Using a local DNS proxy to prevent DNS cache poisoning attacks

For well-known reasons, certain domain names are under continuous DNS cache poisoning attack: a DNS query sent over UDP receives interfering answers injected from the side, while the same query sent over TCP does not.

I have now found another solution: run a DNS proxy server locally. The local DNS server talks to the upstream DNS server over TCP and hands the results back to clients on the same machine over UDP, so the answers can no longer be interfered with from the side.
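The scheme just described, written out as an added illustration (this is not the project's tcpdns.py, just a minimal sketch of the same idea): the proxy listens on UDP, relays each query to the upstream resolver over a TCP connection, checks that the reply carries the query's transaction ID, and returns it to the local client over UDP. Because a TCP reply can only come from the peer that completed the connection, a forged answer injected from the side never reaches the client. To run offline, the upstream resolver is replaced by a constructed stand-in on localhost; the domain name, the answer address 192.0.2.1 and the port numbers are all made up for the example.

```python
# Added illustrative code (not tcpdns.py itself): a minimal UDP-to-TCP DNS proxy.
import socket
import struct
import threading

def build_query(name, txid=0x1234, qtype=1):
    # Minimal query: header (RD set, 1 question) + QNAME labels + QTYPE/QCLASS IN.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def tcp_frame(message):
    # DNS over TCP (RFC 1035 section 4.2.2) prefixes each message with a 2-byte length.
    return struct.pack("!H", len(message)) + message

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the TCP connection early")
        buf += chunk
    return buf

def read_tcp_message(sock):
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)

def tcp_query(upstream, message, timeout=20):
    # One TCP connection per query, "host:port" as in the proxy's config file.
    host, port = upstream.rsplit(":", 1)
    with socket.create_connection((host, int(port)), timeout=timeout) as s:
        s.sendall(tcp_frame(message))
        return read_tcp_message(s)

def skip_name(data, offset):
    # Return the offset just past a domain name, handling compression pointers.
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length

def first_a_record(response):
    # Walk past the question section and return the first IPv4 answer, or None.
    qdcount, ancount = struct.unpack("!HH", response[4:8])
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(response, offset) + 4
    for _ in range(ancount):
        offset = skip_name(response, offset)
        rtype, _cls, _ttl, rdlength = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlength == 4:
            return socket.inet_ntoa(response[offset:offset + 4])
        offset += rdlength
    return None

def start_proxy(upstream, host="127.0.0.1", port=0):
    # Accept UDP queries from local clients, relay each one upstream over TCP.
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind((host, port))
    def loop():
        while True:
            query, client = udp.recvfrom(4096)
            try:
                reply = tcp_query(upstream, query)
            except OSError:
                continue                    # upstream failure: drop, client retries
            if reply[:2] == query[:2]:      # only relay replies whose ID matches
                udp.sendto(reply, client)
    threading.Thread(target=loop, daemon=True).start()
    return udp.getsockname()[1]

def start_fake_upstream(answer_ip, host="127.0.0.1", port=0):
    # Constructed stand-in for a TCP resolver so the example runs offline:
    # answers every query with one A record pointing at answer_ip.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(5)
    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                query = read_tcp_message(conn)
                qend = skip_name(query, 12) + 4
                header = query[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0)
                rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
                conn.sendall(tcp_frame(header + query[12:qend] + rr))
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def resolve_via_proxy(name, proxy_port, timeout=5):
    # What the local stub resolver does once the system DNS points at 127.0.0.1.
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
        c.settimeout(timeout)
        c.sendto(query, ("127.0.0.1", proxy_port))
        reply, _ = c.recvfrom(4096)
    return first_a_record(reply) if reply[:2] == query[:2] else None

def demo():
    upstream_port = start_fake_upstream("192.0.2.1")        # TEST-NET-1, constructed
    proxy_port = start_proxy("127.0.0.1:%d" % upstream_port)
    return resolve_via_proxy("www.example.com", proxy_port)

if __name__ == "__main__":
    print(demo())
```

Running the file prints 192.0.2.1, the address the stand-in upstream was told to serve. Binding to port 0 lets the OS pick free ports so the sketch does not need root; a real deployment listens on 127.0.0.1:53, which is why the usage steps check netstat for that socket.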

How to use:

1. After installing Python, open the Tcp-DNS-proxy project, download tcpdns.py and run it;
2. Run netstat -an at the command line and check that a UDP 127.0.0.1:53 entry is present
3. Change the network settings so that the DNS server is 127.0.0.1
4. Run nslookup www.Twitter.com at the command line; you should get the correct result:

    服务器: UnKnown
    Address: 127.0.0.1

    非权威应答:
    名称: Twitter.com
    Addresses: 199.59.149.230
    199.59.150.7
    199.59.148.82
    Aliases: www.Twitter.com

Note: Windows users who do not want to install Python can download the exe package I built and run tcpdns.exe


How to use this Python script?

1:change your dns server to 127.0.0.1

$ vi /etc/resolv.conf
nameserver 127.0.0.1

2:restart the network

$ sudo /etc/init.d/networking restart

3:run the script

$ sudo python tcpdns.py -f tcpdns.json.example

Commandline

usage: tcpdns.py [-h] -f CONFIG_JSON [-d]
 
TCP DNS Proxy
 
optional arguments:
  -h, --help      show this help message and exit
  -f CONFIG_JSON  Json config file
  -d              Print debug message
  -s              Stop tcp dns proxy daemon

Configuration file

{
    "socket_timeout": 20,
    "host": "0.0.0.0",
    "port": 53,
    "tcp_dns_server": ["8.8.8.8:53",
                       "8.8.4.4:53",
                       "156.154.70.1:53",
                       "156.154.71.1:53",
                       "208.67.222.222:53",
                       "208.67.220.220:53",
                       "209.244.0.3:53"],
    "udp_dns_server": ["208.67.222.222:5353"],
    "enable_server_switch": true,
    "speed_test": true,
    "enable_lru_cache": true,
    "lru_cache_size"  : 500,
    "udp_mode"        : false,
    "daemon_process"  : false,
    "internal_dns_server": ["192.168.1.1:53"],
    "internal_domain": ["*intra*"],
    "private_host"    : {"*google.com": "203.117.34.162"}
}
  • enable_server_switch: switch to another DNS server if the network is slow
  • speed_test : test the speed of each DNS server on startup
  • enable_lru_cache : use an LRU cache to store DNS server responses
  • lru_cache_size : number of responses kept in the LRU cache
  • udp_mode : use the UDP DNS protocol; the default is the TCP DNS protocol
  • daemon_process : run as a daemon process on *nix platforms
  • internal_dns_server : internal DNS server on the internal network
  • internal_domain : internal domains whose IP addresses are obtained from the internal DNS server
  • private_host : static name-to-address mappings, like /etc/hosts on *nix platforms
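An added example (mine, not the project's code) showing how the routing-related keys of the configuration file fit together: a query is first checked against private_host, then against internal_domain, and only otherwise sent to the upstream list, over TCP unless udp_mode is set. The README does not state the matching rules, so shell-style glob matching with first-match-wins is an assumption here; the CONFIG dictionary is a constructed subset of the example file above.

```python
# Added example: interpreting the routing keys of tcpdns.json.
# Glob matching and the precedence order are assumptions, not documented behaviour.
from fnmatch import fnmatch

CONFIG = {  # constructed subset of the README's example configuration
    "tcp_dns_server": ["8.8.8.8:53", "8.8.4.4:53"],
    "udp_dns_server": ["208.67.222.222:5353"],
    "udp_mode": False,
    "internal_dns_server": ["192.168.1.1:53"],
    "internal_domain": ["*intra*"],
    "private_host": {"*google.com": "203.117.34.162"},
}

def route(name, config):
    """Return (action, target) describing how a query for `name` is handled."""
    name = name.rstrip(".").lower()
    # 1. Static answers, like /etc/hosts: no network query at all.
    for pattern, ip in config.get("private_host", {}).items():
        if fnmatch(name, pattern.lower()):
            return ("static", ip)
    # 2. Internal names go to the internal resolver.
    for pattern in config.get("internal_domain", []):
        if fnmatch(name, pattern.lower()):
            return ("internal", config["internal_dns_server"][0])
    # 3. Everything else goes upstream; udp_mode gives up the TCP transport.
    if config.get("udp_mode"):
        return ("udp", config["udp_dns_server"][0])
    return ("tcp", config["tcp_dns_server"][0])

if __name__ == "__main__":
    for host in ("www.google.com", "git.intra.corp", "www.twitter.com"):
        print(host, "->", route(host, CONFIG))
```

With server switching enabled the real proxy may pick a different entry from the list than the first one; this sketch always returns the first entry so the decision is easy to check.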

INSTALL

Linux system

 chmod +x ./install.sh
 ./install.sh

Windows system
Use tcpdns.exe in win directory.

Ubuntu or Debian installation guide

1:Use the following commands to install python modules

 sudo apt-get install libevent-dev
 sudo apt-get install python-pip
 sudo pip install gevent
 sudo pip install python-daemon

2:Pull the submodule source code.

 cd Tcp-DNS-proxy
 git submodule update --init --recursive

Windows installation guide

In order to build the gevent library you need Visual Studio installed, although tcpdns.py runs perfectly well without gevent. If you cannot run "C:\Python27\Scripts\pip.exe" from the CMD prompt, try "C:\Python27\python.exe -m pip" instead.

1:Pull the submodule source code.

 cd Tcp-DNS-proxy
 git submodule update --init --recursive

2:install python 2.7.9

3:Install pip.exe

Download get-pip.py and execute the following command:

python get-pip.py

4:install greenlet

C:\Python27\Scripts\pip.exe install greenlet

5:install Microsoft Visual C++ Compiler for Python 2.7

Download link

6:Install python gevent

C:\Python27\Scripts\pip.exe install gevent

7:install pyinstaller

C:\Python27\Scripts\pip.exe install pyinstaller

8:execute toexe.bat
