
私密DNS部署指南

用于自定义域名解析的私密 DNS。这里使用 CoreDNS 而不是 AdGuard，因为 AdGuard 会泄露 CNAME 记录。

coredns配置

安装 coredns

bash coredns-install.sh

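#!/bin/bash
# coredns-install.sh
#
# Install CoreDNS as a systemd service with three listeners: plain DNS on
# :53, DNS-over-TLS on :853 and DNS-over-HTTPS on :443/dns-query.  Custom
# name mappings live in $CONF_DIR/rules/mappings.conf and are imported by
# every listener.
#
# Usage:  bash coredns-install.sh
# Optional environment variables:
#   COREDNS_VERSION  release to install (default: 1.14.4)
#   COREDNS_SHA256   expected sha256 of the downloaded tarball; when set, the
#                    archive is verified before anything is installed
# Requires: wget, tar, sha256sum (only with COREDNS_SHA256), sudo, systemd.
set -euo pipefail

# 1. 配置参数
VERSION="${COREDNS_VERSION:-1.14.4}"
BINARY_URL="https://github.com/coredns/coredns/releases/download/v$VERSION/coredns_${VERSION}_linux_amd64.tgz"
INSTALL_DIR="/usr/local/bin"
CONF_DIR="/etc/coredns"

# 2. 下载并安装二进制文件
# Work in a private temp dir so the caller's cwd is not polluted with the
# tarball/LICENSE/README and a failed download never leaves partial files.
tmpdir=$(mktemp -d) || { echo "mktemp 失败" >&2; exit 1; }
trap 'rm -rf -- "$tmpdir"' EXIT

echo "正在下载 CoreDNS v$VERSION..."
wget -qO "$tmpdir/coredns.tgz" "$BINARY_URL" || { echo "下载失败: $BINARY_URL" >&2; exit 1; }

# Verify the archive before extracting when a reference hash was provided;
# without it the binary is installed on trust of the download channel alone.
if [ -n "${COREDNS_SHA256:-}" ]; then
    echo "$COREDNS_SHA256  $tmpdir/coredns.tgz" | sha256sum -c - >/dev/null \
        || { echo "校验失败: 下载文件的 sha256 与 COREDNS_SHA256 不匹配" >&2; exit 1; }
fi

# Extract only the binary (the release tarball also ships LICENSE/README.md).
tar -xzf "$tmpdir/coredns.tgz" -C "$tmpdir" coredns
# install(1) sets mode 0755 in one step instead of mv + relying on the tar mode.
sudo install -m 0755 "$tmpdir/coredns" "$INSTALL_DIR/coredns"

# 3. 创建目录结构
sudo mkdir -p "$CONF_DIR/rules"

# 4. 生成基础配置文件 (Corefile)
# Keep a copy of an existing Corefile so a re-run does not silently discard
# local edits.
if sudo test -f "$CONF_DIR/Corefile"; then
    sudo cp -- "$CONF_DIR/Corefile" "$CONF_DIR/Corefile.bak"
fi
# Quoted delimiter: the Corefile contains no shell variables, so nothing
# should be expanded.  Note that `forward . 8.8.8.8` sends upstream queries
# in plaintext UDP/TCP; only the client-facing DoT/DoH legs are encrypted.
cat <<'EOF' | sudo tee "$CONF_DIR/Corefile" >/dev/null
# 标准 DNS (UDP/TCP)
.:53 {
    import rules/mappings.conf
    forward . 8.8.8.8
    cache 30
}

# DNS over TLS (DoT)
tls://.:853 {
    tls fullchain.crt private.key
    import rules/mappings.conf
    forward . 8.8.8.8
    cache 30
}

# DNS over HTTPS (DoH)
https://.:443/dns-query {
    tls fullchain.crt private.key
    import rules/mappings.conf
    forward . 8.8.8.8
    cache 30
}
EOF

# 5. 创建示例映射规则 (only when absent, so user rules survive re-runs)
if sudo test ! -f "$CONF_DIR/rules/mappings.conf"; then
    echo "rewrite name abc.com www.bilibili.com" | sudo tee "$CONF_DIR/rules/mappings.conf" >/dev/null
fi

# 6. 配置 Systemd 服务
# Unquoted delimiter on purpose: $CONF_DIR and $INSTALL_DIR are expanded here.
# The service runs as root because it binds 53/853/443 and reads private.key;
# running it as a dedicated user would also require AmbientCapabilities=
# CAP_NET_BIND_SERVICE and making the certificate files readable by that user.
cat <<EOF | sudo tee /etc/systemd/system/coredns.service >/dev/null
[Unit]
Description=CoreDNS DNS server
Documentation=https://coredns.io
After=network.target

[Service]
WorkingDirectory=$CONF_DIR
ExecStart=$INSTALL_DIR/coredns -conf Corefile
Restart=on-failure
User=root

[Install]
WantedBy=multi-user.target
EOF

# 7. 启动服务
sudo systemctl daemon-reload
sudo systemctl enable coredns
sudo systemctl restart coredns
# A missing certificate makes the DoT/DoH listeners fail at startup; warn
# instead of aborting so the instructions below are still printed.
if ! sudo systemctl is-active --quiet coredns; then
    echo "警告: coredns 未处于运行状态，请执行 journalctl -u coredns 查看原因。" >&2
fi

echo "安装完成!"
echo "请确保将你的证书文件 (fullchain.crt 和 private.key) 放入 $CONF_DIR 目录中。"
echo "修改规则请编辑: $CONF_DIR/rules/mappings.conf"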

安装后的关键后续步骤

  1. 放入证书:由于脚本中配置了 TLS/DoH,你需要将你的证书文件放入 /etc/coredns/ 目录:
  • /etc/coredns/fullchain.crt
  • /etc/coredns/private.key
  • 如果你还没有证书,可以使用 certbot 申请(Let's Encrypt)。
  2. 验证状态:安装后执行 systemctl status coredns,确保显示 active (running)。

  3. 更新规则:修改 rules/mappings.conf 后,重启服务 systemctl restart coredns

配置

clash(mihomo)

dns:
  enable: true
  ipv6: false
  # 这里的 DNS 用于非特定域名的兜底查询
  nameserver:
    - 223.5.5.5
    - 119.29.29.29
  
  # 核心逻辑:特定域名使用你的私有 DoH
  nameserver-policy:
    # 匹配你的域名,强制走你的 DoH
    "abc.com": "https://dnsprivate.86686808.uk/dns-query"
    "xyz.com": "https://dnsprivate.86686808.uk/dns-query"
    # 如果你有内网域名,建议也在这里配置
    "*.internal.local": "https://dnsprivate.86686808.uk/dns-query"

  # 建议配置 fallback,防止私有 DNS 挂掉时无法解析
  fallback:
    - https://8.8.8.8/dns-query

singbox

{
  "dns": {
    "servers": [
      {
        "tag": "private-doh",
        "type": "https",
        "url": "https://dnsprivate.86686808.uk/dns-query"
      },
      {
        "tag": "default-dns",
        "type": "https",
        "url": "https://223.5.5.5/dns-query",
        "detour": "direct"
      }
    ],
    "rules": [
      {
        "domain_suffix": ["abc.com", "xyz.com"],
        "server": "private-doh"
      }
    ],
    "final": "default-dns"
  }
}

surge5

[DNS]
# 1. 默认解析用公共 DNS (或者你信任的 DNS)
server = 223.5.5.5

# 2. 针对性配置:只给 abc.com 指定你的私有 DoH
nameserver-policy = /abc.com/https://dnsprivate.86686808.uk/dns-query

Shadowrocket 模块引用 (Module)

[Host]
abc.com = server:https://dnsprivate.86686808.uk/dns-query

[Rule]
# DoH 域名走直连
DOMAIN,dnsprivate.86686808.uk,DIRECT