP addresses of the Google Apps mail servers.

Note: the instructions below concern the list of IP addresses used to handle email traffic. It is not a complete list of the IP addresses Google reserves.

Google has a global infrastructure that scales dynamically to meet growing demand. Consequently the IP address ranges used by Google Apps mail servers are large and change frequently. The most effective way to find the current Google IP ranges is to query Google's SPF record.

To create an SPF record for your domain, simply have it point at Google's SPF record, which holds the current IP address list:

v=spf1 include:_spf.google.com ~all

With this method your domain automatically inherits the changes whenever Google's IP addresses change.

If you need the literal IP addresses of the Google Apps mail servers, use one of the common DNS lookup commands (nslookup, dig, host) to retrieve the SPF record of the _spf.google.com domain, as follows:

nslookup -q=TXT _spf.google.com 8.8.8.8

This returns a list of the domains included in Google's SPF record, for example:
_netblocks.google.com, _netblocks2.google.com, _netblocks3.google.com

Now look up the DNS TXT records associated with each of these domains in turn, for example:

nslookup -q=TXT _netblocks.google.com 8.8.8.8
nslookup -q=TXT _netblocks2.google.com 8.8.8.8
nslookup -q=TXT _netblocks3.google.com 8.8.8.8

The results of these commands contain the current address ranges, for example:

服务器: google-public-dns-a.google.com
Address: 8.8.8.8

非权威应答:
_netblocks.google.com text =

“v=spf1 ip4:64.18.0.0/20 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.24
9.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.
0/16 ip4:207.126.144.0/20 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32
.0/19 ~all”

服务器: google-public-dns-a.google.com
Address: 8.8.8.8

非权威应答:
_netblocks2.google.com text =

“v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:40
00::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~
all”
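As an added example (not part of the original text), here is the include-chain walk described above done in Python against simulated TXT answers, so it runs offline. The two _netblocks records are copied from the nslookup output above; the _spf.google.com record is constructed to include just those two, and the include budget and loop guard are my assumptions, added so a malformed record cannot recurse forever.

```python
import ipaddress
from typing import Dict, Set

# Simulated TXT answers. The two _netblocks records are the ones shown in the
# nslookup output above; _spf.google.com is constructed to include only them.
TXT_RECORDS: Dict[str, str] = {
    "_spf.google.com": (
        "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all"),
    "_netblocks.google.com": (
        "v=spf1 ip4:64.18.0.0/20 ip4:64.233.160.0/19 ip4:66.102.0.0/20 "
        "ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 "
        "ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:207.126.144.0/20 "
        "ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"),
    "_netblocks2.google.com": (
        "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 "
        "ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 "
        "ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"),
}

# Assumed cap on followed names (RFC 7208 limits DNS-querying terms to 10).
MAX_INCLUDES = 10


def expand_spf(domain: str, records: Dict[str, str], seen: Set[str] = None) -> Set:
    """Collect every ip4:/ip6: network reachable from the domain's SPF record."""
    seen = set() if seen is None else seen
    if domain in seen or len(seen) >= MAX_INCLUDES:
        return set()  # include loop or budget exceeded: stop following
    seen.add(domain)
    record = records.get(domain, "")
    if not record.startswith("v=spf1"):
        return set()  # no SPF record published for this name
    nets = set()
    for term in record.split()[1:]:
        if term.startswith(("ip4:", "ip6:")):
            nets.add(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets |= expand_spf(term[8:], records, seen)
        # "~all" / "-all" carry no addresses; other mechanisms are not handled here
    return nets


def sender_in_ranges(ip: str, nets) -> bool:
    """True if the sending IP falls inside any collected netblock."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)
```

A mail server that receives a message claiming to come from a Google-hosted domain can run the same expansion against live DNS and treat a sender outside the collected ranges as failing SPF.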

Using dnsmasq on Ubuntu

Using dnsmasq as a local DNS cache on Ubuntu

http://mydf.github.io/blog/ubuntu-dnsmasq/

Dnsmasq is a very practical little tool, well suited to LAN needs, especially on gateways and firewalls.
It can also act as a DNS query server; it is less complete than bind and the like, but its basic functionality is enough.
It offers the following useful features:

1 DNS service

2 Preferring locally defined DNS entries

3 DHCP service

Install dnsmasq to speed up network access

sudo apt-get install dnsmasq

Configure dnsmasq

Edit /etc/resolv.conf.

sudo gedit /etc/resolv.conf

Comment out all the existing content, then write on the first line:

nameserver 127.0.0.1

You can also use Ubuntu's network management applet, Network Manager: right-click its icon in the upper right of the desktop, choose "Edit Connections", select the connection you use, click Edit, and in the "DNS servers" field of the "IPv4 Settings" tab delete the existing DNS servers and enter 127.0.0.1.

Create a new file resolv.dnsmasq under /etc. Its content is the addresses of the DNS servers, the real upstream resolvers; mine, for example, is:

nameserver 199.91.73.222
nameserver 42.120.21.30
nameserver 8.8.8.8

You need not run "dnsmasq -r /etc/resolv.dnsmasq" as the help docs say; that would mean typing it on the command line every time, which is tedious. You could put the command in /etc/rc.local so the system runs it at every boot. The method I use is to edit /etc/dnsmasq.conf.

sudo gedit /etc/dnsmasq.conf

Find the line resolv-file=

and replace it with resolv-file=/etc/resolv.dnsmasq

This is simply the value that would follow the -r option of the dnsmasq command.

Edit /etc/dhcp3/dhclient.conf

sudo gedit /etc/dhcp3/dhclient.conf

Find the line #prepend domain-name-servers 127.0.0.1 and delete the leading "#". This ensures that when connecting automatically, "nameserver 127.0.0.1" is added as the first line of /etc/resolv.conf, so the DNS cache stays in effect.

Edit /etc/ppp/peers/dsl-provider

sudo gedit /etc/ppp/peers/dsl-provider

Some systems have /etc/ppp/peers/provider instead of /etc/ppp/peers/dsl-provider. Find the line usepeerdns and add "#" in front to comment it out, so that PPPoE does not overwrite the resolv.conf settings.

For version 12.04
Since that version already ships dnsmasq-base, you must first edit /etc/NetworkManager/NetworkManager.conf

sudo gedit /etc/NetworkManager/NetworkManager.conf

Find dns=dnsmasq and add "#" in front to comment it out.

sudo gedit /etc/default/dnsmasq

Find IGNORE_RESOLVCONF=yes and uncomment it by deleting the # sign.

Restart the service:

sudo /etc/init.d/dnsmasq restart

or

sudo service dnsmasq restart

Test results:

Pick any site and query it twice; the difference in query time will be obvious:

dig google.com

The two responses show different query times; the second is usually 0 ms. Try a few more sites to confirm it works.

Finally, here is a backup of my own dnsmasq.conf settings.

listen-address=127.0.0.1
strict-order
#no-hosts
#no-poll
resolv-file=/etc/resolv.dnsmasq.conf

# against China Telecom hijacking (114 navigation page)
bogus-nxdomain=218.30.64.194
#bogus-nxdomain=67.215.66.132
# Set the cachesize here.
cache-size=2048

# domestic domains: use this DNS
server=/cn/114.114.114.114
server=/taobao.com/114.114.114.114
server=/taobaocdn.com/114.114.114.114
server=/tbcache.com/114.114.114.114
server=/tdimg.com/114.114.114.114
server=/weibo.com/114.114.114.114
server=/weibo.cn/114.114.114.114
server=/xunlei.com/114.114.114.114

# foreign domains: use this DNS
server=/google.com/42.120.21.30
server=/twitter.com/42.120.21.30
server=/facebook.com/42.120.21.30

# hosts section
# local machines
address=/tp.set/192.168.2.1
address=/dx.set/192.168.1.1

# others
address=/t66y.com/184.154.128.246
#address=/github.com/192.30.252.131

16 August 2011

Dnsmasq is a lightweight DNS cache and DHCP server. We can use dnsmasq to speed up DNS resolution through caching, and it also enables some more interesting features.

1. Installing dnsmasq

Most Linux distributions make it easy to install dnsmasq. On Gentoo, for instance: emerge dnsmasq.

2. Configuring dnsmasq

The config file is /etc/dnsmasq.conf; the simplest configuration is:

listen-address=127.0.0.1

cache-size=150

With this configuration, edit /etc/resolv.conf and add nameserver 127.0.0.1 to use the local dnsmasq at 127.0.0.1 as your DNS server. By default dnsmasq uses the nameserver entries in /etc/resolv.conf as its upstream DNS servers. You can also specify your own, e.g.: resolv-file=/etc/dnsmasq_resolver

Then dnsmasq uses the DNS servers in /etc/dnsmasq_resolver; the file can be any path, and its format is the same as /etc/resolv.conf. Mine is:
nameserver 211.68.71.5
nameserver 211.68.71.4
nameserver 8.8.8.8

3. Specifying a DNS server for particular domains

This is very useful. On the education network I can use IPv6, and Google services are more stable and faster over IPv6, so I use a DNS server that can resolve Google's IPv6 addresses:

server=/google.com/2001:470:20::2
server=/appspot.com/2001:470:20::2
server=/blogspot.com/2001:470:20::2
server=/google.com.hk/2001:470:20::2
server=/youtube.com/2001:470:20::2

This way all *.google.com names are resolved via the DNS server 2001:470:20::2, and likewise for the other domains.

4. Using dnsmasq instead of a hosts file

The advantage over an ordinary hosts file is that hosts does not support wildcards: an entry like *.phobos.apple.com 208.46.163.74 is not allowed there, but in dnsmasq.conf you can write: address=/.phobos.apple.com/208.46.163.74

To have dnsmasq start at boot: on Gentoo, rc-update add dnsmasq default; on Arch, add dnsmasq to the DAEMONS list in /etc/rc.conf. If DHCP rewrites /etc/resolv.conf every time: with dhcpcd, create /etc/resolv.conf.head containing the line nameserver 127.0.0.1; with dhclient, add or edit /etc/dhclient.conf and add prepend domain-name-servers 127.0.0.1;