From cdff028daa4281ae305f5fa7fc51843298e5927e Mon Sep 17 00:00:00 2001 From: Martin Gao Date: Sat, 30 Mar 2024 00:17:06 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BC=98=E5=8C=96=E9=BB=98=E8=AE=A4=E9=85=8D?= =?UTF-8?q?=E7=BD=AE=EF=BC=8C=E5=AE=9E=E7=8E=B0=E5=9B=BD=E5=86=85=E5=A4=96?= =?UTF-8?q?=E5=88=86=E7=BB=84?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ReadMe.md | 4 +- etc/smartdns/smartdns.conf | 413 ++----------------------------------- 2 files changed, 14 insertions(+), 403 deletions(-) diff --git a/ReadMe.md b/ReadMe.md index 5ebfecfc1a..d1ea11abc5 100644 --- a/ReadMe.md +++ b/ReadMe.md @@ -24,12 +24,12 @@ Use the following command to create a new container and run SmartDNS: docker run --name smartdns\ --restart unless-stopped\ -v /opt/docker/smartdns:/etc/smartdns - -p 1053:53/tcp -p 1053:53/udp\ + -p 6153:6153/udp -p 6253:6253/udp\ -d chihpengkao/smartdns Ports mappings you may need: -* `-p 53:53/tcp -p 53:53/udp` : plain DNS. +* `-p 6153:6153/udp -p 6253:6253/udp` : plain DNS. **Control the container** diff --git a/etc/smartdns/smartdns.conf b/etc/smartdns/smartdns.conf index 1bd3cbce1c..2fc235011c 100644 --- a/etc/smartdns/smartdns.conf +++ b/etc/smartdns/smartdns.conf @@ -1,421 +1,32 @@ -# dns server name, default is host name -# server-name, -# example: server-name smartdns -# -# whether resolv local hostname to ip address -# resolv-hostname yes +bind :6153 -group cn speed-check-mode ping,tcp:80 +bind :6253 -group oversea -no-speed-check -# dns server run user -# user [username] -# example: run as nobody -# user nobody -# - -# Include another configuration options, if -group is specified, only include the rules to specified group. -# conf-file [file] [-group group-name] -# conf-file blacklist-ip.conf -# conf-file whitelist-ip.conf -group office -# conf-file *.conf - -# dns server bind ip and port, default dns server port is 53, support binding multi ip and port -# bind udp server -# bind [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection] -# bind tcp server -# bind-tcp [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection] -# bind tls server -# bind-tls [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection] -# bind-cert-key-file [path to file] -# tls private key file -# bind-cert-file [path to file] -# tls cert file -# bind-cert-key-pass [password] -# tls private key password -# bind-https server -# bind-https [IP]:[port][@device] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection] -# option: -# -group: set domain request to use the appropriate server group. -# -no-rule-addr: skip address rule. -# -no-rule-nameserver: skip nameserver rule. -# -no-rule-ipset: skip ipset rule or nftset rule. -# -no-speed-check: do not check speed. -# -no-cache: skip cache. -# -no-rule-soa: Skip address SOA(#) rules. -# -no-dualstack-selection: Disable dualstack ip selection. -# -no-ip-alias: ignore ip alias. -# -force-aaaa-soa: force AAAA query return SOA. -# -force-https-soa: force HTTPS query return SOA. -# -no-serve-expired: no serve expired. -# -no-rules: skip all rules. -# -ipset ipsetname: use ipset rule. -# -nftset nftsetname: use nftset rule. -# example: -# IPV4: -# bind :53 -# bind :53@eth0 -# bind :6053 -group office -no-speed-check -# IPV6: -# bind [::]:53 -# bind [::]:53@eth0 -# bind-tcp [::]:53 -bind [::]:53 -bind-tcp [::]:53 - -# tcp connection idle timeout -# tcp-idle-time [second] - -# dns cache size -# cache-size [number] -# 0: for no cache -# -1: auto set cache size cache-size 102400 - -# dns cache memory size -# cache-mem-size [size] - -# enable persist cache when restart cache-persist yes - -# cache persist file cache-file /etc/smartdns/smartdns.cache +cache-checkpoint-time 86400 -# cache persist time -# cache-checkpoint-time [second] -# cache-checkpoint-time 86400 - -# prefetch domain -# prefetch-domain [yes|no] prefetch-domain yes -# cache serve expired -# serve-expired [yes|no] serve-expired yes - -# cache serve expired TTL -# serve-expired-ttl [num] serve-expired-ttl 172800 -# reply TTL value to use when replying with expired data -# serve-expired-reply-ttl [num] -# serve-expired-reply-ttl 30 - -# List of hosts that supply bogus NX domain results -# bogus-nxdomain [ip/subnet] - -# List of IPs that will be filtered when nameserver is configured -blacklist-ip parameter -# blacklist-ip [ip/subnet] - -# List of IPs that will be accepted when nameserver is configured -whitelist-ip parameter -# whitelist-ip [ip/subnet] - -# List of IPs that will be ignored -# ignore-ip [ip/subnet] - -# alias of IPs -# ip-alias [ip/subnet] [ip1[,ip2]...] -# ip-alias 192.168.0.1/24 10.9.0.1,10.9.0.2 - -# speed check mode -# speed-check-mode [ping|tcp:port|none|,] -# example: -# speed-check-mode ping,tcp:80,tcp:443 -# speed-check-mode tcp:443,ping -# speed-check-mode none -speed-check-mode none - -# force AAAA query return SOA -# force-AAAA-SOA [yes|no] force-AAAA-SOA yes - -# force specific qtype return soa -# force-qtype-SOA [-,][qtypeid |...] -# force-qtype-SOA [qtypeid|start_id-end_id|,...] -# force-qtype-SOA 65 28 add type 65,28 -# force-qtype-SOA 65,28 add type 65,28 -# force-qtype-SOA 65-68 add type 65-68 -# force-qtype-SOA -,65-68, clear type 65-68 -# force-qtype-SOA - clear all type force-qtype-SOA 65 -# Enable IPV4, IPV6 dual stack IP optimization selection strategy -# dualstack-ip-selection-threshold [num] (0~1000) -# dualstack-ip-allow-force-AAAA [yes|no] -# dualstack-ip-selection [yes|no] -# dualstack-ip-selection no - -# edns client subnet -# edns-client-subnet [ip/subnet] -# edns-client-subnet 192.168.1.1/24 -# edns-client-subnet 8::8/56 - -# ttl for all resource record -# rr-ttl: ttl for all record -# rr-ttl-min: minimum ttl for resource record -# rr-ttl-max: maximum ttl for resource record -# rr-ttl-reply-max: maximum reply ttl for resource record -# example: -# rr-ttl 300 -rr-ttl-min 300 -# rr-ttl-max 86400 -# rr-ttl-reply-max 60 +rr-ttl-min 30 -# Maximum number of IPs returned to the client|8|number of IPs, 1~16 -# example: -# max-reply-ip-num 1 - -# Maximum number of queries per second|0|number of queries, 0 means no limit. -# example: -# max-query-limit 65535 - -# response mode -# response-mode [first-ping|fastest-ip|fastest-response] - -# set log level -# log-level: [level], level=off, fatal, error, warn, notice, info, debug -# log-file: file path of log file. -# log-console [yes|no]: output log to console. -# log-syslog [yes|no]: output log to syslog. -# log-size: size of each log file, support k,m,g -# log-num: number of logs, 0 means disable log log-level error - -# log-file /var/log/smartdns/smartdns.log log-size 1M -log-num 2 -# log-file-mode [mode]: file mode of log file. - -# dns audit -# audit-enable [yes|no]: enable or disable audit. -# audit-enable yes -# audit-SOA [yes|no]: enable or disable log soa result. -# audit-size size of each audit file, support k,m,g -# audit-file /var/log/smartdns-audit.log -# audit-console [yes|no]: output audit log to console. -# audit-syslog [yes|no]: output audit log to syslog. -# audit-file-mode [mode]: file mode of audit file. -# audit-size 128k -# audit-num 2 - -# Support reading dnsmasq dhcp file to resolve local hostname -# dnsmasq-lease-file /var/lib/misc/dnsmasq.leases - -# certificate file -# ca-file [file] -# ca-file /etc/ssl/certs/ca-certificates.crt - -# certificate path -# ca-path [path] -# ca-path /etc/ss/certs - -# remote udp dns server list -# server [IP]:[PORT]|URL [-blacklist-ip] [-whitelist-ip] [-check-edns] [-group [group] ...] [-exclude-default-group] -# default port is 53 -# -blacklist-ip: filter result with blacklist ip -# -whitelist-ip: filter result with whitelist ip, result in whitelist-ip will be accepted. -# -check-edns: result must exist edns RR, or discard result. -# g|-group [group]: set server to group, use with nameserver /domain/group. -# e|-exclude-default-group: exclude this server from default group. -# p|-proxy [proxy-name]: use proxy to connect to server. -# b|-bootstrap-dns: set as bootstrap dns server. -# -set-mark: set mark on packets. -# -subnet [ip/subnet]: set edns client subnet. -# -host-ip [ip]: set dns server host ip. -# -interface [interface]: set dns server interface. -# server 8.8.8.8 -blacklist-ip -check-edns -group g1 -group g2 -# server tls://dns.google:853 -# server https://dns.google/dns-query - -server 114.114.114.114 - -# remote tcp dns server list -# server-tcp [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-group [group] ...] [-exclude-default-group] -# default port is 53 -# server-tcp 8.8.8.8 - -server-tcp 119.29.29.29 -server-tcp 180.76.76.76 -server-tcp 8.26.56.26 - -# remote tls dns server list -# server-tls [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group] -# -spki-pin: TLS spki pin to verify. -# -tls-host-verify: cert hostname to verify. -# -host-name: TLS sni hostname. -# k|-no-check-certificate: no check certificate. -# p|-proxy [proxy-name]: use proxy to connect to server. -# -bootstrap-dns: set as bootstrap dns server. -# Get SPKI with this command: -# echo | openssl s_client -connect '[ip]:853' | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 -# default port is 853 -# server-tls 8.8.8.8 -# server-tls 1.0.0.1 - -server-tls 1.1.1.1 -server-tls 101.101.101.101 - -# remote https dns server list -# server-https https://[host]:[port]/path [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group] -# -spki-pin: TLS spki pin to verify. -# -tls-host-verify: cert hostname to verify. -# -host-name: TLS sni hostname. -# -http-host: http host. -# k|-no-check-certificate: no check certificate. -# p|-proxy [proxy-name]: use proxy to connect to server. -# -bootstrap-dns: set as bootstrap dns server. -# default port is 443 -# server-https https://cloudflare-dns.com/dns-query - -# socks5 and http proxy list -# proxy-server URL -name [proxy name] -# URL: socks5://[username:password@]host:port -# http://[username:password@]host:port -# -name: proxy name, use with server -proxy [proxy-name] - -server-https https://doh.pub/dns-query -server-https https://dns.alidns.com/dns-query - -# specific nameserver to domain -# nameserver [/domain/][group|-] -# nameserer group, set the domain name to use the appropriate server group. -# nameserver /www.example.com/office, Set the domain name to use the appropriate server group. -# nameserver /www.example.com/-, ignore this domain - -# expand ptr record from address record -# expand-ptr-from-address yes - -# specific address to domain -# address [/domain/][ip1,ip2|-|-4|-6|#|#4|#6] -# address #, block all A and AAAA request. -# address #6, block all AAAA request. -# address -6, allow all AAAA request. -# address /www.example.com/1.2.3.4, return ip 1.2.3.4 to client -# address /www.example.com/1.2.3.4,5.6.7.8, return multiple ip addresses -# address /www.example.com/-, ignore address, query from upstream, suffix 4, for ipv4, 6 for ipv6, none for all -# address /www.example.com/#, return SOA to client, suffix 4, for ipv4, 6 for ipv6, none for all - -# specific cname to domain -# cname /domain/target - -# add srv record, support multiple srv record. -# srv-record /domain/[target][,port][,priority][,weight] -# srv-record /_ldap._tcp.example.com/ldapserver.example.com,389 -# srv-record /_ldap._tcp.example.com/ - -# https-record /domain/[target=][,port=][,priority=][,alph=][,ech=][,ipv4hint=][,ipv6hint=] -# https-record noipv4hint,noipv6hint -# https-record /www.example.com/ipv4hint=192.168.1.2 - -# enable DNS64 feature -# dns64 [ip/subnet] -# dns64 64:ff9b::/96 - -# enable ipset timeout by ttl feature -# ipset-timeout [yes] - -# specific ipset to domain -# ipset [/domain/][ipsetname|#4:v4setname|#6:v6setname|-|#4:-|#6:-] -# ipset [ipsetname|#4:v4setname|#6:v6setname], set global ipset. -# ipset /www.example.com/block, set ipset with ipset name of block. -# ipset /www.example.com/-, ignore this domain. -# ipset ipsetname, set global ipset. - -# add to ipset when ping is unreachable -# ipset-no-speed ipsetname -# ipset-no-speed pass - -# enable nftset timeout by ttl feature -# nftset-timeout [yes|no] -# nftset-timeout yes - -# add to nftset when ping is unreachable -# nftset-no-speed [#4:ip#table#set,#6:ipv6#table#setv6] -# nftset-no-speed #4:ip#table#set - -# enable nftset debug, check nftset setting result, output log when error. -# nftset-debug [yes|no] -# nftset-debug yes - -# specific nftset to domain -# nftset [/domain/][#4:ip#table#set,#6:ipv6#table#setv6] -# nftset [#4:ip#table#set,#6:ipv6#table#setv6] set global nftset. -# nftset /www.example.com/ip#table#set, equivalent to 'nft add element ip table set { ... }' -# nftset /www.example.com/-, ignore this domain -# nftset /www.example.com/#6:-, ignore ipv6 -# nftset #6:ip#table#set, set global nftset. - -# set ddns domain -# ddns-domain domain - -# lookup local network hostname or ip address from mdns -# mdns-lookup [yes|no] -# mdns-lookup no - -# set hosts file -# hosts-file [file] - -# set domain rules -# domain-rules /domain/ [-speed-check-mode [...]] -# rules: -# [-c] -speed-check-mode [mode]: speed check mode -# speed-check-mode [ping|tcp:port|none|,] -# [-a] -address [address|-]: same as address option -# [-n] -nameserver [group|-]: same as nameserver option -# [-p] -ipset [ipset|-]: same as ipset option -# [-t] -nftset [nftset|-]: same as nftset option -# [-d] -dualstack-ip-selection [yes|no]: same as dualstack-ip-selection option -# [-g|-group group-name]: set domain-rules to group. -# -no-serve-expired: ignore expired domain -# -delete: delete domain rule -# -no-ip-alias: ignore ip alias -# -no-cache: ignore cache - -# collection of domains -# the domain-set can be used with /domain/ for address, nameserver, ipset, etc. -# domain-set -name [set-name] -type list -file [/path/to/file] -# [-n] -name [set name]: domain set name -# [-t] -type [list]: domain set type, list only now -# [-f] -file [path/to/set]: file path of domain set -# -# example: -# domain-set -name domain-list -type list -file /etc/smartdns/domain-list.conf -# address /domain-set:domain-list/1.2.3.4 -# nameserver /domain-set:domain-list/server-group -# ipset /domain-set:domain-list/ipset -# domain-rules /domain-set:domain-list/ -speed-check-mode ping - -# set ip rules -# ip-rules ip-cidrs [-ip-alias [...]] -# rules: -# [-c] -ip-alias [ip1,ip2]: same as ip-alias option -# [-a] -whitelist-ip: same as whitelist-ip option -# [-n] -blacklist-ip: same as blacklist-ip option -# [-p] -bogus-nxdomain: same as bogus-nxdomain option -# [-t] -ignore-ip: same as ignore-ip option - -# collection of IPs -# the ip-set can be used with /ip-cidr/ for ip-alias, ignore-ip, etc. -# ip-set -name [set-name] -type list -file [/path/to/file] -# [-n] -name [set name]: ip set name -# [-t] -type [list]: ip set type, list only now -# [-f] -file [path/to/set]: file path of ip set -# -# example: -# ip-set -name ip-list -file /etc/smartdns/ip-list.conf -# bogus-nxdomain ip-set:ip-list -# ip-alias ip-set:ip-list 1.2.3.4 -# ip-alias ip-set:ip-list ip-set:ip-map-list - -# set client rules -# client-rules [ip-cidr|mac|ip-set] [-group [group]] [-no-rule-addr] [-no-rule-nameserver] [-no-rule-ipset] [-no-speed-check] [-no-cache] [-no-rule-soa] [-no-dualstack-selection] -# client-rules option is same as bind option, please see bind option for detail. - -# set group rules -# group-begin [group-name] -# group-match [-g|group group-name] [-domain domain] [-client-ip [ip-cidr|mac|ip-set]] -# group-end +log-num -# load plugin -# plugin [path/to/file] [args] -# plugin /usr/lib/smartdns/libsmartdns-ui.so --p 8080 -i 0.0.0.0 -r /usr/share/smartdns/wwwroot +server 114.114.114.114 -group cn +server-tcp 180.76.76.76 -group cn +server-https https://doh.pub/dns-query -group cn +server-https https://dns.alidns.com/dns-query -group cn +server-tls 8.8.4.4 -group overseas -exclude-default-group +server-tls 1.0.0.1 -group overseas -exclude-default-group +server-tls 101.101.101.101 -group oversea -exclude-default-group \ No newline at end of file