├── .gitattributes ├── .github ├── ISSUE_TEMPLATE │ ├── config.yml │ └── help.yml └── workflows │ ├── docker-latest-schedule.yml │ ├── docker-prebuild-schedule.yml │ └── docker-test-amd64-dev.yml ├── Dockerfile ├── LICENSE ├── README.md ├── build_test.sh ├── docker-compose-qnap.yaml ├── docker-compose.yaml ├── img.jpg ├── local_test.sh ├── prebuild-paopaodns ├── Dockerfile └── build.sh └── src ├── build.sh ├── custom_env.ini ├── custom_mod.yaml ├── data_update.sh ├── debug.sh ├── force_dnscrypt_list.txt ├── force_forward_list.txt ├── force_recurse_list.txt ├── init.sh ├── mosdns.yaml ├── redis.conf ├── reload.sh ├── test.sh ├── ub_trace.sh ├── unbound.conf ├── unbound_custom.conf └── watch_list.sh
/.gitattributes:
--------------------------------------------------------------------------------
# Force LF line endings for every text file in the repo. The shell scripts
# under src/ are copied unchanged into an Alpine image by the Dockerfile, and
# CRLF endings would presumably break them under sh.
text eol=lf
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/config.yml:
--------------------------------------------------------------------------------
# Issue chooser: free-form issues are disabled, so reporters either fill in
# the help.yml form or follow the Discussions link below.
blank_issues_enabled: false
contact_links:
  - name: Share/分享讨论/配置求助
    url: "https://github.com/kkkgo/PaoPaoDNS/discussions?discussions_q="
    about: 分享你的成功配置和其他问题建议
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/help.yml:
--------------------------------------------------------------------------------
# Issue form for support requests ("Help need"); the form body continues on
# the next page line (title, labels and the textarea fields).
name: "Help need"
description: "[请求帮助] 搭建失败?或者没有按照期望的效果?"
title: "[Help] "
labels: "help wanted"
body:
  - type: markdown
    attributes:
      value: "描述越详细越有助于定位和解决问题,请及时提供有效信息的反馈。"

  # Reporter must confirm they ran test.sh, searched existing issues, and are
  # on the current :latest image before the form can be submitted.
  - type: checkboxes
    id: pre-check
    attributes:
      label: "在提交之前,请确认"
      options:
        - label: "我已经尝试执行test.sh并搜索过Issue和discussions和文档,但没有找到相关问题。"
          required: true
        - label: "我正在使用最新的docker镜像版本(可以尝试`docker pull sliamb/paopaodns:latest`后重新创建容器)。"
          required: true

  # Output of test.sh, rendered as a plain-text code block.
  - type: textarea
    id: log1
    attributes:
      label: test.sh脚本自检日志
      description: "在容器内执行`test.sh`"
      render: txt
    validations:
      required: true

  # Output of debug.sh; the description asks reporters to mask the last
  # digit of anything sensitive with "x".
  - type: textarea
    id: log2
    attributes:
      label: debug.sh脚本自检日志
      # NOTE(review): the opening backtick before debug.sh is missing, so the
      # command is not rendered as code (compare the log1 description above).
      description: "在容器内执行debug.sh`,如有敏感信息可以用x代替最后一位"
      render: txt
    validations:
      required: true

  - type: textarea
    id: what-happened
    attributes:
      label: 问题描述和复现步骤
      description: "描述越详细越有助于定位和解决问题。"
      placeholder: "问题描述:"
    validations:
      required: true

--------------------------------------------------------------------------------
/.github/workflows/docker-latest-schedule.yml:
--------------------------------------------------------------------------------
# Builds the repo-root Dockerfile, publishes it as sliamb/paopaodns:latest on
# Docker Hub, then mirrors that tag to Amazon ECR Public. The cron trigger is
# commented out, so this only runs when started by hand (workflow_dispatch).
name: Schedule Latest Build Docker

on:
  # schedule:
  #   - cron: '57 15 * * 4'
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every action in this file is referenced by a mutable
      # major-version tag (@v4, @v3, @v5) rather than a commit SHA, so the
      # code that runs with DOCKERHUB_TOKEN in scope can change without any
      # commit to this repository.
      - name: Checkout code
        uses: actions/checkout@v4
      - name: build check
        run: bash build_test.sh
      # Strips the "#actions " prefix in the Dockerfile, turning its
      # "#actions COPY build_test_ok /" line into a live COPY; the rebuild
      # below then fails unless that file exists (presumably written by
      # build_test.sh, which is not shown on this page).
      - name: set check flag
        run: sed -i "s/#actions //g" Dockerfile
      - name: build again test
        run: docker build --no-cache -t ppdns .
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      # Multi-arch build; DEVLOG_SW feeds the Dockerfile's "ARG DEVLOG_SW",
      # which it exports as ENV DEVLOG in the image.
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          push: true
          platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x
          tags: sliamb/paopaodns:latest
          build-args:
            DEVLOG_SW=no
  # Mirrors the tag just pushed by "build" to ECR Public. The copy is by tag,
  # not by the digest the build job produced, so it mirrors whatever :latest
  # resolves to at the moment skopeo runs.
  push-ecr:
    needs: build
    runs-on: ubuntu-latest
    # Unpinned alpine:edge container; skopeo and aws-cli are installed from
    # the edge repositories at run time, so neither image nor tool versions
    # are fixed.
    container: alpine:edge
    steps:
      # NOTE(review): long-lived static AWS access keys stored as repository
      # secrets. This action also supports assuming a role via GitHub's OIDC
      # token (role-to-assume), which needs no stored key.
      - name: "Configure AWS Credentials"
        uses: aws-actions/configure-aws-credentials@v4.0.2
        with:
          aws-region: us-east-1
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      - name: install skopeo and aws-cli
        run: apk update && apk upgrade && apk add skopeo aws-cli
      - name: login ecr
        run: aws ecr-public get-login-password --region us-east-1 | skopeo login --username AWS --password-stdin public.ecr.aws
      - name: push ecr
        run: skopeo copy --all docker://sliamb/paopaodns:latest docker://public.ecr.aws/sliamb/paopaodns:latest
--------------------------------------------------------------------------------
/.github/workflows/docker-prebuild-schedule.yml:
--------------------------------------------------------------------------------
# Weekly build (Wednesday 01:00, GitHub cron is UTC) of the prebuild-paopaodns/
# subdirectory. The resulting image is what the main Dockerfile later pulls
# with "COPY --from=sliamb/prebuild-paopaodns", so this job is upstream of
# every release build.
name: Schedule Prebuild Docker

on:
  schedule:
    - cron: '00 01 * * 3'
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      # No checkout step: build-push-action reads the Git context directly
      # and builds the prebuild-paopaodns subdirectory.
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          push: true
          context: "{{defaultContext}}:prebuild-paopaodns"
          platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x
          tags: sliamb/prebuild-paopaodns:latest

--------------------------------------------------------------------------------
/.github/workflows/docker-test-amd64-dev.yml:
--------------------------------------------------------------------------------
# Builds and publishes sliamb/paopaodns:dev on every push to any branch (no
# branch filter, only a paths-ignore list), then mirrors it to ECR Public.
# Despite the name, the platforms list covers five architectures.
name: Test build AMD64 dev
on:
  push:
    paths-ignore:
      - 'README.md'
      - '.github/**'
      - 'LICENSE'
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      # Unlike docker-latest-schedule.yml, there is no build_test.sh gate
      # before publishing; DEVLOG_SW=yes enables the dev logging ARG.
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          push: true
          platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8
          tags: sliamb/paopaodns:dev
          build-args:
            DEVLOG_SW=yes
  # Same mirroring job as in docker-latest-schedule.yml (unpinned alpine:edge
  # container, static AWS keys, copy by tag), targeting the :dev tag.
  push-ecr:
    needs: build
    runs-on: ubuntu-latest
    container: alpine:edge
    steps:
      - name: "Configure AWS Credentials"
        uses: aws-actions/configure-aws-credentials@v4.0.2
        with:
          aws-region: us-east-1
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      - name: install skopeo and aws-cli
        run: apk update && apk upgrade && apk add skopeo aws-cli
      - name: login ecr
        run: aws ecr-public get-login-password --region us-east-1 | skopeo login --username AWS --password-stdin public.ecr.aws
      - name: push ecr
        run: skopeo copy --all docker://sliamb/paopaodns:dev
docker://public.ecr.aws/sliamb/paopaodns:dev
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# Two-stage build.
#   builder : assembles /src from the prebuilt sliamb/prebuild-paopaodns image
#             plus this repo's src/, runs build.sh, and fails the build if any
#             expected artifact or binary is missing.
#   runtime : copies /src into /usr/sbin, installs runtime packages, and
#             starts init.sh.
# NOTE(review): both stages use the moving alpine:edge tag with no digest
# pin, so two builds of the same commit can contain different package
# versions.
FROM alpine:edge AS builder
RUN apk update && \
    apk upgrade --no-cache
# Disabled in normal builds. docker-latest-schedule.yml removes the
# "#actions " prefix with sed before its second build, which then requires a
# build_test_ok file (presumably produced by build_test.sh) to exist.
#actions COPY build_test_ok /
# NOTE(review): pulls /src from the prebuild image by bare name, i.e.
# whatever its :latest tag currently points to on Docker Hub (no tag or
# digest pin). build.sh and the mosdns/unbound/redis binaries checked below
# originate from that image, so its contents are part of this image's
# trust base.
COPY --from=sliamb/prebuild-paopaodns /src/ /src/
# Files from this repository overlay the prebuilt /src.
COPY src/ /src/
RUN sh /src/build.sh
# build file check
# Every cp exits non-zero, and so aborts the build, if build.sh did not leave
# the expected artifact behind; the copies placed in /tmp appear unused
# afterwards. The *.minisig files are detached signatures for the dnscrypt
# resolver/relay lists. force_forward_list.txt, which is present in src/,
# is not checked here.
RUN cp /src/Country-only-cn-private.mmdb.xz /tmp/ &&\
    cp /src/global_mark.dat /tmp/ &&\
    cp /src/data_update.sh /tmp/ &&\
    cp /src/dnscrypt-resolvers/public-resolvers.md /tmp/ &&\
    cp /src/dnscrypt-resolvers/public-resolvers.md.minisig /tmp/ &&\
    cp /src/dnscrypt-resolvers/relays.md /tmp/ &&\
    cp /src/dnscrypt-resolvers/relays.md.minisig /tmp/ &&\
    cp /src/dnscrypt.toml /tmp/ &&\
    cp /src/force_recurse_list.txt /tmp/ &&\
    cp /src/force_dnscrypt_list.txt /tmp/ &&\
    cp /src/init.sh /tmp/ &&\
    cp /src/mosdns /tmp/ &&\
    cp /src/mosdns.yaml /tmp/ &&\
    cp /src/named.cache /tmp/ &&\
    cp /src/redis.conf /tmp/ &&\
    cp /src/repositories /tmp/ &&\
    cp /src/unbound /tmp/ &&\
    cp /src/unbound-checkconf /tmp/ &&\
    cp /src/unbound.conf /tmp/ &&\
    cp /src/unbound_custom.conf /tmp/ &&\
    cp /src/custom_mod.yaml /tmp/ &&\
    cp /src/custom_env.ini /tmp/ &&\
    cp /src/trackerslist.txt.xz /tmp/ &&\
    cp /src/watch_list.sh /tmp/ &&\
    cp /src/redis-server /tmp/
# build binary check
# Shared libraries needed to execute the built binaries inside the builder.
RUN apk add --no-cache hiredis libevent libgcc && apk upgrade --no-cache
# Each line runs a freshly built binary and greps its version output for an
# expected marker. On success it only writes a marker file under /; on a
# miss the else branch tries to cp a file that was never created, so cp
# fails and the build aborts.
RUN if /src/mosdns version|grep kkkgo;then echo mosdns_check > /mosdns_check;else cp /mosdns_check /tmp/;fi
RUN if /src/unbound -V|grep libhiredis;then echo unbound_check > /unbound_check;else cp /unbound_check /tmp/;fi
RUN if /src/redis-server -v|grep build;then echo redis_check > /redis_check;else cp /redis_check /tmp/;fi

FROM alpine:edge
# Everything under /src in the builder (binaries, configs, scripts, data
# files) lands in /usr/sbin of the runtime image.
COPY --from=builder /src/ /usr/sbin/
# Runtime packages, then relocate two files out of /usr/sbin:
#  - named.cache -> /etc/unbound/named.cache (root hints for unbound,
#    presumably).
#  - repositories -> /etc/apk/repositories. NOTE(review): this replaces the
#    image's apk repository list with one produced by the build; anything
#    that runs apk inside the container later trusts those mirrors, so the
#    file's contents deserve review.
# "adduser -D -H unbound" creates an unprivileged account, but no USER
# instruction follows, so CMD still starts as root; any privilege drop has
# to happen in init.sh / unbound.conf, which are not visible on this page.
RUN apk update && \
    apk upgrade --no-cache && \
    apk add --no-cache ca-certificates dcron tzdata hiredis libevent dnscrypt-proxy inotify-tools bind-tools libgcc xz && \
    mkdir -p /etc/unbound && \
    mv /usr/sbin/named.cache /etc/unbound/named.cache && \
    adduser -D -H unbound && \
    mv /usr/sbin/repositories /etc/apk/repositories && \
    rm -rf /var/cache/apk/* 
# Supplied by the workflows as build-arg DEVLOG_SW (no in the :latest build,
# yes in the :dev build) and exported as DEVLOG below.
ARG DEVLOG_SW
# Runtime configuration knobs, presumably read by init.sh (not shown here).
# These are the image defaults; "IP:PORT" and "none" look like "unset"
# placeholders rather than usable values.
ENV TZ=Asia/Shanghai \
    DEVLOG=$DEVLOG_SW \
    UPDATE=weekly \
    DNS_SERVERNAME=PaoPaoDNS,blog.03k.org \
    DNSPORT=53 \
    CNAUTO=yes \
    CNFALL=yes \
    CN_TRACKER=yes \
    USE_HOSTS=no \
    IPV6=no \
    SOCKS5=IP:PORT \
    SERVER_IP=none \
    CUSTOM_FORWARD=IP:PORT \
    CUSTOM_FORWARD_TTL=0 \
    AUTO_FORWARD=no \
    AUTO_FORWARD_CHECK=yes \
    USE_MARK_DATA=yes \
    RULES_TTL=0 \
    HTTP_FILE=no \
    QUERY_TIME=2000ms \
    ADDINFO=no \
    SHUFFLE=no \
    EXPIRED_FLUSH=yes
VOLUME /data
WORKDIR /data
# 53 matches DNSPORT above; what listens on 5304 and 7889 is configured in
# the src/ files, which are not visible on this page.
EXPOSE 53/udp 53/tcp 5304/udp 5304/tcp 7889/tcp
# Shell-form CMD: init.sh is started via /bin/sh -c rather than directly as
# PID 1.
CMD /usr/sbin/init.sh
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Copyright (C) 2007 Free Software Foundation, Inc.
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

The GNU General Public License is a free, copyleft license for
software and other kinds of works.

The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users.
We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 
49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. 
The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 
122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 
155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 
186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. 
This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 
256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 
287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 
317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. 
If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 
386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 
421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. 
If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 
486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 
512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. 
If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 
578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 
613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | <one line to give the program's name and a brief idea of what it does.> 635 | Copyright (C) <year>  <name of author> 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see <https://www.gnu.org/licenses/>. 649 | 650 | Also add information on how to contact you by electronic and paper mail. 
651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | <program>  Copyright (C) <year>  <name of author> 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | <https://www.gnu.org/licenses/>. 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | <https://www.gnu.org/licenses/why-not-lgpl.html>. 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # PaoPao DNS docker 2 | ![PaoPaoDNS](img.jpg) 3 | ![pull](https://img.shields.io/docker/pulls/sliamb/paopaodns.svg) ![size](https://img.shields.io/docker/image-size/sliamb/paopaodns) 4 | ![Docker Platforms](https://img.shields.io/badge/platforms-linux%2F386%20%7C%20linux%2Famd64%20%7C%20linux%2Farm%2Fv6%20%7C%20linux%2Farm%2Fv7%20%7C%20linux%2Farm64%2Fv8%20%7C%20linux%2Fppc64le%20%7C%20%20linux%2Fs390x-blue) 5 | 泡泡DNS是一个能一键部署递归DNS的docker镜像,它使用了unbound作为递归服务器程序,使用Redis作为底层缓存,此外针对China大陆,还有智能根据CN分流加密查询的功能,也可以自定义分流列表,可以自动更新IP库,分流使用了mosdns程序,加密查询使用dnscrypt程序,针对IPv4/IPv6双栈用户也有优化处理。 6 | 泡泡DNS适合的使用场景: 7 | - 场景一:仅作为一个纯粹准确的递归DNS服务器,作为你其他DNS服务程序的上游,替代`114.114.114.114`,`8.8.8.8`等公共DNS上游 8 | - 场景二:作为一个局域网内具备CN智能分流、解决污染问题和IPv6双栈优化的DNS服务器,或者你的局域网已经从IP层面解决了“科学”的问题,需要一个能智能分流的DNS服务器。 9 | ##### 如果对你有帮助,欢迎点`Star`,如果需要关注更新,可以点`Watch`。 10 | 11 | ## [→详细说明《为啥需要递归DNS》/运行逻辑](https://blog.03k.org/post/paopaodns.html) 12 | ## [更新日志](https://github.com/kkkgo/PaoPaoDNS/discussions/categories/%E6%9B%B4%E6%96%B0%E6%97%A5%E5%BF%97) 13 | ## 使用方法 14 | 简单来说,你可以运行: 15 | ```shell 16 | #拉取最新的docker镜像 17 | docker pull sliamb/paopaodns:latest 18 | #假设你的数据要放在/home/mydata 19 | docker run -d \ 20 | --name paopaodns \ 21 | -v /home/mydata:/data \ 22 | -e CNAUTO=yes \ 23 | --restart always \ 24 | -p 53:53/tcp -p 53:53/udp \ 25 | sliamb/paopaodns 26 | ``` 27 | 如果你需要容器运行在同一个局域网段而不是单独映射端口,除了一些NAS有现成的界面点点点,原生docker你可以考虑使用macvlan如下的配置(假设你的网络是192.168.1.0/24): 28 | ```shell 29 | # 启用eth0网卡混杂模式 30 | ip link set eth0 promisc on 31 | # 创建macvlan网络 32 | docker network create -d macvlan --subnet=192.168.1.0/24 --gateway=192.168.1.1 -o parent=eth0 macvlan_eth0 33 | #拉取最新的docker镜像 34 | docker pull sliamb/paopaodns:latest 35 | # 运行容器并指定IP 36 | docker run -d \ 37 | --name paopaodns \ 38 | -v /home/mydata:/data \ 39 | -e CNAUTO=yes \ 40 | 
--restart always \ 41 | --network macvlan_eth0 --ip 192.168.1.8 \ 42 | sliamb/paopaodns 43 | ``` 44 | ***如果你的网络端口没有冲突,也可以考虑使用docker host网络模式以获得最佳性能。*** 45 | *如条件允许建议使用**docker compose**部署* 46 | 如果你的网络环境访问Docker Hub镜像有困难,***可以尝试使用public.ecr.aws镜像:*** 47 | - 示例: `docker pull public.ecr.aws/sliamb/paopaodns` 48 | - 示例: `docker run -d public.ecr.aws/sliamb/paopaodns` 49 | 50 | 51 | 验证你的递归DNS正常运行(假设你的容器IP是192.168.1.8),可以执行以下命令: 52 | ```cmd 53 | >nslookup -type=TXT whoami.ds.akahelp.net 192.168.1.8 54 | 服务器: PaoPaoDNS,blog.03k.org 55 | Address: 192.168.1.8 56 | 57 | 非权威应答: 58 | whoami.ds.akahelp.net text = 59 | 60 | "ns" 61 | "116.31.123.234" #连接权威DNS服务器的IP=你的宽带IP 62 | Linux可使用dig命令: 63 | dig whoami.ds.akahelp.net @192.168.1.8 txt -p53 64 | ``` 65 | 或者,你可以使用03k.org的服务: 66 | ```cmd 67 | >nslookup whoami.03k.org 192.168.1.8 68 | 服务器: PaoPaoDNS,blog.03k.org 69 | Address: 192.168.1.8 70 | 71 | 非权威应答: 72 | 名称: whoami.03k.org 73 | Address: 116.31.123.234 #连接权威DNS服务器的IP=你的宽带IP 74 | ``` 75 | 如果返回的IP和你宽带的出口IP一致的话,说明你的递归DNS服务正常运作了。 76 | 77 | ***搭建完请简单验证所有DNS组件是否工作正常:*** 78 | ```shell 79 | # 在容器内执行 test.sh 80 | docker exec paopaodns test.sh 81 | # 如果执行后输出 ALL TEST PASS,则所有组件都工作正常。 82 | # 如果显示 FAIL,可以执行 debug.sh 进一步分析原因。 83 | ``` 84 | 同时你可以查阅[更新日志](https://github.com/kkkgo/PaoPaoDNS/discussions/categories/%E6%9B%B4%E6%96%B0%E6%97%A5%E5%BF%97)的最新版本公告时间,检查输出的镜像版本时间是否大于等于当前最新版本。 85 | 需要注意的是,如果你的网络有“自动分流IP”的功能,请把容器的IP加入不分流的名单,因为权威DNS需要准确的IP去判断,IP分流会影响权威DNS的判断。此外,一些软路由存在劫持DNS请求的情况,解决办法参见[这个issue](https://github.com/kkkgo/PaoPaoDNS/issues/2#issuecomment-1504708367)。 86 | ***[DNS hijack]DNS劫持算是经常问的高频问题了,[请参考](https://github.com/kkkgo/PaoPaoDNS/discussions/111#discussioncomment-8872824)*** 87 | 88 | ## 参数说明 89 | 环境变量参数如下: 90 | 环境变量|默认值|可用值| 91 | -|-|-| 92 | CNAUTO|`yes`|`yes`,`no`| 93 | DNSPORT|`53`|端口值| 94 | DNS_SERVERNAME|`PaoPaoDNS,blog.03k.org`|不含空格的英文字符串| 95 | SERVER_IP|空,非必须。|IP地址,如`10.10.10.8`| 96 | SOCKS5|空,非必须。|如:`10.10.10.8:7890`| 97 | TZ|`Asia/Shanghai`|tzdata时区值| 98 | 
UPDATE|`weekly`|`no`,`daily`,`weekly`,`monthly`| 99 | IPV6|`no`|`no`,`yes`,`only6`,`yes_only6`,`raw`| 100 | CNFALL|`yes`|`no`,`yes`| 101 | EXPIRED_FLUSH|`yes`|`no`,`yes`| 102 | CUSTOM_FORWARD|空,可选功能|`IP:PORT`,如`10.10.10.3:53`| 103 | CUSTOM_FORWARD_TTL|`0`|`1-604800`| 104 | AUTO_FORWARD|`no`|`no`,`yes`| 105 | AUTO_FORWARD_CHECK|`yes`|`no`,`yes`| 106 | USE_MARK_DATA|`yes`|`no`,`yes`| 107 | RULES_TTL|`0`|`1-604800`| 108 | CN_TRACKER|`yes`|`no`,`yes`| 109 | USE_HOSTS|`no`|`no`,`yes`| 110 | HTTP_FILE|`no`|`no`,`yes`| 111 | SAFEMODE|`no`|`no`,`yes`| 112 | ADDINFO|`no`|`no`,`yes`| 113 | SHUFFLE|`no`|`no`,`yes`,`lite`,`trnc`| 114 | QUERY_TIME|`2000ms`|`time.Duration`| 115 | 116 | 用途说明: 117 | - CNAUTO:是否开启CN大陆智能分流,如果位于境外可配置为no。当`CNAUTO=no`时,除递归以外的功能(包括规则/列表等)将不会工作。 118 | - DNSPORT:设置DNS服务器端口,仅在CNAUTO=no时生效 119 | - DNS_SERVERNAME:DNS的服务器名称,你使用windows的nslookup的时候会看到它。 120 | - SERVER_IP:指定DNS服务器的外部IP。假设你的DNS容器是宿主`10.10.10.4`映射出来的端口而不是独立的IP,设置该项为`10.10.10.4`可以让你看到正确的`DNS_SERVERNAME`。同时会设定域名`paopao.dns`指向该IP地址`10.10.10.4`,可配合其他服务使用。 121 | - SOCKS5:为分流非CN IP的域名优先使用SOCKS5查询(如`10.10.10.8:7890`,强制使用socks5查询则加上@,比如`@10.10.10.8:7890`),但没有也能查,非必须项。仅在CNAUTO=yes时生效。SOCKS5初始化会有大概3分钟的延迟连接测试过程,期间的解析结果并非最优延迟。 122 | - TZ: 设置系统的运行时区,仅影响输出日志不影响程序运行 123 | - UPDATE: 检查更新根域数据和GEOIP数据的频率,no不检查,其中GEOIP更新仅在CNAUTO=yes时生效。注意:`daily`,`weekly`,`monthly`分别为alpine默认定义的每天凌晨2点、每周6凌晨3点、每月1号凌晨5点。更新数据后会瞬间完成重载。 124 | - IPV6: 仅在CNAUTO=yes时生效,是否返回IPv6的解析结果,默认为no,如果没有IPv6环境,选择no可以节省内存。设置为yes返回IPv6的查询(为分流优化,非大陆双栈域名仅返回A记录)。如果设置为`only6`,则只对IPv6 only的域名返回IPv6结果。如果设置为`yes_only6`,则对大陆域名返回IPv6的解析结果(相当于`yes`),对非大陆域名只对IPv6 only的域名返回IPv6结果(相当于`only6`)。如果设置为`raw`,则不对IPv6结果做任何处理,直接返回原始记录。 125 | - CNFALL: 仅在CNAUTO=yes时生效,在遇到本地递归网络质量较差的时候,递归查询是否回退到转发查询,默认为yes。配置为no可以保证更实时准确的解析,但要求网络质量稳定(尽量减少nat的层数),推荐部署在具备公网IP的一级路由下的时候设置为no; 配置为yes可以兼顾解析质量和网络质量的平衡,保证长期总体的准确解析的同时兼顾短时间内网络超时的回退处理。 126 | - EXPIRED_FLUSH: 
该选项为`yes`,且在`CNAUTO`、`CNFALL`为`yes`时生效。该选项默认值为`yes`。当开启该选项时,将会主动监测递归结果中出现的乐观缓存,在乐观缓存返回数秒后检查是否成功递归刷新了新的解析结果,如果递归失败(由两次ttl记录差值对比),将会主动回收清除该缓存。开启该选项可以有效避免乐观缓存因网络连接性不稳定而一直滞留过期记录的问题,提高DNS解析结果的实时性。 127 | - CUSTOM_FORWARD: 仅在CNAUTO=yes时生效,将`force_forward_list.txt`内的域名列表转发到`CUSTOM_FORWARD`DNS服务器。该功能可以配合第三方旁网关的fakeip,域名嗅探sniffing等特性完成简单的域名分流效果。 128 | - CUSTOM_FORWARD_TTL:该项设置的值大于0的时候生效,设定CUSTOM_FORWARD的ttl的最小值。 129 | - AUTO_FORWARD:仅在CNAUTO=yes时生效,配合`CUSTOM_FORWARD`功能使用,默认值为no,当设置为yes的时候,解析非CN大陆IP的域名将会直接转发到`CUSTOM_FORWARD`。 130 | - AUTO_FORWARD_CHECK:在`AUTO_FORWARD=yes`时,转发前是否检查域名是否有效,避免产生无效查询。默认值为yes,设置为no则不检查。 131 | - USE_MARK_DATA:该项默认值为yes,当设置为yes的时候,将会自动更新下载预先标记处理的全球百万域名库,在判断大陆分流的时候优先使用该数据,该功能仅标记数据,后续如何处理取决你的设置(比如默认分流或者自动转发)。域名数据库来源于`paopao-pref`项目定期更新。该功能: 132 | - 优点:可以优化DNS泄漏问题、提供更快速精准高效的分流 133 | - 缺点:会占用更多内存 134 | - RULES_TTL:该项设置的值大于0的时候生效,将`/data/force_ttl_rules.txt`里面指定的域名转发到指定的DNS服务器,并修改其TTL值为`RULES_TTL`。该功能仅对A记录和AAAA记录生效,其他记录请参考*进阶自定义示例*一节。该功能可以适用于多种场景,比如想实现在异地的网络访问回家的DDNS域名的结果更实时一点,你可以把`RULES_TTL`设置为一个较低的值,然后把你的DDNS域名指定转发到对应的权威DNS服务器(也就是whois信息的NS服务器对应的IP地址,注意不要CNAME嵌套)即可。`force_ttl_rules`的规则格式为域名@服务器:端口,以下都是合法的格式: 135 | ```yaml 136 | # whois info 03k.org: 137 | # Name Servers: 138 | # cold.dnspod.net(129.211.176.224) 139 | # sunfish.dnspod.net(112.80.181.45) 140 | 141 | cncheck.03k.org@129.211.176.224 142 | cncheck.03k.org@129.211.176.224:53 143 | cncheck.03k.org@129.211.176.224,112.80.181.45 144 | cncheck.03k.org@129.211.176.224:53,112.80.181.45:53 145 | cncheck.03k.org@129.211.176.224,112.80.181.45:53 146 | 147 | # 注意,在该示例中,cncheck.03k.org和其子域名比如www.cncheck.03k.org都会被转发。 148 | ``` 149 | 此外,`RULES_TTL`功能也可以直接指定某个域名的A记录或者AAAA记录,或者“CNAME”到另一个域名。格式使用域名@@记录或者域名@@@记录,以下都是合法的格式: 150 | ```yaml 151 | # 重定向www.qq.com 152 | www.qq.com@@1.2.3.4 153 | www.qq.com@@5.6.7.8 #可以指定多项记录 154 | www.qq.com@@2404:6800:4008:c06::99 155 | 156 | # CNAME www.qq.com 到qq.03k.org 157 | www.qq.com@@qq.03k.org 158 | 159 | # 注意,使用@@为子域名匹配,上述示例会匹配*.www.qq.com和www.qq.com 160 | 161 | # 
如果需要精确匹配,可以使用@@@: 162 | www.qq.com@@@1.2.3.4 163 | www.qq.com@@@2404:6800:4008:c06::99 164 | www.qq.com@@@qq.03k.org 165 | 166 | # 使用通配符匹配(同样适用于CNAME): 167 | # 注意,这不是正则匹配,参考[更新日志](https://github.com/kkkgo/PaoPaoDNS/discussions/187) 168 | k8s.*.qq.com@@1.2.3.4 # k8s.xxx.qq.com和k8s.aaa.xxx.xxx.com都会被匹配 169 | dl[0-8].qq.com@@1.2.3.4 # dl8.qq.com会被匹配,dl9.qq.com不会被匹配,dl88.qq.com不会被匹配 170 | ftp[a-c].qq.com@@1.2.3.4 # ftpc.qq.com会被匹配,ftpd.qq.com不会被匹配 171 | dl[0-8][2-4][x-z].qq.com@@1.2.3.4 # dl84z.qq.com会被匹配,dl11x.qq.com不会被匹配,dl23t.qq.com不会被匹配 172 | ``` 173 | 174 | - CN_TRACKER:仅在CNAUTO=yes时生效,默认值为yes,当设置为yes的时候,强制`trackerslist.txt`里面tracker的域名走dnscrypt解析。更新数据的时候会自动下载最新的trackerlist。该功能在一些场景比较有用,比如`AUTO_FORWARD`配合fakeip的时候可以避免使用fakeip连接tracker。 175 | - USE_HOSTS: 当设置为yes的时候,在启动时读取容器/etc/hosts文件。可以配合docker的`--add-host`或者docker compose的`extra_hosts`使用。仅在CNAUTO=yes时生效。 176 | - HTTP_FILE: 当设置为yes的时候,会启动一个7889端口的http静态文件服务器映射`/data`目录。你可以利用此功能与其他服务程序共享文件配置。注意:该端口会公开`/data`目录中的全部文件(包括缓存数据和你的自定义配置),请只在可信的内网中映射该端口,不要暴露到不受信任的网络。 177 | - SAFEMODE: 安全模式,仅作调试使用,内存环境存在问题无法正常启动的时候尝试启用。 178 | - ADDINFO: 默认为`no`,设置为`yes`时,在DNS查询结果中增加`ADDITIONAL SECTION`的调试信息,如结果来源、查询延迟、失败原因等,使用dig命令就可以实时追踪域名结果来源,详情参考更新日志( https://github.com/kkkgo/PaoPaoDNS/discussions/61 )。该功能仅对`CNAUTO=yes`生效。 179 | - SHUFFLE 默认为`no`,设置为`yes`时,对解析的结果进行洗牌实现`Round-robin DNS`(注:SHUFFLE功能是对每次查询都进行洗牌输出。即使设置为no,在DNS的ttl过期后重新提供的DNS记录本身是经过unbound洗牌过的)。当设置为`lite`,返回精简的仅与请求类型匹配的回应,参考更新日志( https://github.com/kkkgo/PaoPaoDNS/discussions/108 );当设置为`trnc`,在`lite`选项的基础之上,如果返回的记录大于3个,则每次洗牌完成后仅在ttl有效期内输出3个随机记录,参考更新日志( https://github.com/kkkgo/PaoPaoDNS/discussions/109 ) 180 | - QUERY_TIME:限制DNS转发最大时间,仅作调试使用,随意更改此值会导致你查不到DNS结果。 181 | 182 | 可映射TCP/UDP|端口用途 183 | |-|-| 184 | 53|提供DNS服务的端口,在CNAUTO=no时数据直接来自unbound,CNAUTO=yes时数据来自mosdns 185 | 5301|在CNAUTO=yes时,递归unbound的端口,可用于dig调试 186 | 5302|在CNAUTO=yes时,原生dnscrypt服务端口,可用于dig调试 187 | 5303|在CNAUTO=yes时并设置了SOCKS5时,走SOCKS5的dnscrypt服务端口,可用于dig调试 188 | 5304|在CNAUTO=yes时,dnscrypt的底层unbound实例缓存,可用于dig调试或者fakeip网关的上游 189 | 7889|HTTP_FILE=yes时,http静态文件服务器端口 190 | 191 | 
挂载共享文件夹`/data`目录文件说明:存放redis数据、IP库、各种配置文件,在该目录中修改配置文件会覆盖脚本参数,如果你不清楚配置项的作用,**请不要删除任何注释**。如果修改任何配置出现了异常,把配置文件删除,重启容器即可生成默认文件。 192 | 注:[群晖等挂载权限问题参考](https://github.com/kkkgo/PaoPaoDNS/discussions/52) 193 | - `redis.conf`:redis服务器配置模板文件,修改它将会覆盖redis运行参数。除了调试用途,一般强烈建议不修改它。容器版本更新将会覆盖该文件。 194 | - `redis_dns_v2.rdb`:redis的缓存文件,容器重启后靠它读取DNS缓存。刚开始使用的时候因为递归DNS有一个积累的过程,一开始查询会比较慢(设置了CNFALL=no的话,如果CNFALL=yes查询速度不会低于公共DNS),等到这个文件体积起来了就很流畅了。容器版本更新不会覆盖该文件。 195 | 注意:redis_dns_v2.rdb文件生成需要累积达到redis的最低持久化要求,取决于`redis.conf`的配置,默认最低2小时后才会进行一次持久化操作。如果你升级容器的镜像,可以删除其他所有配置文件而保留这个rdb文件。 196 | - `unbound.conf`:Unbound递归DNS的配置模板文件,除了调试用途,一般不要修改它。容器版本更新将会覆盖该文件。 197 | - `unbound_custom.conf`:Unbound的自定义配置文件,里面内置了一些高级自定义的示例。容器版本更新不会覆盖该文件。 198 | **以下文件仅在开启CNAUTO功能时出现:** 199 | - `dnscrypt-resolvers`文件夹:储存dnscrypt服务器信息和签名,自动动态更新。容器版本更新将会覆盖该文件。 200 | - `Country-only-cn-private.mmdb`:CN IP数据库,自动更新将会覆盖此文件。容器版本更新将会覆盖该文件。 201 | - `global_mark.dat`:`USE_MARK_DATA`功能的数据库,自动更新将会覆盖此文件。容器版本更新将会覆盖该文件。 202 | - `dnscrypt.toml`:dnscrypt配置模板文件,修改它将会覆盖dnscrypt运行参数。除了调试用途,一般不修改它。容器版本更新将会覆盖该文件。 203 | - `force_forward_list.txt`: 仅在配置`CUSTOM_FORWARD`有效值时生效,强制转发到`CUSTOM_FORWARD`DNS服务器的域名列表,容器版本更新不会覆盖该文件。一行一条,语法规则如下: 204 | 以`domain:`开头域匹配: `domain:03k.org`会匹配自身`03k.org`,以及其子域名`www.03k.org`, `blog.03k.org`等。 205 | 以`full:`开头,完整匹配,`full:03k.org` 只会匹配自身。完整匹配优先级更高。 206 | 以`regexp:`开头,正则匹配,如`regexp:.+\.03k\.org$`。[Go标准正则](https://github.com/google/re2/wiki/Syntax)。 207 | 以`keyword:`开头匹配域名关键字,如以`keyword: 03k.org`会匹配到`www.03k.org.cn` 208 | 尽量避免使用`regexp/keyword`,它们会消耗更多资源。域名表达式省略前缀则为`domain:`。同一文本内匹配优先级:`full > domain > regexp > keyword` 209 | - `force_dnscrypt_list.txt`:强制使用dnscrypt加密查询结果的域名列表,匹配规则同上。容器版本更新不会覆盖该文件。 210 | - `force_recurse_list.txt`:强制使用本地递归服务器查询的域名列表,*一般不会用到该list,强制递归的域名不会被生效CNFALL功能*,匹配规则同上。容器版本更新不会覆盖该文件。 211 | - `force_ttl_rules.txt`: 参见`RULES_TTL`功能。修改将实时重载生效。容器版本更新不会覆盖该文件。 212 | - 修改`force_forward_list.txt`或`force_dnscrypt_list.txt`或`force_recurse_list.txt`或`force_ttl_rules.txt`将会实时重载生效。 213 | - 
文本匹配优先级`(custom_mod功能seq: top)`>`force_forward_list` > `force_dnscrypt_list` > `force_recurse_list` > `force_ttl_rules`>`(custom_mod功能seq: list)`>`其他自动分流逻辑`。 214 | - **注意事项**:由于跨平台系统差异,不建议使用Windows自带记事本编辑。如果list出现了问题无法读取或者无法生效,可以直接删除list文件,重启容器会自动重建默认的list。如果你想解析的域名位于境外,并且没有境内CDN,而你又想获取原始记录(与`force_forward_list.txt`或者使用`AUTO_FORWARD`功能获取到的解析记录区分开),那么你应该把域名加进`force_dnscrypt_list.txt`而不是`force_recurse_list.txt`,因为基于个人网络环境差异,递归服务器位于境外的域名存在递归失败的可能。*`force_recurse_list.txt`的应用场景一般应仅限于特殊域名递归调试,大部分场景都不适用于`force_recurse_list.txt`。* 此外,你可以根据`文本匹配优先级`灵活设置同一个域名子域名走不同的list。([参考](https://github.com/kkkgo/PaoPaoDNS/discussions/122) )。 215 | - `trackerslist.txt`:bt tracker列表文件,开启`CN_TRACKER`功能会出现,会增量自动更新,[更新数据来源](https://github.com/kkkgo/all-tracker-list) ,你也可以添加自己的tracker到这个文件(或者向[该项目](https://github.com/kkkgo/all-tracker-list)提交),更新的时候会自动合并。修改将实时重载生效。容器版本更新不会覆盖该文件。 216 | - `custom_cn_mark.txt`: 在`USE_MARK_DATA`功能设置为`yes`的情况下,可以在`/data/custom_cn_mark.txt`中额外定义标记为`CN`的域名。填写格式与其他 `force_*_list.txt`一致。参考 https://github.com/kkkgo/PaoPaoDNS/discussions/122 。有限的使用场景:当域名被`USE_MARK_DATA`或者被IP库认定为非`CN`域名但你希望把他当成`CN`域名处理的时候。 参考[更新日志](https://github.com/kkkgo/PaoPaoDNS/discussions/187)。 217 | - `mosdns.yaml`:mosdns的配置模板文件,修改它将会覆盖mosdns运行参数。除了调试用途,一般强烈建议不修改它。容器版本更新将会覆盖该文件。 218 | - `custom_env.ini`可以自定义环境变量,会覆盖容器启动时的环境变量。在容器启动后修改该文件将会导致MosDNS重载,但在容器启动后修改的环境变量不会影响已经启动的其他组件。配置的格式为`key="value"`(注意英文双引号),错误格式的环境变量将会被忽略加载。容器版本更新不会覆盖该文件。 219 | - `custom_mod.yaml`可以自定义一些高级功能,参见下面的`custom_mod.yaml`文件说明。错误的配置可能导致服务运行异常。需要重启容器应用配置。容器版本更新不会覆盖该文件。 220 | **custom_mod.yaml配置说明** 221 | ```yaml 222 | # yaml配置格式请注意空格缩进和冒号,错误的配置将不会被加载。 223 | # Zones可以配置指定域名转发。可以配置多组。 224 | # 与`RULES_TTL`等功能不同,Zones配置的域名转发优先级默认最高,并且可以转发所有记录类型。 225 | Zones: 226 | - zone: company.local 227 | dns: udp://10.10.10.3:53,udp://10.10.10.4:53 228 | ttl: 0 229 | seq: top 230 | socks5: no 231 | # - zone: 此处填转发的域名。也可以是子域名,或者后缀。 232 | # dns: 可以逗号分隔指定多个DNS服务器、udp/tcp协议、端口。 233 | # 指定超过3个DNS服务器将随机选择3个。 234 | # ttl: 指定该域名的最大ttl值。当设置非0的时候生效。 
235 | # 设置为0为不修改原来的ttl。 236 | # seq: top #缺省选项,优先级最高,直接进行转发所有类型记录 237 | # top6 #与top一样但应用全局的IPv6设置 238 | # list #优先级最低,在匹配所有list后匹配 239 | # socks5: 可以配置为yes或者no,是否使用socks5代理来查询。 240 | # 仅支持代理tcp协议的dns服务器。 241 | - zone: .corp 242 | dns: udp://10.10.10.3:53,udp://10.10.10.4:53 243 | ttl: 60 244 | seq: top6 245 | socks5: no 246 | - zone: ddns.example.com 247 | dns: tcp://172.64.32.176:53,tcp://108.162.192.176:53 248 | ttl: 3 249 | seq: list 250 | socks5: yes 251 | # zone可以一次性写入多个域名,也可以使用list的规则写法,也可以直接引用外部文件(必须以反斜杠`/`的绝对路径开头),以空格隔开,例如: 252 | - zone: a.com domain:b.com full:c.com regexp:dl[0-9]+\.qq\.com$ keyword:google /data/mylist.txt 253 | dns: udp://10.10.10.3:53,udp://10.10.10.4:53 254 | ttl: 0 255 | seq: top 256 | socks5: no 257 | # Swaps可以指定某个IP/CIDR段的解析结果替换为指定变量的结果。 258 | # 以最终解析结果为准匹配。与Zones格式类似可以配置多组。 259 | Swaps: 260 | - env_key: test_ip 261 | cidr_file: "/data/test_cidr.txt" 262 | # env_key:配置指定变量的解析结果。可以配合custom_env.ini使用。 263 | # cidr_file: 配置指定IP/CIDR段的文本文件。格式为每行一个IP/CIDR段。 264 | # Swaps的env_key可以对应多个cidr_file,一个cidr_file仅可以匹配一个env_key,详情参考[更新日志](https://github.com/kkkgo/PaoPaoDNS/discussions/187) 265 | # 注意:如果env_key或者cidr_file配置出错,容器日志会报错并忽略替换。 266 | # 注:`Swaps`应用场景参考:[替换指定IP段的解析结果为指定IP](https://github.com/kkkgo/PaoPaoDNS/discussions/57 ) 267 | 268 | Hosts: 269 | - env_key: test_ip 270 | zone: a.com domain:b.com full:c.com regexp:dl[0-9]+\.qq\.com$ keyword:google /data/mylist.txt 271 | # Hosts模块,可以自定义域名的解析直接映射为指定变量的结果。域名写法与Zones模块一样,支持引入外部文件。 272 | # Hosts模块将位于最高匹配优先级。 273 | ``` 274 | Tips : 275 | - `env_key`配合`custom_env.ini`使用可以实现变量改变的时候重新加载。 276 | - `custom_mod`功能引入的外部文件仅在容器启动的时候加载,如果不存在会跳过规则。`custom_mod`引入的外部文件不会被额外监测,发生变化的时候不会重新加载。如果需要重新加载所有外部文件,可以使用`reload.sh`命令,示例:`docker exec paopaodns reload.sh` 277 | 278 | ### 进阶自定义示例 279 | 280 | 1. 
在企业内可能需要的一个功能,就是需要和AD域整合,转发指定域名到AD域服务器的方法: 281 | 打开`/data/custom_mod.yaml`编辑: 282 | ```yaml 283 | #Active Directory Forward Example 284 | # 在这个示例中,你公司的AD域名为company.local,有几个AD域DNS服务器。 285 | Zones: 286 | - zone: company.local 287 | dns: 10.111.222.11,10.111.222.12,10.111.222.13 288 | ``` 289 | 290 | 2. 添加除了A/AAAA记录以外类型的本地记录解析,可以通过编辑`unbound_custom.conf`实现,具体语法可以参考unbound官方文档,例如添加微软KMS服务器SRV记录 291 | 打开`/data/unbound_custom.conf`编辑: 292 | ```yaml 293 | #Example of setting up SRV records for KMS server VLMCS. 294 | #假设你的内网后缀是.lan,KMS服务器地址是192.168.1.2或者kms.ad.local 295 | 296 | server: 297 | local-zone: "_vlmcs._tcp.lan." static 298 | local-data: "_vlmcs._tcp.lan. IN SRV 0 0 1688 kms.ad.local." 299 | local-data: "_vlmcs._tcp.lan. IN SRV 0 0 1688 192.168.1.2." 300 | 301 | ``` 302 | 303 | 如果有其他高级的自定义需求,欢迎在[discussions](https://github.com/kkkgo/PaoPaoDNS/discussions)里面参与讨论。 304 | 305 | ## 附赠:PaoPao-Pref 306 | 这是一个让DNS服务器预读取缓存或者压力测试的简单工具,配合[PaoPaoDNS](https://github.com/kkkgo/PaoPaoDNS)使用可以快速生成`redis_dns_v2.rdb`缓存。从指定的文本读取域名列表并查询A/AAAA记录,docker镜像默认自带了全球前100万热门域名(经过无效域名筛选)。 307 | 详情:https://github.com/kkkgo/PaoPao-Pref 308 | 309 | ## 相关项目:PaoPaoGateWay 310 | PaoPao GateWay是一个体积小巧、稳定强大的FakeIP网关,支持`Full Cone NAT` ,支持多种方式下发配置,支持多种出站方式,包括自定义socks5、自定义yaml节点、订阅模式和自由出站,支持节点测速自动选择、节点排除等功能,并附带web面板可供查看日志连接信息等。PaoPao GateWay配合PaoPaoDNS的`CUSTOM_FORWARD`功能就可以完成简单精巧的分流。 311 | 详情:https://github.com/kkkgo/PaoPaoGateWay 312 | 313 | ## 构建说明 314 | `sliamb/paopaodns`Docker镜像由Github Actions自动构建本仓库代码构建推送,你可以在[Actions](https://github.com/kkkgo/PaoPaoDNS/actions)查看构建日志,或者自行下载源码进行构建,只需要执行docker build即可,或者可以fork仓库然后使用Actions进行自动构建。 315 | 316 | ## 附录:使用到的程序 317 | unbound: 318 | - https://nlnetlabs.nl/projects/unbound/about/ 319 | - https://www.nlnetlabs.nl/documentation/unbound/howto-optimise/ 320 | - https://unbound.docs.nlnetlabs.nl/en/latest/ 321 | 322 | redis: https://hub.docker.com/_/redis 323 | dnscrypt: 324 | - https://github.com/DNSCrypt/dnscrypt-proxy 325 | - 
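https://github.com/DNSCrypt/dnscrypt-resolvers 326 | - https://dnscrypt.info/ 327 | 328 | mosdns: 329 | - https://github.com/kkkgo/mosdns 330 | 331 | Country-only-cn-private.mmdb: 332 | - https://github.com/kkkgo/Country-only-cn-private.mmdb 333 | -------------------------------------------------------------------------------- /build_test.sh: --------------------------------------------------------------------------------
#!/bin/sh
# build_test.sh - end-to-end smoke test for a locally built image.
#
# Builds the image as `ppdns`, then runs three throw-away containers with
# different ENV combinations and resolves a few names through each listener
# (53 = mosdns front end, 5301 = unbound, 5302 = dnscrypt-proxy,
# 5304 = dnscrypt-backed unbound). Needs a Docker daemon and working outbound
# network; it is run by the GitHub workflow ("build check" step) and by hand.
#
# Exit status: 0 only when every check passes. Every failure path exits 1.
# (A bare `exit` after an `echo` returns the echo's status, i.e. 0, so a
# failed v4check used to let the script - and a CI step running it - go green.)

IPREX4='([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])'

# fail MESSAGE...: print the message and abort with a non-zero status.
fail() {
    echo "$@"
    exit 1
}

# build
docker build -t ppdns . || fail "docker build failed."

# v4check OUTPUT LABEL: pass when dig's answer contains an IPv4 address.
# "timed out" lines and the 127.0.0.1 placeholder answer are filtered out
# first so they cannot count as a hit.
v4check() {
    if echo "$1" | grep -v "timed out" | grep -v "127.0.0.1" | grep -E "$IPREX4"; then
        echo "$2" pass.
    else
        fail "$2" failed:"$1"
    fi
}

# test1: default split resolution, HTTP file server, hosts and force_ttl_rules.
docker run -d --name test1 \
    -e HTTP_FILE=yes \
    -e USE_HOSTS=yes \
    -e RULES_TTL=1 \
    --add-host host.paopaodns:111.111.111.111 \
    ppdns

sleep 5
docker exec test1 sh -c 'echo "force_ttl_rules.paopaodns@@1.2.3.4" > /data/force_ttl_rules.txt'
# base test
t1=$(docker exec test1 dig www.taobao.com @127.0.0.1 -p53 A +short)
v4check "$t1" CN-53
t2=$(docker exec test1 dig www.taobao.com @127.0.0.1 -p5301 A +short)
v4check "$t2" CN-5301
t3=$(docker exec test1 dig www.taobao.com @127.0.0.1 -p5302 A +short)
v4check "$t3" CN-5302
# 5304 is queried once untested, then again after a pause (presumably to let
# the dnscrypt path warm up before the answer is checked).
docker exec test1 dig www.taobao.com @127.0.0.1 -p5304 A
sleep 5
t4=$(docker exec test1 dig www.taobao.com @127.0.0.1 -p5304 A +short)
v4check "$t4" CN-5304
t5=$(docker exec test1 dig www.google.com @127.0.0.1 -p53 A +short)
v4check "$t5" NOCN-53
t6=$(docker exec test1 dig www.google.com @127.0.0.1 -p5301 A +short)
v4check "$t6" NOCN-5301
t7=$(docker exec test1 dig www.google.com @127.0.0.1 -p5302 A +short)
v4check "$t7" NOCN-5302
t8=$(docker exec test1 dig www.google.com @127.0.0.1 -p5304 A +short)
v4check "$t8" NOCN-5304
t9=$(docker exec test1 dig host.paopaodns @127.0.0.1 -p53 A +short)
v4check "$t9" USE_HOSTS
t10=$(docker exec test1 dig force_ttl_rules.paopaodns @127.0.0.1 -p53 A +short)
v4check "$t10" force_ttl_rules
# HTTP_FILE=yes serves the data files over plain HTTP on :7889; this fetch
# sends no credentials. docker-compose.yaml publishes that port, so only
# expose it on a trusted network.
if docker exec test1 mosdns curl http://127.0.0.1:7889 | grep -q Country-only-cn-private.mmdb; then
    echo HTTP_FILE pass.
else
    fail HTTP_FILE failed.
fi
# Cache flush socket: a domain written to /tmp/flush.sock must be accepted.
docker exec test1 apk add socat
docker exec test1 sh -c "echo 'example.com' | socat - UNIX-CONNECT:/tmp/flush.sock && echo flush_ok_flag >>/etc/os-release"
if docker exec test1 cat /etc/os-release | grep -q flush_ok_flag; then
    echo flush_ok_flag pass.
else
    fail flush_ok_flag failed.
fi
docker rm -f test1

# test2: AUTO_FORWARD with a reachable CUSTOM_FORWARD upstream (runs in the
# background so the container log streams into the test output).
docker run --name test2 \
    -e USE_MARK_DATA=yes \
    -e AUTO_FORWARD=yes \
    -e CUSTOM_FORWARD=8.8.8.8:53 \
    ppdns &
sleep 15
t11=$(docker exec test2 dig www.youtube.com @127.0.0.1 -p53 A +short)
v4check "$t11" AUTO_FORWARD_OK
docker rm -f test2

# test3: an unreachable CUSTOM_FORWARD must answer REFUSED, and redis must be
# reachable on its unix socket.
docker run --name test3 \
    -e USE_MARK_DATA=yes \
    -e AUTO_FORWARD=yes \
    -e ADDINFO=yes \
    -e CUSTOM_FORWARD=9.8.7.6:53 \
    ppdns &
sleep 15
t12=$(docker exec test3 dig www.youtube.com @127.0.0.1 -p53 A)
if echo "$t12" | grep REFUSED; then
    echo CUSTOM_FORWARD_BAD pass.
else
    fail CUSTOM_FORWARD_BAD failed:"$t12"
fi
if docker exec test3 redis-cli -s /tmp/redis.sock info | grep -q human; then
    echo redis pass.
else
    fail redis failed.
fi
docker rm -f test3
# pass check
echo ALL TEST PASSED.
touch build_test_ok
-------------------------------------------------------------------------------- /docker-compose-qnap.yaml: -------------------------------------------------------------------------------- 1 | version: "3" 2 | 3 | services: 4 | paopaodns: 5 | image: sliamb/paopaodns:latest 6 | container_name: PaoPaoDNS 7 | restart: always 8 | volumes: 9 | - /share/Container/paopaodns:/data 10 | environment: 11 | - TZ=Asia/Shanghai 12 | - UPDATE=weekly 13 | - DNS_SERVERNAME=PaoPaoDNS,blog.03k.org 14 | - DNSPORT=53 15 | - SOCKS5=10.10.10.3:7890 16 | - CNAUTO=yes 17 | - IPV6=no 18 | - CNFALL=yes 19 | - CUSTOM_FORWARD=10.10.10.3:53 20 | - AUTO_FORWARD=no 21 | - CN_TRACKER=yes 22 | - SAFEMODE=no 23 | networks: 24 | default: 25 | ipv4_address: 10.10.10.6 26 | networks: 27 | default: 28 | external: true 29 | name: qnet-static-eth0-ce61ba 30 | # name from qnap ssh: docker network ls -------------------------------------------------------------------------------- /docker-compose.yaml: -------------------------------------------------------------------------------- 1 | version: "3" 2 | 3 | services: 4 | paopaodns: 5 | image: sliamb/paopaodns:latest 6 | container_name: PaoPaoDNS 7 | restart: always 8 | volumes: 9 | - /share/Container/paopaodns:/data 10 | environment: 11 | - TZ=Asia/Shanghai 12 | - UPDATE=weekly 13 | - DNS_SERVERNAME=PaoPaoDNS,blog.03k.org 14 | - DNSPORT=53 15 | - SOCKS5=no 16 | - CNAUTO=yes 17 | - IPV6=no 18 | - CNFALL=yes 19 | - CUSTOM_FORWARD=10.10.10.3:53 20 | - AUTO_FORWARD=no 21 | - CN_TRACKER=yes 22 | - SAFEMODE=no 23 | ports: 24 | - "53:53/udp" 25 | - "53:53/tcp" 26 | - "5304:5304/udp" 27 | - "5304:5304/tcp" 28 | - "7889:7889/tcp" -------------------------------------------------------------------------------- /img.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kkkgo/PaoPaoDNS/a8da2e62a73026c9594b7edc36447538e51000ee/img.jpg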
-------------------------------------------------------------------------------- /local_test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | cd prebuild-paopaodns||exit 3 | docker build --no-cache -t sliamb/prebuild-paopaodns . 4 | cd ..||exit 5 | docker build --no-cache -t sliamb/paopaodns . 6 | docker rm -f paopaodns 7 | docker run --name paopaodns --rm -d -e USE_MARK_DATA=yes -e ADDINFO=yes sliamb/paopaodns 8 | docker exec -it paopaodns sh -------------------------------------------------------------------------------- /prebuild-paopaodns/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:edge AS builder 2 | COPY build.sh /src/ 3 | RUN sh /src/build.sh 4 | # JUST CHECK 5 | RUN cp /src/mosdns /tmp/ 6 | RUN cp /src/unbound /tmp/ 7 | RUN cp /src/unbound-checkconf /tmp/ 8 | FROM scratch 9 | COPY --from=builder /src/ /src/ 10 | -------------------------------------------------------------------------------- /prebuild-paopaodns/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # add tools 4 | apk update 5 | apk upgrade 6 | apk add build-base flex byacc musl-dev gcc make git python3-dev swig libevent-dev openssl-dev expat-dev hiredis-dev go grep bind-tools 7 | 8 | # build unbound 9 | #git clone https://github.com/NLnetLabs/unbound.git --depth 1 /unbound -b release-1.19.3 10 | git clone https://github.com/NLnetLabs/unbound.git --depth 1 /unbound 11 | cd /unbound || exit 12 | export CFLAGS="-O3" 13 | ./configure --with-libevent --with-pthreads --with-libhiredis --enable-cachedb \ 14 | --disable-rpath --without-pythonmodule --disable-documentation \ 15 | --disable-flto --disable-maintainer-mode --disable-option-checking --disable-rpath \ 16 | --with-pidfile=/tmp/unbound.pid \ 17 | --prefix=/usr --sysconfdir=/etc --localstatedir=/tmp --with-username=root --with-chroot-dir="" 18 | make 19 | make 
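install 20 | mv /usr/sbin/unbound /src/ 21 | mv /usr/sbin/unbound-checkconf /src/ 22 | 23 | # build mosdns 24 | mkdir -p /mosdns-build 25 | git clone https://github.com/kkkgo/mosdns --depth 1 /mosdns-build 26 | cd /mosdns-build || exit 27 | go build -ldflags "-s -w" -trimpath -o /src/mosdns 28 | 29 | #clean 30 | rm /src/build.sh 31 | -------------------------------------------------------------------------------- /src/build.sh: --------------------------------------------------------------------------------
#!/bin/sh
# src/build.sh - runs in the Alpine build stage and assembles /src/ with the
# data files and generated config the runtime image ships:
#   named.cache (root hints), Country-only-cn-private.mmdb.xz, global_mark.dat,
#   dnscrypt.toml plus the v3 resolver/relay lists, trackerslist.txt.xz,
#   an apk mirror list, and the build-time stamp in the helper scripts.
#
# Integrity vs. authenticity: every download is compared against a checksum
# that comes from the SAME origin as the payload (InterNIC, or the git
# repository that also holds the payload). That catches a truncated or
# corrupted download, but an origin that can replace the payload can replace
# the checksum too; authenticity would need a pinned commit/digest or a
# detached-signature check. None of the clones below are pinned.
#
# Failure handling: a checksum mismatch used to `cp /<name>_error .` (cp of a
# file that does not exist) followed by a bare `exit`, so the RUN step only
# failed because cp's status happened to be the last one. Worse, a failed
# `git clone` left both hashes empty, which compared equal and let the build
# continue without the file. Clone failures, missing checksums and mismatches
# now report what was seen and `exit 1` explicitly.

# die MESSAGE...: print to stderr and fail the build step.
die() {
    echo "ERROR: $*" >&2
    exit 1
}

# verify_sha256 FILE CHECKSUM_FILE LABEL: compare FILE's sha256 with the first
# 64-hex-char token of CHECKSUM_FILE; dies on a missing checksum or mismatch.
verify_sha256() {
    expected=$(grep -Eo "[a-zA-Z0-9]{64}" "$2" | head -1)
    actual=$(sha256sum "$1" | grep -Eo "[a-zA-Z0-9]{64}" | head -1)
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        die "$3 checksum mismatch: expected '$expected' got '$actual'"
    fi
}

# add tools
apk update
apk upgrade
apk add curl redis git

# redis: ship the binaries, drop redis-benchmark.
rm -rf /usr/bin/redis-benchmark
mv /usr/bin/redis* /src/

# named (root hints). -f makes curl fail on an HTTP error instead of saving
# the error page as named.cache; MD5 is what InterNIC publishes next to the file.
curl -fsLo /src/named.cache https://www.internic.net/domain/named.cache || die "named.cache download failed"
named_hash=$(curl -4fLs https://www.internic.net/domain/named.cache.md5 | grep -Eo "[a-zA-Z0-9]{32}" | head -1)
named_down_hash=$(md5sum /src/named.cache | grep -Eo "[a-zA-Z0-9]{32}" | head -1)
if [ -z "$named_hash" ] || [ "$named_down_hash" != "$named_hash" ]; then
    die "named.cache checksum mismatch: expected '$named_hash' got '$named_down_hash'"
fi

# mmdb
git clone https://github.com/kkkgo/Country-only-cn-private.mmdb --depth 1 /Country-only-cn-private || die "Country-only-cn-private clone failed"
verify_sha256 /Country-only-cn-private/Country-only-cn-private.mmdb.xz \
    /Country-only-cn-private/Country-only-cn-private.mmdb.xz.sha256sum mmdb
cp /Country-only-cn-private/Country-only-cn-private.mmdb.xz /src/Country-only-cn-private.mmdb.xz

# mark_data (the same clone also provides the dnscrypt ban list used below)
git clone https://github.com/kkkgo/PaoPao-Pref --depth 1 /PaoPao-Pref || die "PaoPao-Pref clone failed"
verify_sha256 /PaoPao-Pref/global_mark.dat /PaoPao-Pref/global_mark.dat.sha256sum global_mark
cp /PaoPao-Pref/global_mark.dat /src/global_mark.dat

# config dnscrypt
#gen dns toml
# Start from the upstream example config with every line containing '#'
# stripped, then force the settings the image relies on.
git clone https://github.com/kkkgo/dnscrypt-proxy --depth 1 /dnscrypt-proxy || die "dnscrypt-proxy clone failed"
grep -v "#" /dnscrypt-proxy/dnscrypt-proxy/example-dnscrypt-proxy.toml | grep . >/dnscrypt-proxy/dnsex.toml
sed -i -r 's/log_level.+/log_level = 6/g' /dnscrypt-proxy/dnsex.toml
# require_dnssec=true / require_nolog=false: DNSSEC-capable resolvers only,
# no-logging not required.
sed -i -r 's/require_dnssec.+/require_dnssec = true/g' /dnscrypt-proxy/dnsex.toml
sed -i -r 's/cache_min_ttl .+/cache_min_ttl = 1/g' /dnscrypt-proxy/dnsex.toml
sed -i -r 's/cache_neg_min_ttl .+/cache_neg_min_ttl = 1/g' /dnscrypt-proxy/dnsex.toml
sed -i -r 's/reject_ttl.+/reject_ttl = 1/g' /dnscrypt-proxy/dnsex.toml
sed -i -r 's/cache_max_ttl .+/cache_max_ttl = 600/g' /dnscrypt-proxy/dnsex.toml
sed -i -r 's/cache_neg_max_ttl .+/cache_neg_max_ttl = 600/g' /dnscrypt-proxy/dnsex.toml
sed -i -r 's/require_nolog.+/require_nolog = false/g' /dnscrypt-proxy/dnsex.toml
sed -i -r 's/odoh_servers.+/odoh_servers = true/g' /dnscrypt-proxy/dnsex.toml
# netprobe/bootstrap use plain DNS (local unbound first, then public
# resolvers); these lookups are unencrypted by design.
sed -i -r "s/netprobe_address.+/netprobe_address = '223.5.5.5:53'/g" /dnscrypt-proxy/dnsex.toml
sed -i -r "s/bootstrap_resolvers.+/bootstrap_resolvers = ['127.0.0.1:5301','1.0.0.1:53','8.8.8.8:53','223.5.5.5:53']/g" /dnscrypt-proxy/dnsex.toml
sed -i -r "s/listen_addresses.+/listen_addresses = ['0.0.0.0:5302']/g" /dnscrypt-proxy/dnsex.toml
# Extra mirrors for the resolver/relay source lists.
sed -i "s|'https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md',|'https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://cdn.jsdelivr.net/gh/DNSCrypt/dnscrypt-resolvers/v3/public-resolvers.md','https://cdn.statically.io/gh/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://dnsr.evilvibes.com/v3/public-resolvers.md',|g" /dnscrypt-proxy/dnsex.toml
sed -i "s|'https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md',|'https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://cdn.jsdelivr.net/gh/DNSCrypt/dnscrypt-resolvers/v3/relays.md','https://cdn.statically.io/gh/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://dnsr.evilvibes.com/v3/relays.md',|g" /dnscrypt-proxy/dnsex.toml

# disabled_server_names is built from PaoPao-Pref's ban list (one name per line).
server_names=""
while read -r line; do
    if [ -z "$server_names" ]; then
        server_names="'$line'"
    else
        server_names="$server_names, '$line'"
    fi
done <"/PaoPao-Pref/dnscrypt_resolver/ban_list.txt"

sed -i "s/^disabled_server_names.*/disabled_server_names = [ $server_names ]/" /dnscrypt-proxy/dnsex.toml

# The three leading "#...ok..." lines are commented placeholders (SOCKS5 proxy,
# forwarding and cloaking rule files); presumably init.sh uncomments them at
# container start - confirm there before renaming the markers.
echo "#socksokproxy = 'socks5://{SOCKS5}'" >/src/dnscrypt.toml
echo "#ttl_rule_okforwarding_rules = '/tmp/force_ttl_rules.toml'" >>/src/dnscrypt.toml
echo "#ttl_rule_okcloaking_rules = '/tmp/force_ttl_rules_cloaking.toml'" >>/src/dnscrypt.toml
cat /dnscrypt-proxy/dnsex.toml >>/src/dnscrypt.toml
# Resolver/relay lists. The .m* glob also carries the .minisig files that sit
# next to the .md lists (presumably for dnscrypt-proxy's own signature check
# at load time - nothing is verified here).
git clone https://github.com/DNSCrypt/dnscrypt-resolvers.git --depth 1 /dnscrypt || die "dnscrypt-resolvers clone failed"
mkdir -p /src/dnscrypt-resolvers
mv /dnscrypt/v3/relays.m* /src/dnscrypt-resolvers/
mv /dnscrypt/v3/public-resolvers.m* /src/dnscrypt-resolvers/

# trackerlist
git clone https://github.com/kkkgo/all-tracker-list.git --depth 1 /all-tracker-list || die "all-tracker-list clone failed"
verify_sha256 /all-tracker-list/trackerslist.txt.xz /all-tracker-list/trackerslist.txt.xz.sha256sum trackerslist
cp /all-tracker-list/trackerslist.txt.xz /src/trackerslist.txt.xz

# apk mirrors: the runtime image gets the stock repository list repeated once
# per mirror, with the official CDN last.
mkdir -p /src/
touch /src/repositories
add_repo() {
    sed "s/dl-cdn.alpinelinux.org/$1/g" /etc/apk/repositories >>/src/repositories
}
add_repo mirrors.ustc.edu.cn
add_repo mirrors.nju.edu.cn
add_repo mirrors.aliyun.com
add_repo mirrors.tuna.tsinghua.edu.cn
add_repo dl-cdn.alpinelinux.org

# build time: replace the {bulidtime} placeholder the helper scripts carry.
bt=$(date +"%Y-%m-%d %H:%M:%S %Z")
sed -i "s/{bulidtime}/$bt/g" /src/init.sh
sed -i "s/{bulidtime}/$bt/g" /src/debug.sh
sed -i "s/{bulidtime}/$bt/g" /src/test.sh
sed -i "s/{bulidtime}/$bt/g" /src/ub_trace.sh

#clean
chmod +x /src/*.sh
rm /src/build.sh
-------------------------------------------------------------------------------- /src/custom_env.ini: -------------------------------------------------------------------------------- 1 | # Variables configured here 2 | # override the ENV at docker startup. 3 | # MosDNS reload if Modifying this file. 4 | # Format: key="value" 5 | 6 | #ADDINFO="yes" 7 | #SHUFFLE="yes" 8 | #IPV6="no" 9 | #MORE_ENV="VALUE"...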
10 | #test_ip="1.1.1.1 2.2.2.2 2000::1 2002::2" -------------------------------------------------------------------------------- /src/custom_mod.yaml: -------------------------------------------------------------------------------- 1 | #Zones: 2 | #- zone: company.local 3 | # dns: udp://10.10.10.3:53,udp://10.10.10.4:53 4 | # ttl: 0 5 | # seq: top 6 | # socks5: no 7 | #- zone: .corp 8 | # dns: udp://10.10.10.4:53,udp://10.10.10.5:53,udp://10.10.10.3 9 | # ttl: 60 10 | # seq: top6 11 | # socks5: no 12 | #- zone: ddns.example.com 13 | # dns: tcp://172.64.32.176:53,tcp://108.162.192.176:53 14 | # ttl: 3 15 | # seq: list 16 | # socks5: yes 17 | #Swaps: 18 | #- env_key: test_ip 19 | # cidr_file: "/data/test_cidr.txt" -------------------------------------------------------------------------------- /src/data_update.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | comp_trackerslist() { 3 | mkdir -p /tmp/trackerslist 4 | cp /usr/sbin/trackerslist.txt.xz /tmp/trackerslist/ 5 | cd /tmp/trackerslist/ || exit 6 | xz -df trackerslist.txt.xz 7 | if [ -f /data/trackerslist.txt ]; then 8 | echo "" >>/tmp/trackerslist/trackerslist.txt 9 | cat /data/trackerslist.txt >>/tmp/trackerslist/trackerslist.txt 10 | update_file_wait="/data/trackerslist.txt" 11 | wait_apply 12 | fi 13 | sort -u /tmp/trackerslist/trackerslist.txt | grep -Eo "^[a-z]+://.+" > /data/trackerslist.txt 14 | rm -rf /tmp/trackerslist/ 15 | return 0 16 | } 17 | 18 | ex_mmdb() { 19 | mkdir -p /tmp/mmdb 20 | cp /usr/sbin/Country-only-cn-private.mmdb.xz /tmp/mmdb/ 21 | cd /tmp/mmdb/ || exit 22 | xz -df Country-only-cn-private.mmdb.xz 23 | cat /tmp/mmdb/Country-only-cn-private.mmdb >/data/Country-only-cn-private.mmdb 24 | rm -rf /tmp/mmdb/ 25 | return 0 26 | } 27 | 28 | wait_apply() { 29 | while ! ps -ef | grep inotifywait | grep -q $update_file_wait; do 30 | sleep 1 31 | echo "$update_file_wait"": Waiting to apply the update..." 
done
}

# One-shot maintenance modes: `data_update.sh comp_trackerslist` and
# `data_update.sh ex_mmdb` run a single helper and exit without the periodic
# update below (presumably invoked from init/watch scripts - not visible here).
if [ "$1" = "comp_trackerslist" ]; then
comp_trackerslist
exit
fi

if [ "$1" = "ex_mmdb" ]; then
ex_mmdb
exit
fi

# Periodic run (cron drops this script into /etc/periodic/$UPDATE): spread
# starts over up to five minutes so many instances do not hit the origins at
# the same second. $RANDOM is a busybox ash extension, not POSIX sh.
sleep $((1 + $RANDOM % 300))
# Downloads go through `mosdns curl` (optionally via $SOCKS5), not through any
# inherited HTTP proxy setting.
export no_proxy=""
export http_proxy=""

# file_update: refresh one data file. Driven entirely by globals the caller sets:
#   update_file       installed copy that gets overwritten
#   update_file_down  temporary download path
#   update_flag       marker written to /tmp/ just before the overwrite
#   update_reg        regex for the hash (32 hex = md5, 64 hex = sha256)
#   hashcmd           md5sum | sha256sum
#   newsum_url        URL of the remote checksum file
#   down_url          URL of the payload
#   SOCKS5 / SOCKS5ON proxy argument appended to mosdns curl while SOCKS5ON is set
# Returns 0 = updated, 1 = network/download error, 2 = hash unchanged.
#
# Security note: the checksum is fetched from the same origin (or the same CDN
# mirror) as the payload, so this is a corruption check, not an authenticity
# check - whoever can replace the payload can replace the checksum.
file_update() {
date +"%Y-%m-%d %H:%M:%S %Z"
touch $update_file
oldsum=$($hashcmd $update_file | grep -Eo "$update_reg")
# Expected hash from the remote checksum file.
newsum=$(mosdns curl "$newsum_url" $(if [ -n "$SOCKS5ON" ]; then echo "$SOCKS5"; fi) | grep -Eo "$update_reg" | head -1)
# grep -v selects the line only when it is NOT a well-formed hash (an empty
# or garbled value), which is reported as a network error.
if echo "$newsum" | grep -qvE "$update_reg"; then
echo "Network error: ""$SOCKS5ON" "$newsum_url"
return 1
fi
if [ "$newsum" = "$oldsum" ]; then
echo "$update_file" "Same hash, skip update."
return 2
fi
echo $update_file "diff sha256sum, update..."
echo newsum:"$newsum"
echo oldsum:"$oldsum"
mosdns curl "$down_url" $(if [ -n "$SOCKS5ON" ]; then echo "$SOCKS5"; fi) $update_file_down
downsum=$($hashcmd "$update_file_down" | grep -Eo "$update_reg")
if [ "$newsum" = "$downsum" ]; then
echo "$update_file_down" "Download OK."
# Block until an inotifywait watcher is looking at $update_file_wait, raise
# the flag, then overwrite the installed file in place.
# NOTE(review): `cat >` truncates and rewrites, so a concurrent reader can
# briefly see an empty file. A temp file + rename in the same directory would
# be atomic, but it changes the inotify event the watcher sees - confirm
# against watch_list.sh before changing this.
wait_apply
echo "ok" >"/tmp/""$update_flag"
cat "$update_file_down" >"$update_file"
rm "$update_file_down"
echo "$update_file" "Update OK."
sleep 5
return 0
else
echo "$update_file_down" "Download error."
rm "$update_file_down"
fi
return 1
}

# file_update_try [failed]: run file_update, first through the SOCKS5 proxy
# when $SOCKS5 looks like host:port, then once more without the proxy if the
# first attempt returned 1 (network error). The "failed" argument only adds a
# log line; the caller has already switched newsum_url/down_url to a mirror.
file_update_try() {
if [ "$1" = "failed" ]; then
echo "Download failed. Attempting to change the download link..."
echo $newsum_url
fi
if echo "$SOCKS5" | grep -Eoq ":[0-9]+"; then
SOCKS5ON="$SOCKS5"
SOCKS5=$(echo "$SOCKS5" | sed 's/"//g')
fi
file_update
if [ "$?" = "1" ]; then
SOCKS5ON=""
file_update
return $?
96 | else 97 | return 0 98 | fi 99 | } 100 | 101 | update-ca-certificates >/dev/null 2>&1 102 | apk update >/dev/null 2>&1 103 | apk add --upgrade ca-certificates >/dev/null 2>&1 104 | 105 | update_file="/etc/unbound/named.cache" 106 | update_file_down="/tmp/named.cache" 107 | update_flag="named.flag" 108 | update_file_wait=$update_file 109 | update_reg="[0-9A-Za-z]{32}" 110 | hashcmd="md5sum" 111 | newsum_url=https://www.internic.net/domain/named.cache.md5 112 | down_url=https://www.internic.net/domain/named.cache 113 | file_update_try 114 | redis-cli -s /tmp/redis.sock info | grep used_memory_human 115 | 116 | if [ "$CNAUTO" != "no" ]; then 117 | update_file="/usr/sbin/Country-only-cn-private.mmdb.xz" 118 | update_file_down="/tmp/Country-only-cn-private.mmdb" 119 | update_flag="Country-only-cn-private.flag" 120 | update_file_wait="/data/Country-only-cn-private.mmdb" 121 | update_reg="[0-9A-Za-z]{64}" 122 | hashcmd="sha256sum" 123 | newsum_url=https://raw.githubusercontent.com/kkkgo/Country-only-cn-private.mmdb/main/Country-only-cn-private.mmdb.xz.sha256sum 124 | down_url=https://raw.githubusercontent.com/kkkgo/Country-only-cn-private.mmdb/main/Country-only-cn-private.mmdb.xz 125 | file_update_try 126 | if [ "$?" = "1" ]; then 127 | newsum_url=https://cdn.jsdelivr.net/gh/kkkgo/Country-only-cn-private.mmdb/Country-only-cn-private.mmdb.xz.sha256sum 128 | down_url=https://cdn.jsdelivr.net/gh/kkkgo/Country-only-cn-private.mmdb/Country-only-cn-private.mmdb.xz 129 | file_update_try failed 130 | if [ "$?" 
= "1" ]; then 131 | newsum_url=https://cdn.statically.io/gh/kkkgo/Country-only-cn-private.mmdb/main/Country-only-cn-private.mmdb.xz.sha256sum 132 | down_url=https://cdn.statically.io/gh/kkkgo/Country-only-cn-private.mmdb/main/Country-only-cn-private.mmdb.xz 133 | file_update_try failed 134 | fi 135 | fi 136 | if [ -f /tmp/Country-only-cn-private.flag ]; then 137 | update_file_wait="/data/Country-only-cn-private.mmdb" 138 | wait_apply 139 | ex_mmdb 140 | rm /tmp/Country-only-cn-private.flag 141 | fi 142 | fi 143 | 144 | # Update trackerlist data 145 | if [ "$CNAUTO" != "no" ]; then 146 | if [ "$CN_TRACKER" = "yes" ]; then 147 | update_file="/usr/sbin/trackerslist.txt.xz" 148 | update_file_down="/tmp/trackerslist.txt.xz.download" 149 | update_flag="trackerslist.flag" 150 | update_file_wait="/data/trackerslist.txt" 151 | update_reg="[0-9A-Za-z]{64}" 152 | hashcmd="sha256sum" 153 | newsum_url=https://raw.githubusercontent.com/kkkgo/all-tracker-list/main/trackerslist.txt.xz.sha256sum 154 | down_url=https://raw.githubusercontent.com/kkkgo/all-tracker-list/main/trackerslist.txt.xz 155 | file_update_try 156 | if [ "$?" = "1" ]; then 157 | newsum_url=https://cdn.jsdelivr.net/gh/kkkgo/all-tracker-list/trackerslist.txt.xz.sha256sum 158 | down_url=https://cdn.jsdelivr.net/gh/kkkgo/all-tracker-list/trackerslist.txt.xz 159 | file_update_try failed 160 | if [ "$?" 
= "1" ]; then 161 | newsum_url=https://cdn.statically.io/gh/kkkgo/all-tracker-list/main/trackerslist.txt.xz.sha256sum 162 | down_url=https://cdn.statically.io/gh/kkkgo/all-tracker-list/main/trackerslist.txt.xz 163 | file_update_try failed 164 | fi 165 | fi 166 | if [ -f /tmp/trackerslist.flag ]; then 167 | comp_trackerslist 168 | rm /tmp/trackerslist.flag 169 | fi 170 | fi 171 | fi 172 | 173 | # Update global mark data 174 | if [ "$CNAUTO" != "no" ]; then 175 | if [ "$USE_MARK_DATA" = "yes" ]; then 176 | update_file="/data/global_mark.dat" 177 | update_file_down="/tmp/global_mark.dat.download" 178 | update_flag="global_mark.flag" 179 | update_file_wait=$update_file 180 | update_reg="[0-9A-Za-z]{64}" 181 | hashcmd="sha256sum" 182 | newsum_url=https://raw.githubusercontent.com/kkkgo/PaoPao-Pref/main/global_mark.dat.sha256sum 183 | down_url=https://raw.githubusercontent.com/kkkgo/PaoPao-Pref/main/global_mark.dat 184 | file_update_try 185 | if [ "$?" = "1" ]; then 186 | newsum_url=https://cdn.jsdelivr.net/gh/kkkgo/PaoPao-Pref/global_mark.dat.sha256sum 187 | down_url=https://cdn.jsdelivr.net/gh/kkkgo/PaoPao-Pref/global_mark.dat 188 | file_update_try failed 189 | if [ "$?" 
= "1" ]; then 190 | newsum_url=https://cdn.statically.io/gh/kkkgo/PaoPao-Pref/main/global_mark.dat.sha256sum 191 | down_url=https://cdn.statically.io/gh/kkkgo/PaoPao-Pref/main/global_mark.dat 192 | file_update_try failed 193 | fi 194 | fi 195 | fi 196 | fi 197 | -------------------------------------------------------------------------------- /src/debug.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | blank() { 3 | echo "*********************************************************************************" 4 | echo 5 | } 6 | export no_proxy="" 7 | export http_proxy="" 8 | ping whoami.03k.org -c1 -W 1 -w 1 -i 1 -4 >/dev/null 9 | IPREX4='([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])' 10 | 11 | echo "### == debug.sh : docker exec -it paopaodns sh ==" 12 | echo "-> debug start \`$(date +%s)\`" 13 | echo "\`\`\`rust" 14 | echo "[INFO]" images build time : {bulidtime} 15 | if [ -w /data ]; then 16 | echo "[OK]DATA_writeable" 17 | else 18 | echo "[ERROR]DATA_not_writeable" 19 | fi 20 | 21 | if [ -r /data ]; then 22 | echo "[OK]DATA_readable" 23 | else 24 | echo "[ERROR]DATA_not_readable" 25 | fi 26 | #sleep 1 27 | echo "[INFO]" NETWORK 28 | blank 29 | ip a | grep -E "UP|inet" 30 | ip r 31 | traceroute -m4 -w1 120.53.53.53 32 | ping 223.5.5.5 -c1 33 | ping 119.29.29.29 -c1 34 | nslookup www.taobao.com 223.5.5.5 35 | nslookup www.qq.com 119.29.29.29 36 | blank 37 | #sleep 1 38 | echo "[INFO]" ENV 39 | blank 40 | cat /tmp/env.conf 41 | ls -shan /data 42 | blank 43 | #sleep 5 44 | echo "[INFO]" PS 45 | blank 46 | ps -ef 47 | if ps -ef | grep -v grep | grep unbound_raw; then 48 | echo unbound OK. 49 | else 50 | echo Try to run unbound... 
51 | unbound -c /tmp/unbound_raw.conf -p -v -d & 52 | grep -E "(num-threads: |outgoing-range: |outgoing-num-tcp: |incoming-num-tcp: |msg-cache-size: |msg-cache-slabs: |num-queries-per-thread: |rrset-cache-size: |rrset-cache-slabs: )" /tmp/unbound_raw.conf 53 | echo RealCore:"$(grep -c ^processor /proc/cpuinfo)" 54 | echo ulimit:$(ulimit -n) 55 | fi 56 | 57 | if [ "$CNAUTO" != "no" ]; then 58 | if ps -ef | grep -v grep | grep unbound_forward; then 59 | echo unbound_forward OK. 60 | else 61 | echo Try to run unbound_forward... 62 | unbound -c /tmp/unbound_forward.conf -p -v -d & 63 | grep -E "(num-threads: |outgoing-range: |outgoing-num-tcp: |incoming-num-tcp: |msg-cache-size: |msg-cache-slabs: |num-queries-per-thread: |rrset-cache-size: |rrset-cache-slabs: )" /tmp/unbound_forward.conf 64 | echo RealCore:"$(grep -c ^processor /proc/cpuinfo)" 65 | echo ulimit:$(ulimit -n) 66 | fi 67 | fi 68 | 69 | blank 70 | echo "[INFO]" TOP 71 | blank 72 | top -n1 | grep "%" 73 | blank 74 | #sleep 5 75 | echo "[INFO]" REDIS 76 | blank 77 | redis-cli -s /tmp/redis.sock info | grep human 78 | redis-cli -s /tmp/redis.sock dbsize 79 | blank 80 | #sleep 5 81 | echo "[TEST]" IP ROUTE 82 | blank 83 | echo CN IP URL: 84 | mosdns curl http://test.ipw.cn | grep -Eo "$IPREX4" | tail -1 85 | echo - 86 | mosdns curl http://ipsu.03k.org/cdn-cgi/trace | grep -Eo "$IPREX4" | tail -1 87 | echo -- 88 | mosdns curl https://cf-ns.com/cdn-cgi/trace | grep -Eo "$IPREX4" | tail -1 89 | echo CN RAW-IP URL: 90 | mosdns curl http://182.242.62.199/cdn-cgi/trace | grep "ip=" | grep -Eo "$IPREX4" | tail -1 91 | echo ------------------ 92 | echo Non-CN IP URL: 93 | mosdns curl https://www.cloudflare.com/cdn-cgi/trace | grep -Eo "$IPREX4" | tail -1 94 | echo - 95 | mosdns curl http://checkip.synology.com/ | grep -Eo "$IPREX4" | tail -1 96 | echo -- 97 | mosdns curl https://v4.ident.me/ | grep -Eo "$IPREX4" | tail -1 98 | echo Non-CN RAW-IP URL: 99 | mosdns curl https://1.0.0.3/cdn-cgi/trace | grep -Eo "$IPREX4" | 
tail -1 100 | echo - 101 | mosdns curl http://172.67.150.201/cdn-cgi/trace | grep -Eo "$IPREX4" | tail -1 102 | echo -- 103 | mosdns curl https://1.0.0.2/cdn-cgi/trace | grep -Eo "$IPREX4" | tail -1 104 | echo --- 105 | mosdns curl http://104.16.124.96/cdn-cgi/trace | grep -Eo "$IPREX4" | tail -1 106 | echo ------------------ 107 | #sleep 5 108 | echo IP INFO: 109 | mosdns curl http://ip.03k.org 110 | echo 111 | #sleep 1 112 | echo "[INFO]" force_recurse_list 113 | grep whoami /data/force_recurse_list.txt 114 | echo MOSDNS WHOAMI : 115 | echo -n "MOSDNS akahelp: " 116 | dig +short whoami.ds.akahelp.net @127.0.0.1 txt -p53 117 | echo -n "MOSDNS 03k: " 118 | dig +short whoami.03k.org @127.0.0.1 a -p53 119 | echo UNBOUND WHOAMI: 120 | echo -n "UNBOUND akahelp: " 121 | dig +short whoami.ds.akahelp.net @127.0.0.1 txt -p5301 122 | echo -n "UNBOUND 03k: " 123 | dig +short whoami.03k.org @127.0.0.1 a -p5301 124 | #sleep 1 125 | blank 126 | echo "[TEST]" HIJACK 127 | blank 128 | dig +short www.qq.com @9.8.7.5 +retry=0 +timeout=1 129 | dig +short whoami.ds.akahelp.net @9.8.7.6 txt -p53 +retry=0 +timeout=1 130 | echo -n "HIJACK 127.0.0.1 = " 131 | dig +short whether.114dns.com @114.114.114.114 132 | blank 133 | #sleep 1 134 | echo "[TEST]" DIG-CN "[taobao]" 135 | blank 136 | echo MOSDNS CN: 137 | dig +short www.taobao.com @127.0.0.1 -p53 138 | echo UNBOUND CN: 139 | test_unbound_raw=$(dig +short www.taobao.com @127.0.0.1 -p5301) 140 | if echo "$test_unbound_raw" | grep -v "refused" | grep -qEo "$IPREX4"; then 141 | echo "$test_unbound_raw" 142 | else 143 | echo unbound_raw FAILED. 144 | if [ "$DEVLOG" = "yes" ]; then 145 | blank 146 | echo "[TEST]Run unbound trace test..." 147 | echo kill unbound and reload to debug mode... 
148 | unbound_id=$(ps | grep -v "grep" | grep "unbound_raw" | grep -Eo "[0-9]+" | head -1) 149 | kill "$unbound_id" 150 | sed -i "s/verbosity:.*/verbosity: 2/g" /tmp/unbound_raw.conf 151 | unbound -c /tmp/unbound_raw.conf -p -d & 152 | dig www.jd.com @127.0.0.1 -p5301 153 | dig www.taobao.com @127.0.0.1 -p5301 154 | unbound_id=$(ps | grep -v "grep" | grep "unbound_raw" | grep -Eo "[0-9]+" | head -1) 155 | kill "$unbound_id" 156 | sed -i "s/verbosity:.*/verbosity: 0/g" /tmp/unbound_raw.conf 157 | unbound -c /tmp/unbound_raw.conf -p 158 | fi 159 | blank 160 | fi 161 | #sleep 3 162 | echo "[TEST]" DIG-NOCN "[youtube]" 163 | echo MOSDNS NOCN: 164 | dig +short www.youtube.com @127.0.0.1 -p53 | head -3 165 | echo DNSCRYPT-UNBOUND NOCN: 166 | dig +short www.youtube.com @127.0.0.1 -p5304 | head -3 167 | #sleep 1 168 | echo DNSCRYPT NOCN: 169 | dig +short www.youtube.com @127.0.0.1 -p5302 | head -3 170 | #sleep 1 171 | echo DNSCRYPT-SOCKS5 NOCN: 172 | dig +short www.youtube.com @127.0.0.1 -p5303 +retry=0 | head -3 173 | #sleep 1 174 | blank 175 | if echo "$CUSTOM_FORWARD" | grep -Eoq ":[0-9]+"; then 176 | CUSTOM_FORWARD=$(echo "$CUSTOM_FORWARD" | sed 's/"//g') 177 | if echo "$CUSTOM_FORWARD" | grep -q '\['; then 178 | CUSTOM_FORWARD_SERVER=$(echo "$CUSTOM_FORWARD" | sed 's/\[//' | cut -d']' -f1) 179 | CUSTOM_FORWARD_PORT=$(echo "$CUSTOM_FORWARD" | sed 's/.*\]://' | sed 's/[^0-9]*//') 180 | else 181 | CUSTOM_FORWARD_SERVER=$(echo "$CUSTOM_FORWARD" | cut -d':' -f1) 182 | CUSTOM_FORWARD_PORT=$(echo "$CUSTOM_FORWARD" | cut -d':' -f2) 183 | fi 184 | echo "CUSTOM_FORWARD TEST [youtube]": 185 | dig +short www.youtube.com @"$CUSTOM_FORWARD_SERVER" -p"$CUSTOM_FORWARD_PORT" 186 | echo "CUSTOM_FORWARD TEST [taobao]": 187 | dig +short www.taobao.com @"$CUSTOM_FORWARD_SERVER" -p"$CUSTOM_FORWARD_PORT" 188 | blank 189 | fi 190 | echo "[TEST]" DUAL CN "[IPv6=YES will have aaaa,taobao]" 191 | blank 192 | dig +short www.taobao.com @127.0.0.1 aaaa -p53 193 | 194 | echo "[TEST]" DUAL NOCN 
"[IPv6=YES will block aaaa,youtube]" 195 | 196 | dig +short www.youtube.com @127.0.0.1 aaaa -p53 197 | 198 | echo "[TEST]" ONLY6 "[IPv6=only6 will block aaaa if a ok]" 199 | echo -n "checkipv6.synology.com : " 200 | dig +short checkipv6.synology.com @127.0.0.1 aaaa -p53 201 | echo -n "ip6.03k.org : " 202 | dig +short ip6.03k.org @127.0.0.1 aaaa -p53 203 | echo -n "6.ipw.cn : " 204 | dig +short 6.ipw.cn @127.0.0.1 aaaa -p53 205 | echo 206 | blank 207 | echo "[info]" ALL TEST FINISH. 208 | echo "\`\`\`" 209 | echo "-> debug end \`$(date +%s)\`" 210 | -------------------------------------------------------------------------------- /src/force_dnscrypt_list.txt: -------------------------------------------------------------------------------- 1 | # Read https://github.com/kkkgo/PaoPaoDNS/discussions/122 2 | 3 | domain:ip.03k.org 4 | domain:msftncsi.com 5 | domain:msftconnecttest.com 6 | domain:time.windows.com 7 | domain:ntp.msn.com 8 | domain:time-ios.apple.com 9 | domain:time.apple.com 10 | domain:pool.ntp.org 11 | 12 | # Skip proxy... 13 | # https://github.com/kkkgo/PaoPaoDNS/discussions/47 14 | #domain:steamcontent.com 15 | #domain:steamserver.net 16 | #domain:download.epicgames.com 17 | #domain:xboxlive.com 18 | #domain:akamaihd.net 19 | #domain:akamaized.net 20 | 21 | # xbox net test 22 | domain:xbox.ipv6.microsoft.com 23 | domain:xncsi.xboxlive.com 24 | domain:x1ds.xboxlive.com 25 | 26 | # netflix hard-coded DNS 27 | # https://github.com/kkkgo/PaoPaoGateWay/discussions/98 28 | #domain:dns.google 29 | #domain:dns.google.com -------------------------------------------------------------------------------- /src/force_forward_list.txt: -------------------------------------------------------------------------------- 1 | # Read https://github.com/kkkgo/PaoPaoDNS/discussions/122 2 | 3 | #focre forward your domains to $CUSTOM_FORWARD DNS server. 4 | #Here are some examples. 
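
# Global bing
domain:bing.com

# Google play download issues
domain:googleapis.cn
domain:xn--ngstr-lra8j.com
domain:gvt1.com
domain:android.googleapis.com
domain:play.googleapis.com
--------------------------------------------------------------------------------
/src/force_recurse_list.txt:
--------------------------------------------------------------------------------
# Read https://github.com/kkkgo/PaoPaoDNS/discussions/122

domain:whoami.ds.akahelp.net
domain:whoami.03k.org
domain:nstool.netease.com
domain:nstool.zhuanzfx.com
domain:nstool.laiqukankan.com
domain:nstool.321fenx.com
domain:nstool.haowu.link
domain:nstool.yqkk.link
domain:ntp.aliyun.com
domain:time.edu.cn
domain:ntp.org.cn
domain:localhost.ptlogin2.qq.com
domain:localhost.sec.qq.com
--------------------------------------------------------------------------------
/src/init.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# PaoPaoDNS container entrypoint.
#
# Order of work:
#   1. load KEY="value" settings from /data/custom_env.ini into the environment
#   2. size caches/threads from available memory, CPU count and ulimit -n
#   3. render the templates kept under /data (redis.conf, unbound.conf,
#      mosdns.yaml, dnscrypt.toml) into /tmp by replacing {PLACEHOLDER}
#      tokens and deleting "#flag" prefixes that enable optional sections
#   4. start redis, dnscrypt-proxy, unbound (forward + raw) and mosdns
# The script never returns on its own; its tail blocks on `tail -f /dev/null`.

# Escape a value for the right-hand side of a sed "s/.../.../" expression so
# that "/", "&" and "\" in operator-supplied settings are inserted literally
# instead of breaking (or silently altering) the template substitution.
sed_safe() {
    printf '%s\n' "$1" | sed 's|[/&\\]|\\&|g'
}

mkdir -p /data
# NOTE(review): 777 leaves every config template under /data writable by any
# uid in the container; kept as-is because the service uid is not visible
# here, but a narrower mode owned by the service user would be tighter.
chmod -R 777 /data

# Reported later in /tmp/env.conf so a read-only volume shows up in the log.
if [ -w /data ]; then
    export DATA_W="[OK]DATA_writeable"
else
    export DATA_W="[ERROR]DATA_not_writeable"
fi

if [ -r /data ]; then
    export DATA_R="[OK]DATA_readable"
else
    export DATA_R="[ERROR]DATA_not_readable"
fi

# Discard rendered configs left by a previous run.
rm /tmp/*.conf >/dev/null 2>&1
rm /tmp/*.toml >/dev/null 2>&1

# Import settings: only lines of the form NAME="value" are accepted; the
# surrounding quotes (double and single) are stripped before export.
if [ ! -f /data/custom_env.ini ]; then
    cp /usr/sbin/custom_env.ini /data/
fi
grep -Eo "^[_a-zA-Z0-9]+=\".+\"" /data/custom_env.ini >/tmp/custom_env.ini
if [ -f "/tmp/custom_env.ini" ]; then
    while IFS= read -r line; do
        line=$(echo "$line" | sed 's/"//g' | sed "s/'//g")
        export "$line"
    done <"/tmp/custom_env.ini"
fi
echo =====PaoPaoDNS docker start=====
echo images build time : {bulidtime}

# First start of a freshly built image: drop generated files from an older
# version so they are re-seeded from /usr/sbin below.
if [ ! -f /new.lock ]; then
    echo New version install ! Try clean...
    rm -rf /data/redis.conf >/dev/null 2>&1
    rm -rf /data/unbound.conf >/dev/null 2>&1
    rm -rf /data/mosdns.yaml >/dev/null 2>&1
    rm -rf /data/dnscrypt.toml >/dev/null 2>&1
    rm -rf /data/Country-only-cn-private.mmdb >/dev/null 2>&1
    rm -rf /data/global_mark.dat >/dev/null 2>&1
    rm -rf /data/dnscrypt-resolvers >/dev/null 2>&1
    touch /new.lock
fi

# Seed /data with the stock templates when they are missing.
if [ ! -f /data/unbound.conf ]; then
    cp /usr/sbin/unbound.conf /data/
fi
if [ ! -f /data/unbound_custom.conf ]; then
    cp /usr/sbin/unbound_custom.conf /data/
fi
if [ ! -f /data/custom_mod.yaml ]; then
    cp /usr/sbin/custom_mod.yaml /data/
fi

if [ ! -f /data/redis.conf ]; then
    cp /usr/sbin/redis.conf /data/
fi
# $UPDATE is either "no" or the name of a directory under /etc/periodic/
# (the crond period) in which data_update.sh is installed.
if [ "$UPDATE" != "no" ]; then
    crond
    # -f never matches a directory path, so this branch runs on every start
    # and always (re)installs the update job; do not change it to -d.
    if [ ! -f /etc/periodic/"$UPDATE" ]; then
        rm -rf /etc/periodic/*
        mkdir -p /etc/periodic/"$UPDATE"
        cp /usr/sbin/data_update.sh /etc/periodic/"$UPDATE"
    fi
fi

free -m
free -h
# Available memory in MiB drives the sizing tiers below.
if grep -q 'MemAvailable' /proc/meminfo; then
    available=$(grep 'MemAvailable' /proc/meminfo | grep -Eo "[0-9]+" | head -1)
else
    available=$(grep 'MemFree' /proc/meminfo | grep -Eo "[0-9]+" | head -1)
fi
MEMSIZE=$(echo "scale=0; $available / 1024" | bc)
prefPC=1
echo MEMSIZE:"$MEMSIZE"
# min:50m suggest:16G
# Defaults are the low-memory profile; each tier below raises them.
# MEM1/MEM2/MEM3 are substituted into unbound.conf, MEM4 into redis.conf
# (maxmemory) and MSCACHE into mosdns.yaml.
MEM1=100k
MEM2=200k
MEM3=200
MEM4=16mb
MSCACHE=1024
safemem=yes
MAXCORE=1
if [ "$SAFEMODE" = "yes" ]; then
    echo safemode enable!
    # FDLIM is recomputed from ulimit below; this value is superseded there.
    FDLIM=1
else
    if [ "$MEMSIZE" -gt 500 ]; then
        MEM1=50m
        MEM2=100m
        MEM4=100mb
        prefPC=9
    fi
    if [ "$MEMSIZE" -gt 2000 ]; then
        MAXCORE=2
        safemem=no
        MEM1=200m
        MEM2=400m
        MEM4=450mb
        MSCACHE=10240
        prefPC=41
    fi
    if [ "$MEMSIZE" -gt 2500 ]; then
        MEM1=220m
        MEM2=450m
        MEM3=500000
        MEM4=750mb
        prefPC=68
    fi
    if [ "$MEMSIZE" -gt 4000 ]; then
        MEM1=400m
        MEM2=800m
        MEM4=900mb
        prefPC=82
    fi
    if [ "$MEMSIZE" -gt 6000 ]; then
        MAXCORE=4
        MEM1=500m
        MEM2=1000m
        MEM4=1500mb
        MSCACHE=102400
        prefPC=100
    fi
    if [ "$MEMSIZE" -gt 8000 ]; then
        MAXCORE=6
        MEM1=800m
        MEM2=1600m
        MEM3=1000000
        MEM4=1800mb
        MSCACHE=1024000
    fi
    if [ "$MEMSIZE" -gt 12000 ]; then
        MAXCORE=8
        MEM1=1000m
        MEM2=2000m
        MEM3=1000000
        MEM4=3000mb
    fi
    if [ "$MEMSIZE" -gt 16000 ]; then
        MAXCORE=12
        MEM1=1500m
        MEM2=3000m
        MEM3=10000000
        MEM4=4500mb
    fi
fi

# Raise the open-file limit for unbound; assumes `ulimit -n` prints a number
# (an "unlimited" value would make the -gt test fail) -- TODO confirm the
# runtime's default.
if [ "$(ulimit -n)" -gt 999999 ]; then
    echo "ulimit adbove 1000000."
else
    ulimit -SHn 1048576
    echo ulimit:$(ulimit -n)
fi

lim=$(ulimit -n)
# CORES: unbound threads, capped by the memory tier. POWCORES: power-of-two
# slab count. REALCORES: physical count clamped to [CORES, 12], used for the
# per-thread descriptor budget.
CORES=$(grep -c ^processor /proc/cpuinfo)
if [ "$CORES" -gt "$MAXCORE" ]; then
    CORES=$MAXCORE
fi
POWCORES=2
if [ "$CORES" -gt 3 ]; then
    POWCORES=4
fi
if [ "$CORES" -gt 6 ]; then
    POWCORES=8
fi
REALCORES=$(grep -c ^processor /proc/cpuinfo)
if [ "$REALCORES" -lt "$CORES" ]; then
    REALCORES="$CORES"
fi
if [ "$REALCORES" -gt "12" ]; then
    REALCORES=12
fi
FDLIM=$((lim / (2 * REALCORES) - REALCORES * 3))
if [ "$FDLIM" -gt 4096 ]; then
    FDLIM=4096
fi

# Low-memory and safemem profiles run single-threaded with FDLIM=1, which
# also keeps the "#safeoff" tuning block below disabled.
if [ "$MEM1" = "100k" ]; then
    echo "[Warning] LOW MEMORY!"
    CORES=1
    POWCORES=1
    FDLIM=1
fi
if [ "$safemem" = "yes" ]; then
    echo "[Warning] use safemem!"
    CORES=1
    POWCORES=1
    FDLIM=1
fi
# Strict dotted-quad IPv4 matcher, reused wherever an address is validated.
IPREX4='([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])'
# Source address of the default route; falls back to a loopback alias.
ETHIP=$(ip -o -4 route get 1.0.0.1 | grep -Eo "$IPREX4" | tail -1)
if [ -z "$ETHIP" ]; then
    ETHIP="127.0.0.2"
fi
if [ -z "$DNS_SERVERNAME" ]; then
    DNS_SERVERNAME="PaoPaoDNS,blog.03k.org"
fi
if [ -z "$DNSPORT" ]; then
    DNSPORT="53"
fi
export no_proxy=""
export http_proxy=""
# Effective settings are written verbatim to /tmp/env.conf and then printed
# to the container log; NOTE(review): if SOCKS5 is ever given with
# credentials they would appear in the log here too.
echo ====ENV TEST==== >/tmp/env.conf
echo "$DATA_W""-" >>/tmp/env.conf
echo "$DATA_R""-" >>/tmp/env.conf
echo MEM:"$MEM1" "$MEM2" "$MEM3" "$MEM4" >>/tmp/env.conf
echo prefPC:"$prefPC" >>/tmp/env.conf
echo CORES:-"$CORES""-" >>/tmp/env.conf
echo POWCORES:-"$POWCORES""-" >>/tmp/env.conf
echo ulimit :-"$(ulimit -n)""-" >>/tmp/env.conf
echo FDLIM :-"$FDLIM""-" >>/tmp/env.conf
echo TZ:-"$TZ""-" >>/tmp/env.conf
echo UPDATE:-"$UPDATE""-" >>/tmp/env.conf
echo DNS_SERVERNAME:-"$DNS_SERVERNAME""-" >>/tmp/env.conf
echo SERVER_IP:-"$SERVER_IP""-" >>/tmp/env.conf
echo ETHIP:-"$ETHIP""-" >>/tmp/env.conf
echo DNSPORT:-"$DNSPORT""-" >>/tmp/env.conf
echo SOCKS5:-"$SOCKS5""-" >>/tmp/env.conf
echo CNAUTO:-"$CNAUTO""-" >>/tmp/env.conf
echo IPV6:-"$IPV6""-" >>/tmp/env.conf
echo CNFALL:-"$CNFALL""-" >>/tmp/env.conf
echo CUSTOM_FORWARD:-"$CUSTOM_FORWARD""-" >>/tmp/env.conf
echo AUTO_FORWARD:-"$AUTO_FORWARD""-" >>/tmp/env.conf
echo AUTO_FORWARD_CHECK:-"$AUTO_FORWARD_CHECK""-" >>/tmp/env.conf
echo USE_MARK_DATA:-"$USE_MARK_DATA""-" >>/tmp/env.conf
echo RULES_TTL:-"$RULES_TTL""-" >>/tmp/env.conf
echo CUSTOM_FORWARD_TTL:-"$CUSTOM_FORWARD_TTL""-" >>/tmp/env.conf
echo SHUFFLE:-"$SHUFFLE""-" >>/tmp/env.conf
echo EXPIRED_FLUSH:-"$EXPIRED_FLUSH""-" >>/tmp/env.conf
echo CN_TRACKER:-"$CN_TRACKER""-" >>/tmp/env.conf
echo USE_HOSTS:-"$USE_HOSTS""-" >>/tmp/env.conf
echo HTTP_FILE:-"$HTTP_FILE""-" >>/tmp/env.conf
echo SAFEMODE:-"$SAFEMODE""-" >>/tmp/env.conf
echo QUERY_TIME:-"$QUERY_TIME""-" >>/tmp/env.conf
echo ADDINFO:-"$ADDINFO""-" >>/tmp/env.conf
echo PLATFORM:-"$(uname -a)""-" >>/tmp/env.conf
echo ====ENV TEST==== >>/tmp/env.conf
echo mosdns "$(mosdns version)" >>/tmp/env.conf
cat /tmp/env.conf
# AUTO_FORWARD accepts only yes/no; anything else is reported and disabled.
if [ "$AUTO_FORWARD" != "yes" ] && [ "$AUTO_FORWARD" != "no" ]; then
    if [ -n "$AUTO_FORWARD" ]; then
        echo "Warning: AUTO_FORWARD has an invalid value: [ $AUTO_FORWARD ], Disable AUTO_FORWARD."
    fi
    AUTO_FORWARD="no"
fi

# --- redis (cache backend) ---
sed "s/{MEM4}/$MEM4/g" /data/redis.conf >/tmp/redis.conf
redis-server /tmp/redis.conf
if ! ps -ef | grep -v grep | grep -q redis-server; then
    redis-server /tmp/redis.conf --ignore-warnings ARM64-COW-BUG
fi
# Poll INFO until every "loading" field reports 0 (the expected "00" is the
# concatenation of those digits). There is no upper bound: if redis never
# comes up this loop does not terminate.
while true; do
    loading=$(redis-cli -s /tmp/redis.sock info | grep loading | grep -oE "[0-9]" | tr -d '\n')
    if [ "$loading" = "00" ]; then
        echo "Redis rdb has finished loading."
        break
    else
        echo "Waiting for Redis rdb to load..."
        sleep 1
    fi
done

# --- unbound base template ---
# DNS_SERVERNAME is free-form operator text, so it is sed-escaped; the other
# values are numeric or regex-validated.
sed "s/{CORES}/$CORES/g" /data/unbound.conf | sed "s/{POWCORES}/$POWCORES/g" | sed "s/{FDLIM}/$FDLIM/g" | sed "s/{MEM1}/$MEM1/g" | sed "s/{MEM2}/$MEM2/g" | sed "s/{MEM3}/$MEM3/g" | sed "s/{ETHIP}/$ETHIP/g" | sed "s/{DNS_SERVERNAME}/$(sed_safe "$DNS_SERVERNAME")/g" >/tmp/unbound.conf
# if [ "$DEVLOG" = "yes" ]; then
#     sed -i "s/verbosity: 0/verbosity: 2/g" /tmp/unbound.conf
# fi
if [ "$safemem" = "no" ]; then
    sed -i "s/#safemem//g" /tmp/unbound.conf
else
    sed -i "s/#lowrmem//g" /tmp/unbound.conf
fi
# SERVER_IP must be a complete IPv4 address: it is substituted straight into
# the config, so a looser check would let other text through.
if echo "$SERVER_IP" | grep -Eq "^$IPREX4$"; then
    sed -i "s/{SERVER_IP}/$SERVER_IP/g" /tmp/unbound.conf
    sed -i "s/#serverip-enable//g" /tmp/unbound.conf
fi
# Descriptor/query budgets from `mosdns eat calc`; its output is read as
# colon-separated fields (2, 4 and 6) -- format not visible here.
if [ "$FDLIM" -gt 1 ] && [ "$SAFEMODE" != "yes" ]; then
    calc_r=$(mosdns eat calc "$lim" "$REALCORES" "r")
    calc_f=$(mosdns eat calc "$lim" "$REALCORES" "f")
    r_outgoing=$(echo "$calc_r" | cut -d':' -f2)
    f_outgoing=$(echo "$calc_f" | cut -d':' -f2)
    r_outgoing_half=$(echo "$calc_r" | cut -d':' -f4)
    f_outgoing_half=$(echo "$calc_f" | cut -d':' -f4)
    r_numQueriesPerThread=$(echo "$calc_r" | cut -d':' -f6)
    f_numQueriesPerThread=$(echo "$calc_f" | cut -d':' -f6)
    sed -i "s/{r_outgoing}/$r_outgoing/g" /tmp/unbound.conf
    sed -i "s/{f_outgoing}/$f_outgoing/g" /tmp/unbound.conf
    sed -i "s/{r_outgoing_half}/$r_outgoing_half/g" /tmp/unbound.conf
    sed -i "s/{f_outgoing_half}/$f_outgoing_half/g" /tmp/unbound.conf
    sed -i "s/{r_numQueriesPerThread}/$r_numQueriesPerThread/g" /tmp/unbound.conf
    sed -i "s/{f_numQueriesPerThread}/$f_numQueriesPerThread/g" /tmp/unbound.conf
    sed -i "s/#safeoff//g" /tmp/unbound.conf
fi

# --- CN/non-CN split mode: mosdns on :53 in front of unbound on 5301/5304 ---
if [ "$CNAUTO" != "no" ]; then
    # mosdns takes the public port; the raw unbound instance moves to 5301.
    DNSPORT="5301"
    if [ ! -f /data/mosdns.yaml ]; then
        cp /usr/sbin/mosdns.yaml /data/
    fi
    if [ ! -f /data/Country-only-cn-private.mmdb ]; then
        /usr/sbin/data_update.sh ex_mmdb
    fi
    cat /data/Country-only-cn-private.mmdb >/tmp/Country.mmdb
    if [ ! -f /data/dnscrypt.toml ]; then
        cp /usr/sbin/dnscrypt.toml /data/
    fi
    if [ ! -f /data/dnscrypt-resolvers/public-resolvers.md ]; then
        mkdir -p /data/dnscrypt-resolvers/
        cp /usr/sbin/dnscrypt-resolvers/* /data/dnscrypt-resolvers/
    fi
    if [ ! -f /data/force_dnscrypt_list.txt ]; then
        cp /usr/sbin/force_dnscrypt_list.txt /data/
    fi
    if [ ! -f /data/force_recurse_list.txt ]; then
        cp /usr/sbin/force_recurse_list.txt /data/
    fi
    # Optional SOCKS5 proxy ("host:port", optionally prefixed with "@").
    if echo "$SOCKS5" | grep -Eoq ":[0-9]+"; then
        SOCKS5=$(echo "$SOCKS5" | sed 's/"//g')
        if echo "$SOCKS5" | grep -Eoq "^@"; then
            # Strip only the leading marker so an "@" inside the proxy
            # address itself is preserved.
            SOCKS5=$(echo "$SOCKS5" | sed 's/^@//')
            # With the "@" form and AUTO_FORWARD off, unbound no longer
            # forwards to the plain dnscrypt listener on 5302.
            if [ "$AUTO_FORWARD" = "no" ]; then
                sed -i "s/ forward-addr: 127.0.0.1@5302//g" /tmp/unbound.conf
            fi
        fi
        # Second dnscrypt-proxy instance on 5303 that goes through the proxy.
        sed "s/#socksok//g" /data/dnscrypt.toml | sed "s/{SOCKS5}/$(sed_safe "$SOCKS5")/g" | sed -r "s/listen_addresses.+/listen_addresses = ['0.0.0.0:5303']/g" | sed -r "s/^force_tcp.+/force_tcp = true/g" >/data/dnscrypt-resolvers/dnscrypt_socks.toml
        sed "s/{DNSPORT}/5304/g" /tmp/unbound.conf | sed "s/#CNAUTO//g" | sed "s/#socksok//g" >/tmp/unbound_forward.conf
        sed "s/#socksok//g" /data/mosdns.yaml >/tmp/mosdns.yaml
    else
        sed "s/{DNSPORT}/5304/g" /tmp/unbound.conf | sed "s/#CNAUTO//g" | sed "s/#nosocks//g" >/tmp/unbound_forward.conf
        sed "s/#nosocks//g" /data/mosdns.yaml >/tmp/mosdns.yaml
    fi
    # IPV6 selects one of four mutually exclusive AAAA policies in mosdns.yaml.
    if [ "$IPV6" = "no" ]; then
        sed -i "s/#ipv6no//g" /tmp/mosdns.yaml
    fi
    if [ "$IPV6" = "yes" ]; then
        sed -i "s/#ipv6yes//g" /tmp/mosdns.yaml
    fi
    if [ "$IPV6" = "only6" ]; then
        sed -i "s/#ipv6only6//g" /tmp/mosdns.yaml
    fi
    if [ "$IPV6" = "yes_only6" ]; then
        sed -i "s/#ipv6cn_only6//g" /tmp/mosdns.yaml
    fi
    if [ "$CNFALL" = "yes" ]; then
        sed -i "s/#cnfall//g" /tmp/mosdns.yaml
        if [ "$EXPIRED_FLUSH" = "yes" ]; then
            sed -i "s/#flushd_un_yes//g" /tmp/mosdns.yaml
        fi
    else
        sed -i "s/#nofall//g" /tmp/mosdns.yaml
    fi
    # CUSTOM_FORWARD is "host:port" or "[v6addr]:port"; anything without a
    # ":port" suffix is rejected and AUTO_FORWARD is switched off.
    if echo "$CUSTOM_FORWARD" | grep -Eoq ":[0-9]+"; then
        CUSTOM_FORWARD=$(echo "$CUSTOM_FORWARD" | sed 's/"//g')
        sed -i "s/#customforward-seted//g" /tmp/mosdns.yaml
        if echo "$CUSTOM_FORWARD" | grep -q '\['; then
            CUSTOM_FORWARD_SERVER=$(echo "$CUSTOM_FORWARD" | sed 's/\[//' | cut -d']' -f1)
            CUSTOM_FORWARD_PORT=$(echo "$CUSTOM_FORWARD" | sed 's/.*\]://' | sed 's/[^0-9]*//')
        else
            CUSTOM_FORWARD_SERVER=$(echo "$CUSTOM_FORWARD" | cut -d':' -f1)
            CUSTOM_FORWARD_PORT=$(echo "$CUSTOM_FORWARD" | cut -d':' -f2)
        fi
        sed -i "s/{CUSTOM_FORWARD}/$(sed_safe "$CUSTOM_FORWARD")/g" /tmp/mosdns.yaml
        sed -i "s/{CUSTOM_FORWARD_SERVER}/$(sed_safe "$CUSTOM_FORWARD_SERVER")/g" /tmp/mosdns.yaml
        sed -i "s/{CUSTOM_FORWARD_PORT}/$CUSTOM_FORWARD_PORT/g" /tmp/mosdns.yaml
        if [ ! -f /data/force_forward_list.txt ]; then
            cp /usr/sbin/force_forward_list.txt /data/
        fi
        if [ "$AUTO_FORWARD" = "yes" ]; then
            sed -i "s/#autoforward-yes//g" /tmp/mosdns.yaml
            if [ "$AUTO_FORWARD_CHECK" = "yes" ]; then
                sed -i "s/#autoforward-check//g" /tmp/mosdns.yaml
            else
                sed -i "s/#autoforward-nocheck//g" /tmp/mosdns.yaml
            fi
        fi
    else
        echo "Bad CUSTOM_FORWARD=""$CUSTOM_FORWARD"", IP:port. Disable AUTO_FORWARD."
        AUTO_FORWARD="no"
    fi
    if [ "$AUTO_FORWARD" = "no" ]; then
        sed -i "s/#autoforward-no//g" /tmp/mosdns.yaml
    fi
    if [ "$CN_TRACKER" = "yes" ]; then
        sed -i "s/#cntracker-yes//g" /tmp/mosdns.yaml
        /usr/sbin/watch_list.sh load_trackerslist
    fi
    if [ "$ADDINFO" = "yes" ]; then
        sed -i "s/#addinfo//g" /tmp/mosdns.yaml
    fi
    if [ "$SHUFFLE" = "yes" ]; then
        sed -i "s/#shuffle//g" /tmp/mosdns.yaml
    fi
    if [ "$SHUFFLE" = "lite" ]; then
        sed -i "s/#liteshuffle//g" /tmp/mosdns.yaml
    fi
    if [ "$SHUFFLE" = "trnc" ]; then
        sed -i "s/#trncshuffle//g" /tmp/mosdns.yaml
    fi
    if [ "$USE_MARK_DATA" = "yes" ]; then
        sed -i "s/#global_mark_yes//g" /tmp/mosdns.yaml
        if [ ! -f /data/global_mark.dat ]; then
            cp /usr/sbin/global_mark.dat /data/
        fi
        /usr/sbin/watch_list.sh load_mark_data
    else
        sed -i "s/#global_mark_no//g" /tmp/mosdns.yaml
    fi
    #convert hosts
    if [ "$USE_HOSTS" = "yes" ]; then
        mosdns eat hosts
        sed -i "s/#usehosts-yes//g" /tmp/mosdns.yaml
        sed -i "s/#usehosts-enable//g" /tmp/mosdns.yaml
    fi
    # Same strict IPv4 check as for unbound.conf above.
    if echo "$SERVER_IP" | grep -Eq "^$IPREX4$"; then
        sed -i "s/#usehosts-yes//g" /tmp/mosdns.yaml
        sed -i "s/#serverip-enable//g" /tmp/mosdns.yaml
        sed -i "s/{SERVER_IP}/$SERVER_IP/g" /tmp/mosdns.yaml
    fi
    # Compile the domain lists mosdns loads from /tmp.
    if [ -f /data/force_dnscrypt_list.txt ]; then
        mosdns eat list /tmp/force_dnscrypt_list.txt /data/force_dnscrypt_list.txt /data/force_nocn_list.txt
    fi
    if [ -f /data/force_recurse_list.txt ]; then
        mosdns eat list /tmp/force_recurse_list.txt /data/force_recurse_list.txt /data/force_cn_list.txt
    fi
    if [ -f /data/force_forward_list.txt ]; then
        mosdns eat list /tmp/force_forward_list.txt /data/force_forward_list.txt
    fi
    # Keep the first run of digits only, so the -gt tests below always see a
    # single number (previously the "| head -1" sat inside the regex and a
    # value with several numbers produced a multi-line result).
    RULES_TTL=$(echo "$RULES_TTL" | grep -Eo "[0-9]+" | head -1)
    if [ -z "$RULES_TTL" ]; then
        RULES_TTL=0
    fi
    CUSTOM_FORWARD_TTL=$(echo "$CUSTOM_FORWARD_TTL" | grep -Eo "[0-9]+" | head -1)
    if [ -z "$CUSTOM_FORWARD_TTL" ]; then
        CUSTOM_FORWARD_TTL=0
    fi
    if [ "$RULES_TTL" -gt 0 ]; then
        sed "s/#ttl_rule_ok//g" /data/dnscrypt.toml >/data/dnscrypt-resolvers/dnscrypt.toml
        sed -i "s/#ttl_rule_ok//g" /tmp/mosdns.yaml
        sed -i "s/{RULES_TTL}/$RULES_TTL/g" /tmp/mosdns.yaml
        /usr/sbin/watch_list.sh load_ttl_rules
    else
        cp /data/dnscrypt.toml /data/dnscrypt-resolvers/dnscrypt.toml
    fi
    if [ "$CUSTOM_FORWARD_TTL" -gt 0 ]; then
        sed -i "s/#CUSTOM_FORWARD_TTL//g" /tmp/mosdns.yaml
        sed -i "s/{CUSTOM_FORWARD_TTL}/$CUSTOM_FORWARD_TTL/g" /tmp/mosdns.yaml
    fi
    if [ "$HTTP_FILE" = "yes" ]; then
        sed -i "s/#http_file_yes//g" /tmp/mosdns.yaml
    fi
    sed -i "s/{MSCACHE}/$MSCACHE/g" /tmp/mosdns.yaml
    # Start the upstream side: dnscrypt-proxy (5302, and 5303 via SOCKS5 when
    # configured) and the forwarding unbound on 5304.
    dnscrypt-proxy -config /data/dnscrypt-resolvers/dnscrypt.toml >/dev/null 2>&1 &
    dnscrypt-proxy -config /data/dnscrypt-resolvers/dnscrypt_socks.toml >/dev/null 2>&1 &
    unbound -c /tmp/unbound_forward.conf -p
    # Add Mods
    touch /data/custom_mod.yaml
    cp /tmp/mosdns.yaml /tmp/mosdns_base.yaml
    mosdns AddMod
    if [ -f /tmp/mosdns_mod.yaml ]; then
        cat /tmp/mosdns_mod.yaml >/tmp/mosdns.yaml
    fi
    # Remaining "#flag" lines are disabled features; drop them before start.
    sed -i '/^#/d' /tmp/mosdns.yaml
    mosdns start -d /tmp -c /tmp/mosdns.yaml &
fi
# Raw recursive unbound on $DNSPORT (5301 in CNAUTO mode, else the public port).
sed "s/{DNSPORT}/$DNSPORT/g" /tmp/unbound.conf | sed "s/#RAWDNS//g" >/tmp/unbound_raw.conf
if [ "$CNAUTO" = "yes" ] && [ "$CNFALL" = "yes" ]; then
    sed -i "s/#neg_fetch//g" /tmp/unbound_raw.conf
else
    sed -i "s/#pos_fetch//g" /tmp/unbound_raw.conf
fi
unbound -c /tmp/unbound_raw.conf -p

# Resolvers for the container's own lookups (e.g. data updates): the local
# unbound first, then two public plain-DNS resolvers as fallback. The
# fallbacks are reached directly, not through the dnscrypt/SOCKS5 path.
echo "nameserver 127.0.0.1" >/etc/resolv.conf
echo "nameserver 223.5.5.5" >>/etc/resolv.conf
echo "nameserver 1.0.0.1" >>/etc/resolv.conf
/usr/sbin/watch_list.sh &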
if [ "$UPDATE" != "no" ]; then 476 | /usr/sbin/data_update.sh & 477 | fi 478 | ps 479 | tail -f /dev/null 480 | -------------------------------------------------------------------------------- /src/mosdns.yaml: -------------------------------------------------------------------------------- 1 | log: 2 | file: "" 3 | level: error 4 | 5 | plugins: 6 | 7 | ##zones_dns_start## 8 | ##zones_dns_end## 9 | 10 | ##zones_seq_start## 11 | ##zones_seq_end## 12 | 13 | #usehosts-yes - tag: "usehosts" 14 | #usehosts-yes type: "hosts" 15 | #usehosts-yes args: 16 | #usehosts-yes#serverip-enable entries: 17 | #usehosts-yes#serverip-enable - "paopao.dns {SERVER_IP}" 18 | #usehosts-yes#usehosts-enable files: 19 | #usehosts-yes#usehosts-enable - "/tmp/hosts.txt" 20 | 21 | - tag: "force_recurse_list" 22 | type: "domain_set" 23 | args: 24 | files: 25 | - "/tmp/force_recurse_list.txt" 26 | 27 | - tag: "force_dnscrypt_list" 28 | type: "domain_set" 29 | args: 30 | files: 31 | - "/tmp/force_dnscrypt_list.txt" 32 | #cntracker-yes - "/tmp/cn_tracker_list.txt" 33 | 34 | #ttl_rule_ok - tag: "force_ttl_rules" 35 | #ttl_rule_ok type: "domain_set" 36 | #ttl_rule_ok args: 37 | #ttl_rule_ok files: 38 | #ttl_rule_ok - "/tmp/force_ttl_rules.txt" 39 | 40 | #global_mark_yes - tag: "global_mark" 41 | #global_mark_yes type: "domain_set" 42 | #global_mark_yes args: 43 | #global_mark_yes files: 44 | #global_mark_yes - "/tmp/global_mark.dat" 45 | 46 | #global_mark_yes - tag: "cn_mark" 47 | #global_mark_yes type: "domain_set" 48 | #global_mark_yes args: 49 | #global_mark_yes files: 50 | #global_mark_yes - "/tmp/cn_mark.dat" 51 | #global_mark_yes - "/tmp/custom_cn_mark.txt" 52 | 53 | #global_mark_yes - tag: "global_mark_cn" 54 | #global_mark_yes type: "domain_set" 55 | #global_mark_yes args: 56 | #global_mark_yes files: 57 | #global_mark_yes - "/tmp/global_mark_cn.dat" 58 | #global_mark_yes - "/tmp/custom_cn_mark.txt" 59 | 60 | #customforward-seted - tag: "force_forward_list" 61 | #customforward-seted type: 
"domain_set" 62 | #customforward-seted args: 63 | #customforward-seted files: 64 | #customforward-seted - "/tmp/force_forward_list.txt" 65 | 66 | #cnfall - tag: cn_test 67 | #cnfall type: forward 68 | #cnfall args: 69 | #cnfall concurrent: 3 70 | #cnfall upstreams: 71 | #cnfall - addr: "udp://127.0.0.1:5301" 72 | #cnfall - addr: "udp://223.5.5.5" 73 | #cnfall - addr: "udp://119.29.29.29" 74 | 75 | - tag: local_unbound 76 | type: forward 77 | args: 78 | allowcode: 23 79 | upstreams: 80 | - addr: "udp://127.0.0.1:5301" 81 | 82 | #cnfall - tag: local_unbound_fall 83 | #cnfall type: forward 84 | #cnfall args: 85 | #cnfall qtime: 3 86 | #flushd_un_yes#cnfall flush: 1 87 | #cnfall upstreams: 88 | #cnfall - addr: "udp://127.0.0.1:5301" 89 | 90 | #customforward-seted - tag: force_forward 91 | #customforward-seted type: forward 92 | #customforward-seted args: 93 | #customforward-seted allowcode: 23 94 | #customforward-seted upstreams: 95 | #customforward-seted - addr: "udp://{CUSTOM_FORWARD}" 96 | 97 | - tag: forward_unbound 98 | type: forward 99 | args: 100 | allowcode: 23 101 | concurrent: 2 102 | upstreams: 103 | - addr: "udp://127.0.0.1:5304" 104 | #nosocks - addr: "udp://127.0.0.1:5302" 105 | #socksok - addr: "udp://127.0.0.1:5303" 106 | 107 | - tag: forward_dnscrypt 108 | type: forward 109 | args: 110 | upstreams: 111 | - addr: "udp://127.0.0.1:5302" 112 | 113 | - tag: cnip 114 | type: mmdb 115 | args: 116 | file: "/tmp/Country.mmdb" 117 | 118 | - tag: accept 119 | type: sequence 120 | args: 121 | #liteshuffle - exec: shuffle 2 122 | #trncshuffle - exec: shuffle 4 123 | ##swaps_match_start## 124 | ##swaps_match_end## 125 | - exec: ok 126 | 127 | - tag: not_a_aaaa 128 | type: sequence 129 | args: 130 | - exec: $local_unbound 131 | #addinfo - exec: addinfo not_a_aaaa -> local_unbound 132 | - matches: has_wanted_ans 133 | exec: goto accept 134 | - exec: drop_resp 135 | - exec: $forward_unbound 136 | #addinfo - exec: addinfo not_a_aaaa -> forward_unbound 137 | - matches: 
has_wanted_ans 138 | exec: goto accept 139 | - exec: drop_resp 140 | 141 | #customforward-seted - tag: f_force_forward_list 142 | #customforward-seted type: sequence 143 | #customforward-seted args: 144 | #customforward-seted - exec: drop_resp 145 | #customforward-seted - exec: $force_forward 146 | #addinfo#customforward-seted - exec: addinfo forward -> {CUSTOM_FORWARD_SERVER}@{CUSTOM_FORWARD_PORT} 147 | #CUSTOM_FORWARD_TTL#customforward-seted - exec: ttl {CUSTOM_FORWARD_TTL}-0 148 | #customforward-seted - exec: goto accept 149 | 150 | - tag: f_force_dnscrypt_list 151 | type: sequence 152 | args: 153 | - exec: drop_resp 154 | #ipv6cn_only6 - matches: 155 | #ipv6cn_only6 - qtype 28 156 | #ipv6cn_only6 exec: prefer_ipv4 157 | - exec: $forward_unbound 158 | 159 | #addinfo - exec: addinfo nocn forward_unbound 160 | - matches: has_wanted_ans 161 | exec: goto accept 162 | - exec: $forward_dnscrypt 163 | #addinfo - exec: addinfo nocn forward_dnscrypt 164 | - matches: has_wanted_ans 165 | exec: goto accept 166 | - exec: pongerr END by f_force_dnscrypt_list. 167 | 168 | - tag: f_local_unbound 169 | type: sequence 170 | args: 171 | - exec: $local_unbound 172 | #addinfo - exec: addinfo local_unbound 173 | - matches: has_wanted_ans 174 | exec: goto accept 175 | - exec: pongerr END by f_local_unbound. 
176 | 177 | #ttl_rule_ok - tag: f_force_ttl_rules 178 | #ttl_rule_ok type: sequence 179 | #ttl_rule_ok args: 180 | #ttl_rule_ok - exec: $forward_dnscrypt 181 | #ttl_rule_ok - exec: ttl 0-{RULES_TTL} 182 | #addinfo#ttl_rule_ok - exec: addinfo force_ttl_rules 183 | #ttl_rule_ok - exec: goto accept 184 | 185 | #cnfall - tag: try_cn_fall 186 | #cnfall type: sequence 187 | #cnfall args: 188 | #cnfall - exec: drop_resp 189 | #cnfall - exec: $cn_test 190 | #cnfall#addinfo - exec: addinfo try_cn_fall 191 | 192 | #autoforward-yes#autoforward-check - tag: try_auto_check 193 | #autoforward-yes#autoforward-check type: sequence 194 | #autoforward-yes#autoforward-check args: 195 | #autoforward-yes#autoforward-check - exec: drop_resp 196 | #autoforward-yes#autoforward-check - exec: $forward_unbound 197 | #addinfo#autoforward-yes#autoforward-check - exec: addinfo AUTO_FORWARD_CHECK forward_unbound PRIVATE 198 | #autoforward-yes#autoforward-check - matches: resp_ip_mmdb $cnip PRIVATE 199 | #autoforward-yes#autoforward-check exec: goto accept 200 | #autoforward-yes#autoforward-check - matches: "has_wanted_ans" 201 | #autoforward-yes#autoforward-check exec: goto f_force_forward_list 202 | #autoforward-yes#autoforward-check - exec: pongerr END by try_auto_check. 203 | 204 | #global_mark_yes - tag: f_global_mark 205 | #global_mark_yes type: sequence 206 | #global_mark_yes args: 207 | #global_mark_yes - matches: qname $global_mark_cn 208 | #global_mark_yes exec: return 209 | 210 | #global_mark_yes#ipv6yes - matches: 211 | #global_mark_yes#ipv6yes - qtype 28 212 | #global_mark_yes#ipv6yes exec: pong END by IPv6=yes, MARK_DATA block aaaa. 
213 | #global_mark_yes#ipv6cn_only6 - matches: 214 | #global_mark_yes#ipv6cn_only6 - qtype 28 215 | #global_mark_yes#ipv6cn_only6 exec: prefer_ipv4 216 | #global_mark_yes#autoforward-yes#autoforward-check - exec: goto try_auto_check 217 | #global_mark_yes#autoforward-yes#autoforward-nocheck - exec: $force_forward 218 | #global_mark_yes#autoforward-no - exec: goto f_force_dnscrypt_list 219 | 220 | 221 | #usehosts-yes - tag: accept_hosts 222 | #usehosts-yes type: sequence 223 | #usehosts-yes args: 224 | #usehosts-yes - exec: $usehosts 225 | #usehosts-yes - matches: has_wanted_ans 226 | #usehosts-yes exec: goto accept 227 | 228 | - tag: main_sequence 229 | type: sequence 230 | args: 231 | 232 | ##zones_qname_top_start## 233 | ##zones_qname_top_end## 234 | 235 | #usehosts-yes - exec: jump accept_hosts 236 | - matches: "qtype 64 65" 237 | exec: pong END by block qtype 64/65. 238 | 239 | #ipv6no - matches: 240 | #ipv6no - qtype 28 241 | #ipv6no exec: pong END by IPv6=no. 242 | 243 | #ipv6yes - matches: 244 | #ipv6yes - qname $force_dnscrypt_list 245 | #ipv6yes - qtype 28 246 | #ipv6yes exec: pong END by IPv6=yes, force_dnscrypt_list block aaaa. 
247 | 248 | #ipv6only6 - exec: prefer_ipv4 249 | 250 | ##zones_qname_top6_start## 251 | ##zones_qname_top6_end## 252 | 253 | - matches: 254 | - "!qtype 1 28" 255 | exec: jump not_a_aaaa 256 | #customforward-seted - matches: qname $force_forward_list 257 | #customforward-seted exec: goto f_force_forward_list 258 | - matches: qname $force_dnscrypt_list 259 | exec: goto f_force_dnscrypt_list 260 | - matches: qname $force_recurse_list 261 | exec: goto f_local_unbound 262 | 263 | #ttl_rule_ok - matches: qname $force_ttl_rules 264 | #ttl_rule_ok exec: goto f_force_ttl_rules 265 | 266 | ##zones_qname_list_start## 267 | ##zones_qname_list_end## 268 | 269 | #global_mark_yes - matches: qname $global_mark 270 | #global_mark_yes exec: jump f_global_mark 271 | 272 | #nofall - exec: $local_unbound 273 | #cnfall - exec: $local_unbound_fall 274 | #cnfall - matches: "!rcode 0" 275 | #cnfall exec: jump try_cn_fall 276 | #global_mark_yes#addinfo - exec: addinfo cn_mark 277 | #global_mark_yes - matches: qname $cn_mark 278 | #global_mark_yes exec: goto accept 279 | #addinfo - exec: addinfo mmdb CN IP 280 | - matches: resp_ip_mmdb $cnip CN 281 | exec: goto accept 282 | 283 | #ipv6yes - matches: 284 | #ipv6yes - qtype 28 285 | #ipv6yes exec: pong END by IPv6=yes, NO CN IP block aaaa. 
286 | 287 | #ipv6cn_only6 - matches: 288 | #ipv6cn_only6 - qtype 28 289 | #ipv6cn_only6 exec: prefer_ipv4 290 | 291 | #autoforward-yes#autoforward-check - matches: 292 | #autoforward-yes#autoforward-check - "!resp_ip_mmdb $cnip PRIVATE" 293 | #autoforward-yes#autoforward-check - "has_wanted_ans" 294 | #autoforward-yes#autoforward-check exec: goto f_force_forward_list 295 | #autoforward-yes#autoforward-check - exec: goto try_auto_check 296 | #autoforward-yes#autoforward-nocheck - exec: goto f_force_forward_list 297 | 298 | #autoforward-no - exec: goto f_force_dnscrypt_list 299 | 300 | 301 | - tag: respond 302 | type: sequence 303 | args: 304 | #shuffle - exec: shuffle 305 | #liteshuffle - exec: shuffle 3 306 | #trncshuffle - exec: shuffle 3 307 | #addinfo - exec: addinfo respond mosdns cache 308 | - exec: ok 309 | - tag: check_cache 310 | type: sequence 311 | args: 312 | - exec: cache {MSCACHE} 313 | - matches: has_wanted_ans 314 | exec: goto respond 315 | - exec: jump main_sequence 316 | 317 | - tag: udp_server 318 | type: udp_server 319 | args: 320 | entry: check_cache 321 | listen: :53 322 | - tag: "tcp_server" 323 | type: "tcp_server" 324 | args: 325 | entry: check_cache 326 | listen: :53 327 | idle_timeout: 5 328 | #flushd_un_yes - tag: "flushd_server" 329 | #flushd_un_yes type: "flushd_server" 330 | #http_file_yes - tag: "httpd_server" 331 | #http_file_yes type: "httpd_server" -------------------------------------------------------------------------------- /src/redis.conf: -------------------------------------------------------------------------------- 1 | # Redis configuration file 2 | # 3 | # Redis must be started with the file path as first argument: 4 | # 5 | # ./redis-server /path/to/redis.conf 6 | 7 | # Note on units: Memory size can be specified as 1k 5GB 4M and so forth. 
Units 8 | # are case insensitive so 1GB 1Gb 1gB are all the same 9 | 10 | ################################## INCLUDES ################################### 11 | 12 | # Include one or more other config files here. Useful if you have a standard 13 | # template that goes to all Redis servers but also need to customize few per 14 | # server settings. To override config options, use include as the last line 15 | # 16 | # include /path/to/other.conf 17 | 18 | ################################## MODULES ##################################### 19 | 20 | # Load modules at startup. 21 | # 22 | # loadmodule /path/to/other_module.so 23 | 24 | ################################## NETWORK ##################################### 25 | 26 | port 0 27 | unixsocket /tmp/redis.sock 28 | unixsocketperm 700 29 | protected-mode yes 30 | tcp-backlog 511 31 | timeout 0 32 | tcp-keepalive 300 33 | 34 | ################################# GENERAL ##################################### 35 | 36 | daemonize yes 37 | supervised no 38 | pidfile /tmp/redis-server.pid 39 | # Log verbosity level. (debug, verbose, notice, warning) 40 | loglevel warning 41 | #logfile /var/log/redis/redis-server.log 42 | syslog-enabled no 43 | # Set the number of databases 44 | databases 2 45 | always-show-logo no 46 | 47 | ################################ SNAPSHOTTING ################################ 48 | 49 | # RDB (Redis Database) Persistence 50 | # 51 | # Save the DB to disk - "save [ ...]" 52 | # Below option will save the DB: 53 | # * After 43200 secs (12 hrs) if at least 1 change was performed 54 | # * After 7200 secs (2 hrs) if at least 100 changes were performed 55 | # save "" - Disable snapshotting with empty string 56 | save 43200 1 7200 100 57 | # By default Redis will stop accepting writes if RDB snapshots are enabled and 58 | # the latest background save failed 59 | stop-writes-on-bgsave-error no 60 | # By default compression is enabled. 
If you want to save some CPU in the saving 61 | # child set it to 'no' 62 | rdbcompression no 63 | # Checksum is placed at the end of the file. Makes it resistant to corruption 64 | # but has performance hit (around 10%) when saving and loading RDB files. It 65 | # can be disabled for maximum performances 66 | rdbchecksum no 67 | # The filename where to dump the DB 68 | dbfilename redis_dns_v2.rdb 69 | # Remove RDB files used by replication in instances without persistence 70 | # enabled. Default is disabled. It ONLY WORKS in instances that have both AOF 71 | # and RDB persistence disabled, otherwise is completely ignored. 72 | rdb-del-sync-files no 73 | # The working directory. DB will be written inside this dir, with the filename 74 | # specified above using dbfilename directive. The Append Only File will also be 75 | # created inside this directory. 76 | dir /data 77 | 78 | ################################# REPLICATION ################################# 79 | 80 | replica-serve-stale-data yes 81 | replica-read-only yes 82 | repl-diskless-sync yes 83 | repl-diskless-sync-delay 5 84 | repl-diskless-load disabled 85 | repl-disable-tcp-nodelay no 86 | replica-priority 100 87 | 88 | ################################## SECURITY ################################### 89 | 90 | # The ACL Log tracks failed commands and authentication events associated with 91 | # ACLs. ACL Log is stored in memory. Define max entry length of ACL Log below 92 | acllog-max-len 128 93 | 94 | ############################## MEMORY MANAGEMENT ################################ 95 | 96 | # Memory usage limit. When limit is reached Redis will try to remove keys based 97 | # on selected eviction policy 98 | maxmemory {MEM4} 99 | # Maxmemory policy decides how Redis will select what to remove when maxmemory 100 | # is reached. LRU means Least Recently Used 101 | maxmemory-policy allkeys-lru 102 | # LRU, LFU and minimal TTL sample size. Default of 5 produces good enough 103 | # results. 
10 Approximates very closely true LRU but costs more CPU. 3 is 104 | # faster but not very accurate. 105 | # maxmemory-samples 5 106 | 107 | ############################# LAZY FREEING #################################### 108 | 109 | lazyfree-lazy-eviction no 110 | lazyfree-lazy-expire no 111 | lazyfree-lazy-server-del no 112 | replica-lazy-flush no 113 | lazyfree-lazy-user-del no 114 | lazyfree-lazy-user-flush no 115 | 116 | ############################ KERNEL OOM CONTROL ############################## 117 | 118 | oom-score-adj no 119 | oom-score-adj-values 0 200 800 120 | 121 | #################### KERNEL transparent hugepage CONTROL ###################### 122 | 123 | disable-thp yes 124 | 125 | ############################## APPEND ONLY MODE ############################### 126 | 127 | # AOF (Append Only File) Persistence 128 | # 129 | appendonly no 130 | appendfilename "appendonly.aof" 131 | appenddirname "appendonlydir" 132 | appendfsync everysec 133 | no-appendfsync-on-rewrite no 134 | auto-aof-rewrite-percentage 100 135 | auto-aof-rewrite-min-size 64mb 136 | aof-load-truncated yes 137 | aof-use-rdb-preamble yes 138 | aof-timestamp-enabled no 139 | 140 | ################################## SLOW LOG ################################### 141 | 142 | slowlog-log-slower-than 10000 143 | slowlog-max-len 16 144 | 145 | ################################ LATENCY MONITOR ############################## 146 | 147 | # Default is disabled 148 | latency-monitor-threshold 0 149 | 150 | ############################# EVENT NOTIFICATION ############################## 151 | 152 | # Default is disabled 153 | notify-keyspace-events "" 154 | 155 | ############################### ADVANCED CONFIG ############################### 156 | 157 | hash-max-ziplist-entries 512 158 | hash-max-ziplist-value 64 159 | list-max-ziplist-size -2 160 | list-compress-depth 0 161 | set-max-intset-entries 512 162 | zset-max-ziplist-entries 128 163 | zset-max-ziplist-value 64 164 | hll-sparse-max-bytes 3000 
165 | stream-node-max-bytes 4096 166 | stream-node-max-entries 100 167 | activerehashing yes 168 | client-output-buffer-limit normal 0 0 0 169 | client-output-buffer-limit replica 256mb 64mb 60 170 | client-output-buffer-limit pubsub 32mb 8mb 60 171 | hz 10 172 | dynamic-hz yes 173 | aof-rewrite-incremental-fsync yes 174 | rdb-save-incremental-fsync yes 175 | 176 | ########################### ACTIVE DEFRAGMENTATION ####################### 177 | 178 | # Jemalloc background thread for purging will be enabled by default 179 | jemalloc-bg-thread yes 180 | -------------------------------------------------------------------------------- /src/reload.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | . /etc/profile 3 | if [ -f /data/custom_env.ini ]; then 4 | grep -Eo "^[_a-zA-Z0-9]+=\".+\"" /data/custom_env.ini >/tmp/custom_env.ini 5 | if [ -f "/tmp/custom_env.ini" ]; then 6 | while IFS= read -r line; do 7 | line=$(echo "$line" | sed 's/"//g' | sed "s/'//g") 8 | export "$line" 9 | done <"/tmp/custom_env.ini" 10 | fi 11 | fi 12 | /usr/sbin/mosdns version 13 | /usr/sbin/mosdns AddMod 14 | if [ -f /tmp/mosdns_mod.yaml ]; then 15 | cat /tmp/mosdns_mod.yaml >/tmp/mosdns.yaml 16 | sed -i '/^#/d' /tmp/mosdns.yaml 17 | fi 18 | /usr/sbin/watch_list.sh reload_dns 19 | -------------------------------------------------------------------------------- /src/test.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | blank() { 3 | echo "*********************************************************************************" 4 | echo 5 | } 6 | export no_proxy="" 7 | export http_proxy="" 8 | ping whoami.03k.org -c1 -W 1 -w 1 -i 1 -4 >/dev/null 9 | IPREX4='([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9][0-9]|2[0-4][0-9]|25[0-5])' 10 | v4check() { 11 | if echo "$1" | grep -v "timed out" | 
grep -v "127.0.0.1" | grep -qE "$IPREX4"; then 12 | echo y 13 | else 14 | echo "$2" failed:"$1" 15 | exit 16 | fi 17 | } 18 | blank 19 | echo images build time : {bulidtime} 20 | echo "check for the latest version ," 21 | echo "go to https://github.com/kkkgo/PaoPaoDNS/discussions " 22 | echo "-> test start \`$(date +%s)\`" 23 | echo "\`\`\`rust" 24 | if [ -w /data ]; then 25 | t1=y 26 | else 27 | t1="[ERROR]DATA_not_writeable" 28 | fi 29 | 30 | if [ -r /data ]; then 31 | t2=y 32 | else 33 | t2="[ERROR]DATA_not_readable" 34 | fi 35 | t3t=$(dig +short whether.114dns.com @114.114.114.114) 36 | if echo "$t3t" | grep -q "127.0.0.1"; then 37 | t3="[DNS hijack]""$t3t" 38 | else 39 | t3=y 40 | fi 41 | t4t=$(dig +short whoami.ds.akahelp.net @9.8.7.6 txt -p53 +retry=0 +timeout=1) 42 | if echo "$t4t" | grep -q timed; then 43 | t4=y 44 | else 45 | t4="[DNS hijack]""$t4t" 46 | fi 47 | dig www.taobao.com @127.0.0.1 -p5301 A +short >/dev/null 48 | dig www.taobao.com @127.0.0.1 -p5301 A +short >/dev/null 49 | dig www.taobao.com @127.0.0.1 -p5301 A +short >/dev/null 50 | dig www.taobao.com @127.0.0.1 -p5301 A +short >/dev/null 51 | dig www.taobao.com @127.0.0.1 -p5301 A +short >/dev/null 52 | t5t=$(dig www.taobao.com @127.0.0.1 -p53 A +short) 53 | t5=$(v4check "$t5t" CN-53) 54 | if redis-cli -s /tmp/redis.sock info | grep -q human; then 55 | tredis=y 56 | else 57 | tredis=n 58 | fi 59 | if ps -ef | grep -v grep | grep -q mosdns.yaml; then 60 | t6t=$(dig www.taobao.com @127.0.0.1 -p5301 A +short) 61 | t6=$(v4check "$t6t" CN-5301) 62 | t7t=$(dig www.taobao.com @127.0.0.1 -p5302 A +short) 63 | t7=$(v4check "$t7t" CN-5302) 64 | t8t=$(dig www.taobao.com @127.0.0.1 -p5304 A +short) 65 | t8=$(v4check "$t8t" CN-5304) 66 | t9t=$(dig www.google.com @127.0.0.1 -p53 A +short) 67 | t9=$(v4check "$t9t" NOCN-53) 68 | t10t=$(dig www.google.com @127.0.0.1 -p5301 A +short) 69 | t10=$(v4check "$t10t" NOCN-5301) 70 | t11t=$(dig www.google.com @127.0.0.1 -p5302 A +short) 71 | t11=$(v4check "$t11t" 
NOCN-5302) 72 | t12t=$(dig www.google.com @127.0.0.1 -p5304 A +short) 73 | t12=$(v4check "$t12t" NOCN-5304) 74 | 75 | result=$t1$t2$t3$t4$t5$t6$t7$t8$t9$t10$t11$t12$tredis 76 | if echo $result | grep -q "yyyyyyyyyyyyy"; then 77 | echo "[INFO]" ALL TEST PASS.✅ 78 | else 79 | echo $result 80 | echo "[INFO]" TEST FAIL.❌ 81 | fi 82 | echo "\`\`\`" 83 | echo "-> test end \`$(date +%s)\`" 84 | echo 85 | else 86 | if [ "$CNAUTO" != "no" ]; then 87 | echo "DNS NOT READY.❌" 88 | echo "Please wait until the DNS server has fully started before attempting to execute test.sh." 89 | else 90 | echo "UNBOUND MODE TEST." 91 | result=$t1$t2$t3$t4$t5$tredis 92 | if echo $result | grep -q "yyyyyy"; then 93 | echo "[INFO]" ALL TEST PASS.✅ 94 | else 95 | echo $result 96 | echo "[INFO]" TEST FAIL.❌ 97 | fi 98 | echo "\`\`\`" 99 | echo "-> test end \`$(date +%s)\`" 100 | echo 101 | fi 102 | fi 103 | blank 104 | -------------------------------------------------------------------------------- /src/ub_trace.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | echo images build time : {bulidtime} 3 | echo "-> test start \`$(date +%s)\`" 4 | echo "\`\`\`rust" 5 | echo "[TEST]Run unbound trace test..." 6 | echo kill unbound and reload to debug mode... 7 | unbound_id=$(ps | grep -v "grep" | grep "unbound_raw" | grep -Eo "[0-9]+" | head -1) 8 | kill "$unbound_id" 9 | sed -i "s/verbosity:.*/verbosity: 4/g" /tmp/unbound_raw.conf 10 | unbound -c /tmp/unbound_raw.conf -p -d -v & 11 | dig www.jd.com @127.0.0.1 -p5301 12 | dig www.taobao.com @127.0.0.1 -p5301 13 | echo unbound trace finish. 
14 | echo "\`\`\`" 15 | echo "-> test end \`$(date +%s)\`" 16 | echo 17 | unbound_id=$(ps | grep -v "grep" | grep "unbound_raw" | grep -Eo "[0-9]+" | head -1) 18 | kill "$unbound_id" 19 | sed -i "s/verbosity:.*/verbosity: 0/g" /tmp/unbound_raw.conf 20 | unbound -c /tmp/unbound_raw.conf -p -------------------------------------------------------------------------------- /src/unbound.conf: -------------------------------------------------------------------------------- 1 | # 2 | # Example configuration file. 3 | # 4 | # See unbound.conf(5) man page, version 1.17.1. 5 | # 6 | # this is a comment. 7 | 8 | # Use this anywhere in the file to include other text into this file. 9 | #include: "otherfile.conf" 10 | 11 | # Use this anywhere in the file to include other text, that explicitly starts a 12 | # clause, into this file. Text after this directive needs to start a clause. 13 | #include-toplevel: "otherfile.conf" 14 | 15 | # The server clause sets the main parameters. 16 | server: 17 | # whitespace is not necessary, but looks cleaner. 18 | 19 | # verbosity number, 0 is least verbose. 1 is default. 20 | verbosity: 0 21 | 22 | # print statistics to the log (for every thread) every N seconds. 23 | # Set to "" or 0 to disable. Default is disabled. 24 | # statistics-interval: 0 25 | 26 | # enable shm for stats, default no. if you enable also enable 27 | # statistics-interval, every time it also writes stats to the 28 | # shared memory segment keyed with shm-key. 29 | # shm-enable: no 30 | 31 | # shm for stats uses this key, and key+1 for the shared mem segment. 32 | # shm-key: 11777 33 | 34 | # enable cumulative statistics, without clearing them after printing. 35 | # statistics-cumulative: no 36 | 37 | # enable extended statistics (query types, answer codes, status) 38 | # printed from unbound-control. Default off, because of speed. 
39 | # extended-statistics: no 40 | 41 | # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, 42 | # rpz-actions) from printing if their value is 0. 43 | # Default on. 44 | # statistics-inhibit-zero: yes 45 | 46 | # number of threads to create. 1 disables threading. 47 | #RAWDNS num-threads: {CORES} 48 | # specify the interfaces to answer queries from by ip-address. 49 | # The default is to listen to localhost (127.0.0.1 and ::1). 50 | # specify 0.0.0.0 and ::0 to bind to all available interfaces. 51 | # specify every interface[@port] on a new 'interface:' labelled line. 52 | # The listen interfaces are not changed on reload, only on restart. 53 | # interface: 192.0.2.153 54 | # interface: 192.0.2.154 55 | # interface: 192.0.2.154@5003 56 | # interface: 2001:DB8::5 57 | # interface: eth0@5003 58 | interface: 0.0.0.0 59 | # interface: ::0 60 | # enable this feature to copy the source address of queries to reply. 61 | # Socket options are not supported on all platforms. experimental. 62 | # interface-automatic: no 63 | 64 | # instead of the default port, open additional ports separated by 65 | # spaces when interface-automatic is enabled, by listing them here. 66 | # interface-automatic-ports: "" 67 | 68 | # port to answer queries from 69 | port: {DNSPORT} 70 | 71 | # specify the interfaces to send outgoing queries to authoritative 72 | # server from by ip-address. If none, the default (all) interface 73 | # is used. Specify every interface on a 'outgoing-interface:' line. 74 | # outgoing-interface: 192.0.2.153 75 | # outgoing-interface: 2001:DB8::5 76 | # outgoing-interface: 2001:DB8::6 77 | 78 | # Specify a netblock to use remainder 64 bits as random bits for 79 | # upstream queries. Uses freebind option (Linux). 80 | # outgoing-interface: 2001:DB8::/64 81 | # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo 82 | # And: ip -6 route add local 2001:db8::/64 dev lo 83 | # And set prefer-ip6: yes to use the ip6 randomness from a netblock. 
84 | # Set this to yes to prefer ipv6 upstream servers over ipv4. 85 | # prefer-ip6: no 86 | 87 | # Prefer ipv4 upstream servers, even if ipv6 is available. 88 | # prefer-ip4: no 89 | 90 | # number of ports to allocate per thread, determines the size of the 91 | # port range that can be open simultaneously. About double the 92 | # num-queries-per-thread, or, use as many as the OS will allow you. 93 | #safemem#RAWDNS#safeoff outgoing-range: {r_outgoing} 94 | #safemem#CNAUTO#safeoff outgoing-range: {f_outgoing} 95 | #lowrmem outgoing-range: 60 96 | 97 | # permit Unbound to use this port number or port range for 98 | # making outgoing queries, using an outgoing interface. 99 | # outgoing-port-permit: 32768 100 | 101 | # deny Unbound the use this of port number or port range for 102 | # making outgoing queries, using an outgoing interface. 103 | # Use this to make sure Unbound does not grab a UDP port that some 104 | # other server on this computer needs. The default is to avoid 105 | # IANA-assigned port numbers. 106 | # If multiple outgoing-port-permit and outgoing-port-avoid options 107 | # are present, they are processed in order. 108 | # outgoing-port-avoid: "3200-3208" 109 | 110 | # number of outgoing simultaneous tcp buffers to hold per thread. 111 | #RAWDNS#safeoff outgoing-num-tcp: {r_outgoing_half} 112 | #CNAUTO#safeoff outgoing-num-tcp: {f_outgoing_half} 113 | 114 | # number of incoming simultaneous tcp buffers to hold per thread. 115 | #RAWDNS#safeoff incoming-num-tcp: {r_outgoing_half} 116 | #CNAUTO#safeoff incoming-num-tcp: {f_outgoing_half} 117 | 118 | # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). 119 | # 0 is system default. Use 4m to catch query spikes for busy servers. 120 | # so-rcvbuf: 4m 121 | 122 | # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option). 123 | # 0 is system default. Use 4m to handle spikes on very busy servers. 124 | # so-sndbuf: 4m 125 | 126 | # use SO_REUSEPORT to distribute queries over threads. 
127 | # at extreme load it could be better to turn it off to distribute even. 128 | #safemem so-reuseport: yes 129 | 130 | # use IP_TRANSPARENT so the interface: addresses can be non-local 131 | # and you can config non-existing IPs that are going to work later on 132 | # (uses IP_BINDANY on FreeBSD). 133 | # ip-transparent: no 134 | 135 | # use IP_FREEBIND so the interface: addresses can be non-local 136 | # and you can bind to nonexisting IPs and interfaces that are down. 137 | # Linux only. On Linux you also have ip-transparent that is similar. 138 | # ip-freebind: no 139 | 140 | # the value of the Differentiated Services Codepoint (DSCP) 141 | # in the differentiated services field (DS) of the outgoing 142 | # IP packets 143 | # ip-dscp: 0 144 | 145 | # EDNS reassembly buffer to advertise to UDP peers (the actual buffer 146 | # is set with msg-buffer-size). 147 | # edns-buffer-size: 1232 148 | 149 | # Maximum UDP response size (not applied to TCP response). 150 | # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. 151 | # max-udp-size: 4096 152 | 153 | # max memory to use for stream(tcp and tls) waiting result buffers. 154 | # stream-wait-size: 4m 155 | 156 | # buffer size for handling DNS data. No messages larger than this 157 | # size can be sent or received, by UDP or TCP. In bytes. 158 | # msg-buffer-size: 65552 159 | #lowrmem msg-buffer-size: 8192 160 | # the amount of memory to use for the message cache. 161 | # plain value in bytes or you can append k, m or G. default is "4Mb". 162 | #RAWDNS msg-cache-size: {MEM1} 163 | 164 | # the number of slabs to use for the message cache. 165 | # the number of slabs must be a power of 2. 166 | # more slabs reduce lock contention, but fragment memory usage. 167 | #RAWDNS msg-cache-slabs: {POWCORES} 168 | 169 | # the number of queries that a thread gets to service. 
170 | #safemem#RAWDNS#safeoff num-queries-per-thread: {r_numQueriesPerThread} 171 | #safemem#CNAUTO#safeoff num-queries-per-thread: {f_numQueriesPerThread} 172 | #lowrmem num-queries-per-thread: 30 173 | # if very busy, 50% queries run to completion, 50% get timeout in msec 174 | # jostle-timeout: 200 175 | 176 | # msec to wait before close of port on timeout UDP. 0 disables. 177 | # delay-close: 0 178 | 179 | # perform connect for UDP sockets to mitigate ICMP side channel. 180 | # udp-connect: yes 181 | 182 | # The number of retries, per upstream nameserver in a delegation, when 183 | # a throwaway response (also timeouts) is received. 184 | #neg_fetch outbound-msg-retry: 2 185 | #CNAUTO outbound-msg-retry: 2 186 | 187 | # Hard limit on the number of outgoing queries Unbound will make while 188 | # resolving a name, making sure large NS sets do not loop. 189 | # It resets on query restarts (e.g., CNAME) and referrals. 190 | # max-sent-count: 32 191 | 192 | # Hard limit on the number of times Unbound is allowed to restart a 193 | # query upon encountering a CNAME record. 194 | # max-query-restarts: 11 195 | 196 | # msec for waiting for an unknown server to reply. Increase if you 197 | # are behind a slow satellite link, to eg. 1128. 198 | # unknown-server-time-limit: 376 199 | 200 | # the amount of memory to use for the RRset cache. 201 | # plain value in bytes or you can append k, m or G. default is "4Mb". 202 | #RAWDNS rrset-cache-size: {MEM2} 203 | 204 | # the number of slabs to use for the RRset cache. 205 | # the number of slabs must be a power of 2. 206 | # more slabs reduce lock contention, but fragment memory usage. 207 | #RAWDNS rrset-cache-slabs: {POWCORES} 208 | 209 | # the time to live (TTL) value lower bound, in seconds. Default 0. 210 | # If more than an hour could easily give trouble due to stale data. 211 | # cache-min-ttl: 0 212 | 213 | # the time to live (TTL) value cap for RRsets and messages in the 214 | # cache. Items are not cached for longer. 
In seconds. 215 | cache-max-ttl: 600 216 | 217 | # the time to live (TTL) value cap for negative responses in the cache 218 | cache-max-negative-ttl: 2 219 | 220 | # the time to live (TTL) value for cached roundtrip times, lameness and 221 | # EDNS version information for hosts. In seconds. 222 | # infra-host-ttl: 900 223 | 224 | # minimum wait time for responses, increase if uplink is long. In msec. 225 | # infra-cache-min-rtt: 50 226 | 227 | # maximum wait time for responses. In msec. 228 | # infra-cache-max-rtt: 120000 229 | 230 | # enable to make server probe down hosts more frequently. 231 | # infra-keep-probing: no 232 | 233 | # the number of slabs to use for the Infrastructure cache. 234 | # the number of slabs must be a power of 2. 235 | # more slabs reduce lock contention, but fragment memory usage. 236 | #RAWDNS infra-cache-slabs: {POWCORES} 237 | 238 | # the maximum number of hosts that are cached (roundtrip, EDNS, lame). 239 | #RAWDNS infra-cache-numhosts: {MEM3} 240 | 241 | # define a number of tags here, use with local-zone, access-control, 242 | # interface-*. 243 | # repeat the define-tag statement to add additional tags. 244 | # define-tag: "tag1 tag2 tag3" 245 | 246 | # Enable IPv4, "yes" or "no". 247 | # do-ip4: yes 248 | 249 | # Enable IPv6, "yes" or "no". 250 | # do-ip6: yes 251 | 252 | # Enable UDP, "yes" or "no". 253 | # do-udp: yes 254 | 255 | # Enable TCP, "yes" or "no". 256 | # do-tcp: yes 257 | 258 | # upstream connections use TCP only (and no UDP), "yes" or "no" 259 | # useful for tunneling scenarios, default no. 260 | # tcp-upstream: no 261 | 262 | # upstream connections also use UDP (even if do-udp is no). 263 | # useful if if you want UDP upstream, but don't provide UDP downstream. 264 | # udp-upstream-without-downstream: no 265 | 266 | # Maximum segment size (MSS) of TCP socket on which the server 267 | # responds to queries. Default is 0, system default MSS. 
268 | # tcp-mss: 0 269 | 270 | # Maximum segment size (MSS) of TCP socket for outgoing queries. 271 | # Default is 0, system default MSS. 272 | # outgoing-tcp-mss: 0 273 | 274 | # Idle TCP timeout, connection closed in milliseconds 275 | # tcp-idle-timeout: 30000 276 | 277 | # Enable EDNS TCP keepalive option. 278 | # edns-tcp-keepalive: no 279 | 280 | # Timeout for EDNS TCP keepalive, in msec. 281 | # edns-tcp-keepalive-timeout: 120000 282 | 283 | # Use systemd socket activation for UDP, TCP, and control sockets. 284 | # use-systemd: no 285 | 286 | # Detach from the terminal, run in background, "yes" or "no". 287 | # Set the value to "no" when Unbound runs as systemd service. 288 | # do-daemonize: yes 289 | 290 | # control which clients are allowed to make (recursive) queries 291 | # to this server. Specify classless netblocks with /size and action. 292 | # By default everything is refused, except for localhost. 293 | # Choose deny (drop message), refuse (polite error reply), 294 | # allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on), 295 | # allow_snoop (recursive and nonrecursive ok) 296 | # deny_non_local (drop queries unless can be answered from local-data) 297 | # refuse_non_local (like deny_non_local but polite error reply). # NOTE: this file binds interface: 0.0.0.0 and sets access-control: 0.0.0.0/0 allow, so every client that can reach the listening port may recurse through this server (an open resolver if the port is published beyond a trusted LAN). Restrict exposure at the container network / host firewall, or narrow this netblock to the client ranges you actually serve. 298 | # access-control: 127.0.0.0/8 allow 299 | # access-control: ::1 allow 300 | # access-control: ::ffff:127.0.0.1 allow 301 | access-control: 0.0.0.0/0 allow 302 | # access-control: ::/0 allow 303 | 304 | # tag access-control with list of tags (in "" with spaces between) 305 | # Clients using this access control element use localzones that 306 | # are tagged with one of these tags. 307 | # access-control-tag: 192.0.2.0/24 "tag2 tag3" 308 | 309 | # set action for particular tag for given access control element. 
310 | # if you have multiple tag values, the tag used to lookup the action 311 | # is the first tag match between access-control-tag and local-zone-tag 312 | # where "first" comes from the order of the define-tag values. 313 | # access-control-tag-action: 192.0.2.0/24 tag3 refuse 314 | 315 | # set redirect data for particular tag for access control element 316 | # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1" 317 | 318 | # Set view for access control element 319 | # access-control-view: 192.0.2.0/24 viewname 320 | 321 | # Similar to 'access-control:' but for interfaces. 322 | # Control which listening interfaces are allowed to accept (recursive) 323 | # queries for this server. 324 | # The specified interfaces should be the same as the ones specified in 325 | # 'interface:' followed by the action. 326 | # The actions are the same as 'access-control:' above. 327 | # By default all the interfaces configured are refused. 328 | # Note: any 'access-control*:' setting overrides all 'interface-*:' 329 | # settings for targeted clients. 330 | # interface-action: 192.0.2.153 allow 331 | # interface-action: 192.0.2.154 allow 332 | # interface-action: 192.0.2.154@5003 allow 333 | # interface-action: 2001:DB8::5 allow 334 | # interface-action: eth0@5003 allow 335 | 336 | # Similar to 'access-control-tag:' but for interfaces. 337 | # Tag interfaces with a list of tags (in "" with spaces between). 338 | # Interfaces using these tags use localzones that are tagged with one 339 | # of these tags. 340 | # The specified interfaces should be the same as the ones specified in 341 | # 'interface:' followed by the list of tags. 342 | # Note: any 'access-control*:' setting overrides all 'interface-*:' 343 | # settings for targeted clients. 344 | # interface-tag: eth0@5003 "tag2 tag3" 345 | 346 | # Similar to 'access-control-tag-action:' but for interfaces. 347 | # Set action for particular tag for a given interface element. 
348 | # If you have multiple tag values, the tag used to lookup the action 349 | # is the first tag match between interface-tag and local-zone-tag 350 | # where "first" comes from the order of the define-tag values. 351 | # The specified interfaces should be the same as the ones specified in 352 | # 'interface:' followed by the tag and action. 353 | # Note: any 'access-control*:' setting overrides all 'interface-*:' 354 | # settings for targeted clients. 355 | # interface-tag-action: eth0@5003 tag3 refuse 356 | 357 | # Similar to 'access-control-tag-data:' but for interfaces. 358 | # Set redirect data for a particular tag for an interface element. 359 | # The specified interfaces should be the same as the ones specified in 360 | # 'interface:' followed by the tag and the redirect data. 361 | # Note: any 'access-control*:' setting overrides all 'interface-*:' 362 | # settings for targeted clients. 363 | # interface-tag-data: eth0@5003 tag2 "A 127.0.0.1" 364 | 365 | # Similar to 'access-control-view:' but for interfaces. 366 | # Set view for an interface element. 367 | # The specified interfaces should be the same as the ones specified in 368 | # 'interface:' followed by the view name. 369 | # Note: any 'access-control*:' setting overrides all 'interface-*:' 370 | # settings for targeted clients. 371 | # interface-view: eth0@5003 viewname 372 | 373 | # if given, a chroot(2) is done to the given directory. 374 | # i.e. you can chroot to the working directory, for example, 375 | # for extra security, but make sure all files are in that directory. 376 | # 377 | # If chroot is enabled, you should pass the configfile (from the 378 | # commandline) as a full path from the original root. After the 379 | # chroot has been performed the now defunct portion of the config 380 | # file path is removed to be able to reread the config after a reload. 
381 | # 382 | # All other file paths (working dir, logfile, roothints, and 383 | # key files) can be specified in several ways: 384 | # o as an absolute path relative to the new root. 385 | # o as a relative path to the working directory. 386 | # o as an absolute path relative to the original root. 387 | # In the last case the path is adjusted to remove the unused portion. 388 | # 389 | # The pid file can be absolute and outside of the chroot, it is 390 | # written just prior to performing the chroot and dropping permissions. 391 | # 392 | # Additionally, Unbound may need to access /dev/urandom (for entropy). 393 | # How to do this is specific to your OS. 394 | # 395 | # If you give "" no chroot is performed. The path must not end in a /. 396 | chroot: "" 397 | 398 | # if given, user privileges are dropped (after binding port), 399 | # and the given username is assumed. Default is user "unbound". 400 | # If you give "" no privileges are dropped. # NOTE: this file sets chroot: "" and username: "root", so no privilege drop and no chroot happen at all: the resolver keeps root for its whole lifetime while parsing untrusted network input. Prefer a dedicated non-root user (and a chroot or read-only filesystem) wherever the container image allows it. 401 | username: "root" 402 | 403 | # the working directory. The relative files in this config are 404 | # relative to this directory. If you give "" the working directory 405 | # is not changed. 406 | # If you give a server: directory: dir before include: file statements 407 | # then those includes can be relative to the working directory. 408 | # directory: "" 409 | 410 | # the log file, "" means log to stderr. 411 | # Use of this option sets use-syslog to "no". 412 | logfile: "" 413 | 414 | # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to 415 | # log to. If yes, it overrides the logfile. 416 | use-syslog: no 417 | 418 | # Log identity to report. if empty, defaults to the name of argv[0] 419 | # (usually "unbound"). 420 | # log-identity: "" 421 | 422 | # print UTC timestamp in ascii to logfile, default is epoch in seconds. 423 | # log-time-ascii: no 424 | 425 | # print one line with time, IP, name, type, class for every query. 
426 | # log-queries: no 427 | 428 | # print one line per reply, with time, IP, name, type, class, rcode, 429 | # timetoresolve, fromcache and responsesize. 430 | # log-replies: no 431 | 432 | # log with tag 'query' and 'reply' instead of 'info' for 433 | # filtering log-queries and log-replies from the log. 434 | # log-tag-queryreply: no 435 | 436 | # log the local-zone actions, like local-zone type inform is enabled 437 | # also for the other local zone types. 438 | # log-local-actions: no 439 | 440 | # print log lines that say why queries return SERVFAIL to clients. 441 | # log-servfail: no 442 | 443 | # file to read root hints from. 444 | # get one from https://www.internic.net/domain/named.cache 445 | root-hints: "/etc/unbound/named.cache" 446 | 447 | # enable to not answer id.server and hostname.bind queries. 448 | hide-identity: yes 449 | 450 | # enable to not answer version.server and version.bind queries. 451 | hide-version: yes 452 | 453 | # enable to not answer trustanchor.unbound queries. 454 | # hide-trustanchor: no 455 | 456 | # enable to not set the User-Agent HTTP header. 457 | # hide-http-user-agent: no 458 | 459 | # the identity to report. Leave "" or default to return hostname. 460 | identity: {DNS_SERVERNAME} 461 | 462 | # the version to report. Leave "" or default to return package version. 463 | # version: "" 464 | 465 | # NSID identity (hex string, or "ascii_somestring"). default disabled. 466 | # nsid: "aabbccdd" 467 | 468 | # User-Agent HTTP header to use. Leave "" or default to use package name 469 | # and version. 470 | # http-user-agent: "" 471 | 472 | # the target fetch policy. 473 | # series of integers describing the policy per dependency depth. 474 | # The number of values in the list determines the maximum dependency 475 | # depth the recursor will pursue before giving up. 
Each integer means: 476 | # -1 : fetch all targets opportunistically, 477 | # 0: fetch on demand, 478 | # positive value: fetch that many targets opportunistically. 479 | # Enclose the list of numbers between quotes (""). 480 | #neg_fetch target-fetch-policy: "0 0 0 0 0" 481 | #pos_fetch target-fetch-policy: "-1 -1 -1 -1 -1" 482 | 483 | # Harden against very small EDNS buffer sizes. 484 | # harden-short-bufsize: yes 485 | 486 | # Harden against unseemly large queries. 487 | #lowrmem harden-large-queries: yes 488 | 489 | # Harden against out of zone rrsets, to avoid spoofing attempts. 490 | # harden-glue: yes 491 | 492 | # Harden against receiving dnssec-stripped data. If you turn it 493 | # off, failing to validate dnskey data for a trustanchor will 494 | # trigger insecure mode for that zone (like without a trustanchor). 495 | # Default on, which insists on dnssec data for trust-anchored zones. # NOTE: this file loads module-config: "cachedb iterator" (no "validator") and leaves every trust-anchor option commented out, so no DNSSEC validation is performed by this resolver at all; turning harden-dnssec-stripped off therefore changes nothing today. This option and the other DNSSEC harden-* settings below only take effect once "validator" is added to module-config and an auto-trust-anchor-file is configured. 496 | harden-dnssec-stripped: no 497 | 498 | # Harden against queries that fall under dnssec-signed nxdomain names. 499 | # harden-below-nxdomain: yes 500 | 501 | # Harden the referral path by performing additional queries for 502 | # infrastructure data. Validates the replies (if possible). 503 | # Default off, because the lookups burden the server. Experimental 504 | # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. 505 | # harden-referral-path: no 506 | 507 | # Harden against algorithm downgrade when multiple algorithms are 508 | # advertised in the DS record. If no, allows the weakest algorithm 509 | # to validate the zone. 510 | # harden-algo-downgrade: no 511 | 512 | # Sent minimum amount of information to upstream servers to enhance 513 | # privacy. Only sent minimum required labels of the QNAME and set QTYPE 514 | # to A when possible. 515 | qname-minimisation: yes 516 | 517 | # QNAME minimisation in strict mode. Do not fall-back to sending full 518 | # QNAME to potentially broken nameservers. 
A lot of domains will not be 519 | # resolvable when this option in enabled. 520 | # This option only has effect when qname-minimisation is enabled. 521 | # qname-minimisation-strict: no 522 | 523 | # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN 524 | # and other denials, using information from previous NXDOMAINs answers. 525 | # aggressive-nsec: yes 526 | 527 | # Use 0x20-encoded random bits in the query to foil spoof attempts. 528 | # This feature is an experimental implementation of draft dns-0x20. # NOTE: 0x20 casing is disabled here (use-caps-for-id: no) and the private-address entries further down are all commented out, so neither the extra anti-spoofing entropy nor DNS-rebinding protection is active; resistance to forged replies rests on source-port randomisation (outgoing-range) and unwanted-reply-threshold. If this resolver serves LAN clients, enable private-address for your RFC 1918 / ULA ranges and add private-domain for any internal zones that legitimately return them. 529 | use-caps-for-id: no 530 | 531 | # Domains (and domains in them) without support for dns-0x20 and 532 | # the fallback fails because they keep sending different answers. 533 | # caps-exempt: "licdn.com" 534 | # caps-exempt: "senderbase.org" 535 | 536 | # Enforce privacy of these addresses. Strips them away from answers. 537 | # It may cause DNSSEC validation to additionally mark it as bogus. 538 | # Protects against 'DNS Rebinding' (uses browser as network proxy). 539 | # Only 'private-domain' and 'local-data' names are allowed to have 540 | # these private addresses. No default. 541 | # private-address: 10.0.0.0/8 542 | # private-address: 172.16.0.0/12 543 | # private-address: 192.168.0.0/16 544 | # private-address: 169.254.0.0/16 545 | # private-address: fd00::/8 546 | # private-address: fe80::/10 547 | # private-address: ::ffff:0:0/96 548 | 549 | # Allow the domain (and its subdomains) to contain private addresses. 550 | # local-data statements are allowed to contain private addresses too. 551 | # private-domain: "example.com" 552 | 553 | # If nonzero, unwanted replies are not only reported in statistics, 554 | # but also a running total is kept per thread. If it reaches the 555 | # threshold, a warning is printed and a defensive action is taken, 556 | # the cache is cleared to flush potential poison out of it. 557 | # A suggested value is 10000000, the default is 0 (turned off). 
558 | unwanted-reply-threshold: 10000000 559 | 560 | # Do not query the following addresses. No DNS queries are sent there. 561 | # List one address per entry. List classless netblocks with /size, 562 | # do-not-query-address: 127.0.0.1/8 563 | # do-not-query-address: ::1 564 | 565 | # if yes, the above default do-not-query-address entries are present. 566 | # if no, localhost can be queried (for testing and debugging). 567 | do-not-query-localhost: no 568 | 569 | # if yes, perform prefetching of almost expired message cache entries. 570 | prefetch: yes 571 | 572 | # if yes, perform key lookups adjacent to normal lookups. 573 | prefetch-key: yes 574 | 575 | # deny queries of type ANY with an empty response. 576 | # deny-any: no 577 | 578 | # if yes, Unbound rotates RRSet order in response. 579 | rrset-roundrobin: yes 580 | 581 | # if yes, Unbound doesn't insert authority/additional sections 582 | # into response messages when those sections are not required. 583 | minimal-responses: yes 584 | 585 | # true to disable DNSSEC lameness check in iterator. 586 | # disable-dnssec-lame-check: no 587 | 588 | # module configuration of the server. A string with identifiers 589 | # separated by spaces. Syntax: "[dns64] [validator] iterator" 590 | # most modules have to be listed at the beginning of the line, 591 | # except cachedb(just before iterator), and python (at the beginning, 592 | # or, just before the iterator). 593 | module-config: "cachedb iterator" 594 | 595 | # File with trusted keys, kept uptodate using RFC5011 probes, 596 | # initial file like trust-anchor-file, then it stores metadata. 597 | # Use several entries, one per domain name, to track multiple zones. 598 | # 599 | # If you want to perform DNSSEC validation, run unbound-anchor before 600 | # you start Unbound (i.e. in the system boot scripts). 601 | # And then enable the auto-trust-anchor-file config item. 
602 | # Please note usage of unbound-anchor root anchor is at your own risk 603 | # and under the terms of our LICENSE (see that file in the source). 604 | # auto-trust-anchor-file: "" 605 | 606 | # trust anchor signaling sends a RFC8145 key tag query after priming. 607 | # trust-anchor-signaling: yes 608 | 609 | # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) 610 | # root-key-sentinel: yes 611 | 612 | # File with trusted keys for validation. Specify more than one file 613 | # with several entries, one file per entry. 614 | # Zone file format, with DS and DNSKEY entries. 615 | # Note this gets out of date, use auto-trust-anchor-file please. 616 | # trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key" 617 | 618 | # Trusted key for validation. DS or DNSKEY. specify the RR on a 619 | # single line, surrounded by "". TTL is ignored. class is IN default. 620 | # Note this gets out of date, use auto-trust-anchor-file please. 621 | # (These examples are from August 2007 and may not be valid anymore). 622 | # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ==" 623 | # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A" 624 | 625 | # File with trusted keys for validation. Specify more than one file 626 | # with several entries, one file per entry. Like trust-anchor-file 627 | # but has a different file format. Format is BIND-9 style format, 628 | # the trusted-keys { name flag proto algo "key"; }; clauses are read. 629 | # you need external update procedures to track changes in keys. 630 | # trusted-keys-file: "" 631 | 632 | # Ignore chain of trust. Domain is treated as insecure. 633 | # domain-insecure: "example.com" 634 | 635 | # Override the date for validation with a specific fixed date. 
636 | # Do not set this unless you are debugging signature inception 637 | # and expiration. "" or "0" turns the feature off. -1 ignores date. 638 | # val-override-date: "" 639 | 640 | # The time to live for bogus data, rrsets and messages. This avoids 641 | # some of the revalidation, until the time interval expires. in secs. 642 | # val-bogus-ttl: 60 643 | 644 | # The signature inception and expiration dates are allowed to be off 645 | # by 10% of the signature lifetime (expir-incep) from our local clock. 646 | # This leeway is capped with a minimum and a maximum. In seconds. 647 | # val-sig-skew-min: 3600 648 | # val-sig-skew-max: 86400 649 | 650 | # The maximum number the validator should restart validation with 651 | # another authority in case of failed validation. 652 | # val-max-restart: 5 653 | 654 | # Should additional section of secure message also be kept clean of 655 | # unsecure data. Useful to shield the users of this validator from 656 | # potential bogus data in the additional section. All unsigned data 657 | # in the additional section is removed from secure messages. 658 | # val-clean-additional: yes 659 | 660 | # Turn permissive mode on to permit bogus messages. Thus, messages 661 | # for which security checks failed will be returned to clients, 662 | # instead of SERVFAIL. It still performs the security checks, which 663 | # result in interesting log files and possibly the AD bit in 664 | # replies if the message is found secure. The default is off. 665 | # val-permissive-mode: no 666 | 667 | # Ignore the CD flag in incoming queries and refuse them bogus data. 668 | # Enable it if the only clients of Unbound are legacy servers (w2008) 669 | # that set CD but cannot validate themselves. 670 | # ignore-cd-flag: no 671 | 672 | # Serve expired responses from cache, with serve-expired-reply-ttl in 673 | # the response, and then attempt to fetch the data afresh. 
674 | serve-expired: yes 675 | # 676 | # Limit serving of expired responses to configured seconds after 677 | # expiration. 0 disables the limit. 678 | serve-expired-ttl: 0 679 | # 680 | # Set the TTL of expired records to the serve-expired-ttl value after a 681 | # failed attempt to retrieve the record from upstream. This makes sure 682 | # that the expired records will be served as long as there are queries 683 | # for it. 684 | serve-expired-ttl-reset: no 685 | # 686 | # TTL value to use when replying with expired data. 687 | serve-expired-reply-ttl: 0 688 | # 689 | # Time in milliseconds before replying to the client with expired data. 690 | # This essentially enables the serve-stale behavior as specified in 691 | # RFC 8767 that first tries to resolve before 692 | # immediately responding with expired data. 0 disables this behavior. 693 | # A recommended value is 1800. 694 | # serve-expired-client-timeout: 4 695 | 696 | # Return the original TTL as received from the upstream name server rather 697 | # than the decrementing TTL as stored in the cache. Enabling this feature 698 | # does not impact cache expiry, it only changes the TTL Unbound embeds in 699 | # responses to queries. Note that enabling this feature implicitly disables 700 | # enforcement of the configured minimum and maximum TTL. 701 | # serve-original-ttl: no 702 | 703 | # Have the validator log failed validations for your diagnosis. 704 | # 0: off. 1: A line per failed user query. 2: With reason and bad IP. 705 | # val-log-level: 0 706 | 707 | # It is possible to configure NSEC3 maximum iteration counts per 708 | # keysize. Keep this table very short, as linear search is done. 709 | # A message with an NSEC3 with larger count is marked insecure. 710 | # List in ascending order the keysize and count values. 711 | # val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150" 712 | 713 | # if enabled, ZONEMD verification failures do not block the zone. 
714 | # zonemd-permissive-mode: no 715 | 716 | # instruct the auto-trust-anchor-file probing to add anchors after ttl. 717 | # add-holddown: 2592000 # 30 days 718 | 719 | # instruct the auto-trust-anchor-file probing to del anchors after ttl. 720 | # del-holddown: 2592000 # 30 days 721 | 722 | # auto-trust-anchor-file probing removes missing anchors after ttl. 723 | # If the value 0 is given, missing anchors are not removed. 724 | # keep-missing: 31622400 # 366 days 725 | 726 | # debug option that allows very small holddown times for key rollover, 727 | # otherwise the RFC mandates probe intervals must be at least 1 hour. 728 | # permit-small-holddown: no 729 | 730 | # the amount of memory to use for the key cache. 731 | # plain value in bytes or you can append k, m or G. default is "4Mb". 732 | # key-cache-size: 4m 733 | #lowrmem key-cache-size: 100k 734 | # the number of slabs to use for the key cache. 735 | # the number of slabs must be a power of 2. 736 | # more slabs reduce lock contention, but fragment memory usage. 737 | #RAWDNS key-cache-slabs: {POWCORES} 738 | 739 | # the amount of memory to use for the negative cache. 740 | # plain value in bytes or you can append k, m or G. default is "1Mb". 741 | # neg-cache-size: 1m 742 | #lowrmem neg-cache-size: 10k 743 | # By default, for a number of zones a small default 'nothing here' 744 | # reply is built-in. Query traffic is thus blocked. If you 745 | # wish to serve such zone you can unblock them by uncommenting one 746 | # of the nodefault statements below. 747 | # You may also have to use domain-insecure: zone to make DNSSEC work, 748 | # unless you have your own trust anchors for this zone. 749 | # local-zone: "localhost." nodefault 750 | # local-zone: "127.in-addr.arpa." nodefault 751 | # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault 752 | # local-zone: "home.arpa." nodefault 753 | # local-zone: "onion." nodefault 754 | # local-zone: "test." 
nodefault 755 | # local-zone: "invalid." nodefault 756 | # local-zone: "10.in-addr.arpa." nodefault 757 | # local-zone: "16.172.in-addr.arpa." nodefault 758 | # local-zone: "17.172.in-addr.arpa." nodefault 759 | # local-zone: "18.172.in-addr.arpa." nodefault 760 | # local-zone: "19.172.in-addr.arpa." nodefault 761 | # local-zone: "20.172.in-addr.arpa." nodefault 762 | # local-zone: "21.172.in-addr.arpa." nodefault 763 | # local-zone: "22.172.in-addr.arpa." nodefault 764 | # local-zone: "23.172.in-addr.arpa." nodefault 765 | # local-zone: "24.172.in-addr.arpa." nodefault 766 | # local-zone: "25.172.in-addr.arpa." nodefault 767 | # local-zone: "26.172.in-addr.arpa." nodefault 768 | # local-zone: "27.172.in-addr.arpa." nodefault 769 | # local-zone: "28.172.in-addr.arpa." nodefault 770 | # local-zone: "29.172.in-addr.arpa." nodefault 771 | # local-zone: "30.172.in-addr.arpa." nodefault 772 | # local-zone: "31.172.in-addr.arpa." nodefault 773 | # local-zone: "168.192.in-addr.arpa." nodefault 774 | # local-zone: "0.in-addr.arpa." nodefault 775 | # local-zone: "254.169.in-addr.arpa." nodefault 776 | # local-zone: "2.0.192.in-addr.arpa." nodefault 777 | # local-zone: "100.51.198.in-addr.arpa." nodefault 778 | # local-zone: "113.0.203.in-addr.arpa." nodefault 779 | # local-zone: "255.255.255.255.in-addr.arpa." nodefault 780 | # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault 781 | # local-zone: "d.f.ip6.arpa." nodefault 782 | # local-zone: "8.e.f.ip6.arpa." nodefault 783 | # local-zone: "9.e.f.ip6.arpa." nodefault 784 | # local-zone: "a.e.f.ip6.arpa." nodefault 785 | # local-zone: "b.e.f.ip6.arpa." nodefault 786 | # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault 787 | # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. 
788 | 789 | # Add example.com into ipset 790 | # local-zone: "example.com" ipset 791 | 792 | # If Unbound is running service for the local host then it is useful 793 | # to perform lan-wide lookups to the upstream, and unblock the 794 | # long list of local-zones above. If this Unbound is a dns server 795 | # for a network of computers, disabled is better and stops information 796 | # leakage of local lan information. 797 | unblock-lan-zones: yes 798 | 799 | # The insecure-lan-zones option disables validation for 800 | # these zones, as if they were all listed as domain-insecure. 801 | insecure-lan-zones: yes 802 | 803 | # a number of locally served zones can be configured. 804 | # local-zone: 805 | # local-data: "" 806 | # o deny serves local data (if any), else, drops queries. 807 | # o refuse serves local data (if any), else, replies with error. 808 | # o static serves local data, else, nxdomain or nodata answer. 809 | # o transparent gives local data, but resolves normally for other names 810 | # o redirect serves the zone data for any subdomain in the zone. 811 | # o nodefault can be used to normally resolve AS112 zones. 812 | # o typetransparent resolves normally for other types and other names 813 | # o inform acts like transparent, but logs client IP address 814 | # o inform_deny drops queries and logs client IP address 815 | # o inform_redirect redirects queries and logs client IP address 816 | # o always_transparent, always_refuse, always_nxdomain, always_nodata, 817 | # always_deny resolve in that way but ignore local data for 818 | # that name 819 | # o always_null returns 0.0.0.0 or ::0 for any name in the zone. 820 | # o noview breaks out of that view towards global local-zones. 821 | # 822 | # defaults are localhost address, reverse for 127.0.0.1 and ::1 823 | # and nxdomain for AS112 zones. If you configure one of these zones 824 | # the default content is omitted, or you can omit it with 'nodefault'. 
825 | # 826 | # If you configure local-data without specifying local-zone, by 827 | # default a transparent local-zone is created for the data. 828 | # 829 | # You can add locally served data with 830 | # local-zone: "local." static 831 | # local-data: "mycomputer.local. IN A 192.0.2.51" 832 | # local-data: 'mytext.local TXT "content of text record"' 833 | # 834 | # You can override certain queries with 835 | # local-data: "adserver.example.com A 127.0.0.1" 836 | # 837 | # You can redirect a domain to a fixed address with 838 | # (this makes example.com, www.example.com, etc, all go to 192.0.2.3) 839 | # local-zone: "example.com" redirect 840 | # local-data: "example.com A 192.0.2.3" 841 | # 842 | # Shorthand to make PTR records, "IPv4 name" or "IPv6 name". 843 | # You can also add PTR records using local-data directly, but then 844 | # you need to do the reverse notation yourself. 845 | # local-data-ptr: "192.0.2.3 www.example.com" 846 | local-zone: "0.in-addr.arpa." nodefault 847 | local-zone: "127.in-addr.arpa." nodefault 848 | local-data-ptr:"{ETHIP} {DNS_SERVERNAME}" 849 | local-data-ptr:"127.0.0.1 {DNS_SERVERNAME}" 850 | #serverip-enable local-data-ptr:" {SERVER_IP} {DNS_SERVERNAME}" 851 | #serverip-enable local-zone: "paopao.dns" redirect 852 | #serverip-enable local-data: "paopao.dns A {SERVER_IP}" 853 | # tag a localzone with a list of tag names (in "" with spaces between) 854 | # local-zone-tag: "example.com" "tag2 tag3" 855 | 856 | # add a netblock specific override to a localzone, with zone type 857 | # local-zone-override: "example.com" 192.0.2.0/24 refuse 858 | 859 | # service clients over TLS (on the TCP sockets) with plain DNS inside 860 | # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. 861 | # Give the certificate to use and private key. 862 | # default is "" (disabled). requires restart to take effect. 
863 | # tls-service-key: "path/to/privatekeyfile.key" 864 | # tls-service-pem: "path/to/publiccertfile.pem" 865 | # tls-port: 853 866 | # https-port: 443 867 | 868 | # cipher setting for TLSv1.2 869 | # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" 870 | # cipher setting for TLSv1.3 871 | # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" 872 | 873 | # Pad responses to padded queries received over TLS 874 | # pad-responses: yes 875 | 876 | # Padded responses will be padded to the closest multiple of this size. 877 | # pad-responses-block-size: 468 878 | 879 | # Use the SNI extension for TLS connections. Default is yes. 880 | # Changing the value requires a reload. 881 | # tls-use-sni: yes 882 | 883 | # Add the secret file for TLS Session Ticket. 884 | # Secret file must be 80 bytes of random data. 885 | # First key use to encrypt and decrypt TLS session tickets. 886 | # Other keys use to decrypt only. 887 | # requires restart to take effect. 888 | # tls-session-ticket-keys: "path/to/secret_file1" 889 | # tls-session-ticket-keys: "path/to/secret_file2" 890 | 891 | # request upstream over TLS (with plain DNS inside the TLS stream). 892 | # Default is no. Can be turned on and off with unbound-control. 893 | # tls-upstream: no 894 | 895 | # Certificates used to authenticate connections made upstream. 896 | # tls-cert-bundle: "" 897 | 898 | # Add system certs to the cert bundle, from the Windows Cert Store 899 | # tls-win-cert: no 900 | # and on other systems, the default openssl certificates 901 | # tls-system-cert: no 902 | 903 | # Pad queries over TLS upstreams 904 | # pad-queries: yes 905 | 906 | # Padded queries will be padded to the closest multiple of this size. 
907 | # pad-queries-block-size: 128 908 | 909 | # Also serve tls on these port numbers (eg. 443, ...), by listing 910 | # tls-additional-port: portno for each of the port numbers. 911 | 912 | # HTTP endpoint to provide DNS-over-HTTPS service on. 913 | # http-endpoint: "/dns-query" 914 | 915 | # HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use. 916 | # http-max-streams: 100 917 | 918 | # Maximum number of bytes used for all HTTP/2 query buffers. 919 | # http-query-buffer-size: 4m 920 | 921 | # Maximum number of bytes used for all HTTP/2 response buffers. 922 | # http-response-buffer-size: 4m 923 | 924 | # Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS 925 | # service. 926 | # http-nodelay: yes 927 | 928 | # Disable TLS for DNS-over-HTTP downstream service. 929 | # http-notls-downstream: no 930 | 931 | # The interfaces that use these listed port numbers will support and 932 | # expect PROXYv2. For UDP and TCP/TLS interfaces. 933 | # proxy-protocol-port: portno for each of the port numbers. 934 | 935 | # DNS64 prefix. Must be specified when DNS64 is used. 936 | # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. 937 | # dns64-prefix: 64:ff9b::0/96 938 | 939 | # DNS64 ignore AAAA records for these domains and use A instead. 940 | # dns64-ignore-aaaa: "example.com" 941 | 942 | # ratelimit for uncached, new queries, this limits recursion effort. 943 | # ratelimiting is experimental, and may help against random query floods. 944 | # if 0(default) it is disabled, otherwise it states the qps allowed per zone. 945 | # ratelimit: 0 946 | 947 | # ratelimits are tracked in a cache, size in bytes of cache (or k,m). 948 | # ratelimit-size: 4m 949 | # ratelimit cache slabs, reduces lock contention if equal to cpucount. 
950 | # ratelimit-slabs: 4 951 | 952 | # 0 blocks when ratelimited, otherwise let 1/xth traffic through 953 | # ratelimit-factor: 10 954 | 955 | # Aggressive rate limit when the limit is reached and until demand has 956 | # decreased in a 2 second rate window. 957 | # ratelimit-backoff: no 958 | 959 | # override the ratelimit for a specific domain name. 960 | # give this setting multiple times to have multiple overrides. 961 | # ratelimit-for-domain: example.com 1000 962 | # override the ratelimits for all domains below a domain name 963 | # can give this multiple times, the name closest to the zone is used. 964 | # ratelimit-below-domain: com 1000 965 | 966 | # global query ratelimit for all ip addresses. 967 | # feature is experimental. 968 | # if 0(default) it is disabled, otherwise states qps allowed per ip address 969 | # ip-ratelimit: 0 970 | 971 | # ip ratelimits are tracked in a cache, size in bytes of cache (or k,m). 972 | # ip-ratelimit-size: 4m 973 | # ip ratelimit cache slabs, reduces lock contention if equal to cpucount. 974 | # ip-ratelimit-slabs: 4 975 | 976 | # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through 977 | # ip-ratelimit-factor: 10 978 | 979 | # Aggressive rate limit when the limit is reached and until demand has 980 | # decreased in a 2 second rate window. 981 | # ip-ratelimit-backoff: no 982 | 983 | # Limit the number of connections simultaneous from a netblock 984 | # tcp-connection-limit: 192.0.2.0/24 12 985 | 986 | # select from the fastest servers this many times out of 1000. 0 means 987 | # the fast server select is disabled. prefetches are not sped up. 988 | fast-server-permil: 1000 989 | # the number of servers that will be used in the fast server selection. 990 | fast-server-num: 3 991 | 992 | # Enable to attach Extended DNS Error codes (RFC8914) to responses. 993 | # ede: no 994 | 995 | # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale 996 | # Answer as EDNS0 option to expired responses. 
997 | # Note that the ede option above needs to be enabled for this to work. 998 | # ede-serve-expired: no 999 | 1000 | # Specific options for ipsecmod. Unbound needs to be configured with 1001 | # --enable-ipsecmod for these to take effect. 1002 | # 1003 | # Enable or disable ipsecmod (it still needs to be defined in 1004 | # module-config above). Can be used when ipsecmod needs to be 1005 | # enabled/disabled via remote-control(below). 1006 | # ipsecmod-enabled: yes 1007 | # 1008 | # Path to executable external hook. It must be defined when ipsecmod is 1009 | # listed in module-config (above). 1010 | # ipsecmod-hook: "./my_executable" 1011 | # 1012 | # When enabled Unbound will reply with SERVFAIL if the return value of 1013 | # the ipsecmod-hook is not 0. 1014 | # ipsecmod-strict: no 1015 | # 1016 | # Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY. 1017 | # ipsecmod-max-ttl: 3600 1018 | # 1019 | # Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for 1020 | # testing. 1021 | # ipsecmod-ignore-bogus: no 1022 | # 1023 | # Domains for which ipsecmod will be triggered. If not defined (default) 1024 | # all domains are treated as being allowed. 1025 | # ipsecmod-allow: "example.com" 1026 | # ipsecmod-allow: "nlnetlabs.nl" 1027 | 1028 | # Timeout for REUSE entries in milliseconds. 1029 | # tcp-reuse-timeout: 60000 1030 | # Max number of queries on a reuse connection. 1031 | # max-reuse-tcp-queries: 200 1032 | # Timeout in milliseconds for TCP queries to auth servers. 1033 | # tcp-auth-query-timeout: 3000 1034 | 1035 | 1036 | # Python config section. To enable: 1037 | # o use --with-pythonmodule to configure before compiling. 1038 | # o list python in the module-config string (above) to enable. 1039 | # It can be at the start, it gets validated results, or just before 1040 | # the iterator and process before DNSSEC validation. 1041 | # o and give a python-script to run. 
1042 | # python: 1043 | # Script file to load 1044 | # python-script: "/ubmodule-tst.py" 1045 | 1046 | # Dynamic library config section. To enable: 1047 | # o use --with-dynlibmodule to configure before compiling. 1048 | # o list dynlib in the module-config string (above) to enable. 1049 | # It can be placed anywhere, the dynlib module is only a very thin wrapper 1050 | # to load modules dynamically. 1051 | # o and give a dynlib-file to run. If more than one dynlib entry is listed in 1052 | # the module-config then you need one dynlib-file per instance. 1053 | # dynlib: 1054 | # Script file to load 1055 | # dynlib-file: "/dynlib.so" 1056 | 1057 | # Remote control config section. 1058 | remote-control: 1059 | # Enable remote control with unbound-control(8) here. 1060 | # set up the keys and certificates with unbound-control-setup. 1061 | #RAWDNS control-enable: yes 1062 | #CNAUTO control-enable: no 1063 | 1064 | # what interfaces are listened to for remote control. 1065 | # give 0.0.0.0 and ::0 to listen to all interfaces. 1066 | # set to an absolute path to use a unix local name pipe, certificates 1067 | # are not used for that, so key and cert files need not be present. 1068 | #RAWDNS control-interface: /tmp/uc_raw.sock 1069 | # control-interface: 127.0.0.1 1070 | # control-interface: ::1 1071 | 1072 | # port number for remote control operations. 1073 | # control-port: 8953 1074 | 1075 | # for localhost, you can disable use of TLS by setting this to "no" 1076 | # For local sockets this option is ignored, and TLS is not used. 1077 | #RAWDNS control-use-cert: "no" 1078 | 1079 | # Unbound server key file. 1080 | # server-key-file: "/unbound_server.key" 1081 | 1082 | # Unbound server certificate file. 1083 | # server-cert-file: "/unbound_server.pem" 1084 | 1085 | # unbound-control key file. 1086 | # control-key-file: "/unbound_control.key" 1087 | 1088 | # unbound-control certificate file. 1089 | # control-cert-file: "/unbound_control.pem" 1090 | 1091 | # Stub zones. 
1092 | # Create entries like below, to make all queries for 'example.com' and 1093 | # 'example.org' go to the given list of nameservers. list zero or more 1094 | # nameservers by hostname or by ipaddress. If you set stub-prime to yes, 1095 | # the list is treated as priming hints (default is no). 1096 | # With stub-first yes, it attempts without the stub if it fails. 1097 | # Consider adding domain-insecure: name and local-zone: name nodefault 1098 | # to the server: section if the stub is a locally served zone. 1099 | # stub-zone: 1100 | # name: "example.com" 1101 | # stub-addr: 192.0.2.68 1102 | # stub-prime: no 1103 | # stub-first: no 1104 | # stub-tcp-upstream: no 1105 | # stub-tls-upstream: no 1106 | # stub-no-cache: no 1107 | # stub-zone: 1108 | # name: "example.org" 1109 | # stub-host: ns.example.com. 1110 | 1111 | # Forward zones 1112 | # Create entries like below, to make all queries for 'example.com' and 1113 | # 'example.org' go to the given list of servers. These servers have to handle 1114 | # recursion to other nameservers. List zero or more nameservers by hostname 1115 | # or by ipaddress. Use an entry with name "." to forward all queries. 1116 | # If you enable forward-first, it attempts without the forward if it fails. 1117 | # forward-zone: 1118 | # name: "example.com" 1119 | # forward-addr: 192.0.2.68 1120 | # forward-addr: 192.0.2.73@5355 # forward to port 5355. 1121 | # forward-first: no 1122 | # forward-tcp-upstream: no 1123 | # forward-tls-upstream: no 1124 | # forward-no-cache: no 1125 | # forward-zone: 1126 | # name: "example.org" 1127 | # forward-host: fwd.example.com 1128 | 1129 | # Authority zones 1130 | # The data for these zones is kept locally, from a file or downloaded. 1131 | # The data can be served to downstream clients, or used instead of the 1132 | # upstream (which saves a lookup to the upstream). The first example 1133 | # has a copy of the root for local usage. The second serves example.org 1134 | # authoritatively. 
zonefile: reads from file (and writes to it if you also 1135 | # download it), primary: fetches with AXFR and IXFR, or url to zonefile. 1136 | # With allow-notify: you can give additional (apart from primaries and urls) 1137 | # sources of notifies. 1138 | # auth-zone: 1139 | # name: "." 1140 | # primary: 199.9.14.201 # b.root-servers.net 1141 | # primary: 192.33.4.12 # c.root-servers.net 1142 | # primary: 199.7.91.13 # d.root-servers.net 1143 | # primary: 192.5.5.241 # f.root-servers.net 1144 | # primary: 192.112.36.4 # g.root-servers.net 1145 | # primary: 193.0.14.129 # k.root-servers.net 1146 | # primary: 192.0.47.132 # xfr.cjr.dns.icann.org 1147 | # primary: 192.0.32.132 # xfr.lax.dns.icann.org 1148 | # primary: 2001:500:200::b # b.root-servers.net 1149 | # primary: 2001:500:2::c # c.root-servers.net 1150 | # primary: 2001:500:2d::d # d.root-servers.net 1151 | # primary: 2001:500:2f::f # f.root-servers.net 1152 | # primary: 2001:500:12::d0d # g.root-servers.net 1153 | # primary: 2001:7fd::1 # k.root-servers.net 1154 | # primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org 1155 | # primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org 1156 | # fallback-enabled: yes 1157 | # for-downstream: no 1158 | # for-upstream: yes 1159 | # auth-zone: 1160 | # name: "example.org" 1161 | # for-downstream: yes 1162 | # for-upstream: yes 1163 | # zonemd-check: no 1164 | # zonemd-reject-absence: no 1165 | # zonefile: "example.org.zone" 1166 | 1167 | # Views 1168 | # Create named views. Name must be unique. Map views to requests using 1169 | # the access-control-view option. Views can contain zero or more local-zone 1170 | # and local-data options. Options from matching views will override global 1171 | # options. Global options will be used if no matching view is found. 1172 | # With view-first yes, it will try to answer using the global local-zone and 1173 | # local-data elements if there is no view specific match. 
1174 | # view: 1175 | # name: "viewname" 1176 | # local-zone: "example.com" redirect 1177 | # local-data: "example.com A 192.0.2.3" 1178 | # local-data-ptr: "192.0.2.3 www.example.com" 1179 | # view-first: no 1180 | # view: 1181 | # name: "anotherview" 1182 | # local-zone: "example.com" refuse 1183 | 1184 | # DNSCrypt 1185 | # To enable, use --enable-dnscrypt to configure before compiling. 1186 | # Caveats: 1187 | # 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper 1188 | # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage 1189 | # 2. dnscrypt channel attaches to an interface. You MUST set interfaces to 1190 | # listen on `dnscrypt-port` with the following snippet: 1191 | # server: 1192 | # interface: 0.0.0.0@443 1193 | # interface: ::0@443 1194 | # 1195 | # Finally, `dnscrypt` config has its own section. 1196 | # dnscrypt: 1197 | # dnscrypt-enable: yes 1198 | # dnscrypt-port: 443 1199 | # dnscrypt-provider: 2.dnscrypt-cert.example.com. 1200 | # dnscrypt-secret-key: /path/unbound-conf/keys1/1.key 1201 | # dnscrypt-secret-key: /path/unbound-conf/keys2/1.key 1202 | # dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert 1203 | # dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert 1204 | 1205 | # CacheDB 1206 | # External backend DB as auxiliary cache. 1207 | # To enable, use --enable-cachedb to configure before compiling. 1208 | # Specify the backend name 1209 | # (default is "testframe", which has no use other than for debugging and 1210 | # testing) and backend-specific options. The 'cachedb' module must be 1211 | # included in module-config, just before the iterator module. 
1212 | cachedb: 1213 | backend: "redis" 1214 | # # secret-seed (the secret seed string used to calculate hashed keys) is not set here, so Unbound's default applies; the option below is unrelated to it 1215 | cachedb-check-when-serve-expired: no 1216 | # 1217 | # # For "redis" backend: 1218 | # # (to enable, use --with-libhiredis to configure before compiling) 1219 | # # redis server's unix socket path (used instead of an IP address or host name) 1220 | redis-server-path: "/tmp/redis.sock" 1221 | redis-timeout: 100 1222 | # # set timeout on redis records based on DNS response TTL 1223 | redis-expire-records: no 1224 | #RAWDNS redis-logical-db: 0 1225 | #CNAUTO redis-logical-db: 1 1226 | 1227 | # IPSet 1228 | # Add specified domains into a set via ipset. 1229 | # To enable: 1230 | # o use --enable-ipset to configure before compiling; 1231 | # o Unbound then needs to run as root user. 1232 | # ipset: 1233 | # # set name for ip v4 addresses 1234 | # name-v4: "list-v4" 1235 | # # set name for ip v6 addresses 1236 | # name-v6: "list-v6" 1237 | # 1238 | 1239 | # Dnstap logging support, if compiled in by using --enable-dnstap to configure. 1240 | # To enable, set the dnstap-enable to yes and also some of 1241 | # dnstap-log-..-messages to yes. And select an upstream log destination, by 1242 | # socket path, TCP or TLS destination. 1243 | # dnstap: 1244 | # dnstap-enable: no 1245 | # # if set to yes frame streams will be used in bidirectional mode 1246 | # dnstap-bidirectional: yes 1247 | # dnstap-socket-path: "" 1248 | # # if "" use the unix socket in dnstap-socket-path, otherwise, 1249 | # # set it to "IPaddress[@port]" of the destination. 1250 | # dnstap-ip: "" 1251 | # # set to yes to use TLS to dnstap-ip, no for TCP. 1252 | # dnstap-tls: yes 1253 | # # name for authenticating the upstream server. or "" disabled. 1254 | # dnstap-tls-server-name: "" 1255 | # # if "", it uses the cert bundle from the main Unbound config. 1256 | # dnstap-tls-cert-bundle: "" 1257 | # # key file for client authentication, or "" disabled. 
1258 | # dnstap-tls-client-key-file: "" 1259 | # # cert file for client authentication, or "" disabled. 1260 | # dnstap-tls-client-cert-file: "" 1261 | # dnstap-send-identity: no 1262 | # dnstap-send-version: no 1263 | # # if "" it uses the hostname. 1264 | # dnstap-identity: "" 1265 | # # if "" it uses the package version. 1266 | # dnstap-version: "" 1267 | # dnstap-log-resolver-query-messages: no 1268 | # dnstap-log-resolver-response-messages: no 1269 | # dnstap-log-client-query-messages: no 1270 | # dnstap-log-client-response-messages: no 1271 | # dnstap-log-forwarder-query-messages: no 1272 | # dnstap-log-forwarder-response-messages: no 1273 | 1274 | # Response Policy Zones 1275 | # RPZ policies. Applied in order of configuration. QNAME, Response IP 1276 | # Address, nsdname, nsip and clientip triggers are supported. Supported 1277 | # actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only 1278 | # and drop. Policies can be loaded from a file, or using zone 1279 | # transfer, or using HTTP. The respip module needs to be added 1280 | # to the module-config, e.g.: module-config: "respip validator iterator". 1281 | # rpz: 1282 | # name: "rpz.example.com" 1283 | # zonefile: "rpz.example.com" 1284 | # primary: 192.0.2.0 1285 | # allow-notify: 192.0.2.0/32 1286 | # url: http://www.example.com/rpz.example.org.zone 1287 | # rpz-action-override: cname 1288 | # rpz-cname-override: www.example.org 1289 | # rpz-log: yes 1290 | # rpz-log-name: "example policy" 1291 | # rpz-signal-nxdomain-ra: no 1292 | # for-downstream: no 1293 | # tags: "example" 1294 | 1295 | #CNAUTO forward-zone: 1296 | #CNAUTO name: "." 
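#socksok forward-addr: 127.0.0.1@5303
#CNAUTO forward-addr: 127.0.0.1@5302

#RAWDNS include-toplevel: "/data/unbound_custom.conf"
--------------------------------------------------------------------------------
/src/unbound_custom.conf:
--------------------------------------------------------------------------------
#Example of setting up SRV records for KMS server VLMCS.
#Assuming your local network suffix is .lan.

# server:
#     local-zone: "_vlmcs._tcp.lan." static
#     local-data: "_vlmcs._tcp.lan. IN SRV 0 0 1688 kms.ad.local."
#     local-data: "_vlmcs._tcp.lan. IN SRV 0 0 1688 192.168.1.2."
--------------------------------------------------------------------------------
/src/watch_list.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# watch_list.sh - keeps mosdns/unbound in sync with the files under /data.
#
# Usage:
#   watch_list.sh load_mark_data     import /data/global_mark.dat and exit
#   watch_list.sh load_ttl_rules     import /data/force_ttl_rules.txt and exit
#   watch_list.sh load_trackerslist  import /data/trackerslist.txt and exit
#   watch_list.sh reload_dns         force a mosdns restart and exit
#   watch_list.sh                    run the inotify watch loop forever
#
# Environment read: CNAUTO, CN_TRACKER, USE_MARK_DATA, CUSTOM_FORWARD, RULES_TTL.
# External helpers: /usr/sbin/mosdns, /usr/sbin/data_update.sh, dnscrypt-proxy,
# /usr/sbin/unbound, inotifywait (all assumed to be present in the image).

# Print the md5 of file "$1", or the literal "empty_file" when it does not
# exist, so a missing file still yields a stable value to compare against.
gen_hash() {
    if [ -f "$1" ]; then
        md5sum "$1" | cut -d" " -f1
    else
        printf '%s' "empty_file"
    fi
}

# True when file "$1" no longer hashes to the recorded value "$2".
changed() {
    [ "$(gen_hash "$1")" != "$2" ]
}

# Print RULES_TTL reduced to its first run of digits, or 0 when it has none.
# The previous pattern had "|head -1" inside the grep regex, so a value with
# several numbers produced several lines and broke the -gt test that follows.
rules_ttl() {
    ttl=$(printf '%s' "$RULES_TTL" | grep -Eo "[0-9]+" | head -1)
    printf '%s' "${ttl:-0}"
}

# Print the first PID whose ps line matches "$1" (empty if none). Relies on
# busybox ps printing the PID as the first number of each line; the greps of
# this pipeline are filtered out so they never match themselves.
find_pid() {
    ps | grep -v "grep" | grep "$1" | grep -Eo "[0-9]+" | head -1
}

# SIGTERM every process matching "$1" and wait until none is left, so the
# replacement started afterwards never races the instance it supersedes.
stop_proc() {
    while ps | grep -v grep | grep -q "$1"; do
        pid=$(find_pid "$1")
        if [ -n "$pid" ]; then
            kill "$pid" 2>/dev/null
        fi
    done
}

# Import the global_mark data set from /data/global_mark.dat through mosdns.
# The file is only used when it is larger than a sanity threshold. `mosdns eat
# cut` is expected to leave an .xz blob and a .sha companion under
# /tmp/global_mark (presumably derived from the .dat - confirm against mosdns);
# the blob is unpacked only when its SHA-512 matches the companion. Because the
# expected digest travels with the data, a match rules out corruption or
# truncation, not tampering with the .dat itself.
# Always leaves /tmp/global_mark.dat and the custom_cn_mark files in place.
load_mark_data() {
    echo load_mark_data
    if [ -f /data/global_mark.dat ]; then
        datfile="/data/global_mark.dat"
        datsize=$(wc -c <"$datfile")
        if [ "$datsize" -gt 10000 ]; then
            echo "dat size pass."
            mkdir -p /tmp/global_mark
            sp_dat="/tmp/global_mark/global_mark.dat.xz"
            sp_sha="/tmp/global_mark/global_mark.dat.sha"
            /usr/sbin/mosdns eat cut
            sp_dat_hash=$(sha512sum "$sp_dat" | grep -Eo "[0-9A-Za-z]{128}" | head -1)
            sp_sha_hash=$(grep -Eo "[0-9A-Za-z]{128}" "$sp_sha" | head -1)
            # An empty digest (missing blob or .sha) must not compare equal to
            # an empty digest on the other side.
            if [ -n "$sp_dat_hash" ] && [ "$sp_dat_hash" = "$sp_sha_hash" ]; then
                echo global_mark hash: OK.
                # `mosdns eat spilt` presumably works on the unpacked file in the
                # current directory, so unpack and split inside a subshell rather
                # than cd-ing the watcher itself (a failed cd used to exit the
                # whole script).
                (
                    cd /tmp/global_mark || exit 1
                    xz -df "$sp_dat"
                    if [ -f /tmp/global_mark/global_mark.dat ]; then
                        /usr/sbin/mosdns eat spilt
                    fi
                )
            else
                echo global_mark hash: Bad.
            fi
            rm -rf /tmp/global_mark/
        else
            echo "bad dat size."
        fi
    fi
    if [ ! -f /tmp/global_mark.dat ]; then
        touch /tmp/global_mark.dat
    fi
    if [ -f /data/custom_cn_mark.txt ]; then
        /usr/sbin/mosdns eat list /tmp/custom_cn_mark.txt /data/custom_cn_mark.txt
    else
        touch /data/custom_cn_mark.txt
        touch /tmp/custom_cn_mark.txt
    fi
}

# Import /data/force_ttl_rules.txt through mosdns when it changed since the
# last import. Returns 0 when the rules were (re)imported, 1 when the file was
# missing (it is then created empty) or unchanged.
# The digest of the last import is kept in /tmp/force_ttl_rules.txt.sum; the
# previous version hashed the .sum file itself instead of reading it, so the
# comparison never matched and the stored digest was never refreshed.
load_ttl_rules() {
    touch /tmp/force_ttl_rules.txt /tmp/force_ttl_rules.toml /tmp/force_ttl_rules_cloaking.toml
    if [ ! -f /data/force_ttl_rules.txt ]; then
        touch /data/force_ttl_rules.txt
        return 1
    fi
    sum_file="/tmp/force_ttl_rules.txt.sum"
    ttl_rules_new=$(gen_hash /data/force_ttl_rules.txt)
    if [ -f "$sum_file" ]; then
        ttl_rules_old=$(grep -Eo "[a-z0-9]{32}" "$sum_file" | head -1)
        if [ "$ttl_rules_new" = "$ttl_rules_old" ]; then
            return 1
        fi
    fi
    /usr/sbin/mosdns eat ttl_rules
    echo "$ttl_rules_new" >"$sum_file"
    return 0
}

# Import /data/trackerslist.txt through mosdns, generating it first via
# data_update.sh when it is missing.
load_trackerslist() {
    if [ ! -f /data/trackerslist.txt ]; then
        /usr/sbin/data_update.sh comp_trackerslist
    fi
    /usr/sbin/mosdns eat trackerslist
    echo "Apply trackerslist..."
}

# Re-read the watched inputs and restart mosdns (and, off the forced path,
# unbound) when something they depend on changed.
#   $1: "force" always restarts mosdns and skips the unbound check; anything
#       else ("check" from the watch loop) restarts only on a detected change.
# Each file's current hash is compared with the value the watch loop recorded
# (force_*_list, trackerslist, custom_cn_mark, Country, custom_env, named). On
# the standalone forced path those variables are unset, so every comparison
# reads as changed; the force flag is no longer reset inside the CNAUTO branch.
reload_dns() {
    force_reload_flag=$1
    if [ "$force_reload_flag" = "force" ]; then
        export reload_mosdns=1
    else
        export reload_mosdns=0
    fi
    if [ "$CNAUTO" != "no" ]; then
        # Regenerate the mosdns list files from whatever the user placed in /data.
        if [ -f /data/force_recurse_list.txt ]; then
            /usr/sbin/mosdns eat list /tmp/force_recurse_list.txt /data/force_recurse_list.txt /data/force_cn_list.txt
        fi
        if [ -f /data/force_dnscrypt_list.txt ]; then
            /usr/sbin/mosdns eat list /tmp/force_dnscrypt_list.txt /data/force_dnscrypt_list.txt /data/force_nocn_list.txt
        fi
        if [ -f /data/force_forward_list.txt ]; then
            /usr/sbin/mosdns eat list /tmp/force_forward_list.txt /data/force_forward_list.txt
        fi
        if [ ! -f /data/Country-only-cn-private.mmdb ]; then
            /usr/sbin/data_update.sh ex_mmdb
        fi
        if changed /data/force_recurse_list.txt "$force_recurse_list" ||
            changed /data/force_cn_list.txt "$force_cn_list" ||
            changed /data/force_dnscrypt_list.txt "$force_dnscrypt_list" ||
            changed /data/force_nocn_list.txt "$force_nocn_list" ||
            changed /data/force_forward_list.txt "$force_forward_list" ||
            changed /data/custom_env.ini "$custom_env"; then
            export reload_mosdns=1
        fi
        if [ "$CN_TRACKER" = "yes" ] && changed /data/trackerslist.txt "$trackerslist"; then
            load_trackerslist
            export reload_mosdns=1
        fi
        if [ "$USE_MARK_DATA" = "yes" ]; then
            # /tmp/global_mark.flag is written by whichever job fetches new mark
            # data (not visible here); "ok" means a fresh file is waiting.
            if [ -f /tmp/global_mark.flag ] && grep -q "ok" /tmp/global_mark.flag; then
                load_mark_data
                echo "" >/tmp/global_mark.flag
                export reload_mosdns=1
            fi
            if changed /data/custom_cn_mark.txt "$custom_cn_mark"; then
                /usr/sbin/mosdns eat list /tmp/custom_cn_mark.txt /data/custom_cn_mark.txt
                export reload_mosdns=1
            fi
        fi
        RULES_TTL=$(rules_ttl)
        if [ "$RULES_TTL" -gt 0 ] && changed /data/force_ttl_rules.txt "$force_ttl_rules"; then
            # Restart dnscrypt-proxy so it picks up the regenerated rule files;
            # the old instance is gone before the new one binds.
            if load_ttl_rules; then
                stop_proc "dnscrypt-proxy.*dnscrypt.toml"
                echo "dnscrypt reload rules..."
                dnscrypt-proxy -config /data/dnscrypt-resolvers/dnscrypt.toml >/dev/null 2>&1 &
            fi
            export reload_mosdns=1
        fi
        if changed /data/Country-only-cn-private.mmdb "$Country"; then
            cat /data/Country-only-cn-private.mmdb >/tmp/Country.mmdb
            export reload_mosdns=1
        fi
        if [ "$reload_mosdns" = "1" ]; then
            stop_proc "mosdns.yaml"
            echo "mosdns reload..."
            touch /data/custom_env.ini
            # Only KEY="value" lines are honoured. The key is restricted to
            # [_A-Za-z0-9], so a line can never become anything but an
            # assignment, but the value is exported into mosdns' environment
            # verbatim (quotes stripped).
            grep -Eo "^[_a-zA-Z0-9]+=\".+\"" /data/custom_env.ini >/tmp/custom_env.ini
            while IFS= read -r line; do
                line=$(printf '%s' "$line" | sed "s/[\"']//g")
                export "$line"
            done </tmp/custom_env.ini
            /usr/sbin/mosdns start -d /data -c /tmp/mosdns.yaml &
            sleep 1
            ps -ef | grep -v "grep" | grep "mosdns"
        fi
    fi
    if [ "$force_reload_flag" = "force" ]; then
        return 0
    fi
    if changed /etc/unbound/named.cache "$named"; then
        stop_proc "unbound_raw"
        echo "unbound reload..."
        /usr/sbin/unbound -c /tmp/unbound_raw.conf >/dev/null 2>&1 &
        sleep 1
        ps | grep -v grep | grep unbound_raw
    fi
}

# Sub-command dispatch: run one step and exit with its status.
case "$1" in
    load_mark_data) load_mark_data; exit ;;
    load_ttl_rules) load_ttl_rules; exit ;;
    load_trackerslist) load_trackerslist; exit ;;
    reload_dns) reload_dns force; exit ;;
esac

# Watch loop: rebuild the list of inputs on every iteration (so files created
# later are picked up), record their hashes for reload_dns, then block on
# inotifywait until one of them is modified or deleted.
while true; do
    file_list="/etc/unbound/named.cache"
    if [ "$CNAUTO" != "no" ]; then
        if [ ! -f /data/force_dnscrypt_list.txt ]; then
            cp /usr/sbin/force_dnscrypt_list.txt /data/
        fi
        if [ ! -f /data/force_recurse_list.txt ]; then
            cp /usr/sbin/force_recurse_list.txt /data/
        fi
        if [ ! -f /data/Country-only-cn-private.mmdb ]; then
            /usr/sbin/data_update.sh ex_mmdb
        fi
        # inotifywait exits immediately if a watched path is missing, so make
        # sure custom_env.ini exists before it is added (reload_dns creates it too).
        touch /data/custom_env.ini
        file_list="$file_list /data/Country-only-cn-private.mmdb /data/force_recurse_list.txt /data/force_dnscrypt_list.txt /data/custom_env.ini"
        if [ -f /data/force_cn_list.txt ]; then
            file_list="$file_list /data/force_cn_list.txt"
        fi
        if [ -f /data/force_nocn_list.txt ]; then
            file_list="$file_list /data/force_nocn_list.txt"
        fi
        if [ "$USE_MARK_DATA" = "yes" ]; then
            if [ ! -f /data/global_mark.dat ]; then
                if [ -f /usr/sbin/global_mark.dat ]; then
                    cp /usr/sbin/global_mark.dat /data/
                else
                    touch /data/global_mark.dat
                fi
            fi
            if [ ! -f /data/custom_cn_mark.txt ]; then
                touch /data/custom_cn_mark.txt
            fi
            file_list="$file_list /data/global_mark.dat /data/custom_cn_mark.txt"
        fi
        if [ "$CN_TRACKER" = "yes" ]; then
            if [ ! -f /data/trackerslist.txt ]; then
                /usr/sbin/data_update.sh comp_trackerslist
            fi
            file_list="$file_list /data/trackerslist.txt"
        fi
        # A custom forwarder is only configured when CUSTOM_FORWARD carries a port.
        if echo "$CUSTOM_FORWARD" | grep -Eoq ":[0-9]+"; then
            file_list="$file_list /data/force_forward_list.txt"
            if [ ! -f /data/force_forward_list.txt ]; then
                cp /usr/sbin/force_forward_list.txt /data/
            fi
        fi
        RULES_TTL=$(rules_ttl)
        if [ "$RULES_TTL" -gt 0 ]; then
            file_list="$file_list /data/force_ttl_rules.txt"
            if [ ! -f /data/force_ttl_rules.txt ]; then
                touch /data/force_ttl_rules.txt
            fi
        fi
        # Snapshot the current hashes; reload_dns compares against these.
        force_dnscrypt_list=$(gen_hash /data/force_dnscrypt_list.txt)
        export force_dnscrypt_list
        force_nocn_list=$(gen_hash /data/force_nocn_list.txt)
        export force_nocn_list
        force_recurse_list=$(gen_hash /data/force_recurse_list.txt)
        export force_recurse_list
        force_cn_list=$(gen_hash /data/force_cn_list.txt)
        export force_cn_list
        force_forward_list=$(gen_hash /data/force_forward_list.txt)
        export force_forward_list
        force_ttl_rules=$(gen_hash /data/force_ttl_rules.txt)
        export force_ttl_rules
        trackerslist=$(gen_hash /data/trackerslist.txt)
        export trackerslist
        custom_cn_mark=$(gen_hash /data/custom_cn_mark.txt)
        export custom_cn_mark
        Country=$(gen_hash /data/Country-only-cn-private.mmdb)
        export Country
        custom_env=$(gen_hash /data/custom_env.ini)
        export custom_env
    fi
    named=$(gen_hash /etc/unbound/named.cache)
    export named
    # $file_list is word-split on purpose: one argument per watched path.
    if inotifywait -e modify,delete $file_list; then
        sleep 1
        reload_dns check
    else
        # A missing path or an interrupted inotifywait would otherwise spin
        # this loop at full speed; back off briefly before retrying.
        sleep 5
    fi
done
--------------------------------------------------------------------------------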