Haiyun's Blog

openwrt/PandoraBox: replacing odhcpd with dnsmasq for SLAAC address assignment and disabling IPv6 DNS

Published: January 24, 2022 // Category: DNS // No Comments

First disable the IPv6 DHCP service (DHCPv6 and RA) in the configuration file:

/etc/config/dhcp
config dhcp 'lan'
        option interface 'lan'
        option start '150'
        option limit '100'
        option leasetime '12h'
        option ra 'disabled'
        option dhcpv6 'disabled'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

Stop and disable odhcpd:

/etc/init.d/odhcpd stop
/etc/init.d/odhcpd disable

Edit the dnsmasq configuration to enable Router Advertisements:

/etc/dnsmasq.conf
enable-ra
dhcp-range=::,constructor:br-lan,ra-only
#for the other modes (slaac, ra-stateless, ...) see the dnsmasq man page

To resolve DNS over IPv4 only, the following patch makes dnsmasq omit the RDNSS option when it does stateless (RA-based) assignment, so clients configure only the IPv4 DNS server and no IPv6 DNS server.

diff -urN dnsmasq-2.86/src/radv.c dnsmasq-2.86-bak/src/radv.c
--- dnsmasq-2.86/src/radv.c     2021-09-09 04:21:22.000000000 +0800
+++ dnsmasq-2.86-bak/src/radv.c 2022-01-23 11:57:01.818963642 +0800
@@ -507,7 +507,7 @@
        }
     }
 
-  if (daemon->port == NAMESERVER_PORT && !done_dns && parm.link_pref_time != 0)
+  if ( 0 && daemon->port == NAMESERVER_PORT && !done_dns && parm.link_pref_time != 0)
     {
       /* default == us, as long as we are supplying DNS service. */
       put_opt6_char(ICMP6_OPT_RDNSS);
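
Review bot: `0 &&` hard-wires the change for every interface and turns the whole RDNSS block below it into dead code that compilers will flag; if the suppression is meant to be permanent, delete the block, and if it is meant to be optional, gate it on a configuration option instead of a constant. The untouched `!done_dns` term is what keeps an explicit `dhcp-option=option6:dns-server` working (it is still emitted as RDNSS elsewhere), so that remaining behaviour should be documented next to the changed condition.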

Newer odhcpd versions have a dns_service option that achieves the same thing; when DHCPv6 is not in use, the ra_dns option might also turn off DNS in the RAs, although that is not confirmed here.
To turn IPv6 DNS back on: if a DHCPv6 DNS server is configured, dnsmasq also advertises it as RDNSS:

dhcp-option=option6:dns-server,[xxxx:xxxx:xxxx:xxxx::1]
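
To confirm that the patched dnsmasq really stops advertising an IPv6 resolver, capture a Router Advertisement on the LAN (for example `tcpdump -i br-lan -w ra.pcap 'ip6[40] == 134'`) and inspect its options rather than trusting the client's resolver list. The Python below is an added example, not part of the original post or of dnsmasq: it parses the ICMPv6 payload of an RA, lists the option types present and decodes RDNSS (option type 25). The two RAs it checks are constructed by hand for the test, not captured from a real router; the prefix and resolver address are documentation values.

```python
"""Parse an ICMPv6 Router Advertisement (RFC 4861) and report its options,
decoding RDNSS (RFC 8106, option type 25) so you can confirm whether the
router is still advertising an IPv6 resolver. Added example, not dnsmasq code."""
import ipaddress
import struct

ICMP6_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25
OPT_NAMES = {1: "source-link-layer", 3: "prefix-information", 5: "mtu",
             24: "route-information", 25: "rdnss", 31: "dnssl"}


def parse_ra(payload: bytes) -> dict:
    """Parse the ICMPv6 payload (from the type byte) of a Router Advertisement.

    Returns hop limit, M/O flags, router lifetime, the option names in order,
    and the decoded RDNSS options as (lifetime, [addresses]).
    Raises ValueError for anything that is not a well-formed RA.
    """
    if len(payload) < 16:
        raise ValueError("RA too short")
    icmp_type, code, _csum, hop_limit, flags, router_lifetime = struct.unpack("!BBHBBH", payload[:8])
    if icmp_type != ICMP6_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    result = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),   # M flag: addresses via stateful DHCPv6
        "other": bool(flags & 0x40),     # O flag: other configuration via DHCPv6
        "router_lifetime": router_lifetime,
        "options": [],
        "rdnss": [],
    }
    off = 16  # 8-byte header + reachable time (4) + retrans timer (4)
    while off < len(payload):
        if len(payload) - off < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1] * 8
        if opt_len == 0:
            raise ValueError("option with zero length")  # forbidden by RFC 4861 4.6
        if off + opt_len > len(payload):
            raise ValueError("option runs past end of packet")
        body = payload[off + 2:off + opt_len]
        result["options"].append(OPT_NAMES.get(opt_type, f"type-{opt_type}"))
        if opt_type == OPT_RDNSS:
            # RDNSS: reserved(2) lifetime(4) then one or more 16-byte addresses
            if opt_len < 24 or (opt_len - 8) % 16:
                raise ValueError("malformed RDNSS option")
            lifetime = struct.unpack("!I", body[2:6])[0]
            addrs = [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(6, len(body), 16)]
            result["rdnss"].append((lifetime, addrs))
        off += opt_len
    return result


def advertises_dns(payload: bytes) -> bool:
    """True if the RA carries an RDNSS option with a non-zero lifetime
    (lifetime 0 tells clients to stop using that resolver)."""
    return any(lifetime and addrs for lifetime, addrs in parse_ra(payload)["rdnss"])


# --- constructed test data (not captured from a real router) -----------------

def build_ra(options: list) -> bytes:
    """RA header (checksum left 0, M=0 O=0 as in ra-only mode) plus raw options."""
    header = struct.pack("!BBHBBHII", ICMP6_ROUTER_ADVERT, 0, 0, 64, 0x00, 1800, 0, 0)
    return header + b"".join(options)


def prefix_info(prefix: str) -> bytes:
    net = ipaddress.IPv6Network(prefix)
    # type 3, length 4 units: prefix len, L|A flags, valid, preferred, reserved, prefix
    return struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 86400, 14400, 0) + net.network_address.packed


def rdnss(addresses: list, lifetime: int = 3600) -> bytes:
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    return struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(addresses), 0, lifetime) + packed


STOCK_RA = build_ra([prefix_info("2001:db8:1::/64"), rdnss(["2001:db8:1::1"])])  # unpatched: RDNSS = router
PATCHED_RA = build_ra([prefix_info("2001:db8:1::/64")])                          # patched: prefix only

if __name__ == "__main__":
    for label, ra in (("stock", STOCK_RA), ("patched", PATCHED_RA)):
        print(label, parse_ra(ra)["options"], "advertises DNS:", advertises_dns(ra))
```

For a real capture, strip the Ethernet (14 bytes) and IPv6 (40 bytes) headers from the frame and pass the remainder to `parse_ra`; an RA from a router that still runs odhcpd alongside dnsmasq will typically show two RDNSS-bearing advertisements from two link-local sources, which is also worth checking for.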

dnsmasq: caching problem when the client IP is added as EDNS Client Subnet (add-subnet)

Published: January 24, 2022 // No Comments

When dnsmasq on the router forwards queries to other DNS servers with the client's IP added as an EDNS Client Subnet option, the upstream can act on that client IP. dnsmasq only caches such replies when add-subnet is set to a fixed prefix; with add-subnet=32, where each client's full IP is inserted dynamically, replies are not cached. The following change makes them cacheable anyway.
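
Why stock dnsmasq refuses to cache in the add-subnet=32 case follows from how EDNS Client Subnet (RFC 7871) works: the upstream may tailor its answer to the client prefix it was sent, and reports back a SCOPE PREFIX-LENGTH saying how widely that answer may be reused. The Python below is an added example, not dnsmasq code: it encodes and decodes the ECS option (EDNS option code 8) as dnsmasq would build it for `add-subnet=24` or `add-subnet=32`, and derives the cache key RFC 7871 section 7.3.1 prescribes, so you can see which other clients a forced-cacheable reply would be shared with. The client addresses are constructed documentation values.

```python
"""EDNS Client Subnet (RFC 7871) option encoding and the cache key it implies.
Added example; not dnsmasq code."""
import ipaddress
import struct

OPTION_CODE_ECS = 8               # EDNS option code for client subnet
FAMILY_IPV4, FAMILY_IPV6 = 1, 2   # address family values from RFC 7871


def encode_ecs(client_ip: str, source_prefix: int, scope_prefix: int = 0) -> bytes:
    """Option data (without the 4-byte EDNS option header) for a query.

    The address is truncated to source_prefix bits and padded to whole
    octets; bits beyond the prefix must be zero (RFC 7871 section 6).
    add-subnet=24 -> source_prefix 24, add-subnet=32 -> source_prefix 32.
    """
    addr = ipaddress.ip_address(client_ip)
    family = FAMILY_IPV4 if addr.version == 4 else FAMILY_IPV6
    if not 0 <= source_prefix <= addr.max_prefixlen:
        raise ValueError("source prefix out of range")
    net = ipaddress.ip_network((str(addr), source_prefix), strict=False)
    nbytes = (source_prefix + 7) // 8
    return struct.pack("!HBB", family, source_prefix, scope_prefix) + net.network_address.packed[:nbytes]


def decode_ecs(data: bytes) -> tuple:
    """Decode option data into (address, source_prefix, scope_prefix),
    rejecting bad lengths and non-zero bits beyond the source prefix."""
    if len(data) < 4:
        raise ValueError("ECS option too short")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", data[:4])
    addr_len = {FAMILY_IPV4: 4, FAMILY_IPV6: 16}.get(family)
    if addr_len is None:
        raise ValueError("unknown address family")
    if source_prefix > addr_len * 8 or scope_prefix > addr_len * 8:
        raise ValueError("prefix length too large")
    nbytes = (source_prefix + 7) // 8
    if len(data) != 4 + nbytes:
        raise ValueError("address length does not match source prefix")
    addr = ipaddress.ip_address(data[4:] + b"\x00" * (addr_len - nbytes))
    if ipaddress.ip_network((str(addr), source_prefix), strict=False).network_address != addr:
        raise ValueError("non-zero bits beyond source prefix")
    return str(addr), source_prefix, scope_prefix


def is_valid_ecs(data: bytes) -> bool:
    try:
        decode_ecs(data)
        return True
    except ValueError:
        return False


def ecs_cache_key(qname: str, qtype: int, client_ip: str, scope_prefix: int) -> tuple:
    """Cache key per RFC 7871 section 7.3.1.

    The answer is valid for every client sharing the first scope_prefix bits
    with the querying client; scope 0 means the upstream did not use the
    client address at all and the answer may be shared by everyone.
    """
    if scope_prefix == 0:
        return (qname.lower(), qtype, None)
    net = ipaddress.ip_network((client_ip, scope_prefix), strict=False)
    return (qname.lower(), qtype, str(net))


def may_share_answer(qname: str, qtype: int, client_a: str, client_b: str, scope_prefix: int) -> bool:
    """Whether an answer cached for client_a may legitimately be served to client_b."""
    return ecs_cache_key(qname, qtype, client_a, scope_prefix) == ecs_cache_key(qname, qtype, client_b, scope_prefix)


if __name__ == "__main__":
    # constructed example: two LAN clients behind the same /24 and one elsewhere
    q = encode_ecs("192.0.2.10", 32)
    print("add-subnet=32 option:", q.hex(), decode_ecs(q))
    print("share /24-scoped answer within 192.0.2.0/24:",
          may_share_answer("www.example.com.", 1, "192.0.2.10", "192.0.2.77", 24))
    print("share /32-scoped answer with another client:",
          may_share_answer("www.example.com.", 1, "192.0.2.10", "192.0.2.77", 32))
```

A cache that is keyed only on name and type, as dnsmasq's is, corresponds to treating every answer as scope 0; the patch below makes exactly that assumption, so it is only safe when the upstream genuinely ignores the client address.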

--- dnsmasq-2.86/src/edns0.c    2021-09-09 04:21:22.000000000 +0800
+++ dnsmasq-2.86-bak/src/edns0.c        2022-01-23 18:54:04.801336879 +0800
@@ -375,6 +375,7 @@
   if (cacheablep)
     *cacheablep = cacheable;
   
+  *cacheablep = 1;
   return len + 4;
 }
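
Review bot: `*cacheablep = 1;` sits outside the `if (cacheablep)` guard directly above it, so a caller passing NULL now crashes; move the assignment inside the guard. The bigger issue is what the line does: `cacheable` was computed as 0 precisely when the option carried the client's own address (add-subnet=32), because dnsmasq's cache is keyed only on name and type and an upstream answer tailored to one client would be handed to every other client until its TTL expires. If that sharing is acceptable on this LAN, say so in a comment; otherwise the cache key, not the flag, needs to change.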
  
diff -urN dnsmasq-2.86/src/forward.c dnsmasq-2.86-bak/src/forward.c
--- dnsmasq-2.86/src/forward.c  2021-09-09 04:21:22.000000000 +0800
+++ dnsmasq-2.86-bak/src/forward.c      2022-01-23 18:58:25.020648204 +0800
@@ -596,7 +596,7 @@
       /* Get extended RCODE. */
       rcode |= sizep[2] << 4;
 
-      if (check_subnet && !check_source(header, plen, pheader, query_source))
+      if ( 0 && check_subnet && !check_source(header, plen, pheader, query_source))
        {
          my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
          return 0;
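
Review bot: stubbing out `check_subnet && !check_source(...)` means a reply whose client-subnet option does not match the one sent upstream is no longer discarded, so the `subnet option mismatch` warning can never fire; that check ties a reply to the query it answers, and together with the edns0.c change a mismatched reply can now land in the shared cache. State in a comment why upstream replies fail `check_source` in this setup, and fix the comparison for that case rather than disabling it for all replies.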

A mosdns plugin that removes CNAMEs from DNS responses and returns the A records directly

Published: January 18, 2022 // No Comments

When unbound sits in front of mosdns, it re-queries the CNAME target returned in a response, so for domain-based routing mosdns would also need rules for the CNAME target names. I wrote a mosdns plugin that drops the CNAME records and returns the address records directly under the query name, avoiding the second lookup. Since the rewritten records do not exist in the zone and carry no RRSIG, this cannot be combined with DNSSEC validation on the unbound side.

//dispatcher/plugin/executable/dcname/dcname.go
package dcname

import (
  "context"
  "strings"

  "github.com/IrineSistiana/mosdns/v3/dispatcher/handler"
  "github.com/miekg/dns"
)

const (
  PluginType = "dcname"
)

func init() {
  handler.RegInitFunc(PluginType, Init, func() interface{} { return new(Args) })
}

var _ handler.ExecutablePlugin = (*dcname)(nil)

// Args is empty: the plugin takes no configuration.
type Args struct {
}

type dcname struct {
  *handler.BP
  args *Args
}

func Init(bp *handler.BP, args interface{}) (p handler.Plugin, err error) {
  return newDcname(bp, args.(*Args)), nil
}

func newDcname(bp *handler.BP, args *Args) handler.Plugin {
  return &dcname{
    BP:   bp,
    args: args,
  }
}

// Exec flattens a CNAME chain in the response: when an A/AAAA query was
// answered with a CNAME at the query name, the CNAME records are dropped and
// the address records at the end of the chain are re-owned by the query name,
// so a resolver in front of mosdns does not re-query the CNAME target.
func (t *dcname) Exec(ctx context.Context, qCtx *handler.Context, next handler.ExecutableChainNode) error {
  if r := qCtx.R(); r != nil {
    q := qCtx.Q()
    if len(q.Question) == 1 && len(r.Answer) >= 1 {
      qname := q.Question[0].Name
      qtype := q.Question[0].Qtype
      first := r.Answer[0].Header()
      // DNS names are case-insensitive, so compare owner names with EqualFold.
      if (qtype == dns.TypeA || qtype == dns.TypeAAAA) && strings.EqualFold(qname, first.Name) && first.Rrtype == dns.TypeCNAME {
        answer2 := make([]dns.RR, 0, len(r.Answer))
        for _, rr := range r.Answer {
          hdr := rr.Header()
          var rr2 dns.RR
          switch v := rr.(type) {
          case *dns.A:
            rr2 = &dns.A{
              Hdr: dns.RR_Header{
                Name:   qname,
                Rrtype: dns.TypeA,
                Class:  hdr.Class,
                Ttl:    hdr.Ttl,
              },
              A: v.A,
            }
          case *dns.AAAA:
            rr2 = &dns.AAAA{
              Hdr: dns.RR_Header{
                Name:   qname,
                Rrtype: dns.TypeAAAA,
                Class:  hdr.Class,
                Ttl:    hdr.Ttl,
              },
              AAAA: v.AAAA,
            }
          default:
            // CNAME records (and anything else, e.g. RRSIG) are dropped.
            continue
          }
          answer2 = append(answer2, rr2)
        }
        // Only rewrite when the chain actually ended in address records; a
        // CNAME-only answer is left untouched rather than turned into an empty one.
        if len(answer2) > 0 {
          r.Answer = answer2
        }
      }
    }
  }
  return handler.ExecChainNode(ctx, qCtx, next)
}

Enable the plugin:

dispatcher/plugin/enabled_plugin.go
_ "github.com/IrineSistiana/mosdns/v3/dispatcher/plugin/executable/dcname"

qCtx.Q() and qCtx.R() return the query and the response respectively; *dns.Msg is defined at:
https://github.com/miekg/dns/blob/master/msg.go#L109
The question section, Question []Question, is defined at:
https://github.com/miekg/dns/blob/master/types.go#L228
The answer section, Answer []RR, is defined at:
https://github.com/miekg/dns/blob/master/dns.go#L31
The RR header returned by Header():
https://github.com/miekg/dns/blob/master/dns.go#L67
DNS TYPE constants:
https://github.com/miekg/dns/blob/master/types.go#L25

Installing the Knot authoritative DNS server on Ubuntu and configuring DDNS dynamic IP updates

Published: February 4, 2021 // Category: DNS // No Comments

I currently update DDNS records through dnspod, but a free dnspod account cannot set a TTL below 600. If updates must propagate quickly you can run your own DNS server for DDNS; this post uses Knot, which compared to BIND uses fewer resources and is simpler to configure.

apt install knot knot-dnsutils

Generate the key used to authenticate remote updates and add it to the configuration file; the first line of the output is in the format the knsupdate client uses to pass the key:

keymgr -t key_knsupdate
# hmac-sha256:key_knsupdate:USWfnZKqVwfbv/rcaJtyJA+Evj9eS6v23BmXFO0h0r0=
key:
  - id: key_knsupdate
    algorithm: hmac-sha256
    secret: USWfnZKqVwfbv/rcaJtyJA+Evj9eS6v23BmXFO0h0r0=

Knot configuration file. knsupdate and master/slave synchronization can be authenticated by key or by IP address. The configuration below reuses one key for updates, zone transfers and notifies; giving the knsupdate client its own key keeps it from also being able to transfer (AXFR) the whole zone:

server:
    identity: 
    version: 
    nsid: 
    rundir: "/run/knot"
    user: knot:knot
    #listen: [ 0.0.0.0@53, 127.0.0.1@53, ::1@53 ]
    listen: 192.168.1.1@53

log:
  - target: syslog
    any: info

# hmac-sha256:key_knsupdate:USWfnZKqVwfbv/rcaJtyJA+Evj9eS6v23BmXFO0h0r0=
key:
  - id: key_knsupdate
    algorithm: hmac-sha256
    secret: USWfnZKqVwfbv/rcaJtyJA+Evj9eS6v23BmXFO0h0r0=

remote:
  - id: slave
    address: 192.168.2.1@53
    key: key_knsupdate

  - id: master
    address: 192.168.1.1@53
    key: key_knsupdate

acl:
  - id: acl_slave
    #address: 192.168.2.1
    key: key_knsupdate
    action: transfer

  - id: acl_master
    #address: 192.168.1.1
    key: key_knsupdate
    action: notify

  - id: acl_knsupdate
    #address: [ 127.0.0.1, 192.168.1.1 ]
    key: key_knsupdate
    action: update

template:
  - id: default
    storage: "/var/lib/knot"
    file: "%s.zone"

zone:
    # Master zone
  - domain: ddns.haiyun.me
    notify: slave
    #acl: acl_slave
    acl: [ acl_slave, acl_knsupdate ]

Master/slave replication: the configuration above defines the zone as master; on the slave, replace the zone section with:

zone:
    # Slave zone
  - domain: ddns.haiyun.me
    master: master
    zonefile-load: whole
    acl: acl_master

Zone file:

cat /var/lib/knot/ddns.haiyun.me.zone
;; Zone dump (Knot DNS 2.7.8)
ddns.haiyun.me.         3600    SOA     ns1.haiyun.me. admin.haiyun.me. 2021020415 60 60 1800 60
ddns.haiyun.me.         3600    NS      ns1.haiyun.me.
ddns.haiyun.me.         3600    NS      ns2.haiyun.me.
1.ddns.haiyun.me.       10      A       1.1.1.1
1.ddns.haiyun.me.       10      AAAA    ::1
www.ddns.haiyun.me.     10      A       1.1.1.1
;; Written 6 records
;; Time 2021-02-04 17:52:03 CST

Update the DNS record dynamically with knsupdate:

cat > cmd.txt << EOF
server 127.0.0.1
zone ddns.haiyun.me.
del 1.ddns.haiyun.me.
add 1.ddns.haiyun.me. 10 A 1.1.1.1
add 1.ddns.haiyun.me. 10 AAAA ::1
show
send
answer
quit
EOF
knsupdate -y "hmac-sha256:key_knsupdate:USWfnZKqVwfbv/rcaJtyJA+Evj9eS6v23BmXFO0h0r0=" cmd.txt
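
What `knsupdate -y hmac-sha256:key_knsupdate:...` actually does is sign the UPDATE message with a TSIG record (RFC 8945), so Knot can check both that the sender holds the secret and that the message is fresh (Time Signed within Fudge of the server clock). The Python below is an added example, not part of the original post or of Knot; it reproduces the HMAC computation over a minimal constructed UPDATE (delete the A RRset of 1.ddns.haiyun.me and add a new A record) and verifies it the way a server would. The key name and secret are the ones generated above; the message ID, timestamp and the single-record update are constructed for the example, and real knsupdate messages carry more (prerequisites, the AAAA record from cmd.txt).

```python
"""TSIG (RFC 8945) request signing and verification over a minimal DNS UPDATE.
Added example; not knsupdate or Knot code. Key name/secret from the post."""
import base64
import hashlib
import hmac
import struct

KEY_NAME = "key_knsupdate."
KEY_SECRET = base64.b64decode("USWfnZKqVwfbv/rcaJtyJA+Evj9eS6v23BmXFO0h0r0=")
ALGORITHM = "hmac-sha256."
CLASS_IN, CLASS_ANY = 1, 255
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250


def encode_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 6.2): lowercase labels, no compression."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if len(label) > 63:
            raise ValueError("label too long")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_update_message(msg_id: int, zone: str, *rrs: bytes) -> bytes:
    """RFC 2136 UPDATE: opcode 5, zone section (SOA question), RRs in the Update section."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, len(rrs), 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN) + b"".join(rrs)


def rr_a(owner: str, ttl: int, ip: str) -> bytes:
    rdata = bytes(int(x) for x in ip.split("."))
    return encode_name(owner) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata


def rr_delete_rrset(owner: str, rtype: int) -> bytes:
    """RFC 2136 2.5.2: delete an RRset = class ANY, TTL 0, empty RDATA."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_ANY, 0, 0)


def tsig_variables(key_name: str, time_signed: int, fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """TSIG variables covered by the MAC (RFC 8945 4.3.3): name, class ANY, TTL 0,
    algorithm, 48-bit time, fudge, error, other length, other data."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGORITHM)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_mac(message: bytes, secret: bytes, key_name: str, time_signed: int, fudge: int) -> bytes:
    """Request MAC: HMAC over the unsigned message followed by the TSIG variables."""
    return hmac.new(secret, message + tsig_variables(key_name, time_signed, fudge), hashlib.sha256).digest()


def append_tsig(message: bytes, secret: bytes, key_name: str, time_signed: int, fudge: int = 300) -> bytes:
    """Return the message with a TSIG RR appended to the additional section (ARCOUNT + 1)."""
    mac = tsig_mac(message, secret, key_name, time_signed, fudge)
    msg_id, arcount = struct.unpack("!H", message[:2])[0], struct.unpack("!H", message[10:12])[0]
    rdata = (encode_name(ALGORITHM) + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", msg_id, 0, 0))
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr


def verify_tsig(signed: bytes, secret: bytes, key_name: str, now: int) -> bool:
    """Server-side check: strip the trailing TSIG RR, recompute the MAC over the
    message as it was before signing, compare in constant time, enforce the time
    window. Assumes hmac-sha256 (32-byte MAC) and empty Other Data, as produced above."""
    name, alg = encode_name(key_name), encode_name(ALGORITHM)
    tsig_len = len(name) + 10 + len(alg) + 48
    if len(signed) <= tsig_len:
        return False
    body, rr = signed[:-tsig_len], signed[-tsig_len:]
    if rr[:len(name)] != name or rr[len(name) + 10:len(name) + 10 + len(alg)] != alg:
        return False
    rd = rr[len(name) + 10 + len(alg):]
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", rd[:10])
    time_signed, mac = (hi << 32) | lo, rd[10:10 + mac_len]
    arcount = struct.unpack("!H", body[10:12])[0]
    original = body[:10] + struct.pack("!H", arcount - 1) + body[12:]
    expected = tsig_mac(original, secret, key_name, time_signed, fudge)
    return hmac.compare_digest(mac, expected) and abs(now - time_signed) <= fudge


def knsupdate_key_string(name: str, secret: bytes) -> str:
    """The -y argument format used above: algorithm:name:base64-secret."""
    return f"hmac-sha256:{name.rstrip('.')}:{base64.b64encode(secret).decode()}"


# constructed example message (timestamp is an arbitrary fixed epoch second)
TIME_SIGNED = 1612425123
UPDATE = build_update_message(0x1234, "ddns.haiyun.me.",
                              rr_delete_rrset("1.ddns.haiyun.me.", TYPE_A),
                              rr_a("1.ddns.haiyun.me.", 10, "1.1.1.1"))
SIGNED = append_tsig(UPDATE, KEY_SECRET, KEY_NAME, TIME_SIGNED)

if __name__ == "__main__":
    print(knsupdate_key_string(KEY_NAME, KEY_SECRET))
    print("valid:", verify_tsig(SIGNED, KEY_SECRET, KEY_NAME, TIME_SIGNED + 5))
```

Note what the MAC does and does not give you: it binds the whole message and the timestamp to the key, so a captured update cannot be replayed outside the fudge window or altered, but anyone holding the secret can send any update the ACL allows, which is why the `acl_knsupdate` entry should be limited to `action: update` on this one zone.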

Or change records with knotc:

knotc zone-begin ddns.haiyun.me
knotc zone-set ddns.haiyun.me www 10 A 1.1.1.1
knotc zone-commit ddns.haiyun.me

References:
https://www.knot-dns.cz/docs/2.7/html/reference.html
https://www.knot-dns.cz/docs/2.7/singlehtml/index.html
https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
https://blog.groverchou.com/2020/08/10/Knot-DNS-%E4%BD%BF%E7%94%A8%E6%95%99%E7%A8%8B/

Cross-compiling openssl and smartdns for PandoraBox k2p (mipsel) on Ubuntu

Published: December 16, 2019 // No Comments

Set up the cross-compilation environment using the SDK provided by PandoraBox:

apt install build-essential -y
wget https://downloads.pangubox.com/pandorabox/18.10/targets/ralink/mt7621/PandoraBox-SDK-ralink-mt7621_gcc-5.5.0_uClibc-1.0.x.Linux-x86_64.tar.xz
tar xf PandoraBox-SDK-ralink-mt7621_gcc-5.5.0_uClibc-1.0.x.Linux-x86_64.tar.xz 
mv PandoraBox-SDK-ralink-mt7621_gcc-5.5.0_uClibc-1.0.x.Linux-x86_64 PandoraBox
export STAGING_DIR=/root/PandoraBox/staging_dir/
export PKG_CONFIG_PATH=/root/PandoraBox/staging_dir/target-mipsel_1004kc+dsp_uClibc-1.0.x/usr/lib/pkgconfig/
export PATH=$PATH:/root/PandoraBox/staging_dir/toolchain-mipsel_1004kc+dsp_gcc-5.5.0_uClibc-1.0.x/bin/
export CC=mipsel-openwrt-linux-gcc
export RANLIB=mipsel-openwrt-linux-ranlib
export AR=mipsel-openwrt-linux-ar
export LD=mipsel-openwrt-linux-ld

The OpenSSL bundled with the PandoraBox SDK is 1.1.0; to get TLS 1.3, build and install the latest OpenSSL 1.1.1:

wget https://www.openssl.org/source/openssl-1.1.1d.tar.gz
tar zxvf openssl-1.1.1d.tar.gz
cd openssl-1.1.1d
./config no-asm shared --prefix=/usr/local/openssl-mipsel
# ./config detects the x86_64 build host and adds -m64, which the mipsel toolchain does not accept
sed -i 's/-m64//g' Makefile
make && make install

Build smartdns:

git clone https://github.com/pymumu/smartdns.git
cd smartdns/src/
CFLAGS=-I/usr/local/openssl-mipsel/include/ LDFLAGS=-L/usr/local/openssl-mipsel/lib/ make
#To use the SDK's bundled OpenSSL instead of installing a separate one:
#CFLAGS=-I/root/PandoraBox/staging_dir/target-mipsel_1004kc+dsp_uClibc-1.0.x/usr/include/ LDFLAGS=-L/root/PandoraBox/staging_dir/target-mipsel_1004kc+dsp_uClibc-1.0.x/usr/lib/ make

To link OpenSSL statically, edit the Makefile:

ifeq ($(STATIC), yes)
LDFLAGS += -Wl,-dn -lssl -lcrypto -Wl,-dy -lpthread -ldl -lc -lgcc_eh
#LDFLAGS += -Wl,-dn -lssl -lcrypto -Wl,-dy,--whole-archive -lpthread -Wl,--no-whole-archive -ldl -lc -lgcc_eh

Static build:

STATIC=yes CFLAGS=-I/usr/local/openssl-mipsel/include/ LDFLAGS=-L/usr/local/openssl-mipsel/lib/ make 

If smartdns runs as a non-root user and uses ping for speed tests, it needs cap_net_raw, otherwise it cannot send ICMP echo requests:

#setcap cap_net_raw+eip /usr/local/bin/smartdns
#cap_net_bind_service lets a non-root process bind port 53; ipset support needs cap_net_admin
setcap cap_net_bind_service,cap_net_raw,cap_net_admin=+eip /usr/local/bin/smartdns

Or grant them through systemd instead:

AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
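
Whether `setcap` or the unit file granted exactly these three capabilities and nothing more is best checked on the running process rather than assumed: `/proc/<pid>/status` carries the capability sets as hex bitmasks (`CapEff` is what the process can currently use, `CapBnd` what it could ever regain). The Python below is an added example, not smartdns or systemd code; it decodes those masks with the capability numbers from linux/capability.h and compares the effective set against the intended least-privilege set. The two status excerpts are constructed: one for a correctly confined smartdns and one for a copy accidentally left running as full root.

```python
"""Decode /proc/<pid>/status capability masks and check them against an
expected least-privilege set. Added example; not smartdns or systemd code."""
import re

# Capability numbers from linux/capability.h (CAP_CHECKPOINT_RESTORE = 40 is the
# highest as of Linux 5.9); unknown bits are reported by number.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP",
    32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN", 34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM",
    36: "CAP_BLOCK_SUSPEND", 37: "CAP_AUDIT_READ", 38: "CAP_PERFMON", 39: "CAP_BPF",
    40: "CAP_CHECKPOINT_RESTORE",
}

# What the setcap line / systemd unit in the post is meant to grant.
EXPECTED_SMARTDNS = {"CAP_NET_BIND_SERVICE", "CAP_NET_ADMIN", "CAP_NET_RAW"}

CAP_LINE = re.compile(r"^(CapInh|CapPrm|CapEff|CapBnd|CapAmb):\s*([0-9a-fA-F]+)\s*$")


def decode_cap_mask(hex_mask: str) -> set:
    """Turn a CapXxx hex mask into the set of capability names it contains."""
    mask = int(hex_mask, 16)
    return {CAP_NAMES.get(i, f"CAP_{i}") for i in range(mask.bit_length()) if mask >> i & 1}


def parse_status(status_text: str) -> dict:
    """Extract the five capability sets from the text of /proc/<pid>/status."""
    sets = {}
    for line in status_text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            sets[m.group(1)] = decode_cap_mask(m.group(2))
    return sets


def check_least_privilege(status_text: str, expected: set = EXPECTED_SMARTDNS) -> dict:
    """Compare the effective set with what was intended.

    'ok' requires CapEff == expected. The bounding set is reported separately:
    systemd's CapabilityBoundingSet= narrows it, plain setcap leaves the
    default full bounding set in place, which is not by itself a problem.
    """
    sets = parse_status(status_text)
    eff, bnd = sets.get("CapEff", set()), sets.get("CapBnd", set())
    return {
        "ok": eff == expected,
        "excess_effective": sorted(eff - expected),
        "missing_effective": sorted(expected - eff),
        "excess_bounding": sorted(bnd - expected),
    }


def check_pid(pid: int) -> dict:
    """Run the check against a live process (reads /proc on the local host)."""
    with open(f"/proc/{pid}/status") as f:
        return check_least_privilege(f.read())


# constructed /proc/<pid>/status excerpts (not taken from a real system)
CONFINED = "Name:\tsmartdns\nUid:\t999\t999\t999\t999\nCapInh:\t0000000000000000\n" \
           "CapPrm:\t0000000000003400\nCapEff:\t0000000000003400\n" \
           "CapBnd:\t0000000000003400\nCapAmb:\t0000000000003400\n"
ROOT = "Name:\tsmartdns\nUid:\t0\t0\t0\t0\nCapInh:\t0000000000000000\n" \
       "CapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n" \
       "CapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n"

if __name__ == "__main__":
    print("confined:", check_least_privilege(CONFINED))
    print("root    :", check_least_privilege(ROOT)["ok"], check_least_privilege(ROOT)["excess_effective"][:5])
```

`0x3400` is `(1<<10)|(1<<12)|(1<<13)`, i.e. exactly the three capabilities from the setcap line; on a real host run `check_pid($(pidof smartdns))` after the service has started and treat any non-empty `excess_effective` as a misconfiguration.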

Because statically linking OpenSSL 1.1 makes the binary much larger, if TLS 1.3 is not needed you can instead link dynamically against the SDK's bundled OpenSSL:

CFLAGS=-I/root/PandoraBox/staging_dir/target-mipsel_1004kc+dsp_uClibc-1.0.x/usr/include/ LDFLAGS=-L/root/PandoraBox/staging_dir/target-mipsel_1004kc+dsp_uClibc-1.0.x/usr/lib/ make

References:
https://www.boris1993.com/linux/allow-non-root-process-to-bind-low-numbered-ports.html
