Installing iStoreOS on ESXi and configuring AdGuardHome + OpenClash + MosDNS

波比AI · 2 May 2025 · 28,984 characters · estimated reading time 97 minutes

I had been using ImmortalWRT until an ESXi power loss left it unable to boot, with the error: the object type requires hosted I/O. From what I found, the likely cause is a firmware problem, or the firmware having been converted with StarWind V2V Converter. So I switched to iStoreOS.

iStoreOS download: KoolCenter firmware download server

I. Installation

1. Format conversion

Convert the downloaded iStoreOS img file with StarWind V2V Converter.
Note: choose vmdk image format -> ESXi Server Image, ESXi pre-allocated image. The ImmortalWRT I used before was a vmdk downloaded from the official site, which may be why it would not boot after the power loss.

Select the img file you just downloaded and click Next.

Be sure to choose ESXi Server Image.

Choose the last option: ESXi pre-allocated image.

The converted files:

2. Create the virtual machine

Keep SATA controller 0; you can remove Hard disk 1, SCSI controller 0, USB controller 1 and CD/DVD drive 1.

Add hard disk >> Existing hard disk >> upload the 2 converted files.

VM Options >> Boot Options >> EFI, and untick Enable UEFI secure boot.

II. iStoreOS setup

After installation completes, enter quickstart >> change lan ip to change the IP.

Access the device at the new IP, then Network wizard >> Configure as bypass router (旁路由) >> Manual configuration, and set it up as needed.

III. Software installation

First install all the packages: luci-app-adguardhome, luci-app-mosdns and OpenClash. Then configure them one by one.

While installing the plugins, raw.githubusercontent.com may be unreachable, which stops the software above from downloading its resources. Add the following to /etc/hosts. Pinning GitHub addresses this way is a workaround only: the entries go stale when GitHub rotates IPs, so remove them once direct access works.

vim /etc/hosts

# add the following to hosts
127.0.0.1 localhost

::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Add:
185.199.110.133 raw.githubusercontent.com
140.82.113.26                 alive.github.com
140.82.113.5                  api.github.com
185.199.108.153               assets-cdn.github.com
185.199.108.133               avatars.githubusercontent.com
185.199.108.133               avatars0.githubusercontent.com
185.199.108.133               avatars1.githubusercontent.com
185.199.108.133               avatars2.githubusercontent.com
185.199.108.133               avatars3.githubusercontent.com
185.199.108.133               avatars4.githubusercontent.com
185.199.108.133               avatars5.githubusercontent.com
185.199.108.133               camo.githubusercontent.com
140.82.112.21                 central.github.com
185.199.110.133               cloud.githubusercontent.com
140.82.113.10                 codeload.github.com
185.199.108.133               desktop.githubusercontent.com
185.199.108.133               favicons.githubusercontent.com
140.82.112.4                  gist.github.com
3.5.30.52                     github-cloud.s3.amazonaws.com
52.216.32.225                 github-com.s3.amazonaws.com
52.217.128.201                github-production-release-asset-2e65be.s3.amazonaws.com
54.231.171.57                 github-production-repository-file-5c1aeb.s3.amazonaws.com
52.217.136.217                github-production-user-asset-6210df.s3.amazonaws.com
192.0.66.2                    github.blog
140.82.112.3                  github.com
140.82.112.17                 github.community
185.199.110.154               github.githubassets.com
151.101.193.194               github.global.ssl.fastly.net
185.199.108.153               github.io
185.199.108.133               github.map.fastly.net
185.199.108.153               githubstatus.com
140.82.112.25                 live.github.com
185.199.108.133               media.githubusercontent.com
185.199.108.133               objects.githubusercontent.com
13.107.42.16                  pipelines.actions.githubusercontent.com
185.199.108.133               raw.githubusercontent.com
185.199.108.133               user-images.githubusercontent.com
140.82.112.22                 education.github.com
185.199.108.133               private-user-images.githubusercontent.com

You can also install from the .run files: Are-u-ok/x86 at main · AUK9527/Are-u-ok · GitHub

sh <package-name>.run

1. AdGuardHome installation

(1) Updating the core reports "a task is already running"

Manually comment out the relevant code in /usr/share/AdGuardHome/update_core.sh
or

check_if_already_running(){
    sleep 1  # add this line
    running_tasks="$(ps |grep 'AdGuardHome' |grep 'update_core' |grep -v 'grep' |wc -l)"  # pipeline tail reconstructed; the source line was cut off
    [ "${running_tasks}" -gt "2" ] && echo -e "\nA task is already running." && exit 1  # exit reconstructed for the same reason
}

(2) Updating the core reports wget-ssl: not found

opkg update
opkg install wget-ssl

(3) Port conflicts (ADG uses port 53 directly)

Running AdGuard Home on a Linux device commonly conflicts on ports 53 (local DNS server), 68 (DHCP client), 80 (HTTP) and 443 (HTTPS); use netstat -tunlp | grep <port> to find the occupying process. There are two fixes: use a different port, or stop the conflicting process.
If AdGuard Home runs in Docker and reports listen udp 0.0.0.0:53: bind: address already in use, handle it manually as follows:

# stop the DNSStubListener
systemctl stop systemd-resolved

# create the directory (if it does not exist)
mkdir /etc/systemd/resolved.conf.d/

# create the config file with nano
nano /etc/systemd/resolved.conf.d/adguardhome.conf

Paste the following into the editor:

[Resolve]
DNS=127.0.0.1
DNSStubListener=no

Save, then run the following commands.

# back up the existing file
sudo mv /etc/resolv.conf /etc/resolv.conf.backup

# link /etc/resolv.conf to /run/systemd/resolve/resolv.conf
ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf

# restart systemd-resolved
systemctl restart systemd-resolved

Afterwards run netstat -tunlp | grep 53 to check whether anything still occupies port 53; if there is no conflict, restart the AdGuard Home container.

(4) Start on boot

Log in to OpenWrt via ssh and run the following; no reboot is needed.

chmod 755 /etc/init.d/AdGuardHome
service AdGuardHome restart

/etc/init.d/AdGuardHome start
If it still does not start, run
/etc/init.d/AdGuardHome enable

(5) Average processing time too long

The following factors make AdGuard Home's processing time too long:

  • Latency to the upstream DNS: if the local ISP's DNS does not hijack or poison answers, use the ISP DNS plus a public DNS; compare DNS speed by ping. In AdGuard Home, choose "parallel requests" for handling DNS queries.
  • Browsing security, parental control and enforced safe search: these three features skip the DNS cache and query the upstream servers directly, slowing AdGuard Home down.
  • IPv6: if your broadband or campus network does not support IPv6, disable IPv6 resolution to improve response time.
  • Filter rules: too many filter rules slow responses; fewer is better, pick the rules that suit you, usually 3 to 4 ad-filter lists are enough.
  • Statistics period: if after the above optimisation the average processing time barely changes but use does not feel slow, the statistics window may be too long and still include pre-optimisation results, so before and after look alike. Shorten the dashboard statistics period to 24 hours and check again.
  • If after all this the experience is worse than without AdGuard Home, the problem is serious; check the AdGuard Home logs for the cause.

(6) Login redirect does nothing

Path: Services - AdGuard Home - manual settings, sixth line: if the ttl was not changed it is 0 s; set it to 3600 s, save/apply, then log in again with your account and password.

2. MosDNS installation

opkg update
opkg install curl

sh -c "$(curl -ksS https://raw.githubusercontent.com/sbwml/luci-app-mosdns/v5/install.sh)"

Note that -k makes curl skip TLS certificate verification, so the script is run without any check of who served it; if the download works without -k, drop it, especially while raw.githubusercontent.com is pinned in /etc/hosts as above.

IV. Configuration

The sections above covered the overall approach, the bypass-router setup, installing the software and the problems that can come up; now for the actual configuration.

1. OpenClash

OpenClash has a lot of settings; for the initial configuration refer to the OpenClash wiki. Below are only the settings that need to change for the setup in this article.

  • Plugin Settings – Mode Settings – Running Mode: switch to Fake-IP (enhanced) mode. I use Fake-IP (TUN-mixed) mode (UDP-TUN, TCP-redirect).
  • Plugin Settings – DNS Settings – Local DNS Hijack: choose Disable.
  • Plugin Settings – Traffic Control – Bypass mainland China IPs: untick.
  • Plugin Settings – Traffic Control – Only allow LAN: enable.
  • Plugin Settings – IPv6 Settings: turn off every option on this page.
  • Overwrite Settings – General Settings: nothing to change here, just note the DNS listen port; it is needed later for mosdns.
  • Overwrite Settings – DNS Settings – Fake-IP range: choose 198.18.0.1/16.
  • Overwrite Settings – DNS Settings – Custom upstream DNS servers: tick.
  • Overwrite Settings – DNS Settings – Append upstream DNS: tick.
  • Overwrite Settings – DNS Settings – Append default DNS: tick.
  • Overwrite Settings – DNS Settings – Fake-IP persistence: tick.
  • Overwrite Settings – DNS Settings, at the bottom of the page: untick all DNS servers under NameServer, FallBack and Default-NameServer; we only use the ISP's DNS servers. ISP DNS is usually the fastest and the best optimised for CDNs.
  • Plugin Settings – GEO Database Subscription: enable auto-update for GeoIP Dat and GeoSite, choosing the Loyalsoldier versions of both; these are for mosdns.
  • Plugin Settings – Developer Options: customise the firewall rules by adding the following lines.
# This script is called by /etc/init.d/openclash
# Add your custom firewall rules here, they will be added after the end of the OpenClash iptables rules

en_mode=$(uci -q get openclash.config.en_mode)
proxy_port=$(uci -q get openclash.config.proxy_port)

if [ "$en_mode" == "fake-ip" ]; then
    LOG_OUT "limit route to only fake ips with proxy port $proxy_port"
    iptables -t nat -D openclash -p tcp -j REDIRECT --to-ports $proxy_port
    sleep 1

    LOG_OUT "update telegram ipset"
    /etc/mosdns/rule/geoip2ipset.sh /etc/openclash/GeoIP.dat telegram
    iptables -t nat -A openclash -m set --match-set telegram dst -p tcp -j REDIRECT --to-ports $proxy_port
    sleep 1

    LOG_OUT "update netflix ipset"
    /etc/mosdns/rule/geoip2ipset.sh /etc/openclash/GeoIP.dat netflix
    iptables -t nat -A openclash -m set --match-set netflix dst -p tcp -j REDIRECT --to-ports $proxy_port
    sleep 1
fi

#  stop AdGuardHome
LOG_OUT "stop adguardhome"
/etc/init.d/AdGuardHome stop
sleep 1

#  start AdGuardHome
LOG_OUT "start adguardhome"
/etc/init.d/AdGuardHome start
sleep 1

# stop Mosdns
LOG_OUT "stop mosdns"
/etc/init.d/mosdns stop
sleep 1

# start Mosdns
LOG_OUT "start mosdns"
/etc/init.d/mosdns start
sleep 1

# reload Mosdns
LOG_OUT "reload mosdns"
/etc/init.d/mosdns reload
sleep 1

exit 0

The script /etc/mosdns/rule/geoip2ipset.sh generates the matching ipset from the GeoIP database. Its contents are below; after placing the file on the router, remember to run chmod a+x /etc/mosdns/rule/geoip2ipset.sh to make it executable.

#!/bin/bash

geoipfile="$1"
tag="$2"
tmpdir="/tmp/v2dat"
FW4=$(command -v fw4)

cd $(cd $(dirname $BASH_SOURCE) && pwd)

mkdir -p "$tmpdir"
filename=$(basename -- "$geoipfile")
filename="${filename%.*}"
filename="$tmpdir/${filename}_$tag.txt"  # <GeoIP basename>_<tag>.txt, the name v2dat unpack writes

if [ "$tag" == "telegram" ]; then
    wget -4 --timeout 5 -O "$filename" 'https://mirror.ghproxy.com/https://raw.githubusercontent.com/fernvenue/telegram-cidr-list/master/CIDR.txt'
    if [ "$?" != "0" ]; then
         /usr/bin/v2dat unpack geoip -o "$tmpdir" -f "$tag" "$geoipfile"
    fi
else
    /usr/bin/v2dat unpack geoip -o "$tmpdir" -f "$tag" "$geoipfile"
fi

if test -f "$filename"; then
    if [ -n "$FW4" ]; then
        nft add set inet fw4 "$tag" { type ipv4_addr\; flags interval\;  auto-merge\; }
        nft add set inet fw4 "${tag}6" { type ipv6_addr\; flags interval\;  auto-merge\; }
        nft flush set inet fw4 "$tag"
        nft flush set inet fw4 "${tag}6"
    fi
    ipset create "$tag" hash:net -!
    ipset create "${tag}6" hash:net family inet6 -!
    ipset flush "$tag"
    ipset flush "${tag}6"
    while read p; do
        if ! grep -q ":" <<< "$p"; then
            if [ -n "$FW4" ]; then
                nft add element inet fw4 "$tag" { "$p" }
            fi
            ipset add "$tag" "$p"
        else
            if [ -n "$FW4" ]; then
                nft add element inet fw4 "${tag}6" { "$p" }
            fi
            ipset add "${tag}6" "$p"
        fi
    done <"$filename"
else
    echo "$filename missing."
fi

rm -rf "$tmpdir"

2. MosDNS

MosDNS can do split resolution only, with AdGuardHome handling ad blocking, or it can do the ad blocking itself. The configuration files for both approaches follow.

(1) Split only, no ad blocking

Choose custom configuration and untick DNS forwarding, then paste the configuration below. Change the Clash DNS port to the one you configured in OpenClash and the LAN IP-CIDR to your own subnet; mosdns listens on port 5335 here. Under GeoData export, configure the tags we use: GeoSite: cn, apple-cn, category-games@cn, geolocation-!cn; GeoIP: cn. AdGuardHome then needs the matching configuration.

[!info] Note
Since mosdns v5.3.4, apple-cn cannot be fetched; try removing it, or use the following workaround.

Workaround:

1. Comment out lines 19 and 20 of the custom configuration (- "/var/mosdns/geosite_apple-cn.txt" and - "/var/mosdns/geosite_category-games@cn.txt") so that MosDNS runs normally, though this feels a bit hacky.

2. Enable MosDNS's database auto-update and edit /usr/share/mosdns/mosdns.sh, changing

https://github.com/Loyalsoldier/geoip/releases/latest/download/geoip-only-cn-private.dat
https://github.com/Loyalsoldier/geoip/releases/latest/download/geoip-only-cn-private.dat.sha256sum

to

https://github.com/Loyalsoldier/“师夷长技以制夷”-rules-dat/releases/latest/download/geoip.dat
https://github.com/Loyalsoldier/“师夷长技以制夷”-rules-dat/releases/latest/download/geosite.dat.sha256sum

Then run /usr/share/mosdns/mosdns.sh geodata over ssh to update the database.
Remove domain:bing.com from the custom rule list and add it to the greylist so that the new Bing works.

log:
  level: info
  file: "/tmp/mosdns.log"

plugins:
  # cache plugin
  - tag: cache
    type: cache
    args:
      size: 20480
      lazy_cache_ttl: 86400

  # domestic (CN) domains
  - tag: geosite_cn
    type: domain_set
    args:
      exps:
        - "lan"
        - "local"
        - "arpa"
      files:
        - "/etc/mosdns/rule/whitelist.txt"
        - "/var/mosdns/geosite_cn.txt"
        - "/var/mosdns/geosite_apple-cn.txt"
        - "/var/mosdns/geosite_category-games@cn.txt"

  # domestic (CN) IPs
  - tag: geoip_cn
    type: ip_set
    args:
      files:
        - "/var/mosdns/geoip_cn.txt"

  # foreign (non-CN) domains
  - tag: geosite_no_cn
    type: domain_set
    args:
      files:
        - "/etc/mosdns/rule/greylist.txt"
        - "/var/mosdns/geosite_geolocation-!cn.txt"

  # domestic DNS
  - tag: forward_local
    type: forward
    args:
      upstreams:
        - addr: "quic://223.5.5.5"      
        - addr: "tls://1.12.12.12"
          enable_pipeline: true      
        - addr: "tls://120.53.53.53"
          enable_pipeline: true

  # foreign DNS
  # pick low-latency resolvers yourself
  - tag: forward_remote
    type: forward
    args:
      upstreams:
        # 101DNS
        - addr: "tls://101.101.101.101"
          enable_pipeline: true
        # NextDNS HK node
        - addr: "https://45.11.104.186"
          insecure_skip_verify: true  # disables certificate validation for this upstream; an on-path attacker could impersonate it
        # OpenDNS Sandbox
        - addr: "tls://208.67.222.2"
          enable_pipeline: true
        # OpenDNS 
        - addr: "tls://208.67.222.222"
          enable_pipeline: true                    

  # private split DNS
  - tag: forward_private
    type: forward
    args:
      upstreams: 
        - addr: "https://doh.apad.pro/dns-query"
          bootstrap: "223.5.5.5" 


  # domestic resolution
  - tag: local_sequence
    type: sequence
    args:
      - exec: $forward_local

  # foreign resolution
  - tag: remote_sequence
    type: sequence
    args:
      - exec: prefer_ipv4
      - exec: $forward_remote

  # split resolution
  - tag: private_sequence
    type: sequence
    args:
      - exec: $forward_private

  # clash resolution
  - tag: clash_sequence
    type: sequence
    args:
      - exec: forward 127.0.0.1:7874
      - exec: ttl 0

  # stop and return once there is a response
  - tag: has_resp_sequence
    type: sequence
    args:
      - matches: has_resp
        exec: accept

  # fallback uses the split sequence
  # if a foreign IP comes back, resolve via clash to get a fake IP
  - tag: fallback_sequence
    type: sequence
    args:
      - exec: $private_sequence
      - matches: "!resp_ip $geoip_cn"
        exec: goto clash_sequence
      - exec: accept

  # foreign sequence
  - tag: fallback2_sequence
    type: sequence
    args:
      - exec: $remote_sequence
      - matches: "resp_ip $geoip_cn"
        exec: goto local_sequence
      - exec: goto clash_sequence      

  # fallback: split DNS first, foreign DNS after timeout
  - tag: fallback
    type: fallback
    args:
      primary: fallback_sequence
      secondary: fallback2_sequence
      threshold: 2000
      always_standby: true

  # main run-logic plugin
  # plugin tags referenced by a sequence must be defined before the sequence,
  # otherwise the sequence cannot find them.
  - tag: main_sequence
    type: sequence
    args:
      # drop https query type
      - matches:
        - qtype 65
        exec: reject 3

      # handle local ptr
      - matches:
        - qtype 12
        exec: $local_sequence
      - exec: jump has_resp_sequence

      # FakeIP: do not cache
      - matches:
        - qname $geosite_no_cn
        exec: $clash_sequence
      - exec: jump has_resp_sequence

      # cache
      - exec: $cache
      - exec: jump has_resp_sequence

      - matches:
        - qname $geosite_cn
        exec: $local_sequence
      - exec: jump has_resp_sequence

      - exec: $fallback

  - tag: udp_server
    type: udp_server
    args:
      entry: main_sequence
      listen: ":5335" # mosdns listen port

Second variant of the same configuration (ISP DNS as the domestic upstream, plus a TCP listener):

log:
  level: info
  file: "/tmp/mosdns.log"

include: []

plugins:
  # cache plugin
  - tag: cache
    type: cache
    args:
      size: 20480
      lazy_cache_ttl: 86400
      dump_interval: 600

  # domestic (CN) domains
  - tag: geosite_cn
    type: domain_set
    args:
      exps:
        - "lan"
        - "local"
        - "arpa"
      files:
        - "/etc/mosdns/rule/whitelist.txt"
        - "/var/mosdns/geosite_cn.txt"
        - "/var/mosdns/geosite_apple-cn.txt"
        - "/var/mosdns/geosite_category-games@cn.txt"

  # domestic (CN) IPs
  - tag: geoip_cn
    type: ip_set
    args:
      files:
        - "/var/mosdns/geoip_cn.txt"

  # foreign (non-CN) domains
  - tag: geosite_no_cn
    type: domain_set
    args:
      files:
        - "/etc/mosdns/rule/greylist.txt"
        - "/var/mosdns/geosite_geolocation-!cn.txt"

  # hosts
  - tag: hosts
    type: hosts
    args:
      files:
        - "/etc/mosdns/rule/hosts.txt"

  # domestic resolution
  - tag: local_sequence
    type: sequence
    args:
      - exec: forward 59.51.78.210
      - matches:
        - has_resp
        - resp_ip 192.168.1.0/24 # LAN IP CIDR: change to your router's subnet
        exec: ttl 1800-0

  # foreign resolution
  - tag: remote_sequence
    type: sequence
    args:
      - exec: prefer_ipv4
      - matches:
        - qtype 28
        exec: reject 0
      - exec: forward 127.0.0.1:7874
      - exec: ttl 1800-0

  # stop and return once there is a response
  - tag: has_resp_sequence
    type: sequence
    args:
      - matches: has_resp
        exec: accept

  # fallback: local-server sequence
  # if a non-CN IP comes back, drop_resp
  - tag: fallback_local
    type: sequence
    args:
      - exec: $local_sequence
      - matches: "!resp_ip $geoip_cn"
        exec: drop_resp

  # fallback: remote-server sequence
  - tag: fallback
    type: fallback
    args:
      primary: fallback_local
      secondary: remote_sequence
      threshold: 100
      always_standby: true

  # main run-logic plugin
  # plugin tags referenced by a sequence must be defined before the sequence,
  # otherwise the sequence cannot find them.
  - tag: main_sequence
    type: sequence
    args:
      - exec: $cache
      # hosts
      - exec: $hosts
      - exec: jump has_resp_sequence
      # drop https query type
      - matches:
        - qtype 65
        exec: reject 3

      # handle local ptr
      - matches:
        - qtype 12
        exec: $local_sequence
      - exec: jump has_resp_sequence

      # handle all IPv6 requests
      - matches:
        - qtype 28  # match AAAA queries
        exec: $local_sequence
      - exec: jump has_resp_sequence

      - matches:
        - qname $geosite_cn
        exec: $local_sequence
      - exec: jump has_resp_sequence

      - matches:
        - qname $geosite_no_cn
        exec: $remote_sequence
      - exec: jump has_resp_sequence

      - exec: $fallback

  - tag: udp_server
    type: udp_server
    args:
      entry: main_sequence
      listen: ":5335"

  - tag: server_tcp
    type: tcp_server
    args:
      entry: main_sequence
      listen: ":5335"

Third variant (dnsmasq on 127.0.0.1 as the domestic upstream):

log:
  level: info
  file: "/tmp/mosdns.log"

include: []

plugins:
  # domestic (CN) domains
  - tag: geosite_cn
    type: domain_set
    args:
      exps:
        - "lan"
        - "local"
        - "arpa"
      files:
        - "/etc/mosdns/rule/whitelist.txt"
        - "/var/mosdns/geosite_cn.txt"
        - "/var/mosdns/geosite_apple-cn.txt"
        - "/var/mosdns/geosite_category-games@cn.txt"

  # domestic (CN) IPs
  - tag: geoip_cn
    type: ip_set
    args:
      files:
        - "/var/mosdns/geoip_cn.txt"

  # foreign (non-CN) domains
  - tag: geosite_no_cn
    type: domain_set
    args:
      files:
        - "/etc/mosdns/rule/greylist.txt"
        - "/var/mosdns/geosite_geolocation-!cn.txt"

  # hosts
  - tag: hosts
    type: hosts
    args:
      files:
        - "/etc/mosdns/rule/hosts.txt"

  # domestic resolution
  - tag: local_sequence
    type: sequence
    args:
      - exec: forward 127.0.0.1
      - matches:
        - has_resp
        - resp_ip 192.168.1.0/24 # LAN IP CIDR: change to your router's subnet
        exec: ttl 1800-0

  # foreign resolution
  - tag: remote_sequence
    type: sequence
    args:
      - matches:
        - qtype 28
        exec: reject 0
      - exec: forward 127.0.0.1:7874
      - exec: ttl 1800-0

  # stop and return once there is a response
  - tag: has_resp_sequence
    type: sequence
    args:
      - matches: has_resp
        exec: accept

  # fallback: local-server sequence
  # if a non-CN IP comes back, drop_resp
  - tag: fallback_local
    type: sequence
    args:
      - exec: $local_sequence
      - matches: "!resp_ip $geoip_cn"
        exec: drop_resp

  # fallback: remote-server sequence
  - tag: fallback
    type: fallback
    args:
      primary: fallback_local
      secondary: remote_sequence
      threshold: 200
      always_standby: true

  # main run-logic plugin
  # plugin tags referenced by a sequence must be defined before the sequence,
  # otherwise the sequence cannot find them.
  - tag: main_sequence
    type: sequence
    args:

      # hosts
      - exec: $hosts
      - exec: jump has_resp_sequence

      # drop https query type
      - matches:
        - qtype 65
        exec: reject 3

      # handle local ptr
      - matches:
        - qtype 12
        exec: $local_sequence
      - exec: jump has_resp_sequence

      - matches:
        - qname $geosite_cn
        exec: $local_sequence
      - exec: jump has_resp_sequence

      - matches:
        - qname $geosite_no_cn
        exec: $remote_sequence
      - exec: jump has_resp_sequence

      - exec: $fallback

  - tag: udp_server
    type: udp_server
    args:
      entry: main_sequence
      listen: ":5335"

(2) Ad blocking

Ad blocking is implemented in MosDNS itself, so AdGuardHome does not need to be installed or configured.

log:
  level: info
  file: "/tmp/mosdns.log"

include: []

plugins:
  # domestic (CN) domains
  - tag: geosite_cn
    type: domain_set
    args:
      exps:
        - "lan"
        - "local"
        - "arpa"
      files:
        - "/etc/mosdns/rule/whitelist.txt"
        - "/var/mosdns/geosite_cn.txt"
        - "/var/mosdns/geosite_apple-cn.txt"
        - "/var/mosdns/geosite_category-games@cn.txt"

  # domestic (CN) IPs
  - tag: geoip_cn
    type: ip_set
    args:
      files:
        - "/var/mosdns/geoip_cn.txt"

  # foreign (non-CN) domains
  - tag: geosite_no_cn
    type: domain_set
    args:
      files:
        - "/etc/mosdns/rule/greylist.txt"
        - "/var/mosdns/geosite_geolocation-!cn.txt"

  # hosts
  - tag: hosts
    type: hosts
    args:
      files:
        - "/etc/mosdns/rule/hosts.txt"

  # cache plugin
  - tag: cache
    type: cache
    args:
      size: 20480
      lazy_cache_ttl: 86400

  - tag: ad_sequence
    type: sequence
    args:
      - exec: concurrent 3
      - matches:             # if
          - qname "/etc/mosdns/rule/adlist/anti-ad-domains.txt" # the queried name is in the ad list
        exec: reject 3       # then block it by returning NXDOMAIN (rcode 3)
      - exec: cache 1024     # next, look up the cache
      - matches:             # if
          - has_resp         # there is an answer (the cache hit above)
        exec: accept         # finish

      # no cache hit, so forward to the local resolver for an answer
      - exec: forward 127.0.0.1
      # once a sequence ends (reject, accept, or end of list) control returns to the caller;
      # in this file the caller is the server below, which returns the answer to the client.

  # domestic resolution
  - tag: local_sequence
    type: sequence
    args:
      - exec: concurrent 3
      - exec: forward 192.168.1.1
      - matches:
        - has_resp
        - resp_ip 192.168.1.0/24 # LAN IPCIDR
        exec: ttl 1800-0

  # foreign resolution
  - tag: remote_sequence
    type: sequence
    args:
      - exec: concurrent 3
      - matches:
        - qtype 28
        exec: reject 0
      - exec: forward 127.0.0.1:7874
      - exec: ttl 1800-0

  # stop and return once there is a response
  - tag: has_resp_sequence
    type: sequence
    args:
      - matches: has_resp
        exec: accept

  # fallback: local-server sequence
  # if a non-CN IP comes back, drop_resp
  - tag: fallback_local
    type: sequence
    args:
      - exec: $local_sequence
      - matches: "!resp_ip $geoip_cn"
        exec: drop_resp

  # fallback: remote-server sequence
  - tag: fallback
    type: fallback
    args:
      primary: fallback_local
      secondary: remote_sequence
      threshold: 200
      always_standby: true

  # main run-logic plugin
  # plugin tags referenced by a sequence must be defined before the sequence,
  # otherwise the sequence cannot find them.
  - tag: main_sequence
    type: sequence
    args:

      # hosts
      - exec: $hosts
      - exec: jump has_resp_sequence

      # drop https query type
      - matches:
        - qtype 65
        exec: reject 3

      # handle local ptr
      - matches:
        - qtype 12
        exec: $local_sequence
      - exec: jump has_resp_sequence

      - matches:
        - qname $geosite_cn
        exec: $local_sequence
      - exec: jump has_resp_sequence

      - matches:
        - qname $geosite_no_cn
        exec: $remote_sequence
      - exec: jump has_resp_sequence

      - exec: $fallback

  - tag: udp_server
    type: udp_server
    args:
      entry: main_sequence
      listen: ":5335"
  - tag: server_tcp
    type: tcp_server
    args:
      entry: main_sequence
      listen: ":5335"

(3) Final version in use

log:
  level: info
  file: "/tmp/mosdns.log"

plugins:
  # cache plugin
  - tag: cache
    type: cache
    args:
      size: 20480
      lazy_cache_ttl: 180
      dump_file: /etc/mosdns/cache.dump
      dump_interval: 60

  # domestic (CN) domains
  - tag: geosite_cn
    type: domain_set
    args:
      exps:
        - "lan"
        - "local"
        - "arpa"
      files:
        - "/etc/mosdns/rule/whitelist.txt"
        - "/var/mosdns/geosite_cn.txt"
        - "/var/mosdns/geosite_apple-cn.txt"
        - "/var/mosdns/geosite_category-games@cn.txt"

  # domestic (CN) IPs
  - tag: geoip_cn
    type: ip_set
    args:
      files:
        - "/var/mosdns/geoip_cn.txt"

  # foreign (non-CN) domains
  - tag: geosite_no_cn
    type: domain_set
    args:
      files:
        - "/etc/mosdns/rule/greylist.txt"
        - "/var/mosdns/geosite_geolocation-!cn.txt"

  # ad domains
  - tag: adlist
    type: domain_set
    args:
      files:
        - "/etc/mosdns/rule/adlist.txt"

  # hosts file
  - tag: hosts
    type: hosts
    args:
      files:
        - "/etc/mosdns/rule/hosts.txt"

  # domestic DNS
  - tag: forward_local
    type: forward
    args:
      concurrent: 3
      upstreams:
        - addr: "tls://223.5.5.5" # Alibaba
          enable_pipeline: false
        - addr: "tls://1.12.12.12" # Tencent DNSPod
          enable_pipeline: true
        - addr: 59.51.78.210 # Hunan ISP DNS
          enable_pipeline: false
        - addr: 114.114.114.114
          enable_pipeline: false
        - addr: "https://dns.alidns.com/dns-query"
          dial_addr: "223.6.6.6"

        - addr: "tls://dns.alidns.com"
          dial_addr: "2400:3200:baba::1"
          enable_pipeline: true
        - addr: "tls://dns.alidns.com"
          dial_addr: "223.5.5.5"
          enable_pipeline: true

        - addr: "https://dns.alidns.com/dns-query"
          dial_addr: "223.5.5.5"
          enable_http3: true
        - addr: "https://dns.alidns.com/dns-query"
          dial_addr: "2400:3200::1"
          enable_http3: true

  # foreign DNS
  # pick low-latency resolvers yourself
  - tag: forward_remote
    type: forward
    args:
      concurrent: 3
      upstreams:
        # Google DNS
        - addr: tls://8.8.8.8
          enable_pipeline: true
        # Cloudflare node
        - addr: tls://1.1.1.1
          insecure_skip_verify: true  # disables certificate validation for this upstream; an on-path attacker could impersonate it
        # OpenDNS Sandbox
        - addr: "tls://208.67.222.2"
          enable_pipeline: true
        # OpenDNS 
        - addr: "tls://208.67.222.222"
          enable_pipeline: true  
        # 101DNS
        - addr: "tls://101.101.101.101"
          enable_pipeline: true
        # NextDNS HK node
        - addr: "https://45.11.104.186"
          insecure_skip_verify: true  # disables certificate validation for this upstream; an on-path attacker could impersonate it
        - addr: "https://dns.google/dns-query"
          dial_addr: "2001:4860:4860::6464"
        - addr: "https://dns.google/dns-query"
          dial_addr: "2001:4860:4860::0064"
        - addr: "https://dns.google/dns-query"
          dial_addr: "2001:4860:4860::8844"
        - addr: "https://dns.google/dns-query"
          dial_addr: "2001:4860:4860::8888"
        - addr: "https://dns.google/dns-query"
          dial_addr: "8.8.4.4"
        - addr: "https://dns.google/dns-query"
          dial_addr: "8.8.8.8"

        - addr: "tls://dns.google"
          dial_addr: "8.8.4.4"
          enable_pipeline: true # TCP/DoT: enable RFC 7766 query pipelining (connection reuse)
        - addr: "tls://dns.google"
          dial_addr: "2001:4860:4860::8888"
          enable_pipeline: true
        - addr: "tls://dns.google"
          dial_addr: "8.8.8.8"
          enable_pipeline: true
        # h3
        - addr: "https://dns.google/dns-query"
          dial_addr: "2001:4860:4860::8844"
          enable_http3: true
        - addr: "https://dns.google/dns-query"
          dial_addr: "8.8.4.4"
          enable_http3: true
        - addr: "https://dns.google/dns-query"
          dial_addr: "2001:4860:4860::8888"
          enable_http3: true
        - addr: "https://dns.google/dns-query"
          dial_addr: "8.8.8.8"
          enable_http3: true
        - addr: "https://1.1.1.1/dns-query"
          dial_addr: "1.1.1.1"


        - addr: "tls://1.1.1.1"
          dial_addr: "1.1.1.1"
          enable_pipeline: true # TCP/DoT: enable RFC 7766 query pipelining (connection reuse)
        - addr: "tls://1.1.1.1"
          dial_addr: "1.1.1.1"
          enable_pipeline: true
        - addr: "https://dns.nextdns.io"
          dial_addr: "45.90.28.186"
          enable_http3: true
        - addr: "https://dns.nextdns.io"
          dial_addr: "2a07:a8c0::ae:d5cb"
          enable_http3: true

        - addr: "tls://dns.nextdns.io"
          enable_pipeline: true
          dial_addr: "45.90.28.186"          
        - addr: "https://dns11.quad9.net/dns-query"
          dial_addr: "9.9.9.11"
        - addr: "https://dns11.quad9.net/dns-query"
          dial_addr: "2620:fe::11"

        - addr: "tls://dns11.quad9.net"
          dial_addr: "9.9.9.11"
          enable_pipeline: true
        - addr: "tls://dns11.quad9.net"
          dial_addr: "2620:fe::11"
          enable_pipeline: true

  # private split DNS
  - tag: forward_private
    type: forward
    args:
      concurrent: 3
      upstreams: 
        - addr: "https://dns.google/dns-query"
          bootstrap: "223.5.5.5" 
          bootstrap_version: 4 # whether the DoH hostname is bootstrapped to IPv4 or IPv6
          enable_pipeline: false
          enable_http3: false # HTTP/3 over UDP is unstable here; force HTTP/2
        - addr: "https://doh.pub/dns-query"
          dial_addr: "1.12.12.12"
        - addr: "https://doh.pub/dns-query"
          dial_addr: "120.53.53.53"

        - addr: "tls://dot.pub"
          dial_addr: "1.12.12.12"
          enable_pipeline: true
        - addr: "tls://dot.pub"
          dial_addr: "120.53.53.53"
          enable_pipeline: true          

  # ad domains
  - tag: ad_sequence
    type: sequence
    args:
      - matches:             # if
          - qname $adlist # the queried name is in the ad list
        exec: reject 3       # then block it by returning NXDOMAIN (rcode 3)

  # domestic resolution
  - tag: local_sequence
    type: sequence
    args:
      - exec: $forward_local

  # foreign resolution
  - tag: remote_sequence
    type: sequence
    args:
      - exec: prefer_ipv4
      - exec: $forward_remote

  # split resolution
  - tag: private_sequence
    type: sequence
    args:
      - exec: $forward_private

  # clash resolution
  - tag: clash_sequence
    type: sequence
    args:
      - exec: forward 127.0.0.1:7874
      - exec: ttl 0

  # stop and return once there is a response
  - tag: has_resp_sequence
    type: sequence
    args:
      - matches: has_resp
        exec: accept

  # fallback uses the split sequence
  # if a foreign IP comes back, resolve via clash to get a fake IP
  - tag: fallback_sequence
    type: sequence
    args:
      - exec: $private_sequence
      - matches: "!resp_ip $geoip_cn"
        exec: goto clash_sequence
      - exec: accept

  # foreign sequence
  - tag: fallback2_sequence
    type: sequence
    args:
      - exec: $remote_sequence
      - matches: "resp_ip $geoip_cn"
        exec: goto local_sequence
      - exec: goto clash_sequence      

  # fallback: split DNS first, foreign DNS after timeout
  - tag: fallback
    type: fallback
    args:
      primary: fallback_sequence
      secondary: fallback2_sequence
      threshold: 2000
      always_standby: true

  # main run-logic plugin
  # plugin tags referenced by a sequence must be defined before the sequence,
  # otherwise the sequence cannot find them.
  - tag: main_sequence
    type: sequence
    args:

      # hosts
      - exec: $hosts
      - exec: jump has_resp_sequence

      # drop https query type
      - matches:
        - qtype 65
        exec: reject 3

      # handle local ptr
      - matches:
        - qtype 12
        exec: $local_sequence
      - exec: jump has_resp_sequence

      # FakeIP: do not cache
      - matches:
        - qname $geosite_no_cn
        exec: $clash_sequence
      - exec: jump has_resp_sequence

      - exec: $ad_sequence

      # cache
      - exec: $cache
      - exec: jump has_resp_sequence

      - matches:
        - qname $geosite_cn
        exec: $local_sequence
      - exec: jump has_resp_sequence

      - exec: $fallback

  - tag: udp_server
    type: udp_server
    args:
      entry: main_sequence
      listen: ":5335" # mosdns listen port

  - tag: server_tcp
    type: tcp_server
    args:
      entry: main_sequence
      listen: ":5335"
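To make the matcher order of the final configuration above visible, here is a small Python simulator added for this article; it is not MosDNS code, and its rule sets, hosts entries and sample upstream answers are constructed stand-ins for the files the config loads. It replays main_sequence step by step: as the final config is ordered, a name matched by geosite_no_cn is handed to clash_sequence before $ad_sequence runs, so ad domains that are also in geolocation-!cn are not blocked by MosDNS itself; AdGuardHome, which sits in front of mosdns in this setup, is what filters them.

```python
"""Route simulator for the final MosDNS main_sequence shown above.

Constructed example: it replays the matcher order of that config against tiny
in-memory rule sets so the path a query takes can be checked offline.
It is not MosDNS code and performs no real DNS lookups.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed stand-ins for the rule files the config loads.
HOSTS = {"nas.lan": "192.168.1.10"}
GEOSITE_CN = {"cn", "lan", "local", "arpa", "taobao.com"}
GEOSITE_NO_CN = {"google.com", "doubleclick.net"}
ADLIST = {"doubleclick.net", "ads.example.cn"}
GEOIP_CN = [ipaddress.ip_network("223.5.5.0/24"),
            ipaddress.ip_network("120.53.0.0/16")]

QTYPE_A, QTYPE_PTR, QTYPE_HTTPS = 1, 12, 65


def domain_matches(qname: str, rule_set: set) -> bool:
    """domain_set semantics: a rule matches the domain itself and every subdomain."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in rule_set for i in range(len(labels)))


def in_geoip_cn(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GEOIP_CN)


def run_fallback(resolved_ip: Optional[str], trail: List[str]) -> str:
    """fallback plugin: primary = fallback_sequence, secondary = fallback2_sequence.

    resolved_ip is the answer the private upstream would return (None = timeout).
    """
    trail.append("fallback: private_sequence")
    if resolved_ip is None:
        trail.append("primary timed out: fallback2_sequence")
        return "remote_sequence"
    if in_geoip_cn(resolved_ip):
        return "accept private answer"
    trail.append("!resp_ip $geoip_cn")
    return "clash_sequence"


def route(qname: str, qtype: int = QTYPE_A,
          resolved_ip: Optional[str] = None,
          cache_hit: bool = False) -> Tuple[str, List[str]]:
    """Return (final handler, trail) for one query, in the order of main_sequence."""
    trail: List[str] = []
    if qname in HOSTS:                          # $hosts + jump has_resp_sequence
        return "hosts", trail
    if qtype == QTYPE_HTTPS:                    # drop HTTPS (type 65) queries
        return "reject 3", trail
    if qtype == QTYPE_PTR:                      # local PTR handling
        return "local_sequence", trail
    if domain_matches(qname, GEOSITE_NO_CN):    # evaluated BEFORE $ad_sequence
        trail.append("qname $geosite_no_cn")
        return "clash_sequence", trail
    if domain_matches(qname, ADLIST):           # $ad_sequence
        trail.append("qname $adlist")
        return "reject 3", trail
    if cache_hit:                               # $cache + jump has_resp_sequence
        return "cache", trail
    if domain_matches(qname, GEOSITE_CN):
        trail.append("qname $geosite_cn")
        return "local_sequence", trail
    return run_fallback(resolved_ip, trail), trail


if __name__ == "__main__":
    for q in [("ads.doubleclick.net", QTYPE_A, None),
              ("ads.example.cn", QTYPE_A, None),
              ("www.taobao.com", QTYPE_A, None),
              ("cdn.example.org", QTYPE_A, "223.5.5.5"),
              ("cdn.example.org", QTYPE_A, "1.1.1.1")]:
        print(q[0], "->", route(*q))
```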

3. AdGuardHome

On the LuCI page, enable port redirection and choose "redirect port 53 to AdGuardHome". Note that AdGuardHome itself must not listen on port 53; leave 53 to dnsmasq and give AdGuardHome a different port.

In the web admin page, under Settings – DNS settings, enter only the mosdns address 127.0.0.1:5335 #mosdns as the upstream DNS server, and 127.0.0.1 #dnsmasq as the private reverse DNS server. In the DNS cache settings, set the cache size according to your RAM and tick optimistic caching.

For devices that should not go through the proxy, add them under Settings – Client settings and set their upstream DNS server to 127.0.0.1.

Fixing Google Play Store not updating:

ADG – Filters – DNS rewrites: add services.googleapis.cn (http://services.googleapis.cn/) → 198.18.1.50

If a game accelerator does not work: OpenClash – Plugin Settings – Mode Settings, untick UDP traffic forwarding.

Reference tutorials: https://blog.openwrtcn.eu.org/dnsling-wu-ran/ and https://github.com/IrineSistiana/mosdns/discussions/796

For other settings, see [[Adguardhome 配置、优化教程]]

The configuration is as follows:

http:
  pprof:
    port: 6060
    enabled: false
  address: 0.0.0.0:3000
  session_ttl: 720h
users:
  - name: yanghaixiong
    password: $2y$10$t4WZhKFulyEy245kV4zitOAmyHGGBASFezaASPefwXRGDuPZB6z72
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
  bind_hosts:
    - 0.0.0.0
  port: 6060
  anonymize_client_ip: false
  ratelimit: 0
  ratelimit_subnet_len_ipv4: 24
  ratelimit_subnet_len_ipv6: 56
  ratelimit_whitelist: []
  refuse_any: false
  upstream_dns:
    - 127.0.0.1:5335
  upstream_dns_file: ""
  bootstrap_dns:
    - 8.8.8.8
  fallback_dns: []
  upstream_mode: fastest_addr
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 0
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: true
  enable_dnssec: false
  edns_client_subnet:
    custom_ip: ""
    enabled: true
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: false
  local_ptr_upstreams:
    - 127.0.0.1
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
  serve_plain_dns: true
  hostsfile_enabled: true
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
querylog:
  dir_path: ""
  ignored: []
  interval: 6h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  dir_path: ""
  ignored: []
  interval: 6h
  enabled: true
filters:
  - enabled: true
    url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
    name: AdGuard Simplified Domain Names filter
    id: 1
  - enabled: true
    url: https://adaway.org/hosts.txt
    name: AdAway
    id: 2
  - enabled: true
    url: https://raw.githubusercontent.com/vokins/yhosts/master/data/tvbox.txt
    name: tvbox
    id: 1575018007
  - enabled: true
    url: http://sbc.io/hosts/hosts
    name: StevenBlack host basic
    id: 1575618242
  - enabled: true
    url: http://sbc.io/hosts/alternates/fakenews-gambling-porn-social/hosts
    name: StevenBlack host+fakenews + gambling + porn + social
    id: 1575618243
  - enabled: true
    url: https://cdn.jsdelivr.net/gh/privacy-protection-tools/anti-AD/anti-ad-easylist.txt
    name: anti-AD(Adblock+neohosts+yhosts+cjxlist+adhlist)
    id: 1577113202
  - enabled: true
    url: https://raw.githubusercontent.com/o0HalfLife0o/list/master/ad.txt
    name: halflife
    id: 1734811795
  - enabled: true
    url: https://anti-ad.net/easylist.txt
    name: anti-AD
    id: 1734811796
  - enabled: true
    url: https://cdn.jsdelivr.net/gh/neoFelhz/neohosts@gh-pages/full/hosts.txt
    name: neoHosts
    id: 1734811797
  - enabled: true
    url: https://raw.githubusercontent.com/jdlingyu/ad-wars/master/hosts
    name: 大圣净化
    id: 1734811798
  - enabled: true
    url: https://raw.githubusercontent.com/banbendalao/ADgk/master/ADgk.txt
    name: adgk手机去广告规则
    id: 1734811799
  - enabled: true
    url: http://sub.adtchrome.com/adt-chinalist-easylist.txt
    name: 广告终结者
    id: 1734811800
  - enabled: true
    url: https://easylist-downloads.adblockplus.org/easylistchina+easylist.txt
    name: EasyList China+EasyList
    id: 1734811801
  - enabled: true
    url: https://easylist-downloads.adblockplus.org/easyprivacy.txt
    name: EasyPrivacy
    id: 1734811802
  - enabled: true
    url: https://raw.githubusercontent.com/cjx82630/cjxlist/master/cjx-annoyance.txt
    name: EasyList China
    id: 1734811803
  - enabled: true
    url: https://raw.githubusercontent.com/o0HalfLife0o/list/master/ad-pc.txt
    name: ad-pc
    id: 1734811804
  - enabled: true
    url: https://raw.githubusercontent.com/o0HalfLife0o/list/master/ad-mo.txt
    name: ad-mo
    id: 1734811805
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_21.txt
    name: 'CHN: anti-AD'
    id: 1734811811
  - enabled: true
    url: https://adrules.top/dns.txt
    name: Adlist
    id: 1734811812
whitelist_filters:
  - enabled: true
    url: https://raw.githubusercontent.com/privacy-protection-tools/dead-horse/master/anti-ad-white-list.txt
    name: anti-ad白名单
    id: 1734811806
  - enabled: true
    url: https://raw.githubusercontent.com/hl2guide/Filterlist-for-AdGuard/master/filter_whitelist.txt
    name: filter_whitelist
    id: 1734811807
  - enabled: true
    url: https://raw.githubusercontent.com/liwenjie119/adg-rules/master/white.txt
    name: LWJ's white list
    id: 1734811808
  - enabled: true
    url: https://raw.githubusercontent.com/ChengJi-e/AFDNS/master/QD.txt
    name: DNS允许白名单
    id: 1734811809
  - enabled: true
    url: https://gist.githubusercontent.com/YiDaCP/8f51ee10c770e5726ca4b8aff890de92/raw/dns.txt
    name: 自用
    id: 1734811810
user_rules:
  - '@@||xhamster.com^'
  - '@@||xhamsterlive.com^'
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
filtering:
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_services:
    schedule:
      time_zone: UTC
    ids: []
  protection_disabled_until: null
  safe_search:
    enabled: false
    bing: true
    duckduckgo: true
    ecosia: true
    google: true
    pixabay: true
    yandex: true
    youtube: true
  blocking_mode: nxdomain
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  rewrites:
    - domain: services.googleapis.cn
      answer: services.googleapis.com
    - domain: developers.google.cn
      answer: developers.google.com
  safe_fs_patterns:
    - /usr/bin/AdGuardHome/data/userfilters/*
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  filters_update_interval: 24
  blocked_response_ttl: 10
  filtering_enabled: true
  parental_enabled: false
  safebrowsing_enabled: false
  protection_enabled: true
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: false
    dhcp: true
    hosts: true
  persistent: []
log:
  enabled: true
  file: ""
  max_backups: 0
  max_size: 100
  max_age: 3
  compress: false
  local_time: false
  verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 29


4. Firewall

Add the following rules and restart the firewall:

# 6060 is the DNS listening port of AdGuardHome; the two ports must match
iptables -t nat -A PREROUTING -d 198.18.0.0/16 -p tcp -j REDIRECT --to-ports 7892
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 6060
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 6060
ip6tables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 6060
ip6tables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 6060

Supplementary note for firewall4 (nftables):
Add the following rule to /etc/nftables.d/10-custom-filter-chains.nft; note that every line must be indented with leading spaces, because the file is included inside the fw4 table.

chain adg_redirect {
    type nat hook prerouting priority dstnat - 10; policy accept;
    meta nfproto { ipv4, ipv6 } udp dport 53 counter redirect to :6060 comment "ADG"
}
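The AdGuardHome section requires that AdGuardHome not bind port 53 and that its only upstream be mosdns, and the firewall comment requires the redirect target to equal AdGuardHome's dns.port. Those three settings live in three different files, so they drift apart easily. The following is an added example, not part of this page or of AdGuardHome, mosdns or fw4: a stdlib-only Python check that reads the three configs as text and reports where the chain dnsmasq:53 -> AdGuardHome -> mosdns does not line up. The sample inputs are constructed to mirror the page's settings (ADG_BAD deliberately binds 53 and points at a wrong mosdns port); the tiny YAML scanner is only good enough for AdGuardHome's flat, two-space-indented layout and is not a general YAML parser.

```python
import re

def top_block(yaml_text, key):
    """Return the indented lines under the top-level YAML key `key`.
    Deliberately tiny: enough for AdGuardHome.yaml, not a YAML parser."""
    out, inside = [], False
    for line in yaml_text.splitlines():
        if line and not line[0].isspace():            # a new top-level key
            inside = line.split(':', 1)[0] == key
            continue
        if inside:
            out.append(line)
    return out

def adg_dns_port(adg_yaml):
    """dns.port (the DNS listener); http.pprof.port is ignored because it lives under http:."""
    for line in top_block(adg_yaml, 'dns'):
        m = re.match(r'^  port:\s*(\d+)\s*$', line)
        if m:
            return int(m.group(1))
    return None

def adg_upstreams(adg_yaml):
    """Entries of dns.upstream_dns."""
    ups, in_list = [], False
    for line in top_block(adg_yaml, 'dns'):
        if re.match(r'^  upstream_dns:\s*$', line):
            in_list = True
            continue
        if in_list:
            m = re.match(r'^    - (\S+)', line)
            if not m:
                break
            ups.append(m.group(1))
    return ups

def firewall_redirect_ports(rules):
    """Target ports of every iptables/nft rule that redirects port-53 traffic."""
    ports = set()
    for line in rules.splitlines():
        line = line.split('#', 1)[0]
        if 'dport 53' not in line:
            continue
        m = re.search(r'--to-ports\s+(\d+)|redirect to\s*:\s*(\d+)', line)
        if m:
            ports.add(int(m.group(1) or m.group(2)))
    return ports

def mosdns_listen_ports(mosdns_yaml):
    """Ports of the udp_server/tcp_server `listen:` lines (":5335" or "0.0.0.0:5335")."""
    return {int(m.group(1))
            for m in re.finditer(r'listen:\s*"?[^":\s]*:(\d+)"?', mosdns_yaml)}

def check_dns_chain(adg_yaml, rules, mosdns_yaml):
    """Return human-readable inconsistencies; an empty list means the chain lines up."""
    problems = []
    port = adg_dns_port(adg_yaml)
    redirects = firewall_redirect_ports(rules)
    if port is None:
        problems.append('AdGuardHome dns.port not found')
    else:
        if port == 53:
            problems.append('AdGuardHome must not bind port 53; leave it to dnsmasq')
        if redirects != {port}:
            problems.append(f'firewall redirects port 53 to {sorted(redirects)} '
                            f'but AdGuardHome listens on {port}')
    ups = adg_upstreams(adg_yaml)
    listen = mosdns_listen_ports(mosdns_yaml)
    if len(ups) != 1:
        problems.append(f'expected exactly one upstream (mosdns), found {ups}')
    for u in ups:
        up_port = int(u.rsplit(':', 1)[1]) if ':' in u else 53
        if up_port not in listen:
            problems.append(f'upstream {u} does not match a mosdns listener {sorted(listen)}')
    return problems

# Constructed sample inputs modelled on the page's configs (not the real files).
ADG_GOOD = """\
http:
  pprof:
    port: 6060
    enabled: false
  address: 0.0.0.0:3000
dns:
  bind_hosts:
    - 0.0.0.0
  port: 6060
  upstream_dns:
    - 127.0.0.1:5335
  local_ptr_upstreams:
    - 127.0.0.1
"""
# same file with the two mistakes the page warns about: binding 53 and a wrong upstream port
ADG_BAD = ADG_GOOD.replace('\n  port: 6060', '\n  port: 53').replace('127.0.0.1:5335', '127.0.0.1:5353')
FIREWALL = """\
# 6060 is the DNS listening port of AdGuardHome
iptables -t nat -A PREROUTING -d 198.18.0.0/16 -p tcp -j REDIRECT --to-ports 7892
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 6060
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 6060
ip6tables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 6060
meta nfproto { ipv4, ipv6 } udp dport 53 counter redirect to :6060 comment "ADG"
"""
MOSDNS = """\
  - tag: udp_server
    type: udp_server
    args:
      entry: main_sequence
      listen: ":5335" # mosdns listening port
"""

if __name__ == '__main__':
    print('good:', check_dns_chain(ADG_GOOD, FIREWALL, MOSDNS))
    print('bad: ', check_dns_chain(ADG_BAD, FIREWALL, MOSDNS))
```

On the router, feed it the real files (/etc/AdGuardHome.yaml or wherever luci-app-adguardhome keeps it, the firewall custom rules, and the mosdns config) after any change to one of them; the 198.18.0.0/16 rule is skipped on purpose because it is not part of the port-53 chain.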

V. Verification

Test sites:
Test Ad Block – Toolz
AdBlock Tester: test your AdBlock extensions
IP/DNS Detect – What is your IP, what is your DNS, what informations you send to websites.
DNS leak test
DNS Leak Test – BrowserLeaks

Summary

References
