向资深软路由玩家提问，关于 lede 项目 DNS 的设置

看看 iptable

@defunct9 iptable 我不怎么熟，但是 iptables -S 看起来也没有 53 端口相关的转发吧

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N MINIUPNPD
-N forwarding_lan_rule
-N forwarding_rule
-N forwarding_wan_rule
-N input_lan_rule
-N input_rule
-N input_wan_rule
-N output_lan_rule
-N output_rule
-N output_wan_rule
-N reject
-N syn_flood
-N zone_lan_dest_ACCEPT
-N zone_lan_forward
-N zone_lan_input
-N zone_lan_output
-N zone_lan_src_ACCEPT
-N zone_wan_dest_ACCEPT
-N zone_wan_dest_REJECT
-N zone_wan_forward
-N zone_wan_input
-N zone_wan_output
-N zone_wan_src_REJECT
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 7744 -m comment --comment "!fw3: vpn" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 56471 -m comment --comment "!fw3: QBittorrent" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --dport 51413 -m comment --comment "!fw3: Transmission" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1688 -m comment --comment "!fw3: kms" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject

简单来说，DNSMASQ 有两个参数 server 和 ipset 发挥的作用

server 的作用是将指定的域名交给指定的域名服务器解析，并将 ip 存入 ipset 中，iptables 再将目标地址为这个 ipset 的 package 转发到科学上网的端口或线路上

你研究一下这个参数的说明

-S, --local, --server=[/[<domain>]/[domain/]][<server>[#<port>]][@<interface>][@<source-ip>[#<port>]]
Specify upstream servers directly. Setting this flag does not suppress reading of /etc/resolv.conf, use --no-resolv to do that. If one or more optional domains are given, that server is used only for those domains and they are queried only using the specified server. This is intended for private nameservers: if you have a nameserver on your network which deals with names of the form xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving the flag --server=/internal.thekelleys.org.uk/192.168.1.1 will send all queries for internal machines to that nameserver, everything else will go to the servers in /etc/resolv.conf. DNSSEC validation is turned off for such private nameservers, UNLESS a --trust-anchor is specified for the domain in question. An empty domain specification, // has the special meaning of "unqualified names only" ie names without any dots in them. A non-standard port may be specified as part of the IP address using a # character. More than one --server flag is allowed, with repeated domain or ipaddr parts as required.
More specific domains take precedence over less specific domains, so: --server=/google.com/1.2.3.4 --server=/www.google.com/2.3.4.5 will send queries for google.com and gmail.google.com to 1.2.3.4, but www.google.com will go to 2.3.4.5

Matching of domains is normally done on complete labels, so /google.com/ matches google.com and www.google.com but NOT supergoogle.com. This can be overridden with a * at the start of a pattern only: /*google.com/ will match google.com and www.google.com AND supergoogle.com. The non-wildcard form has priority, so if /google.com/ and /*google.com/ are both specified then google.com and www.google.com will match /google.com/ and /*google.com/ will only match supergoogle.com.

For historical reasons, the pattern /.google.com/ is equivalent to /google.com/ if you wish to match any subdomain of google.com but NOT google.com itself, use /*.google.com/

The special server address '#' means, "use the standard servers", so --server=/google.com/1.2.3.4 --server=/www.google.com/# will send queries for google.com and its subdomains to 1.2.3.4, except www.google.com (and its subdomains) which will be forwarded as usual.

Also permitted is a -S flag which gives a domain but no IP address; this tells dnsmasq that a domain is local and it may answer queries from /etc/hosts or DHCP but should never forward queries on that domain to any upstream servers. --local is a synonym for --server to make configuration files clearer in this case.

IPv6 addresses may include an %interface scope-id, eg fe80::202:a412:4512:7bbf%eth0.

The optional string after the @ character tells dnsmasq how to set the source of the queries to this nameserver. It can either be an ip-address, an interface name or both. The ip-address should belong to the machine on which dnsmasq is running, otherwise this server line will be logged and then ignored. If an interface name is given, then queries to the server will be forced via that interface; if an ip-address is given then the source address of the queries will be set to that address; and if both are given then a combination of ip-address and interface name will be used to steer requests to the server. The query-port flag is ignored for any servers which have a source address specified but the port may be specified directly as part of the source address. Forcing queries to an interface is not implemented on all platforms supported by dnsmasq.

Upstream servers may be specified with a hostname rather than an IP address. In this case, dnsmasq will try to use the system resolver to get the IP address of a server during startup. If name resolution fails, starting dnsmasq fails, too. If the system's configuration is such that the system resolver sends DNS queries through the dnsmasq instance which is starting up then this will time-out and fail.

https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html#index

dnsmasq.conf 贴出来看看

另外说一下，server 和 ipset 这两个参数一般不在那个/var/etc/dnsmasq.conf.cfg01411c 配置文件中，但是你查看一下配置文件中的 conf-file 参数对应的目录下，应该有使用 server 和 ipset 的配置文件。

一般使用的是/tmp/dnsmasq.d/

@defunct9 #4

# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
localise-queries
read-ethers
enable-ubus=dnsmasq
expand-hosts
bind-dynamic
local-service
cache-size=8192
edns-packet-max=1232
domain=lan
local=/lan/
server=/docker.io/127.0.0.1#5333
addn-hosts=/tmp/hosts
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.d/resolv.conf.auto
stop-dns-rebind
rebind-localhost-ok
dhcp-broadcast=tag:needs-broadcast
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq


dhcp-ignore-names=tag:dhcp_bogus_hostname
conf-file=/usr/share/dnsmasq/dhcpbogushostname.conf

srv-host=_vlmcs._tcp,OpenWrt,1688,0,100

bogus-priv
conf-file=/usr/share/dnsmasq/rfc6761.conf
dhcp-range=set:lan,192.168.0.100,192.168.0.249,255.255.0.0,120h
no-dhcp-interface=pppoe-wan

@Jinnrry #6 /etc/dnsmasq.conf 这个文件里面只有一行 log-facility=/dev/null ，其他都是注释

/var/etc/dnsmasq.conf.cfg01411c 这个文件里应该有这一行吧
conf-dir=/tmp/dnsmasq.d

然后 /tmp/dnsmasq.d 里有
root@iStoreOS:~# cat /tmp/dnsmasq.d/dnsmasq-ssrplus.conf
conf-dir=/tmp/dnsmasq.d/dnsmasq-ssrplus.d

通过这种方式给 dnsmasq 追加了设置

server=/docker.io/127.0.0.1#5333

这个配置就是将 docker.io 这个域名由 127.0.0.1 5353 端口的域名服务进行解析

@kursk #5 我靠，大佬厉害，按照你说的，我找到配置了。

在/var/etc/dnsmasq.conf.cfg01411c 这个文件中额外加了一个配置文件路径`conf-dir=/tmp/dnsmasq.d`

/tmp/dnsmasq.d 这个文件夹里面有完整的分流规则

@kursk #9 这一条是我自己手动加的

@Puteulanus 是的，感谢大佬

我没跑 SSR-Plus ，给你看看 Passwall 的，基本也是这么个流程，最后追到 /tmp/dnsmasq.d/dnsmasq-passwall.conf 里：
conf-dir=/tmp/dnsmasq.d/passwall
server=127.0.0.1#15354
all-servers
no-poll
no-resolv
这就把 server 给设置到 ChinaDNS-NG 头上了

server=/docker.io/127.0.0.1#5333

就是这句

@Jinnrry server 参数要配合 ipset 一起使用才能实现科学上网

@kursk #15 我加 server=/docker.io/127.0.0.1#5333 是为了让 docker.io 走 chinadns 去解析，因为我看 chinadns 是禁止 ipv6 的。dnsmasq 会返回 ipv6 地址，我梯子服务器没有 ipv6 ，linux 默认优先使用 ipv6 ，就导致 docker pull 不能走代理。

我在 openwrt 好像找不到加 ipset 的地方？只有一个 DNS 转发可以设置 server ，硬编码改配置文件的话感觉不太优雅

@defunct9 #14 感谢 ssh 哥

@kursk #3 再请教一下，“iptables 再将目标地址为这个 ipset 的 package 转发到科学上网的端口或线路上” 这个配置是在哪呢？ 我用 iptables -L 看，好像没找到相关的配置呢

@Puteulanus #13
@kursk #3

我又研究了一下 SSR-PLUS 的强制代理，我发现设置某个域名强制走代理，其实只是加了一个`server=/docker.io/127.0.0.1#5335` 这样的设置，并没有设置 ipset ，这样强制 dns 使用海外 dns 解析，那如果向 docker 这个域名，返回 ipv6 的解析结果，我服务器不支持 ipv6 的话其实没啥用吧

@Jinnrry iptables 的配置与具体的采用的科学上网的工具有关

比如你使用 gost 作为科学上网工具，在本地开了 18443 作为端口转发，那么整体配置思路如下

在 dnsmasq 中的配置
server=/docker.io/127.0.0.1#10053
nftset=/docker.io/4#inet#wgcross#crs_dst

以上配置的作用是将 docker.io 的域名交给 127.0.0.1#10053 这个域名解析服务器解析，返回的 ip 存到 nft table 名为 wgcross 的 ipset crs_dst 中

说明一下：因为我使用的 openwrt23.05 已经是 firewell 4 了，而 firewell 4 使用 nftables 代替了 iptables ，所以与你使用的 firewell 3 的配置参数不同，但是思路是一样的

然后我的 nftables 的配置中就有如下一项

nft add rule inet wgcross PREROUTING ip daddr @crs_dst meta l4proto {tcp,udp} redirect to :18443

这个命令在 nft table 名为 wgcross 中增加了一条规则，将目标地址在 ipset crs_dst 中的 tcp 和 udp 包都专发到本地的 18443 端口上

所以通过 server ，nftset(firewell 3 是 ipset)解决 DNS 域名污染并存储了对应域名的目标 ip ，再通过 iptables 实现了目标 ip 转发到指定端口

我记得 iptables -L 默认是 NAT 表，一般转发规则在 PREROUTING 表中，你可能对 iptables 的几个表的使用不理解，你看看我写的这篇文章 https://mp.weixin.qq.com/s?__biz=Mzg3OTYwMTE1NA==&mid=2247483967&idx=1&sn=ed36e7007329ad78cf55c91fbed7b0b8&chksm=cf00b152f877384447032ecb2f5500f902941980683977e2d301f6e581599509f20121161889&token=111951293&lang=zh_CN#rd
可能对你有所启发