发布时间:February 12, 2022 // 分类: // No Comments
为了安全将物联网设备单独使用一个网段和本地网络隔离,这样基于mdns协议的发现应用就不能使用了,如电视投屏、打印机等,可以使用mDNS Reflector来中继两个网段的mdns。
编译方法参考:k2p交叉编译smartdns/openssl
/usr/local/bin/mdns-reflector -n br-lan br-robot br-guest路由配置iptables防火墙允许udp 5353入,并允许本地网络访问电视所在的网络:
iptables -A INPUT -i br-robot -p udp --dport 5353 -j ACCEPT
iptables -A FORWARD -i br-lan -j ACCEPT
iptables -A FORWARD -i robot -o br-lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT发布时间:February 7, 2022 // 分类: // No Comments
有一应用需动态更新目标的ip和端口,使用nginx/openresty tcp/udp端口转发配合lua扩展很方便实现。
stream {
lua_shared_dict ups_dict 1m;
lua_shared_dict ups_list 1m;
lua_add_variable $ups_name;
#当nginx启动或reload时读取配置文件内upstream列表到lua_shared_dict,更新后端的时候判断是否有效
init_by_lua_block {
ngx.shared.ups_list:flush_all()
local file = "/etc/nginx/stream.conf"
local f = io.open(file, "r")
local content = f:read("*a")
f:close()
for substr in string.gmatch(content, "upstream%s+([%w-_]+)%s+%{") do
ngx.log(ngx.WARN, substr)
ngx.shared.ups_list:set(substr, 1)
end
}
log_format main '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
access_log /run/log/nginx/dns_access.log main;
error_log /run/log/nginx/dns_error.log error;
#log level: debug, info, notice, warn, error (default), crit, alert, and emerg.
upstream default_tcp {
server 127.0.0.1:53;
server 127.0.0.1:55;
}
upstream default_udp {
server 10.0.1.1:53;
server 10.0.2.1:53;
}
upstream default_udp2 {
server 10.0.3.1:53;
server 10.0.3.2:53;
}
upstream test1_tcp {
server 127.0.0.1:53;
}
upstream test1_udp {
server 10.0.1.1:53;
}
upstream test1_udp2 {
server 10.0.3.2:53;
}
upstream test2_tcp {
server 127.0.0.1:55;
}
upstream test2_udp {
server 10.0.2.1:53;
}
upstream test2_udp2 {
server 10.0.3.1:53;
}
server {
listen 53000 udp;
preread_by_lua_block {
assert(not ngx.var.ups_name)
local ups = ngx.shared.ups_dict:get("ups_name")
if ups ~= nil then
ngx.log(ngx.WARN, "udp 53000 use " .. ups .. " upstream")
ngx.var.ups_name = ups .. "_udp"
else
ngx.log(ngx.WARN, "udp 53000 use default upstream")
ngx.var.ups_name = "default_udp"
end
}
proxy_pass $ups_name;
proxy_responses 1; #当返回一个udp数据包时就关闭连接,或proxy_timeout时间内无数据关闭连接
proxy_connect_timeout 1s;
proxy_timeout 5s;
}
server {
listen 53000;
preread_by_lua_block {
assert(not ngx.var.ups_name)
local ups = ngx.shared.ups_dict:get("ups_name")
if ups ~= nil then
ngx.log(ngx.WARN, "tcp 53000 use " .. ups .. " upstream")
ngx.var.ups_name = ups .. "_tcp"
else
ngx.log(ngx.WARN, "tcp 53000 use default upstream")
ngx.var.ups_name = "default_tcp"
end
}
proxy_pass $ups_name;
#proxy_responses 1; #当返回一个udp数据包时就关闭连接,或proxy_timeout时间内无数据关闭连接
proxy_connect_timeout 1s;
proxy_timeout 5s;
}
server {
listen 53001 udp;
preread_by_lua_block {
assert(not ngx.var.ups_name)
local ups = ngx.shared.ups_dict:get("ups_name")
if ups ~= nil then
ngx.log(ngx.WARN, "udp 53001 use " .. ups .. " upstream")
ngx.var.ups_name = ups .. "_udp2"
else
ngx.log(ngx.WARN, "udp 53001 use default upstream")
ngx.var.ups_name = "default_udp2"
end
}
proxy_pass $ups_name;
proxy_responses 1; #当返回一个udp数据包时就关闭连接,或proxy_timeout时间内无数据关闭连接
proxy_connect_timeout 1s;
proxy_timeout 5s;
}
server {
listen 53001;
content_by_lua_block {
local sock = assert(ngx.req.socket(true))
local data = sock:receive()
local args, err = ngx.decode_args(data, 0)
if err == nil then
for k,v in pairs(args) do
--ngx.say(v)
ip = v:match("(%d+%.%d+%.%d+%.%d+%:%d+)")
if ip ~= nil then
local sus, err = ngx.shared.ups_dict:set(k, ip)
if sus then
ngx.say("set upstream sus: " .. k .. "=" .. ip)
else
ngx.say(err)
end
end
end
end
}
access_log off;
}
server {
listen 53002;
content_by_lua_block {
local sock = assert(ngx.req.socket(true))
local data = sock:receive()
if data then
local args, err = ngx.decode_args(data, 0)
if err == nil then
for k,v in pairs(args) do
--ngx.say(v)
--if k == "name" and type(v) == "string" and v:find("dns") then
if k == "name" and type(v) == "string" and ngx.shared.ups_list:get(v .. "_udp") then
local sus, err = ngx.shared.ups_dict:set("ups_name", v)
if sus then
ngx.say("set upstream sus: " .. k .. "=" .. v)
ngx.log(ngx.WARN, "set upstream sus: " .. k .. "=" .. v)
else
ngx.say(err)
end
end
end
end
end
}
access_log off;
}
}使用nc测试设置nginx转发使用的后端upstream名称:
nc 127.0.0.1 53002
name=test1
set upstream sus: name=test1也可通过53001端口设置目标ip:port,然后proxy_pass即可。
参考:
https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/balancer.md
https://xiangxianzui.github.io/2017/11/nginx-lua%E5%8A%A8%E6%80%81%E6%94%B9%E5%8F%98upstream/
发布时间:January 24, 2022 // 分类:DNS // No Comments
先在配置文件内禁用ipv6 dhcp服务:
/etc/config/dhcp
config dhcp 'lan'
option interface 'lan'
option start '150'
option limit '100'
option leasetime '12h'
option ra 'disabled'
option dhcpv6 'disabled'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'关闭odhcpd:
/etc/init.d/odhcpd stop
/etc/init.d/odhcpd disable修改dnsmasq配置文件开启ra服务:
/etc/dnsmasq.conf
enable-ra
dhcp-range=::,constructor:br-lan,ra-only
#其它slaac ra-stateless等参考man文档只想通过ipv4查询dns,下面patch让dnsmasq无状态分配ip时候不包含RDNSS,这样客户端只配置ipv4 dns而不配置ipv6 dns。
diff -urN dnsmasq-2.86/src/radv.c dnsmasq-2.86-bak/src/radv.c
--- dnsmasq-2.86/src/radv.c 2021-09-09 04:21:22.000000000 +0800
+++ dnsmasq-2.86-bak/src/radv.c 2022-01-23 11:57:01.818963642 +0800
@@ -507,7 +507,7 @@
}
}
- if (daemon->port == NAMESERVER_PORT && !done_dns && parm.link_pref_time != 0)
+ if ( 0 && daemon->port == NAMESERVER_PORT && !done_dns && parm.link_pref_time != 0)
{
/* default == us, as long as we are supplying DNS service. */
put_opt6_char(ICMP6_OPT_RDNSS);odhcpd新版本参数dns_service也可实现此需求,不使用dhcpv6可尝试使用ra_dns参数关闭ra dns?
再次开启ipv6 dns服务,如果有配置dhcp6 dns服务器,dnsmasq会将其设置为RDNSS:
dhcp-option=option6:dns-server,[xxxx:xxxx:xxxx:xxxx::1]发布时间:January 24, 2022 // 分类: // No Comments
路由上跑dnsmasq通过将客户端ip添加为edns ip转发到其它dns服务器时可以根据客户端ip做相应操作,dnmasq只有在设置add-subnet为固定ip段时才缓存,add-subnet=32时动态添加客户端ip为edns ip时不缓存,做了下修改可以缓存。
--- dnsmasq-2.86/src/edns0.c 2021-09-09 04:21:22.000000000 +0800
+++ dnsmasq-2.86-bak/src/edns0.c 2022-01-23 18:54:04.801336879 +0800
@@ -375,6 +375,7 @@
if (cacheablep)
*cacheablep = cacheable;
+ *cacheablep = 1;
return len + 4;
}
diff -urN dnsmasq-2.86/src/forward.c dnsmasq-2.86-bak/src/forward.c
--- dnsmasq-2.86/src/forward.c 2021-09-09 04:21:22.000000000 +0800
+++ dnsmasq-2.86-bak/src/forward.c 2022-01-23 18:58:25.020648204 +0800
@@ -596,7 +596,7 @@
/* Get extended RCODE. */
rcode |= sizep[2] << 4;
- if (check_subnet && !check_source(header, plen, pheader, query_source))
+ if ( 0 && check_subnet && !check_source(header, plen, pheader, query_source))
{
my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
return 0;发布时间:January 18, 2022 // 分类: // No Comments
unbound做mosdns前置的时候会重新查询域名返回的dns cname记录,这样mosdns做dns域名分流的时候还要额外添加cname域名规则,写了一个mosdns插件删除cname信息直接返回a记录避免二次查询。
//dispatcher/plugin/executable/dcname/dcname.go
package dcname
import (
"context"
"github.com/IrineSistiana/mosdns/v3/dispatcher/handler"
"github.com/IrineSistiana/mosdns/v3/dispatcher/pkg/dnsutils"
"github.com/miekg/dns"
)
const (
PluginType = "dcname"
)
func init() {
handler.RegInitFunc(PluginType, Init, func() interface{} { return new(Args) })
}
var _ handler.ExecutablePlugin = (*dcname)(nil)
type Args struct {
}
type dcname struct {
*handler.BP
args *Args
}
func Init(bp *handler.BP, args interface{}) (p handler.Plugin, err error) {
return newDcname(bp, args.(*Args)), nil
}
func newDcname(bp *handler.BP, args *Args) handler.Plugin {
return &dcname{
BP: bp,
args: args,
}
}
func (t *dcname) Exec(ctx context.Context, qCtx *handler.Context, next handler.ExecutableChainNode) error {
if r := qCtx.R(); r != nil {
q := qCtx.Q()
if (len(q.Question) == 1 && len(r.Answer) >= 1) {
qname := q.Question[0].Name
qtype := q.Question[0].Qtype
rname := r.Answer[0].Header().Name
rtype := r.Answer[0].Header().Rrtype
if ((qtype == dns.TypeA || qtype == dns.TypeAAAA) && qname == rname && rtype == dns.TypeCNAME) {
var Answer2 []dns.RR
for i := range r.Answer {
var rr2 dns.RR
switch rr := r.Answer[i].(type) {
case *dns.A:
rr2 = &dns.A{
Hdr: dns.RR_Header{
Name: qname,
Rrtype: dns.TypeA,
Class: dns.ClassINET,
Ttl: r.Answer[i].Header().Ttl,
},
A: rr.A,
}
case *dns.AAAA:
rr2 = &dns.AAAA{
Hdr: dns.RR_Header{
Name: qname,
Rrtype: dns.TypeAAAA,
Class: dns.ClassINET,
Ttl: r.Answer[i].Header().Ttl,
},
AAAA: rr.AAAA,
}
default:
continue
}
Answer2 = append(Answer2, rr2)
}
r.Answer = Answer2
}
}
}
return handler.ExecChainNode(ctx, qCtx, next)
}开启插件:
dispatcher/plugin/enabled_plugin.go
_ "github.com/IrineSistiana/mosdns/v3/dispatcher/plugin/executable/dcname"qCtx.Q()和qCtx.R()分别获取查询和返回的信息,*dns.Msg定义在:
https://github.com/miekg/dns/blob/master/msg.go#L109
查询信息Question []Question定义在:
https://github.com/miekg/dns/blob/master/types.go#L228
返回信息Answer RR[]定义在:
https://github.com/miekg/dns/blob/master/dns.go#L31
Answer Header:
https://github.com/miekg/dns/blob/master/dns.go#L67
DNS TYPE:
https://github.com/miekg/dns/blob/master/types.go#L25