本文介绍如何在 Linux 系统上安装、配置和使用 Cloudflared,以实现基于 DoH 的安全 DNS 服务。
Cloudflared文档地址:
https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/
1.安装cloudflared
自行选择对应版本Binary下载 也可以下载deb或rpm安装包进行安装 以amd64为例
Binary:
curl -L https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 -o /usr/local/bin/cloudflared
chmod +x /usr/local/bin/cloudflareddeb:
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
dpkg -i cloudflared-linux-amd64.debrpm:
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm
rpm -i cloudflared-linux-x86_64.rpm
2.部署cloudflared doh服务
创建systemd服务
vim /etc/systemd/system/dns.service写入以下内容 默认使用https://1.1.1.1/dns-query和https://1.0.0.1/dns-query
[Unit]
Description=DNS over HTTPS (DoH) proxy client
Wants=network-online.target nss-lookup.target
Before=nss-lookup.target
[Service]
DynamicUser=yes
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ExecStart=/usr/local/bin/cloudflared proxy-dns --max-upstream-conns 0
Restart=on-failure
RestartPreventExitStatus=23
LimitNPROC=30000
LimitNOFILE=1000000
[Install]
WantedBy=multi-user.target如果需要使用其他doh 在ExecStart=/usr/local/bin/cloudflared proxy-dns --max-upstream-conns 0后配置--upstream参数 示例如下
ExecStart=/usr/local/bin/cloudflared proxy-dns --max-upstream-conns 0 --upstream https://8.8.8.8/dns-query --upstream https://8.8.4.4/dns-query
完成后开启服务 此时cloudflared监听在127.0.0.1:53以处理dns请求
systemctl enable --now dns测试是否有效
nslookup google.com 127.0.0.1
3.修改系统dns以使用doh
vim /etc/resolv.conf将里面所有内容删掉 填入下列nameserver后保存
nameserver 127.0.0.1
注意事项
1./etc/resolv.conf 文件可能被其他服务修改
设置 /etc/resolv.conf 为只读:
chattr +i /etc/resolv.conf此命令防止文件被意外修改,但需注意后续修改配置前需手动解除保护(chattr -i /etc/resolv.conf)
2.端口53冲突
禁用其他可能存在的服务:
systemctl stop dnsmasq
systemctl disable dnsmasq